ExternalAuth doesn't work

Robert_Wysocki · March 3, 2011, 2:58pm

Hi there,

I have a problem with ExternalAuth - it doesn’t work at all.
Actually, when I run tcpdump against the ip of LDAP server, I can’t see
any packets going through.

There is no firewall between those two.
Here’s my RT_SiteConfig:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [
‘LDAP1’,
‘LDAP2’
]
);

Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
# AN EXAMPLE LDAP SERVICE
’LDAP1’ => {
‘type’ => ‘ldap’,
‘server’ => ‘192.168.X.Y:3268’,
‘user’ => ‘CN=ldapauth,CN=Users,DC=path’,
‘pass’ => ‘pass’,
‘base’ => ‘DC=path’,
‘filter’ => ‘(objectclass=user)’,
‘d_filter’ => ‘(employmentStatus=Terminated)’,
‘tls’ => 1,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ],
‘attr_match_list’ =>
[ ‘Name’,‘EmailAddress’,‘RealName’,‘WorkPhone’,‘Address2’,‘ExternalContactInfoId’ ],
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘Address2’ => ‘postOfficeBox’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
‘ExternalContactInfoId’ => ‘dn’ }
}

LDAP2 configuration is the same expect ip, path and password.
RT::Authen::ExternalAuth is installed under local/plugins, other plugins
installed there work fine.

Any ideas?

Thomas_Sibley · March 3, 2011, 3:00pm

What RT and ExternalAuth versions are you running? ExternalAuth 0.08
doesn’t work with RT 3.8.9. There’s a development version of
ExternalAuth 0.08_01, which users have reported fixes the problem.

ThomasOn 03 Mar 2011 09:58, Robert Wysocki wrote:

Hi there,

I have a problem with ExternalAuth - it doesn’t work at all.
Actually, when I run tcpdump against the ip of LDAP server, I can’t see
any packets going through.

There is no firewall between those two.
Here’s my RT_SiteConfig:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [
‘LDAP1’,
‘LDAP2’
]
);

Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
# AN EXAMPLE LDAP SERVICE
‘LDAP1’ => {
‘type’ => ‘ldap’,
‘server’ => ‘192.168.X.Y:3268’,
‘user’ => ‘CN=ldapauth,CN=Users,DC=path’,
‘pass’ => ‘pass’,
‘base’ => ‘DC=path’,
‘filter’ => ‘(objectclass=user)’,
‘d_filter’ => ‘(employmentStatus=Terminated)’,
‘tls’ => 1,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ],
‘attr_match_list’ =>
[ ‘Name’,‘EmailAddress’,‘RealName’,‘WorkPhone’,‘Address2’,‘ExternalContactInfoId’ ],
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘Address2’ => ‘postOfficeBox’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
‘ExternalContactInfoId’ => ‘dn’ }
}

LDAP2 configuration is the same expect ip, path and password.
RT::Authen::ExternalAuth is installed under local/plugins, other plugins
installed there work fine.

Any ideas?

Robert_Wysocki · March 3, 2011, 3:05pm

Dnia 2011-03-03, czw o godzinie 10:00 -0500, Thomas Sibley pisze:

What RT and ExternalAuth versions are you running? ExternalAuth 0.08
doesn’t work with RT 3.8.9. There’s a development version of
ExternalAuth 0.08_01, which users have reported fixes the problem.

RT-Authen-ExternalAuth-0.08_01 - RT Authen-ExternalAuth Extension - metacpan.org

Thanks, I’ll try it, I was struggling with 0.08.

Robert

Jason_Ledford · March 3, 2011, 3:06pm

From another thread I had issues with it and the dev version worked for me. I downloaded the latest dev release from here RT-Authen-ExternalAuth-0.27 - RT Authentication using External Sources - metacpan.org since I couldn’t get the svn to work.From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Thomas Sibley
Sent: Thursday, March 03, 2011 10:01 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth doesn’t work

What RT and ExternalAuth versions are you running? ExternalAuth 0.08 doesn’t work with RT 3.8.9. There’s a development version of ExternalAuth 0.08_01, which users have reported fixes the problem.

Thomas

Robert_Wysocki · March 3, 2011, 3:18pm

Dnia 2011-03-03, czw o godzinie 16:05 +0100, Robert Wysocki pisze:

Dnia 2011-03-03, czw o godzinie 10:00 -0500, Thomas Sibley pisze:

What RT and ExternalAuth versions are you running? ExternalAuth 0.08
doesn’t work with RT 3.8.9. There’s a development version of
ExternalAuth 0.08_01, which users have reported fixes the problem.

RT-Authen-ExternalAuth-0.08_01 - RT Authen-ExternalAuth Extension - metacpan.org

Thanks, I’ll try it, I was struggling with 0.08.

Well, tcpdump still doesn’t show any packets…
Can any of you with working installation of RT 3.8.9 and ExternalAuth
paste your config? Maybe i’ve made some stupid mistake?

