External Authentication with LDAPS

Hi,

I've installed RT 3.8.7 on Debian Lenny with the manual procedure listed
here: http://wiki.bestpractical.com/view/ExternalAuth

So now I'm trying to configure my RT_SiteConfig.pm to access RT via my LDAPS
server.

This is a part of my configuration:

# PLUGINS:
Set(@Plugins, (qw(
    RT::Extension::MandatorySubject
    RT::Extension::MandatoryRequestor
    RT::Extension::SearchResults::XLS
    RT::Extension::UserDetails
    RT::FM
    RT::IR
    RTx::Tags
    RT::Extension::WatchedQueues
    RT::Extension::ServiceUpdates
    RT::Authen::ExternalAuth
)));

# AUTHENTICATION
Set($ExternalAuthPriority, ['LDAP',]);
Set($ExternalInfoPriority, ['LDAP',]);
Set($ExternalServiceUsesSSLorTLS, 1);

# DATABASES CONFIGURATION
Set($ExternalSettings, {
    'LDAP' => {
        'type'            => 'ldap',
        'server'          => 'ldap.BLANKED',
        'user'            => 'BLANKED',
        'pass'            => 'BLANKED',
        'base'            => 'dc=blanked,dc=fr',
        'filter'          => '(uid=*)',
        'd_filter'        => '(objectClass=foobar)',
        'tls'             => 1,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'GROUP-NAME',
        'group_attr'      => 'GROUP_ATTR',
        'attr_match_list' => 'uid',
        'attr_map'        => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            'Organization'   => '',
            'RealName'       => 'cn',
            'ExternalAuthId' => '',
            'Gecos'          => '',
            'WorkPhone'      => 'telephonenumber',
            'Address1'       => '',
            'City'           => '',
            'State'          => '',
            'Zip'            => '',
            'Country'        => '',
        },
    },
});
1;

When I try to log on, I get a message saying that my username or my
password isn't correct.

In the log file (/var/log/apache2/error.log), I have only:

[Tue Jul 27 14:35:28 2010] [error]: FAILED LOGIN for anthony.brodard from
MY_IP (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

Do you know where the mistake is?

After that, I want to activate a session timeout on RT with mod_perl. Do
you know how I can do that?

Regards,
Anthony BRODARD

Hi,

Try turning on RT’s logging in debug mode. That helped me figure out what
was going on with my ExternalAuth. In the log, before the FAILED line you
should see a few lines showing you if it’s connecting to your LDAP, finding
user etc.

Work from there!
Mike.

On Wed, Jul 28, 2010 at 3:23 AM, Anthony BRODARD <brodard.anthony@gmail.com> wrote:


Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca

Hi Mike, thanks for helping me!

I've turned on RT's debug mode (adding "Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');" to my RT_SiteConfig.pm).

Now, when I try to log in with an LDAP account, these lines are written in my
log file:

[Thu Jul 29 07:46:08 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Thu Jul 29 07:46:08 2010] [debug]: Attempting to use external auth service:
LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Jul 29 07:46:08 2010] [debug]: Calling UserExists with $username
(anthony.brodard) and $service (LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Thu Jul 29 07:46:08 2010] [debug]: UserExists params:
username: anthony.brodard , service: LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Thu Jul 29 07:46:30 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
ldap.[Blanked].fr
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
[Thu Jul 29 07:46:30 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Thu Jul 29 07:46:30 2010] [error]: FAILED LOGIN for anthony.brodard from
[IP] (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

I tried a telnet to the server:

[rt-test]~ # telnet ldap.[Blanked].fr 636
Trying [IP]…
Connected to ldap.[Blanked].fr.
Escape character is '^]'.

Maybe RT uses the default LDAP port (389), not the LDAPS one (636). How can I
check or change it in RT_SiteConfig.pm?

Regards,
Anthony

2010/7/28 Mike Johnson <mike.johnson@nosm.ca>


If you read the ExternalAuth's RT_SiteConfig.pm in
/RTROOT/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm, it shows
you how to set the port you are connecting on.

Set that to the port your LDAP server is listening on.

Good luck
Mike.

On Thu, Jul 29, 2010 at 4:04 AM, Anthony BRODARD <brodard.anthony@gmail.com> wrote:


Oops, looking at it again, I was looking at the MySQL config part, not LDAP.

I think the only way you can adjust what port you are connecting to through
LDAP is specifying whether it's TLS or not (I believe TLS is 636? Google to
confirm).

You said you are supposed to be connecting on 636, so set the tls argument
in your LDAP settings to 1.

Restart Apache and give it a shot.

Good luck!
Mike.

On Thu, Jul 29, 2010 at 8:48 AM, Mike Johnson <mike.johnson@nosm.ca> wrote:


Make sure you reply to the list; it's very important to share all this so others
can learn.

The only thing I could think of is that your LDAP settings are incorrect
somewhere.

Some things I found when I was setting things up:

  1. user = the fully qualified CN of the user (i.e. CN=Mike
     Johnson,OU=Users,OU=mycompany,OU=mydomain,OU=local)
  2. filter and d_filter have to have valid settings
  3. Group/Group_Attr had to have settings.

I was binding to an AD, so I’m not 100% on 3 if it isn’t an AD… but 1 and
2 hold true for any LDAP.

HTH
Mike.

On Thu, Jul 29, 2010 at 9:38 AM, Anthony BRODARD <brodard.anthony@gmail.com> wrote:

TLS argument is already set to 1.

I don't know how to see if it's the LDAP server which refuses the
connection, or if it's another problem.


Hi Mike!

Thanks for your replies.
After I tried what you said in your last mail, I decided to reinstall a
new clean RT and test only the external authentication plugin.

So, this is a part of my new RT_SiteConfig, with your last recommendations:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, { 'My_LDAP' => {
    'type'            => 'ldap',
    'server'          => 'ldap.mydomain',
    'user'            => 'cn=auth,o=others,dc=blanked,dc=fr',
    'pass'            => 'xxxxx',
    'base'            => 'dc=blanked,dc=fr',
    'filter'          => '(uid=*)',
    'd_filter'        => 'objectClass=Nothing',
    'tls'             => 1,
    'ssl_version'     => 3,
    'net_ldap_args'   => [ version => 3 ],
    'group'           => '',   # left blank
    'group_attr'      => '',   # left blank
    'attr_match_list' => ['Name'],
    'attr_map'        => { 'Name' => 'uid' },
    }
});

And in my error-rt.log:

[Mon Aug 2 09:26:09 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
ldap.blank.fr (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
[Mon Aug 2 09:26:09 2010] [error]: FAILED LOGIN for anthony.brodard from
10.1.104.30 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

I don't understand how to set the fields "d_filter", "group" and "group_attr".

Thanks

Anthony BRODARD

2010/7/29 Mike Johnson <mike.johnson@nosm.ca>


And here are some more logs generated with debug:

[Mon Aug 2 12:05:00 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
ldap.blanked.fr (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
[Mon Aug 2 12:05:00 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Aug 2 12:05:00 2010] [error]: FAILED LOGIN for anthony.brodard from
10.1.104.30 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)
[Mon Aug 2 12:05:01 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Aug 2 12:05:01 2010] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 2 12:05:01 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Aug 2 12:05:01 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Aug 2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
Software caused connection abort at
/usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
(/opt/rt3/bin/webmux.pl:168)
[Mon Aug 2 12:05:01 2010] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 2 12:05:01 2010] [debug]: Calling UserExists with $username
(anthony.brodard) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 2 12:05:01 2010] [debug]: UserExists params:
username: anthony.brodard , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 2 12:05:01 2010] [crit]: Apache2::RequestIO::rflush: (103)
Software caused connection abort at
/usr/local/share/perl/5.10.0/HTML/Mason/ApacheHandler.pm line 1020
(/opt/rt3/bin/webmux.pl:168)

2010/7/29 Mike Johnson <mike.johnson@nosm.ca>


filter is your LDAP query string to determine if a particular CN is a user.
If you are connecting to an AD it would be
(&(objectCategory=User)(objectClass=Person))

d_filter is your LDAP query to determine disabled users. If you are
connecting to an AD it would be a bitmask like so:
(userAccountControl:1.2.840.113556.1.4.803:=2)

group is your LDAP CN that all your RT users would be a part of. This
should be the full CN.

group_attr is the attribute of the user CN that determines what groups they
are in. In AD this would be member.

One thing I would test is getting an LDAP browser and connecting using the
same info you are attempting to connect with in RT, verify the user you are
using works…

Then troubleshoot from there…

Good luck!
Mike.

On Mon, Aug 2, 2010 at 8:08 AM, Anthony BRODARD <brodard.anthony@gmail.com> wrote:

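The filter, d_filter, attr_match_list and attr_map settings Mike explains above are combined by the plugin into LDAP search filters at login time. The following is an added example, not code from RT::Authen::ExternalAuth: it models that combination, assuming the filter shape (&(<attribute>=<login>)<filter>), escapes the login value per RFC 4515 so it cannot alter the filter, and checks a settings hash for the mistakes seen in this thread (bind user that is not a DN, unparenthesised d_filter); the sample settings are constructed.

```python
"""Stand-alone model of how ExternalAuth LDAP settings turn into search
filters, plus a sanity check of the settings. Added example; not code from
RT::Authen::ExternalAuth, whose exact filter shape is assumed here."""

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ensure_parenthesised(filt, name="filter"):
    """A component must be wrapped in parentheses before it can be AND-ed."""
    filt = (filt or "").strip()
    if not filt:
        raise ValueError("%s is empty" % name)
    if not (filt.startswith("(") and filt.endswith(")")):
        filt = "(%s)" % filt
    return filt


def user_exists_filters(settings, username):
    """One filter per attr_match_list entry: (&(<ldap attr>=<login>)<filter>).

    Entries are RT field names resolved through attr_map; a bare LDAP
    attribute (the first config in the thread used 'uid') is used as is."""
    attr_map = settings["attr_map"]
    match_list = settings["attr_match_list"]
    if isinstance(match_list, str):
        match_list = [match_list]
    user = escape_filter_value(username)
    base = ensure_parenthesised(settings["filter"], "filter")
    return ["(&(%s=%s)%s)" % (attr_map.get(entry, entry), user, base)
            for entry in match_list]


def disabled_filter(settings, username):
    """Matches only a disabled account: (&(<Name attr>=<login>)<d_filter>)."""
    attr = settings["attr_map"]["Name"]
    d_filter = ensure_parenthesised(settings["d_filter"], "d_filter")
    return "(&(%s=%s)%s)" % (attr, escape_filter_value(username), d_filter)


def validate_settings(settings):
    """Report the configuration mistakes seen in the thread as a list of strings."""
    problems = []
    if "=" not in settings.get("user", ""):
        problems.append("user must be the full bind DN, e.g. cn=auth,o=others,dc=example,dc=fr")
    for key in ("filter", "d_filter"):
        val = (settings.get(key) or "").strip()
        if not val:
            problems.append("%s is empty" % key)
        elif not (val.startswith("(") and val.endswith(")")):
            problems.append("%s is not parenthesised: %s" % (key, val))
    if str(settings.get("port", "")) == "636" and not settings.get("tls"):
        problems.append("port 636 is LDAPS but tls is not set")
    if "Name" not in settings.get("attr_map", {}):
        problems.append("attr_map must map Name to the login attribute")
    return problems


# Constructed sample, shaped like the final working config in the thread.
MY_LDAP = {
    "server": "ldap.domain.tld", "port": "636", "tls": 1,
    "user": "cn=auth,o=others,dc=example,dc=fr",
    "base": "dc=example,dc=fr",
    "filter": "(uid=*)",
    "d_filter": "(objectClass=pwdPolicy)",
    "attr_match_list": ["Name", "EmailAddress"],
    "attr_map": {"Name": "uid", "EmailAddress": "mail"},
}

if __name__ == "__main__":
    for f in user_exists_filters(MY_LDAP, "anthony.brodard"):
        print(f)
    print(disabled_filter(MY_LDAP, "anthony.brodard"))
    print(validate_settings(dict(MY_LDAP, user="BLANKED", d_filter="objectClass=Nothing")))
```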

It works!

I've configured the connection without SSL (port 389) and it works fine.

So, I've modified the file
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm.
I added this Perl module:

use Net::LDAPS;

And modified the function _GetBoundLdapObj (l.422):

sub _GetBoundLdapObj {
    # Config as hashref
    my $config = shift;

    # Figure out what's what
    my $ldap_server  = $config->{'server'};
    my $ldap_port    = $config->{'port'};
    my $ldap_ca_path = $config->{'ca_path'};    # added: CA directory for certificate checks
    my $ldap_user    = $config->{'user'};
    my $ldap_pass    = $config->{'pass'};
    my $ldap_tls     = $config->{'tls'};
    my $ldap_ssl_ver = $config->{'ssl_version'};
    my $ldap_args    = $config->{'net_ldap_args'};

    # added: connect over LDAPS. Net::LDAPS->new() takes the host followed by
    # a key/value option list, so port and capath have to be passed by name;
    # given positionally they are read as a stray key/value pair and ignored
    # (Net::LDAPS then falls back to its default port 636). capath is only
    # consulted when verify => 'optional' or 'require' is also given; the
    # Net::LDAP default is verify => 'none'.
    my $ldap = Net::LDAPS->new(
        $ldap_server,
        port   => $ldap_port,
        capath => $ldap_ca_path,
        @$ldap_args,
    );
    unless ($ldap) {
        $RT::Logger->critical( (caller(0))[3],
                               ": Cannot connect to",
                               $ldap_server );
        return undef;
    }
    # ... remainder of the original function unchanged
}

RT_SiteConfig.pm:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { 'My_LDAP' => {
    'type'            => 'ldap',
    'server'          => 'ldap.domain.tld',
    'port'            => '636',               # added, read by the patched LDAP.pm
    'ca_path'         => '/etc/ssl/certs/',   # added, read by the patched LDAP.pm
    'user'            => 'cn=xxx,o=xxx,dc=xxx,dc=xxx',
    'pass'            => 'xxxxxx',
    'base'            => 'dc=xxx,dc=xxx',
    'filter'          => '(uid=*)',
    'd_filter'        => '(objectClass=pwdPolicy)',
    'tls'             => 1,
    'ssl_version'     => 3,
    'net_ldap_args'   => [ version => 3 ],
    'group'           => '',   # left blank
    'group_attr'      => '',   # left blank
    'attr_match_list' => ['Name', 'EmailAddress'],
    'attr_map'        => { 'Name'         => 'uid',
                           'EmailAddress' => 'mail' },
    }
});

Sincere thanks for your help Mike

Best regards,
Anthony

0/8/3 Mike Johnson mike.johnson@nosm.ca
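The "Cannot connect" log line that ran through this thread never says why the connection failed. The following added check (not RT or Net::LDAP code) opens an LDAPS connection with certificate verification against a CA directory, the role ca_path plays in the patched LDAP.pm above, and classifies the failure so that a wrong port, a missing CA or an unreachable host can be told apart; ldap.domain.tld and /etc/ssl/certs/ are placeholders.

```python
"""Connectivity check for an LDAPS endpoint with CA verification, mirroring
the 'port' and 'ca_path' settings above. Added example, not RT code."""
import socket
import ssl


def make_ldaps_context(capath=None, cafile=None):
    """TLS context that verifies the server certificate and hostname.

    capath plays the role of ca_path in the config; a CA directory is only
    useful when verification is actually switched on."""
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3-era protocols
    return ctx


def classify_failure(exc):
    """Turn a connection or handshake exception into a hint for the admin."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate not trusted: CA missing from ca_path or name mismatch"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: plain LDAP port (389) or protocol mismatch"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: nothing listens on that port"
    if isinstance(exc, socket.timeout):
        return "timed out: host unreachable or filtered"
    if isinstance(exc, socket.gaierror):
        return "hostname does not resolve"
    return "unclassified: %s" % type(exc).__name__


def check_ldaps(host, port=636, capath=None, timeout=5.0):
    """Open a TLS connection to host:port; returns a dict describing the outcome."""
    result = {"host": host, "port": port, "ok": False, "error": None, "hint": None}
    ctx = make_ldaps_context(capath=capath)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["ok"] = True
                result["tls_version"] = tls.version()
                # subject is a tuple of RDNs, each a tuple of (type, value) pairs
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
                result["not_after"] = cert.get("notAfter")
    except Exception as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
        result["hint"] = classify_failure(exc)
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.domain.tld"  # placeholder
    print(check_ldaps(host, 636, capath="/etc/ssl/certs/"))
```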