Difficulty implementing LDAP/AD Authorization

I have a new install of RT 4.2.4 running on Centos 6.4 64 bit with Apache 2.2.15. I have installed RT::Authen::ExternalAuth and Net::LDAP, and have configured my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm with the right server address and LDAP user and password, and added Set( @Plugins, qw(RT::Authen::ExternalAuth) ); to the file /opt/rt4/etc/RT_SiteConfig.pm. I have restarted https, restarted the entire server, but i continue to see the same results, e.g. I can log in to RT with the default installed root account, but when I try any AD user, it fails, and the error I receive in both /var/log/messages and /var/log/httpd/error_log is the same: “FAILED LOGIN for from (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:811)

Any suggestions on where to begin troubleshooting this would be appreciated.
Thanks,
Rezty Felty
Senior Linux Administrator
Adknowledge
816-559-1196

Jxplorer shows successful connection and authentication using the auth info I have in rt. Here is my /opt/rt4/etc/RT_SiteConfig.pm:

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this command:

perl -c /path/to/your/etc/RT_SiteConfig.pm

You must restart your webserver after making changes to this file.

Set( $rtname, ‘Adknowledge.com’);

Set( $WebDomain, ‘pkc-tracker02.ak-networks.com’);

Set( $WebPort, 443);

You must install Plugins on your own, this is only an example

of the correct syntax to use when activating them.

Plugin( “RT::Extension::QuickDelete” );

Plugin( “RT::Extension::CommandByMail” );

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

and my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, which I would think more important in this case:

=head1 NAME

External Authentication Configuration - Sample configs for LRT::Authen::ExternalAuth

=head1 DESCRIPTION

LRT::Authen::ExternalAuth provides a lot of flexibility

with many configuration options. This file describes these

configuration options and is itself a sample configuration

suitable for dropping into your C<etc/RT_SiteConfig.pm>

file and modifying.

=over 4

=item C<$ExternalAuthPriority>

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

You should remove services you don’t use. For example,

if you’re only using My_LDAP, remove My_MySQL and My_SSO_Cookie.

=cut

Set($ExternalAuthPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                          'My_SSO_Cookie'

                        ]

);

=item C<$ExternalInfoPriority>

When multiple auth services are available, this value defines

the order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once a user record is found, no more services are checked.

You CANNOT use a SSO cookie to retrieve information.

You should remove services you don’t use, but you must define

at least one service.

=cut

Set($ExternalInfoPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                        ]

);

=item C<$ExternalServiceUsesSSLorTLS>

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means LNet::SSLeay.

=cut

Set($ExternalServiceUsesSSLorTLS, 0);

=item C<$AutoCreateNonExternalUsers>

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service. This is useful if you have users outside

your organization who might interface with RT, perhaps by sending

email to a support email address.

=cut

Set($AutoCreateNonExternalUsers, 0);

=item C<$ExternalSettings>

These are the full settings for each external service as a HashOfHashes.

Note that you may have as many external services as you wish. They will

be checked in the order specified in $ExternalAuthPriority and

$ExternalInfoPriority directives above.

The outer structure is a key with the authentication option (name of external

source). The value is a hash reference with configuration keys and values,

for example:

Set($ExternalSettings, {

    MyLDAP => {

        type => 'ldap',

        ... other options ...

    },

    MyMySQL => {

        type => 'db',

        ... other options ...

    },

    ... other sources ...

    } );

As shown above, each description should have ‘type’ defined.

The following types are supported:

=over 4

=item ldap

Authenticate against and sync information with LDAP servers.

See LRT::Authen::ExternalAuth::LDAP for details.

=item db

Authenticate against and sync information with external RDBMS,

supported by Perl’s L interface. See LRT::Authen::ExternalAuth::DBI

for details.

=item cookie

Authenticate by cookie. See LRT::Authen::ExternalAuth::DBI::Cookie

for details.

=back

See the modules noted above for configuration options specific to each type.

The following apply to all types.

