Can't authenticate with ExternalAuth


#1

Hello,

We have RT-3.6.6 and RT::Authen::ExternalAuth. ExternalAuth is installed
and configured to the extent that it is able to bind to LDAP, request
and receive info on the user, trying to login. But each time we receive
"Your username or password is incorrect ".

Looking at the traces I can’t see anything related to password checking
against LDAP. May be I’m missing something.

Thank you for your input.

Mikhail.

Here are RT_SiteConfig.pm and RT_SiteConfig_ExtAuth.pm, which is
included from RT_SiteConfig.pm

RT_SiteConfig.pm

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, ‘CTLMRT’ );

Set( $WebBaseURL , “http://company.com:$WebPort” );

Set($WebExternalAuth , 1);

Set($WebFallbackToInternalAuth , 1);

Set($WebExternalGecos , 0);

require “/opt/rt3/etc/RT_SiteConfig_ExtAuth.pm”;

1;

RT_SiteConfig_ExtAuth.pm

Set( $ExternalAuthPriority, [‘LDAP’] );
Set( $ExternalInfoPriority, [‘LDAP’] );
Set( $ExternalServiceUsesSSLorTLS, 0 );
Set( $ExternalSettings,

{ ‘LDAP’ =>

{

‘type’ => ‘ldap’,
‘auth’ => 1,
‘info’ => 1,
‘server’ => ‘ldapsrv’,
‘user’ => ‘ldap_user’,
‘pass’ => ‘ldap_user_pass’,
‘base’ => ‘OU=users,DC=company,DC=com’,

The filter to use to match RT-Users

The filter that will only match disabled users

‘filter’ => ‘’,
‘d_filter’ => ‘’,

Should we try to use TLS to encrypt connections?

What other args should I pass to Net::LDAP->new($host,@args)?

‘tls’ => 0,
‘net_ldap_args’ => [version => 3],

Does authentication depend on group membership? What group name?

What is the attribute for the group object that determines membership?

#‘group’ => ‘GROUP_NAME’,
#‘group_attr’ => ‘GROUP_ATTR’,

RT ATTRIBUTE MATCHING SECTION

The list of RT attributes that uniquely identify a user

‘attr_match_list’ =>

[
‘Name’
#‘EmailAddress’,
#‘RealName’,
#‘WorkPhone’,
#‘Address2’
],

The mapping of RT attributes on to LDAP attributes

‘attr_map’ =>

{

‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’

} # close ‘attr_map’
} # close ‘LDAP’
} # close $ExternalSettings
); # close Set $ExternalSettings

1;


#2

Mikhail.Gorbunov@cetelem.ru wrote:

Hello,

We have RT-3.6.6 and RT::Authen::ExternalAuth. ExternalAuth is installed
and configured to the extent that it is able to bind to LDAP, request
and receive info on the user, trying to login. But each time we receive
"Your username or password is incorrect ".

Looking at the traces I can’t see anything related to password checking
against LDAP. May be I’m missing something.

Thank you for your input.

Can you provide a copy of the log output in debug mode for a login?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com


#3

Mikhail.Gorbunov@cetelem.ru wrote:

Hi,

Finally I’ve sorted this out: we needed to set d_filter, so that ExtAuth
could check if the user is disabled properly.

One more quick question: group, mentioned in LDAP config relates to AD
group, or RT group ?

AD group. If you use groupos with ExternalAuth, you are saying “In order
to be allowed to access RT, the user must be a member of the LDAP group
I have specified.”.

Glad you got it sorted.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com


#4

Mikhail.Gorbunov@cetelem.ru wrote:

Any ways/plans to import groups from AD to RT ?

It is as a possibility for the future, but at the moment I haven’t the
time to implement such an extensive feature.

In any case, it’s not often that AD groups and RT groups are completely
compatible. You could have people automatically added to particular
groups, but then management of those groups within RT is almost always
more complex than you could define in AD.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com


#5

I’m using RT 3.6.6 on centos 5.1. I’m new to RT and trying to setup the basics on how we’ll use it to track trouble tickets in our small IT dept.

