External Users are not authenticated

Ashrock · September 23, 2010, 4:06pm

Hi,

If anyone can look at my RT_SiteConfig and suggest if I am doing
something wrong. I installed Authen::ExternalAuth and modified UserLocal.pm

I am unable to log in into RT with LDAP Credentials.

Error Log says. _GetBoundObj: Invalid Credentials.

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($WebBaseURL,‘http://10.10.10.10:443’); Set($WebPath,‘’);

Set($DatabaseName, ‘rt3’); Set($DatabaseType, ‘mysql’);

Set($DatbaseUser, ‘rt_user’); Set($DatabasePassword, ‘pass’);

Set($rtname,‘Ticket’); Set($Organization,“http://www.midcontinent.com”);

#Set(@Plugins,(qw(Extension::QuickDelete)));

#Set(@Plguins,(qw(RT::FM)));

Set(@Plugins,(qw(RT::Authen::ExternalAuth)));

#Set($LogToFileNamedl, “rt.log”);

#Set($LogToFile, ‘debug’);

Set($CorrespondAddress, ‘rt-its@midcontinent.com’);

Set($CommentAddress, ‘rt-comment@midcontinent.com’);

@MailCommand , ‘sendmailpipe’;

$SendMailArguments = “-oi -t”;

$SendmailPath = “/usr/sbin/sendmail”;

$SenderMustExistInExternaDatabase = undef;

#Set($MailCommand, ‘sendmail’);

#Set($SendMailArguments, “-bm --rt-its@midcontinent.com”);

#Set($SendmailPath, “/usr/sbin/exim4”);

Set($NotifyActor, 0);

Set($RecordOutgoingEmail, 1);

Set($Timezone, ‘US/Central’);

$WebURL = $WebBaseURL . $WebPath . “/”;

#Set($WebExternalAuth, 1);

#Set($WebFallbackToInternalAuth, true);

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

Should be considered disabled.

Once user info is found, no more services are checked.

Set ($ExternalAuthPriority, [‘My_LDAP’]);

Set ($ExternalInfoPriority, [‘My_LDAP’]);

#Set ($ExternalServiceUsesSSLorTLS, 1);

#If this is set true, then the relevant packages will

#be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set ($AutoCreateNonExternalUsers, 1);

#These are full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

#be checked in the order specified in the Priority directives above.

e.g .

Set($ExternalAuthPriority, [‘My_LDAP’]);

Set($ExternalSettings, {

‘My_LDAP’ =>

{

GENERIC SECTION

The type of service (db/ldap/cookie)

‘type’ => ‘ldap’,

‘server’ => ‘10.10.10.10’,

‘port’ => ‘389’,

Should the service be used for authentication?

‘auth’ => 1,

Should the service be used for information?

‘info’ => 1,

The server hosting the service

#‘server’ => ‘server.midcontinent.local’,

SERVICE-SPECIFIC SECTION

If you can bind to your LDAP server anonymously you should

#remove the user and pass config lines, otherwise specify them here:

The username RT should be used to connect to the LDAP server

‘user’ => ‘CN=rmc, ou=users, ou=midcontinent, ou=local’,

The password RT should use to connect to the LDAP server

‘pass’ => ‘temporarypassword’,

The LDAP search base

‘base’ => ‘dc=server dc=midcontinent, dc=local’,

The filter to use to match RT-Users

#‘filter’ => ‘(uid=*)’,

‘filter’ => ‘(objectclass = Person)’,

The filter that will only match disable users

#‘d_filter’ => ‘(objectClass=pwdPolicy)’,

‘d_filter’ => ‘(userAccountControl : 1.2.840.113556.1.4.803:=2)’,

#‘d_filter’ => ‘(&(objectCategory=person)
(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))’,

Should we try to use TLS to encrypt connections?

‘tls’ => 1,

‘ssl_version’ => 3,

What other args should I pass to Net::LDAP->new($host, @args)?

‘net_ldap_args’ => [version => 3],

Does authentication depend on group membership? What group name?

#‘group’ =>‘’,

#what is the attribute for the group object that determines membership?