=over 4

=item attr_match_list

The list of RT attributes that uniquely identify a user. These values

are used, in order, to find users in the selected authentication

source. Each value specified here must have a mapping in the

L</“attr_map”> section below. You can remove values you don’t

expect to match, but it’s recommended to use ‘Name’ and ‘EmailAddress’

at minimum. For example:

'attr_match_list' => [

    'Name',

    'EmailAddress',

],

You should not use items that can map to multiple users (such as a

RealName or building name).

=item attr_map

Mapping of RT attributes on to attributes in the external source.

Valid keys are attributes of an

LRT::User|http://bestpractical.com/rt/docs/latest/RT/User.html.

The values are attributes from your authentication source.

For example, an LDAP mapping might look like:

'attr_map' => {

    'Name'         => 'sAMAccountName',

    'EmailAddress' => 'mail',

    'Organization' => 'physicalDeliveryOfficeName',

    'RealName'     => 'cn',

    ...

},

=back

=cut

Set($ExternalSettings, {

# AN EXAMPLE DB SERVICE

'My_MySQL'   =>  {

    'type'                      =>  'db',

    'server'                    =>  'server.domain.tld',

    'database'                  =>  'DB_NAME',

    'table'                     =>  'USERS_TABLE',

    'user'                      =>  'DB_USER',

    'pass'                      =>  'DB_PASS',

    'port'                      =>  'DB_PORT',

    'dbi_driver'                =>  'DBI_DRIVER',

    'u_field'                   =>  'username',

    'p_field'                   =>  'password',

    'p_enc_pkg'                 =>  'Crypt::MySQL',

    'p_enc_sub'                 =>  'password',

    'd_field'                   =>  'disabled',

    'd_values'                  =>  ['0'],

    'attr_match_list' =>  [

        'Gecos',

        'Name',

    ],

    'attr_map' => {

        'Name'           => 'username',

        'EmailAddress'   => 'email',

        'ExternalAuthId' => 'username',

        'Gecos'          => 'userID',

    },

},

# AN EXAMPLE LDAP SERVICE

'My_LDAP'       =>  {

    'type'                      =>  'ldap',

    'server'                    =>  '10.201.0.200',

    'user'                      =>  'apacheldap@adknowledge.com',

    'pass'                      =>  ‘redacted',

    'base'                      =>  'dc=adknowledge,dc=com',

    'filter'                    =>  '(FILTER_STRING)',

    'd_filter'                  =>  '(FILTER_STRING)',

    'group'                     =>  'GROUP_NAME',

    'group_attr'                =>  'GROUP_ATTR',

    'tls'                       =>  0,

    'ssl_version'               =>  3,

    'net_ldap_args'             => [    version =>  3   ],

    'group_scope'               =>  'base',

    'group_attr_value'          =>  'GROUP_ATTR_VALUE',

    'attr_match_list' => [

        'Name',

        'EmailAddress',

        'RealName',

    ],

    'attr_map' => {

        'Name' => 'sAMAccountName',

        'EmailAddress' => 'mail',

        'Organization' => 'physicalDeliveryOfficeName',

        'RealName' => 'cn',

        'ExternalAuthId' => 'sAMAccountName',

        'Gecos' => 'sAMAccountName',

        'WorkPhone' => 'telephoneNumber',

        'Address1' => 'streetAddress',

        'City' => 'l',

        'State' => 'st',

        'Zip' => 'postalCode',

        'Country' => 'co'

    },

},

# An example SSO cookie service

'My_SSO_Cookie'  => {

    'type'                      =>  'cookie',

    'name'                      =>  'loginCookieValue',

    'u_table'                   =>  'users',

    'u_field'                   =>  'username',

    'u_match_key'               =>  'userID',

    'c_table'                   =>  'login_cookie',

    'c_field'                   =>  'loginCookieValue',

    'c_match_key'               =>  'loginCookieUserID',

    'db_service_name'           =>  'My_MySQL'

},

} );

1;