My plan was to have a single queue “NewTicket” that was the only queue accessible to all users. The helpdesk person would look at the ticket and then assign it to an appropriate queue like : “printers”, “access-request”, …

I would think that would be a pretty common workflow management task; but I cannot find a way to do it and google has not produced anything useful.

  1. If this is do-able, is there a link that tells me what I’m missing?
  2. Am I taking the wrong aproach, and there is a better way to do this?
  3. or ?..

thanks for any help you can offer

The information contained in this message may be privileged and / or
confidential and protected from disclosure. If the reader of this message is
not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you
have received this communication in error, please notify the sender
immediately by replying to this message and deleting the material from any
computer.


#6

Unless I’m missing something in your question: just click on the 'Basics’
link in the navigation bar and select the Queue: pulldown and select the
queue you want it to go into (then save changes by clicking the ‘Save
Changes’ button).
SteveOn Tue, May 27, 2008 at 12:42 PM, Sells, Fred fred.sells@adventistcare.org wrote:

I’m using RT 3.6.6 on centos 5.1. I’m new to RT and trying to setup the
basics on how we’ll use it to track trouble tickets in our small IT dept.

My plan was to have a single queue “NewTicket” that was the only queue
accessible to all users. The helpdesk person would look at the ticket and
then assign it to an appropriate queue like : “printers”, “access-request”,

I would think that would be a pretty common workflow management task; but I
cannot find a way to do it and google has not produced anything useful.

  1. If this is do-able, is there a link that tells me what I’m missing?
  2. Am I taking the wrong aproach, and there is a better way to do this?
  3. or ?..

thanks for any help you can offer


The information contained in this message may be privileged and / or
confidential and protected from disclosure. If the reader of this message
is
not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If
you
have received this communication in error, please notify the sender
immediately by replying to this message and deleting the material from any
computer.


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

There is no greater gift to an insecure leader that quite matches a vague
enemy who can be used to whip up fear and hatred among the population.
-Paul Rusesabagina, humanitarian (b. 1954)

Human beings are perhaps never more frightening than when they are
convinced beyond doubt that they are right. -Laurens van der Post, explorer
and writer (1906-1996)


#7

thanks, I must not have had the ticket selected when I tried “Basics”, I appreciate you’re taking the time to explain the obvious with a zinger :slight_smile:

Fred.-----Original Message-----
From: sholmes42@gmail.com [mailto:sholmes42@gmail.com]On Behalf Of Steve Holmes
Sent: Tuesday, May 27, 2008 1:34 PM
To: Sells, Fred
Cc: RT-Users@lists.bestpractical.com
Subject: [senderbase] Re: [rt-users] newbie needs help to move ticket to different queue

Unless I’m missing something in your question: just click on the ‘Basics’ link in the navigation bar and select the Queue: pulldown and select the queue you want it to go into (then save changes by clicking the ‘Save Changes’ button).

Steve

On Tue, May 27, 2008 at 12:42 PM, Sells, Fred < fred.sells@adventistcare.org> wrote:

I’m using RT 3.6.6 on centos 5.1. I’m new to RT and trying to setup the basics on how we’ll use it to track trouble tickets in our small IT dept.

My plan was to have a single queue “NewTicket” that was the only queue accessible to all users. The helpdesk person would look at the ticket and then assign it to an appropriate queue like : “printers”, “access-request”, …

I would think that would be a pretty common workflow management task; but I cannot find a way to do it and google has not produced anything useful.

  1. If this is do-able, is there a link that tells me what I’m missing?
  2. Am I taking the wrong aproach, and there is a better way to do this?
  3. or ?..

thanks for any help you can offer

The information contained in this message may be privileged and / or
confidential and protected from disclosure. If the reader of this message is
not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you
have received this communication in error, please notify the sender
immediately by replying to this message and deleting the material from any
computer.
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

There is no greater gift to an insecure leader that quite matches a vague enemy who can be used to whip up fear and hatred among the population.
-Paul Rusesabagina, humanitarian (b. 1954)

Human beings are perhaps never more frightening than when they are
convinced beyond doubt that they are right. -Laurens van der Post, explorer
and writer (1906-1996)