#‘group_attr’ => ‘’,

RT ATTRIBUTE MATCHING SECTION

#The list of RT attributes that uniquely identify a user

‘attr_match_list’ => [‘Name’,‘Email Address’],

The mapping of RT attributes on to LDAP attributes

#‘attr_map’ => {‘Name’ => ‘uid’, ‘EmailAddress’ => ‘mail’}

‘attr_map’ => {‘Name’ => ‘sAMAaccountName’,‘EmailAddress’ =>
‘mail’,‘Organization’ => ‘physicalDeliveryOfficeName’,‘RealName’ =>
‘cn’,‘EternalAuthId’=> ‘sAMAccountname’,

‘Gecos’ => ‘sAMAccountName’,‘WorkPhone’ => ‘telephoneNumber’,‘Address1’
=> ‘streetAddress’,‘City’ => ‘1’,‘State’ => ‘st’,‘Zip’ =>
‘postalCode’,‘Country’ => ‘co’

}

);

1;

Ashrock · September 23, 2010, 4:48pm

The exact error i get is this in Apache:
[critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot
connect to server.midcontinent.local
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:440)
[error]: FAILED LOGIN for rmc from 10.10.10.12
(/opt/rt3/share/html/autohandler:265)

Is it a common error ?
I checked previous posts, but could figure out where i have configured
wrong.

Any help appreciated. Thanks.On 9/23/2010 11:06 AM, Ashrock wrote:

Hi,

If anyone can look at my RT_SiteConfig and suggest if I am doing
something wrong. I installed Authen::ExternalAuth and modified
UserLocal.pm

I am unable to log in into RT with LDAP Credentials.

Error Log says. _GetBoundObj: Invalid Credentials.

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($WebBaseURL,‘http://10.10.10.10:443’); Set($WebPath,‘’);

Set($DatabaseName, ‘rt3’); Set($DatabaseType, ‘mysql’);

Set($DatbaseUser, ‘rt_user’); Set($DatabasePassword, ‘pass’);

Set($rtname,‘Ticket’); Set($Organization,“http://www.midcontinent.com”);

#Set(@Plugins,(qw(Extension::QuickDelete)));

#Set(@Plguins,(qw(RT::FM)));

Set(@Plugins,(qw(RT::Authen::ExternalAuth)));

#Set($LogToFileNamedl, “rt.log”);

#Set($LogToFile, ‘debug’);

Set($CorrespondAddress, ‘rt-its@midcontinent.com’);

Set($CommentAddress, ‘rt-comment@midcontinent.com’);

@MailCommand , ‘sendmailpipe’;

$SendMailArguments = “-oi -t”;

$SendmailPath = “/usr/sbin/sendmail”;

$SenderMustExistInExternaDatabase = undef;

#Set($MailCommand, ‘sendmail’);

#Set($SendMailArguments, “-bm --rt-its@midcontinent.com”);

#Set($SendmailPath, “/usr/sbin/exim4”);

Set($NotifyActor, 0);

Set($RecordOutgoingEmail, 1);

Set($Timezone, ‘US/Central’);

$WebURL = $WebBaseURL . $WebPath . “/”;

#Set($WebExternalAuth, 1);

#Set($WebFallbackToInternalAuth, true);

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

Should be considered disabled.

Once user info is found, no more services are checked.

Set ($ExternalAuthPriority, [‘My_LDAP’]);

Set ($ExternalInfoPriority, [‘My_LDAP’]);

#Set ($ExternalServiceUsesSSLorTLS, 1);

#If this is set true, then the relevant packages will

#be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set ($AutoCreateNonExternalUsers, 1);

#These are full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

#be checked in the order specified in the Priority directives above.

e.g .

Set($ExternalAuthPriority, [‘My_LDAP’]);

Set($ExternalSettings, {

‘My_LDAP’ =>

{

GENERIC SECTION

The type of service (db/ldap/cookie)

‘type’ => ‘ldap’,

‘server’ => ‘10.10.10.10’,

‘port’ => ‘389’,

Should the service be used for authentication?

‘auth’ => 1,

Should the service be used for information?

‘info’ => 1,

The server hosting the service

#‘server’ => ‘server.midcontinent.local’,

SERVICE-SPECIFIC SECTION

If you can bind to your LDAP server anonymously you should

#remove the user and pass config lines, otherwise specify them here:

The username RT should be used to connect to the LDAP server

‘user’ => ‘CN=rmc, ou=users, ou=midcontinent, ou=local’,

The password RT should use to connect to the LDAP server

‘pass’ => ‘temporarypassword’,

The LDAP search base

‘base’ => ‘dc=server dc=midcontinent, dc=local’,

The filter to use to match RT-Users

#‘filter’ => ‘(uid=*)’,

‘filter’ => ‘(objectclass = Person)’,

The filter that will only match disable users

#‘d_filter’ => ‘(objectClass=pwdPolicy)’,

‘d_filter’ => ‘(userAccountControl : 1.2.840.113556.1.4.803:=2)’,

#‘d_filter’ => ‘(&(objectCategory=person)
(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))’,

Should we try to use TLS to encrypt connections?