Thanks,
Rezty Felty
Senior Linux Administrator
Adknowledge
816-559-1196From: Marco Agostini <comunelevico@gmail.commailto:comunelevico@gmail.com>
Date: Wednesday, July 30, 2014 at 11:38 AM
To: Rezty Felty <rfelty@adknowledge.commailto:rfelty@adknowledge.com>
Subject: Re: [rt-users] Difficulty implementing LDAP/AD Authorization

I have a new install of RT 4.2.4 running on Centos 6.4 64 bit with Apache 2.2.15. I have installed RT::Authen::ExternalAuth and Net::LDAP, and have configured my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm with the right server address and LDAP user and password, and added Set( @Plugins, qw(RT::Authen::ExternalAuth) ); to the file /opt/rt4/etc/RT_SiteConfig.pm. I have restarted https, restarted the entire server, but i continue to see the same results, e.g. I can log in to RT with the default installed root account, but when I try any AD user, it fails, and the error I receive in both /var/log/messages and /var/log/httpd/error_log is the same: “FAILED LOGIN for from (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:811)

Any suggestions on where to begin troubleshooting this would be appreciated.

Use these tool http://jxplorer.org/ to test the parameter that you are using in RT.

Post the content of /opt/rt4/etc/RT_SiteConfig.pm

RT won’t look at any changes you place in example RT_SiteConfig.pm files
included with extensions (if that’s why you’ve included that file in your
previous e-mail). You need to copy the relevant changes into your RT
installation’s RT_SiteConfig.pm file.On 31/07/2014 3:12 am, “Rezty Felty” rfelty@adknowledge.com wrote:

Jxplorer shows successful connection and authentication using the auth
info I have in rt. Here is my /opt/rt4/etc/RT_SiteConfig.pm:

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this command:

perl -c /path/to/your/etc/RT_SiteConfig.pm

You must restart your webserver after making changes to this file.

Set( $rtname, ‘Adknowledge.com’);

Set( $WebDomain, ‘pkc-tracker02.ak-networks.com’);

Set( $WebPort, 443);

You must install Plugins on your own, this is only an example

of the correct syntax to use when activating them.

Plugin( “RT::Extension::QuickDelete” );

Plugin( “RT::Extension::CommandByMail” );

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

and my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm,
which I would think more important in this case:

=head1 NAME

External Authentication Configuration - Sample configs for
LRT::Authen::ExternalAuth

=head1 DESCRIPTION

LRT::Authen::ExternalAuth provides a lot of flexibility

with many configuration options. This file describes these

configuration options and is itself a sample configuration

suitable for dropping into your C<etc/RT_SiteConfig.pm>

file and modifying.

=over 4

=item C<$ExternalAuthPriority>

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

You should remove services you don’t use. For example,

if you’re only using My_LDAP, remove My_MySQL and My_SSO_Cookie.

=cut

Set($ExternalAuthPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                          'My_SSO_Cookie'

                        ]

);

=item C<$ExternalInfoPriority>

When multiple auth services are available, this value defines

the order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once a user record is found, no more services are checked.

You CANNOT use a SSO cookie to retrieve information.

You should remove services you don’t use, but you must define

at least one service.

=cut

Set($ExternalInfoPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                        ]

);

=item C<$ExternalServiceUsesSSLorTLS>

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means LNet::SSLeay.

=cut

Set($ExternalServiceUsesSSLorTLS, 0);

=item C<$AutoCreateNonExternalUsers>

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service. This is useful if you have users outside

your organization who might interface with RT, perhaps by sending

email to a support email address.

=cut

Set($AutoCreateNonExternalUsers, 0);

=item C<$ExternalSettings>

These are the full settings for each external service as a HashOfHashes.

Note that you may have as many external services as you wish. They will

be checked in the order specified in $ExternalAuthPriority and

$ExternalInfoPriority directives above.

The outer structure is a key with the authentication option (name of
external

source). The value is a hash reference with configuration keys and values,

for example:

 Set($ExternalSettings, {

    MyLDAP => {

        type => 'ldap',

        ... other options ...