Robert

Jason_Ledford · March 3, 2011, 3:25pm

Did you configure the plugin to load and does RT show it being loaded, and has apache been restarted? Here are my 2 config files, RT-authen first:

Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_MySQL’,
‘My_SSO_Cookie’
]
);

Set($ExternalInfoPriority, [ ‘My_LDAP’,
‘My_MySQL’
]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
# AN EXAMPLE LDAP SERVICE
‘My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
‘server’ => ‘dc.example.com’,
‘user’ => ‘user@example.com’,
‘pass’ => ‘FUB28tra’,
‘base’ => ‘ou=Departments,dc=domain,dc=example,dc=com’,
‘filter’ => ‘(objectClass=*)’,
‘d_filter’ => ‘(userAccountControl=514)’,
‘tls’ => 0,
‘ssl_version’ => 3,
‘net_ldap_args’ => [ version => 3 ],
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’,
‘RealName’,
‘WorkPhone’
],
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘department’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
}
}
}
);

1;

Now my site config

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, ‘myserver.example.com’);
Set($Organization, ‘example.com’);
Set($CorrespondAddress , ‘esworkorder@example.com’);
Set($CommentAddress , ‘escomment@example.com’);
Set($Timezone, “EST”); # obviously choose what suits you

Set($DatabaseUser , ‘rt123’);
Set($DatabasePassword , ‘rt123’);
Set($DatabaseName , ‘cdc124asv_rt’); # Ensure this is set to rt3!
Set($DatabaseHost, ‘mysql.example.com’);

Set($WebPath , “/rt”);
Set($WebBaseURL , “http://myserver.example.com”);

require “/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm”;
Set(@Plugins, (qw(RT::Extension::MobileUI RT::Extension::LDAPImport RT::Authen::ExternalAuth)));

#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
Set($LDAPHost,‘dc.example.com’);
Set($LDAPUser, ‘user@example.com’);
Set($LDAPPassword, ‘pass’);
Set($LDAPBase, ‘OU=departments,dc=domain,dc=example,dc=com’);
Set($LDAPFilter, ‘(&(objectClass=user)(objectClass=*))’);
Set($LDAPMapping, {Name => ‘sAMAccountName’,
EmailAddress => ‘mail’,
RealName => ‘cn’,
MobilePhone => ‘mobile’,
WorkPhone => ‘telephoneNumber’,
Organization => ‘department’,
FreeformContactInfo => ‘title’});
Set($LDAPUpdateUsers,1);

1;From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Robert Wysocki
Sent: Thursday, March 03, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth doesn’t work

Dnia 2011-03-03, czw o godzinie 16:05 +0100, Robert Wysocki pisze:

Dnia 2011-03-03, czw o godzinie 10:00 -0500, Thomas Sibley pisze:

What RT and ExternalAuth versions are you running? ExternalAuth
0.08 doesn’t work with RT 3.8.9. There’s a development version of
ExternalAuth 0.08_01, which users have reported fixes the problem.

RT-Authen-ExternalAuth-0.08_01 - RT Authen-ExternalAuth Extension - metacpan.org

Thanks, I’ll try it, I was struggling with 0.08.

Well, tcpdump still doesn’t show any packets…
Can any of you with working installation of RT 3.8.9 and ExternalAuth paste your config? Maybe i’ve made some stupid mistake?

Robert

Robert_Wysocki · March 4, 2011, 8:38am

Dnia 2011-03-03, czw o godzinie 10:25 -0500, Jason Ledford pisze:

Did you configure the plugin to load and does RT show it being loaded, and has apache been restarted? Here are my 2 config files, RT-authen first:

Thanks for the config files.
Plugin is configured to load, but RT doesn’t show any plugins being
loaded. All of the plugins configured to load work fine except
ExternalAuth.
I’ve tried with SSL, without SSL, with port number, without it and
everything fails.

Robert

Robert_Wysocki · March 4, 2011, 8:48am

Dnia 2011-03-04, pią o godzinie 09:38 +0100, Robert Wysocki pisze:

Dnia 2011-03-03, czw o godzinie 10:25 -0500, Jason Ledford pisze:

Did you configure the plugin to load and does RT show it being loaded, and has apache been restarted? Here are my 2 config files, RT-authen first:

Thanks for the config files.
Plugin is configured to load, but RT doesn’t show any plugins being
loaded. All of the plugins configured to load work fine except
ExternalAuth.
I’ve tried with SSL, without SSL, with port number, without it and
everything fails.

OK, solved.

The problem was:
Set($ExternalAuthPriority, [
‘LDAP1’,
‘LDAP2’
]
);

although syntactically OK, should be:

Set($ExternalAuthPriority, [ ‘LDAP1’,
‘LDAP2’
]
);

And the same with ExternalInfoPriority.

Robert

Ruslan_Zakirov1 · March 4, 2011, 11:24am

Dnia 2011-03-04, pią o godzinie 09:38 +0100, Robert Wysocki pisze:

Dnia 2011-03-03, czw o godzinie 10:25 -0500, Jason Ledford pisze:

Did you configure the plugin to load and does RT show it being loaded, and has apache been restarted? Here are my 2 config files, RT-authen first:

Thanks for the config files.
Plugin is configured to load, but RT doesn’t show any plugins being
loaded. All of the plugins configured to load work fine except
ExternalAuth.
I’ve tried with SSL, without SSL, with port number, without it and
everything fails.

OK, solved.

The problem was:
Set($ExternalAuthPriority, [
‘LDAP1’,
‘LDAP2’
]
);

although syntactically OK, should be:

Set($ExternalAuthPriority, [ ‘LDAP1’,
‘LDAP2’
]
);

And the same with ExternalInfoPriority.

Only difference I see is in spaces and those spaces changes don’t
change meaning. It was something else.

–
Robert

Best regards, Ruslan.

Robert_Wysocki · March 4, 2011, 11:36am

Dnia 2011-03-04, pią o godzinie 14:24 +0300, Ruslan Zakirov pisze:

Only difference I see is in spaces and those spaces changes don’t
change meaning. It was something else.

I am tottaly aware that both notations are OK (with enter after [ and
without it), but it was the only thing I’ve changed.
But maybe I’ve had some special characters at the end of the line that
didn’t show up in the editor, who knows.

Robert