External Auth config with RT on Debian

Hi All,

I have run into a wits'-end situation and am now going to ask the experts. I
have been given the task of standing up RT for my company. So far that part
has gone ok. I am able to get to the login page and log in with the local ROOT
account. That part is working. I have even played around with theme colors
to match my company's color scheme etc. etc. It was brought to my attention
that we need to integrate AD authentication into RT. In doing that I
reached out to Google and found what I had thought to be some promising
information. I downloaded and installed the RT::Authen::ExternalAuth plugin
by doing the following:

cpan -i RT::Authen::ExternalAuth

It ran and I entered the path it wanted for RT.pm and away it went. It
made and installed like it should. I then took the sample
RT_SiteConfig.pm in /usr/share/local/request-tracker4/plugins/xxxx and
copied it to /etc/request-tracker4/RT_SiteConfig.d/external auth. I then
made that file look like this:

Default settings till here…
#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));

#External Auth Settings

Set($ExternalAuthPriority, [ 'My_LDAP', ] );
Set($ExternalInfoPriority, [ 'My_LDAP', ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'dc2.xxxxxx.com',
        # Bind account used to look users up before their own password is checked
        'user'     => 'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
        'pass'     => 'xxxxxxx',
        'base'     => 'dc=xxxx,dc=com',
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # Disabled users: ACCOUNTDISABLE bit (2) set in userAccountControl,
        # tested with the LDAP_MATCHING_RULE_BIT_AND rule; the extensible
        # match syntax is 'attr:oid:=value' (the ':' before '=' is required)
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Only members of this group may log in
        'group'    => 'cn=Domain Users,ou=Groups_Security,dc=xxxxx,dc=com',
        'group_attr' => 'member',
        # 0 = no STARTTLS; port 3268 is the unencrypted AD global catalog, so
        # the bind credentials and user passwords cross the wire in the clear
        'tls'      => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3, port => 3268 ],
        'group_scope' => 'base',
        # Still the sample's placeholder: the user attribute compared against
        # the group's 'member' values (AD stores DNs there, hence usually 'dn')
        'group_attr_value' => 'GROUP_ATTR_VALUE',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
    # An example SSO cookie service (left from the sample; unused, since it
    # is not listed in $ExternalAuthPriority)
    'My_SSO_Cookie' => {
        'type'            => 'cookie',
        'name'            => 'loginCookieValue',
        'u_table'         => 'users',
        'u_field'         => 'username',
        'u_match_key'     => 'userID',
        'c_table'         => 'login_cookie',
        'c_field'         => 'loginCookieValue',
        'c_match_key'     => 'loginCookieUserID',
        'db_service_name' => 'My_MySQL',
    },
} );

1;

I then use update-rt-siteconfig to merge these settings into
RT_SiteConfig.pm. From what I read this is all correct and "should" allow AD
accounts to log in. Here is what is being logged in the apache2 error log:

[Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for jsolberg@xxxxxx.com from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Fri Jun 28 19:02:52 2013] [info]: Successful login for root from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)

Notice the SUCCESSFUL login from ROOT. I really hope I am just missing
something really simple, but from what I can see it's not even sending the
request to the AD server, as I can type in the wrong password 10 times and it
is not locking the account out. I have other servers configured to use LDAP
and using the same bind account, so I know my LDAP settings are correct. I
have tried more than one AD account to no avail. I installed all the Request
Tracker components via apt-get install. PLEASE HELP!

Thanks.

Jeff

View this message in context: http://requesttracker.8502.n7.nabble.com/External-Auth-config-with-RT-on-Debian-tp54486.html


Navigate to Tools → Configuration → System Configuration and check
that Plugins contains RT::Authen::ExternalAuth.

-kevin


Thanks for your reply. In the sys config it shows the following under PLUGINS:

Plugins [
‘RT::Authen::ExternalAuth’
]

Jeff



Great - now go make sure your $LogToScreen is set to ‘debug’ and log
in again.

root will always be able to log in because it has a local password
set, you’re more concerned about getting useful debugging messages for
your jsolberg user.

-kevin


Do I just add the $SetToLog options anywhere in the RT_SiteConfig.pm?



Added the following to my site config:

#logging
Set($LogToSyslog, '');
Set($LogToScreen, 'debug');
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed, "rt.log"); #log to rt.log

end /etc/request-tracker4/RT_SiteConfig.d/logging

And restarted apache2. I tried to log in with a domain account and this is what is being logged to rt.log:

root@admin-rt4:/var/log/request-tracker4# cat rt.log
[Mon Jul 1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
[Mon Jul 1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Mon Jul 1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul 1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul 1 17:53:05 2013] [error]: FAILED LOGIN for jsolberg@xxxxx.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

My guess is the debugging options are not telling us much :(

Jeff


Jeff
I put mine at the beginning, but I am pretty sure it does not matter.

Don’t forget when you make changes to this config you need to restart Apache.

Thanks
Bryon Baker
Network Operations Manager
Copesan - Specialists in Pest Solutions
800-267-3726 . 262-783-6261 ext. 2296
bbaker@copesan.com

"Servicing North America with Local Care"


Added the following to my site config:

Go back to the System Configuration page and confirm that you see
these settings being read by RT.

If you have the plugin installed and the logging configured, then it
isn't being run. The next things to check are permissions: can the
webserver read the callbacks provided by the extension, and are they
being run?

-kevin


Kevin,

In System Configuration in the Web UI I show the following being read in RT.

LogToFile        'debug'                     site config
LogToFileNamed   'rt.log'                    site config
LogToScreen      'debug'                     site config
LogToSyslog      ''                          site config
Plugins          'RT::Authen::ExternalAuth'  site config

Then under loaded Perl Modules I see

RT::Authen::ExternalAuth 0.16 /usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm

I would definitely agree with you that the plugin is not being run, because I have done TCP packet dumps as I was logging in and there is no activity being sent to my LDAP server/DC. Oddly enough, one would think that with the debugging set it would be telling me something. As I stated earlier, the only message being logged in RT.LOG is the FAILED LOGON message. I will look at the permissions on the plugin. Should it be readable by www-data? Thanks again for your help on this. I really need to get this working so I can then move on to the next phase and tailor it to my company's needs.

Jeff






It should be readable by the user your webserver runs as.
Clearly the perl module loads, but the Mason components (under the
html directory in the plugin) don’t seem to be running.

There will be no extra debugging unless the plugin is running.

-kevin
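A check for Kevin's permission point, as an added example that is not from the thread or the RT project: it lists what an unprivileged reader cannot reach under the plugin tree (the path is the one Jeff's System Configuration page reported) and grants only read and traverse bits, never write. It assumes the web server user is neither the owner nor in the owning group of the root-owned files, so the "other" bits decide.

```shell
#!/bin/sh
# Added example (not RT's or the plugin's own code). Checks whether the
# RT::Authen::ExternalAuth tree (lib/ and the Mason components under html/)
# is readable by an unprivileged user such as www-data.
#
# Assumption: the web server user is not the owner and not in the owning
# group of these root-owned files, so only the "other" permission bits count.
PLUGIN_DIR="${PLUGIN_DIR:-/usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth}"

# List entries that block an unprivileged reader: directories without o+rx
# (cannot be traversed or listed) and files without o+r (cannot be read).
find_unreadable() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) | LC_ALL=C sort
}

# Least-privilege fix: o+rx on directories, o+r on files, no write bit, so
# the web server process can load the plugin but cannot alter its code.
grant_read_only() {
    find "$1" -type d -exec chmod o+rx '{}' +
    find "$1" -type f -exec chmod o+r '{}' +
}

# Kevin's second point: the Mason components must exist at all.
has_mason_components() {
    [ -d "$1/html" ]
}

if [ -d "$PLUGIN_DIR" ]; then
    echo "Entries under $PLUGIN_DIR not readable by others:"
    find_unreadable "$PLUGIN_DIR"
    has_mason_components "$PLUGIN_DIR" || echo "no html/ directory: Mason components missing"
fi
```

Run `find_unreadable` first; an empty listing means permissions are not what keeps the callbacks from running.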

I have ran into a wits end situation

Apologize in advance if you’ve already looked into this possibility:

    'attr_match_list' => [
        'Name',
        'EmailAddress',
        'RealName',
    ],

Have you checked if this is really what you want? Quoting from Thomas
Sibley's documentation for the ExternalAuth module at:

"Once installed, you should view the file:

3.4/3.6   $RTHOME/local/etc/ExternalAuth/RT_SiteConfig.pm
3.8       $RTHOME/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm"

Quoting from that file:

RT ATTRIBUTE MATCHING SECTION

The list of RT attributes that uniquely identify a user
This example shows what you can specify… I recommend reducing this
to just the Name and EmailAddress to save encountering problems later.

So, my question is: have you tried reducing attr_match_list? (Again,
sorry if you did and I just missed it.)

Nathan


After opening up the permissions on the directory where the External Auth plugin lives (/usr/local/share/request-tracker4/) to my apache user, I am now able to get logged into RT with an AD user!!! Prior to doing this root owned all these directories with only read permissions…

And looking at the logs I am now seeing a ton of chatter relating to this. Thanks for all your help.

Jeff


After opening up the permissions on the directory where the External Auth plugin lives (/usr/local/share/request-tracker4/) to my apache user, I am now able to get logged into RT with an AD user!!! Prior to doing this root owned all these directories with only read permissions…

Excellent news.

And looking at the logs I am now seeing a ton of chatter relating to this. Thanks for all your help.

If you change the loglevel to “info” the amount of chatter goes way
down and you still get useful information.

Nathan