    },

    MyMySQL => {

        type => 'db',

        ... other options ...

    },

    ... other sources ...

    } );

As shown above, each description should have ‘type’ defined.

The following types are supported:

=over 4

=item ldap

Authenticate against and sync information with LDAP servers.

See LRT::Authen::ExternalAuth::LDAP for details.

=item db

Authenticate against and sync information with external RDBMS,

supported by Perl’s L interface. See LRT::Authen::ExternalAuth::DBI

for details.

=item cookie

Authenticate by cookie. See LRT::Authen::ExternalAuth::DBI::Cookie

for details.

=back

See the modules noted above for configuration options specific to each
type.

The following apply to all types.

=over 4

=item attr_match_list

The list of RT attributes that uniquely identify a user. These values

are used, in order, to find users in the selected authentication

source. Each value specified here must have a mapping in the

L</“attr_map”> section below. You can remove values you don’t

expect to match, but it’s recommended to use ‘Name’ and ‘EmailAddress’

at minimum. For example:

 'attr_match_list' => [

    'Name',

    'EmailAddress',

],

You should not use items that can map to multiple users (such as a

RealName or building name).

=item attr_map

Mapping of RT attributes on to attributes in the external source.

Valid keys are attributes of an

LRT::User|http://bestpractical.com/rt/docs/latest/RT/User.html.

The values are attributes from your authentication source.

For example, an LDAP mapping might look like:

 'attr_map' => {

    'Name'         => 'sAMAccountName',

    'EmailAddress' => 'mail',

    'Organization' => 'physicalDeliveryOfficeName',

    'RealName'     => 'cn',

    ...

},

=back

=cut

Set($ExternalSettings, {

# AN EXAMPLE DB SERVICE

'My_MySQL'   =>  {

    'type'                      =>  'db',

    'server'                    =>  'server.domain.tld',

    'database'                  =>  'DB_NAME',

    'table'                     =>  'USERS_TABLE',

    'user'                      =>  'DB_USER',

    'pass'                      =>  'DB_PASS',

    'port'                      =>  'DB_PORT',

    'dbi_driver'                =>  'DBI_DRIVER',

    'u_field'                   =>  'username',

    'p_field'                   =>  'password',

    'p_enc_pkg'                 =>  'Crypt::MySQL',

    'p_enc_sub'                 =>  'password',

    'd_field'                   =>  'disabled',

    'd_values'                  =>  ['0'],

    'attr_match_list' =>  [

        'Gecos',

        'Name',

    ],

    'attr_map' => {

        'Name'           => 'username',

        'EmailAddress'   => 'email',

        'ExternalAuthId' => 'username',

        'Gecos'          => 'userID',

    },

},

# AN EXAMPLE LDAP SERVICE

'My_LDAP'       =>  {

    'type'                      =>  'ldap',

    'server'                    =>  '10.201.0.200',

    'user'                      =>  'apacheldap@adknowledge.com',

    'pass'                      =>  ‘redacted',

    'base'                      =>  'dc=adknowledge,dc=com',

    'filter'                    =>  '(FILTER_STRING)',

    'd_filter'                  =>  '(FILTER_STRING)',

    'group'                     =>  'GROUP_NAME',

    'group_attr'                =>  'GROUP_ATTR',

    'tls'                       =>  0,

    'ssl_version'               =>  3,

    'net_ldap_args'             => [    version =>  3   ],

    'group_scope'               =>  'base',

    'group_attr_value'          =>  'GROUP_ATTR_VALUE',

    'attr_match_list' => [

        'Name',

        'EmailAddress',

        'RealName',

    ],

    'attr_map' => {

        'Name' => 'sAMAccountName',

        'EmailAddress' => 'mail',

        'Organization' => 'physicalDeliveryOfficeName',

        'RealName' => 'cn',

        'ExternalAuthId' => 'sAMAccountName',

        'Gecos' => 'sAMAccountName',

        'WorkPhone' => 'telephoneNumber',

        'Address1' => 'streetAddress',

        'City' => 'l',

        'State' => 'st',

        'Zip' => 'postalCode',

        'Country' => 'co'

