External Auth using Active Directory 2008

I am new to RT, just set up a 4.0.4 server this week.
I am using CentOS 6.2 64 bit.
MySQL
Apache

I used Ken Prickett’s CentOS5InstallPlus Some WIKI instructions and made the necessary mods to get things working, so to speak.

I am using the RT_SiteConfig.pm provided in the install doc. The only change I made was to add my information.

The problem I am having is strange.
I have added several users into the RTUsers group I set up in AD.
The AD Administrator, a common Domain User called Test.Account that is located in the OU with all my other users, my personal account also located in the OU with all the other users and an alternate administrative account I use.

I can logon to RT with the AD Administrator account. I can logon to RT with the Test.Account and I can log in using my alternate account. But I cannot logon using my personal account. I also had my assistant test with her account and she cannot log on.
I have studied the problem and cannot find anything unique about the accounts that cannot logon.

Has anyone seen this problem before?

Van Howell
System Administrator
Lubbock Christian University

We really need to see your configuration for RT-Authen-ExternalAuth
and your logs for the failed login, turned up to debug.

-kevin

cat RT_SiteConfig.pm

Set($ExternalAuthPriority, [ 'My_LDAP', ] );
Set($ExternalInfoPriority, [ 'My_LDAP', ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'zeus.mydomain.edu',
        'user'            => 'CN=LDAPRT,OU=CampusServices,DC=mydomain,DC=mydomain,DC=edu',
        'pass'            => '*********',
        'base'            => 'DC=mydomain,DC=mydomain,DC=edu',

        'filter'          => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'tls'             => 0,
        'ssl_version'     => 3,

        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'CN=RTUsers,OU=CampusServices,DC= mydomain,DC=mydomain,DC=edu',
        'group_attr'      => 'member',

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);

1;
EOF

I do not have Debugging turned on. I am going to need some help turning it on since this is new to me.

Here are some errors from /var/log/messages…

This is a failed attempt…

Feb 1 16:02:25 localhost RT: My_LDAP AUTH FAILED mary.servantez (can’t bind: LDAP_INVALID_CREDENTIALS 49 ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:82)
Feb 1 16:02:25 localhost RT: FAILED LOGIN for mary.servantez from 10.1.41.95 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Here is a successful attempt…

Feb 2 10:14:02 localhost RT: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): test.account (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:139)
Feb 2 10:14:02 localhost RT: Couldn’t enable user 28 (/opt/rt4/sbin/…/lib/RT/User.pm:1066)
Feb 2 10:14:02 localhost RT: User marked as ENABLED ( test.account ) per External Service (, ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:274)
Feb 2 10:14:02 localhost RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: test.account@LCU.EDU, ExternalAuthId: test.account, Gecos: test.account, Name: test.account, Organization: , RealName: Test Account, State: , WorkPhone: , Zip: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Feb 2 10:14:02 localhost RT: Successful login for test.account from 10.1.5.9 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)

Van Howell
System Administrator
Lubbock Christian University

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Wednesday, February 01, 2012 5:33 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

We really need to see your configuration for RT-Authen-ExternalAuth and your logs for the failed login, turned up to debug.

-kevin

Since you’re seeing these in /var/log/messages I assume you’re using
the syslog configuration.

You want to read about LogToSyslog in etc/RT_Config.pm then copy that
setting to RT_SiteConfig.pm and change it to debug.

Restart RT and try the failed login again.

-kevin

I added Set($LogToSyslog, "debug"); to my RT_SiteConfig.pm file.
I don’t seem to be getting any more logging.
I restarted the httpd service, didn’t see any more logging so I restarted the server.

This is the entire tail of the messages log…

[root@OpenNMS etc]# tail /var/log/messages
Feb 2 11:56:45 localhost abrtd: Dump directory is a duplicate of /var/spool/abrt/ccpp-2012-02-01-14:08:36-18683
Feb 2 11:56:45 localhost abrtd: Deleting dump directory ccpp-2012-02-02-11:54:56-2567 (dup of ccpp-2012-02-01-14:08:36-18683), sending dbus signal
Feb 2 12:00:42 localhost RT: The actual HTTP_HOST (192.168.1.200) does NOT match the configured WebDomain (lcu.edu). Perhaps you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:05:43 localhost RT: The actual HTTP_HOST (192.168.1.200) does NOT match the configured WebDomain (lcu.edu). Perhaps you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:10:44 localhost RT: The actual HTTP_HOST (192.168.1.200) does NOT match the configured WebDomain (helpdesk.lcu.edu). Perhaps you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:14:00 localhost RT: My_LDAP AUTH FAILED: van.howell (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Feb 2 12:14:00 localhost RT: FAILED LOGIN for van.howell from 10.1.5.9 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)
Feb 2 12:15:45 localhost RT: The actual HTTP_HOST (192.168.1.200) does NOT match the configured WebDomain (helpdesk.lcu.edu). Perhaps you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:16:16 localhost RT: My_LDAP AUTH FAILED: van.howell (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Feb 2 12:16:16 localhost RT: FAILED LOGIN for van.howell from 10.1.5.9 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Thanks for helping with this.

Van Howell
System Administrator
Lubbock Christian University

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, February 02, 2012 11:17 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

Since you’re seeing these in /var/log/messages I assume you’re using the syslog configuration.

You want to read about LogToSyslog in etc/RT_Config.pm then copy that setting to RT_SiteConfig.pm and change it to debug.

Restart RT and try the failed login again.

-kevin

Unfortunately - it seems you have syslog itself set to discard debug
messages. You can try turning up $LogToScreen to debug and then check
your webserver logs instead of your syslog logs.

-kevin

Here is the Apache Log from my last login attempt…

[Fri Feb 3 18:02:40 2012] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Fri Feb 3 18:02:40 2012] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Fri Feb 3 18:02:40 2012] [debug]: LDAP Search === Base: DC=xxxxxx,DC=xxx,DC=edu == Filter: (&(sAMAccountName=van.howell)(&(ObjectCategory=User)(ObjectClass=Person))) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Fri Feb 3 18:02:40 2012] [debug]: Found LDAP DN: CN=Howell, Van,OU=Staff,OU=LCU,DC=xxxxxx,DC=xxx,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Fri Feb 3 18:02:40 2012] [debug]: LDAP Search === Base: DC=xxxxxx,DC=xxx,DC=edu == Filter: (member=CN=Howell, Van,OU=Staff,OU=LCU,DC=xxxxxx,DC=xxx,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Fri Feb 3 18:02:40 2012] [info]: My_LDAP AUTH FAILED: van.howell (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Fri Feb 3 18:02:40 2012] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Fri Feb 3 18:02:40 2012] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Fri Feb 3 18:02:40 2012] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Fri Feb 3 18:02:40 2012] [error]: FAILED LOGIN for van.howell from 10.1.5.9 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Van Howell
System Administrator
Lubbock Christian University

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Friday, February 03, 2012 11:32 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

Unfortunately - it seems you have syslog itself set to discard debug messages. You can try turning up $LogToScreen to debug and then check your webserver logs instead of your syslog logs.

-kevin

RT Training Sessions (http://bestpractical.com/services/training.html)

  • Boston March 5 & 6, 2012

One more thing,
It’s like it is not sending the password to AD at all. I can type a random password multiple times and it does not lock my account.

Van Howell
System Administrator
Lubbock Christian University

Here is the debug log for a successful attempt…

[Fri Feb 3 18:20:32 2012] [warning]: Couldn’t enable user 28 (/opt/rt4/sbin/…/lib/RT/User.pm:1066)
[Fri Feb 3 18:20:32 2012] [info]: User marked as ENABLED ( test.account ) per External Service (, ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:274)
[Fri Feb 3 18:20:32 2012] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 553 with: Name: test.account (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri Feb 3 18:20:32 2012] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri Feb 3 18:20:32 2012] [debug]: Attempting to use this canonicalization key: Name (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri Feb 3 18:20:32 2012] [debug]: LDAP Search === Base: DC=xxxxxx,DC=xxx,DC=edu == Filter: (&(&(ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=test.account)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Fri Feb 3 18:20:32 2012] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: test.account@LCU.EDU, ExternalAuthId: test.account, Gecos: test.account, Name: test.account, Organization: , RealName: Test Account, State: , WorkPhone: , Zip: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Fri Feb 3 18:20:32 2012] [debug]: UPDATED user ( test.account ) from External Service (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:307)
[Fri Feb 3 18:20:32 2012] [info]: Successful login for test.account from 10.1.5.9 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)
[Fri Feb 3 18:20:32 2012] [debug]: Autohandler called ExternalAuth. Response: (1, Successful login) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

Van Howell
System Administrator
Lubbock Christian UniversityFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Friday, February 03, 2012 11:32 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

I added Set($LogToSyslog, “debug”); to my RT_SiteConfig.pm file I
don’t seem to be getting an more logging.
I restarted the httpd service, didn’t see any more logging so I restarted the server.

Unfortunately - it seems you have syslog itself set to discard debug messages. You can try turning up $LogToScreen to debug and then check your webserver logs instead of your syslog logs.

-kevin

This is the entire tail of the messages log…

[root@OpenNMS etc]# tail /var/log/messages Feb 2 11:56:45 localhost
abrtd: Dump directory is a duplicate of
/var/spool/abrt/ccpp-2012-02-01-14:08:36-18683
Feb 2 11:56:45 localhost abrtd: Deleting dump directory
ccpp-2012-02-02-11:54:56-2567 (dup of ccpp-2012-02-01-14:08:36-18683),
sending dbus signal Feb 2 12:00:42 localhost RT: The actual HTTP_HOST
(192.168.1.200) does NOT match the configured WebDomain (lcu.edu).
Perhaps you should Set($WebDomain, ‘192.168.1.200’); in
RT_SiteConfig.pm, otherwise your internal links may be broken.
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:05:43 localhost RT: The actual HTTP_HOST (192.168.1.200)
does NOT match the configured WebDomain (lcu.edu). Perhaps you should
Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm, otherwise your
internal links may be broken.
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:10:44 localhost RT: The actual HTTP_HOST (192.168.1.200)
does NOT match the configured WebDomain (helpdesk.lcu.edu). Perhaps
you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm,
otherwise your internal links may be broken.
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:14:00 localhost RT: My_LDAP AUTH FAILED: van.howell
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalA
uth/LDAP.pm:127) Feb 2 12:14:00 localhost RT: FAILED LOGIN for
van.howell from 10.1.5.9
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)
Feb 2 12:15:45 localhost RT: The actual HTTP_HOST (192.168.1.200)
does NOT match the configured WebDomain (helpdesk.lcu.edu). Perhaps
you should Set($WebDomain, ‘192.168.1.200’); in RT_SiteConfig.pm,
otherwise your internal links may be broken.
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1087)
Feb 2 12:16:16 localhost RT: My_LDAP AUTH FAILED: van.howell
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalA
uth/LDAP.pm:127) Feb 2 12:16:16 localhost RT: FAILED LOGIN for
van.howell from 10.1.5.9
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Thanks for helping with this.

Van Howell
System Administrator
Lubbock Christian University

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin
Falcone
Sent: Thursday, February 02, 2012 11:17 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

I do not have Debugging turned on. I am going to need some help turning it on since this is new to me.

Here are some errors from /var/log/messages…

This is a failed attempt…

Feb 1 16:02:25 localhost RT: My_LDAP AUTH FAILED mary.servantez
(can’t bind: LDAP_INVALID_CREDENTIALS 49 )
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/Externa
lA
uth/LDAP.pm:82) Feb 1 16:02:25 localhost RT: FAILED LOGIN for
mary.servantez from 10.1.41.95
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

Here is a successful attemt…

Feb 2 10:14:02 localhost RT: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): test.account (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:139)
Feb 2 10:14:02 localhost RT: Couldn’t enable user 28 (/opt/rt4/sbin/…/lib/RT/User.pm:1066)
Feb 2 10:14:02 localhost RT: User marked as ENABLED ( test.account ) per External Service (, ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:274)
Feb 2 10:14:02 localhost RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: test.account@LCU.EDU, ExternalAuthId: test.account, Gecos: test.account, Name: test.account, Organization: , RealName: Test Account, State: , WorkPhone: , Zip: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Feb 2 10:14:02 localhost RT: Successful login for test.account from 10.1.5.9 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:219)

Since you’re seeing these in /var/log/messages I assume you’re using the syslog configuration.

You want to read about LogToSyslog in etc/RT_Config.pm then copy that setting to RT_SiteConfig.pm and change it to debug.

Restart RT and try the failed login again.

-kevin


I would use ldapsearch on that machine to make sure you can bind to
the AD server using the login credentials in your Site_Config. Make
sure you are using the proper certificates to connect via the TLS you
have configured. I’ve noticed that being one of the biggest problems
with ldap and Windows 2008 and 2008 R2 AD servers.

james

Here is the Apache Log from my last login attempt…

[Fri Feb 3 18:02:40 2012] [debug]: Found LDAP DN: CN=Howell, Van,OU=Staff,OU=LCU,DC=xxxxxx,DC=xxx,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)

There was a bug reported about commas in DNs causing problems, I
wonder if you’re running afoul of that (note that your testuser has a
different CN).

You can try with 0.09_02 which my colleague released last week and is
available on CPAN. It contains a bugfix for this.

-kevin
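
The reply above points at commas in DNs. As an added illustration (not code from this thread or from RT-Authen-ExternalAuth, and not a description of what 0.09_02 changed), this standard-library Python example shows the two escaping layers that apply when a DN whose CN contains a comma becomes the value of a `(member=...)` filter: RFC 4514 escaping inside the DN, then RFC 4515 escaping of the filter value. The function names and the `DC=example,DC=edu` components are assumptions.

```python
# Added illustration (not RT-Authen-ExternalAuth code): the two escaping layers
# for a DN that is used as the value of a group-membership search filter.
import re

DN_SPECIALS = set(',+"\\<>;')  # RFC 4514 characters that need a backslash

def escape_dn_value(value):
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        if ch in DN_SPECIALS or leading or trailing:
            out.append("\\" + ch)
        else:
            out.append("\\00" if ch == "\x00" else ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def split_rdns(dn):
    """Split a DN string into RDNs on unescaped commas only."""
    return re.findall(r"(?:\\.|[^,\\])+", dn)

def member_filter(cn, parents, attr="member"):
    """Build the DN for `cn` under `parents` and the filter that matches it."""
    dn = ",".join(["CN=" + escape_dn_value(cn)] + parents)
    return dn, "(%s=%s)" % (attr, escape_filter_value(dn))

# Constructed sample shaped like the DN in the log; the DC values are placeholders.
PARENTS = ["OU=Staff", "OU=LCU", "DC=example", "DC=edu"]

def demo():
    dn, flt = member_filter("Howell, Van", PARENTS)
    naive = "CN=Howell, Van," + ",".join(PARENTS)  # comma left unescaped
    return {"dn": dn, "filter": flt,
            "rdns_escaped": len(split_rdns(dn)),
            "rdns_naive": len(split_rdns(naive))}

if __name__ == "__main__":
    print(demo())
```

With the comma escaped the DN parses as five RDNs; left unescaped, the same string parses as six, so a directory server no longer sees the entry the filter was meant to match.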

I ran the install again. The version it put on is 0.09
FALCONE/RT-Authen-ExternalAuth-0.09.tar.gz

Not the new version. I still have the same problem.

I shelled into CPAN
perl -MCPAN -e shell

then I ran
install RT::Authen::ExternalAuth

Is there a different way?

Sorry for the dumb questions, but I’m new to this.

Van

From: rt-users-bounces@lists.bestpractical.com [rt-users-bounces@lists.bestpractical.com] on behalf of Kevin Falcone [falcone@bestpractical.com]
Sent: Friday, February 03, 2012 1:05 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] External Auth using Active Directory 2008

[Fri Feb 3 18:02:40 2012] [debug]: LDAP Search === Base: DC=xxxxxx,DC=xxx,DC=edu == Filter: (member=CN=Howell, Van,OU=Staff,OU=LCU,DC=xxxxxx,DC=xxx,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Fri Feb 3 18:02:40 2012] [info]: My_LDAP AUTH FAILED: van.howell (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Fri Feb 3 18:02:40 2012] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Fri Feb 3 18:02:40 2012] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Fri Feb 3 18:02:40 2012] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Fri Feb 3 18:02:40 2012] [error]: FAILED LOGIN for van.howell from 10.1.5.9 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)

To install a development release, you either need to fully specify the
path in the CPAN shell (something like
T/TS/TSIBLEY/RT-Authen-ExternalAuth-0.09_02.tar.gz ) or go to
http://search.cpan.org or http://metacpan.org and find and download
the development tarball and install it manually.

-kevin