‘tls’ => 1,

‘ssl_version’ => 3,

What other args should I pass to Net::LDAP->new($host, @args)?

‘net_ldap_args’ => [version => 3],

Does authentication depend on group membership? What group name?

#‘group’ =>‘’,

#what is the attribute for the group object that determines membership?

#‘group_attr’ => ‘’,

RT ATTRIBUTE MATCHING SECTION

#The list of RT attributes that uniquely identify a user

‘attr_match_list’ => [‘Name’,‘Email Address’],

The mapping of RT attributes on to LDAP attributes

#‘attr_map’ => {‘Name’ => ‘uid’, ‘EmailAddress’ => ‘mail’}

‘attr_map’ => {‘Name’ => ‘sAMAaccountName’,‘EmailAddress’ =>
‘mail’,‘Organization’ => ‘physicalDeliveryOfficeName’,‘RealName’ =>
‘cn’,‘EternalAuthId’=> ‘sAMAccountname’,

‘Gecos’ => ‘sAMAccountName’,‘WorkPhone’ =>
‘telephoneNumber’,‘Address1’ => ‘streetAddress’,‘City’ => ‘1’,‘State’
=> ‘st’,‘Zip’ => ‘postalCode’,‘Country’ => ‘co’

}

}

}

);

1;

Kevin_Falcone · September 23, 2010, 4:53pm

The exact error i get is this in Apache:
[critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
server.midcontinent.local
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:440)
[error]: FAILED LOGIN for rmc from 10.10.10.12 (/opt/rt3/share/html/autohandler:265)

Is it a common error ?
I checked previous posts, but could figure out where i have configured wrong.

Connecting to this server with this username and password is not
working.

 'server' => '10.10.10.10',
 'user' => 'CN=rmc, ou=users, ou=midcontinent, ou=local',
 'pass' => 'temporarypassword',

You need to verify that you can connect to that host with that user
and password from the RT host.

-kevin

Ashrock · September 23, 2010, 5:19pm

Do the user and the password need to be of an Administrator ?

Now the new error messages says, It Can’t Bind, Invalid credentials.On 9/23/2010 11:53 AM, Kevin Falcone wrote:

On Thu, Sep 23, 2010 at 11:48:03AM -0500, Ashrock wrote:
The exact error i get is this in Apache:
 [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
server.midcontinent.local
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:440)
 [error]: FAILED LOGIN for rmc from 10.10.10.12 (/opt/rt3/share/html/autohandler:265)

Is it a common error ?
I checked previous posts, but could figure out where i have configured wrong.
Connecting to this server with this username and password is not
working.
  'server' =>  '10.10.10.10',
  'user' =>  'CN=rmc, ou=users, ou=midcontinent, ou=local',
  'pass' =>  'temporarypassword',
You need to verify that you can connect to that host with that user
and password from the RT host.

-kevin

RT Training in Washington DC, USA on Oct 25& 26 2010
Last one this year – Learn how to get the most out of RT!

Gary_Greene1 · September 23, 2010, 5:41pm

Can you bind to that server using that account using ldapsearch? If so,
verify if you¹re using TLS or GSSAPI for the bind. If that is the case,
you¹ll need to modify your configuration for RT accordingly. If not, then
talk to your LDAP admin to work through the LDAP access first.On 23/9/10 10:19 AM, “Ashrock” mdashraf.ash@gmail.com wrote:

Do the user and the password need to be of an Administrator ?

Now the new error messages says, It Can’t Bind, Invalid credentials.

On 9/23/2010 11:53 AM, Kevin Falcone wrote:
On Thu, Sep 23, 2010 at 11:48:03AM -0500, Ashrock wrote:

The exact error i get is this in Apache:
[critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot
connect to
server.midcontinent.local

(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LD
AP.pm:440)
[error]: FAILED LOGIN for rmc from 10.10.10.12
(/opt/rt3/share/html/autohandler:265)

Is it a common error ?
I checked previous posts, but could figure out where i have configured
wrong.

Connecting to this server with this username and password is not
working.
 'server' => '10.10.10.10',
 'user' => 'CN=rmc, ou=users, ou=midcontinent, ou=local',
 'pass' => 'temporarypassword',
You need to verify that you can connect to that host with that user
and password from the RT host.

-kevin

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year – Learn how to get the most out of RT!
RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year – Learn how to get the most out of RT!

Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Office: (408) 240-1239

smime.p7s (2.4 KB)