    },

},

# An example SSO cookie service

'My_SSO_Cookie'  => {

    'type'                      =>  'cookie',

    'name'                      =>  'loginCookieValue',

    'u_table'                   =>  'users',

    'u_field'                   =>  'username',

    'u_match_key'               =>  'userID',

    'c_table'                   =>  'login_cookie',

    'c_field'                   =>  'loginCookieValue',

    'c_match_key'               =>  'loginCookieUserID',

    'db_service_name'           =>  'My_MySQL'

},

} );

1;

Thanks,
Rezty Felty
Senior Linux Administrator
Adknowledge
816-559-1196

From: Marco Agostini comunelevico@gmail.com
Date: Wednesday, July 30, 2014 at 11:38 AM
To: Rezty Felty rfelty@adknowledge.com
Subject: Re: [rt-users] Difficulty implementing LDAP/AD Authorization

Il 30/lug/2014 17:34 “Rezty Felty” rfelty@adknowledge.com ha scritto:

I have a new install of RT 4.2.4 running on Centos 6.4 64 bit with
Apache 2.2.15. I have installed RT::Authen::ExternalAuth and Net::LDAP,
and have configured
my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm with
the right server address and LDAP user and password, and added Set(
@Plugins, qw(RT::Authen::ExternalAuth) ); to the
file /opt/rt4/etc/RT_SiteConfig.pm. I have restarted https, restarted the
entire server, but i continue to see the same results, e.g. I can log in to
RT with the default installed root account, but when I try any AD user, it
fails, and the error I receive in both /var/log/messages and
/var/log/httpd/error_log is the same: “FAILED LOGIN for from
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:811)

Any suggestions on where to begin troubleshooting this would be
appreciated.

Use these tool http://jxplorer.org/ to test the parameter that you are
using in RT.

Post the content of /opt/rt4/etc/RT_SiteConfig.pm


RT Training - Boston, September 9-10
http://bestpractical.com/training

Well, we were unable to get the RT::Authen::ExternalAuth plugin to work, no matter what we tried, but I had a co-worker looking over my configs as well, and I had previously tried to make AD/LDAP auth work by just using Apache to do it . . . When looking in the vhost conf file for rt, he noticed I had placed my Apache Location Directive inside my Directory Directive, which is fairly common and I would never have thought twice about. However, in this instance, the Directory Directive began as such:

<Directory /opt/rt4/share/html>

and the Location Directive began as such:

Since they were two different paths, the Location Directive was never getting executed, which was where all the apache ldap auth info was. By moving the Location Directive outside the Directory Directive, and adding an alias:

ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

we were able to make AD/LDAP authorization work.

Thanks,
Rezty Felty
Senior Linux Administrator
Adknowledge
816-559-1196From: Alex Peters <alex@peters.netmailto:alex@peters.net>
Date: Wednesday, July 30, 2014 at 7:31 PM
To: Rezty Felty <rfelty@adknowledge.commailto:rfelty@adknowledge.com>
Cc: RT users <rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com>
Subject: Re: [rt-users] Difficulty implementing LDAP/AD Authorization

RT won’t look at any changes you place in example RT_SiteConfig.pm files included with extensions (if that’s why you’ve included that file in your previous e-mail). You need to copy the relevant changes into your RT installation’s RT_SiteConfig.pm file.

Jxplorer shows successful connection and authentication using the auth info I have in rt. Here is my /opt/rt4/etc/RT_SiteConfig.pm:

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this command:

perl -c /path/to/your/etc/RT_SiteConfig.pm

You must restart your webserver after making changes to this file.

Set( $rtname, ‘Adknowledge.com’);

Set( $WebDomain, ‘pkc-tracker02.ak-networks.comhttp://pkc-tracker02.ak-networks.com’);

Set( $WebPort, 443);

You must install Plugins on your own, this is only an example

of the correct syntax to use when activating them.

Plugin( “RT::Extension::QuickDelete” );

Plugin( “RT::Extension::CommandByMail” );

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

and my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, which I would think more important in this case:

=head1 NAME

External Authentication Configuration - Sample configs for LRT::Authen::ExternalAuth

=head1 DESCRIPTION

LRT::Authen::ExternalAuth provides a lot of flexibility

with many configuration options. This file describes these

configuration options and is itself a sample configuration

suitable for dropping into your C<etc/RT_SiteConfig.pm>

file and modifying.

=over 4

=item C<$ExternalAuthPriority>

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

You should remove services you don’t use. For example,

if you’re only using My_LDAP, remove My_MySQL and My_SSO_Cookie.

=cut

Set($ExternalAuthPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                          'My_SSO_Cookie'

                        ]

);

=item C<$ExternalInfoPriority>

When multiple auth services are available, this value defines

the order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once a user record is found, no more services are checked.

You CANNOT use a SSO cookie to retrieve information.

You should remove services you don’t use, but you must define

at least one service.

=cut

Set($ExternalInfoPriority, [ ‘My_LDAP’,

                          'My_MySQL',

                        ]

);

=item C<$ExternalServiceUsesSSLorTLS>

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means LNet::SSLeay.

=cut

Set($ExternalServiceUsesSSLorTLS, 0);

=item C<$AutoCreateNonExternalUsers>

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service. This is useful if you have users outside

your organization who might interface with RT, perhaps by sending

email to a support email address.

=cut

Set($AutoCreateNonExternalUsers, 0);

=item C<$ExternalSettings>

These are the full settings for each external service as a HashOfHashes.

Note that you may have as many external services as you wish. They will

be checked in the order specified in $ExternalAuthPriority and

$ExternalInfoPriority directives above.

The outer structure is a key with the authentication option (name of external

source). The value is a hash reference with configuration keys and values,

for example:

Set($ExternalSettings, {

    MyLDAP => {

        type => 'ldap',

        ... other options ...

    },

    MyMySQL => {

        type => 'db',

        ... other options ...

    },

    ... other sources ...

    } );

As shown above, each description should have ‘type’ defined.

The following types are supported:

=over 4

=item ldap

Authenticate against and sync information with LDAP servers.

See LRT::Authen::ExternalAuth::LDAP for details.

=item db

Authenticate against and sync information with external RDBMS,

supported by Perl’s L interface. See LRT::Authen::ExternalAuth::DBI

for details.

=item cookie

Authenticate by cookie. See LRT::Authen::ExternalAuth::DBI::Cookie

for details.

=back

See the modules noted above for configuration options specific to each type.

The following apply to all types.

=over 4

=item attr_match_list

The list of RT attributes that uniquely identify a user. These values

are used, in order, to find users in the selected authentication

source. Each value specified here must have a mapping in the

L</“attr_map”> section below. You can remove values you don’t

expect to match, but it’s recommended to use ‘Name’ and ‘EmailAddress’

at minimum. For example:

'attr_match_list' => [

    'Name',

    'EmailAddress',

],

You should not use items that can map to multiple users (such as a

RealName or building name).

=item attr_map

Mapping of RT attributes on to attributes in the external source.

Valid keys are attributes of an

LRT::User|http://bestpractical.com/rt/docs/latest/RT/User.html.

The values are attributes from your authentication source.

For example, an LDAP mapping might look like:

'attr_map' => {

    'Name'         => 'sAMAccountName',

    'EmailAddress' => 'mail',

    'Organization' => 'physicalDeliveryOfficeName',

    'RealName'     => 'cn',

    ...

},

=back

=cut

Set($ExternalSettings, {

# AN EXAMPLE DB SERVICE

'My_MySQL'   =>  {

    'type'                      =>  'db',

    'server'                    =>  'server.domain.tld',

    'database'                  =>  'DB_NAME',

    'table'                     =>  'USERS_TABLE',

    'user'                      =>  'DB_USER',

    'pass'                      =>  'DB_PASS',

    'port'                      =>  'DB_PORT',

    'dbi_driver'                =>  'DBI_DRIVER',

    'u_field'                   =>  'username',

    'p_field'                   =>  'password',

    'p_enc_pkg'                 =>  'Crypt::MySQL',

    'p_enc_sub'                 =>  'password',

    'd_field'                   =>  'disabled',

    'd_values'                  =>  ['0'],

    'attr_match_list' =>  [

        'Gecos',

        'Name',

    ],

    'attr_map' => {

        'Name'           => 'username',

        'EmailAddress'   => 'email',

        'ExternalAuthId' => 'username',

        'Gecos'          => 'userID',

    },

},

# AN EXAMPLE LDAP SERVICE

'My_LDAP'       =>  {

    'type'                      =>  'ldap',

    'server'                    =>  '10.201.0.200',

    'user'                      =>  'apacheldap@adknowledge.com<mailto:apacheldap@adknowledge.com>',

    'pass'                      =>  ‘redacted',

    'base'                      =>  'dc=adknowledge,dc=com',

    'filter'                    =>  '(FILTER_STRING)',

    'd_filter'                  =>  '(FILTER_STRING)',

    'group'                     =>  'GROUP_NAME',

    'group_attr'                =>  'GROUP_ATTR',

    'tls'                       =>  0,

    'ssl_version'               =>  3,

    'net_ldap_args'             => [    version =>  3   ],

    'group_scope'               =>  'base',

    'group_attr_value'          =>  'GROUP_ATTR_VALUE',

    'attr_match_list' => [

        'Name',

        'EmailAddress',

        'RealName',

    ],

    'attr_map' => {

        'Name' => 'sAMAccountName',

        'EmailAddress' => 'mail',

        'Organization' => 'physicalDeliveryOfficeName',

        'RealName' => 'cn',

        'ExternalAuthId' => 'sAMAccountName',

        'Gecos' => 'sAMAccountName',

        'WorkPhone' => 'telephoneNumber',

        'Address1' => 'streetAddress',

        'City' => 'l',

        'State' => 'st',

        'Zip' => 'postalCode',

        'Country' => 'co'

    },

},

# An example SSO cookie service

'My_SSO_Cookie'  => {

    'type'                      =>  'cookie',

    'name'                      =>  'loginCookieValue',

    'u_table'                   =>  'users',

    'u_field'                   =>  'username',

    'u_match_key'               =>  'userID',

    'c_table'                   =>  'login_cookie',

    'c_field'                   =>  'loginCookieValue',

    'c_match_key'               =>  'loginCookieUserID',

    'db_service_name'           =>  'My_MySQL'

},

} );

1;

Thanks,
Rezty Felty
Senior Linux Administrator
Adknowledge
816-559-1196

From: Marco Agostini <comunelevico@gmail.commailto:comunelevico@gmail.com>
Date: Wednesday, July 30, 2014 at 11:38 AM
To: Rezty Felty <rfelty@adknowledge.commailto:rfelty@adknowledge.com>
Subject: Re: [rt-users] Difficulty implementing LDAP/AD Authorization

I have a new install of RT 4.2.4 running on Centos 6.4 64 bit with Apache 2.2.15. I have installed RT::Authen::ExternalAuth and Net::LDAP, and have configured my /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm with the right server address and LDAP user and password, and added Set( @Plugins, qw(RT::Authen::ExternalAuth) ); to the file /opt/rt4/etc/RT_SiteConfig.pm. I have restarted https, restarted the entire server, but i continue to see the same results, e.g. I can log in to RT with the default installed root account, but when I try any AD user, it fails, and the error I receive in both /var/log/messages and /var/log/httpd/error_log is the same: “FAILED LOGIN for from (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:811)

Any suggestions on where to begin troubleshooting this would be appreciated.

Use these tool http://jxplorer.org/ to test the parameter that you are using in RT.

Post the content of /opt/rt4/etc/RT_SiteConfig.pm

RT Training - Boston, September 9-10
http://bestpractical.com/training