ExternalAuth help needed

I am using ExternalAuth to connect RT3.8.8 to LDAP.

Detailed documentation seems to be woefully absent, and I’ve scoured the
web and tried the dozens of conflicting suggestions, so I’m turning to
y’all.

Here’s the error I get:

[Tue Jan 11 01:41:56 2011] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_DN_SYNTAX 34
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

Here’s the LDAP section from my RT_Authen-ExternalAuth.pm

    'My_LDAP'       =>  {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'                      =>  'ldap',
        # The server hosting the service
        'server'                    =>  'dir1.library.ucsc.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass'                      =>  'PASSWORD',
        # The LDAP search base
        'base'                      =>  'ou=people,dc=ucsc,dc=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'                    =>  '(objectClass=person)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter'                  =>  '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls'                       =>  0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'               =>  3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'             => [    version =>  3   ],
        # Does authentication depend on group membership? What group name?
        'group'                     =>  'staff',
        # What is the attribute for the group object that determines membership?
        'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list'           => [    'Name',
                                            'EmailAddress',
                                        ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'                  =>  {   'Name' => 'uid',
                                            'EmailAddress' => 'mail',
                                            'RealName' => 'cn',
                                            'ExternalAuthId' => 'uid',
                                            'Gecos' => 'gecos',
                                            'WorkPhone' => 'telephoneNumber',
                                        }
    },

What more do you need to know to help me get this working?

Wes

I have fiddled only a little with LDAP.

The error message sounds like it isn’t recognizing something as a DN.

To me, your username doesn’t look quite right. Is there really an LDAP server at ucsc.edu? Shouldn’t it be more like DC=ldap1,DC=ucsc,DC=edu, to specify the machine name?

I’m not even very good with windows, so, I could be way off, here.

Josh Narins

Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Fax: (212) 994-4260
Mobile: (917) 488-6248
jnarins@seniorbridge.com
seniorbridge.com http://www.seniorbridge.com/

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Wes Modes
Sent: Monday, January 10, 2011 9:04 PM
To: RT Users
Subject: [rt-users] ExternalAuth help needed

> I am using ExternalAuth to connect RT3.8.8 to LDAP.
>
> Here's the error I get:
> [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_DN_SYNTAX 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
>
> Here's the LDAP section from my RT_Authen-ExternalAuth.pm
>         'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
>         'base'                      =>  'ou=people,dc=ucsc,dc=edu',

On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:

> I am using ExternalAuth to connect RT3.8.8 to LDAP.
>
> Detailed documentation seems to be woefully absent, and I've scoured the web and tried the
> dozens of conflicting suggestions, so I'm turning to y'all.
>
> Here's the error I get:
>
>  [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
>  Can't bind: LDAP_INVALID_DN_SYNTAX 34
>  (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

The error seems clear, something in your username or password isn’t
valid DN syntax according to your server.

Try connecting using the ldapsearch command line client.

-kevin

As suggested in a thread in this forum, I connected with ldapsearch with
no problem:

[root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h
dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn
telephoneNumber
Enter LDAP Password:
dn: uid=wmodes,ou=people,dc=ucsc,dc=edu
cn: Wes Modes
telephoneNumber: 831-459-5208

This was run from the server running RT. The DN and password I’m using
to connect are the same here and in the config file. Now what?

Wes

On 1/11/2011 7:43 AM, Kevin Falcone wrote:

> On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
>> Here's the error I get:
>>  [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
>>  Can't bind: LDAP_INVALID_DN_SYNTAX 34
>
> The error seems clear, something in your username or password isn't
> valid DN syntax according to your server.
>
> Try connecting using the ldapsearch command line client.
>
> -kevin

My config file for LDAP uses this format

'user' => 'username@domain',
'pass' => 'password',

Regards,
Dan

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Wes Modes
Sent: January-11-11 1:33 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth help needed

> As suggested in a thread in this forum, I connected with ldapsearch with
> no problem:
>
> [root@rt2]# ldapsearch -x -LLL -D "cn=admin,dc=ucsc,dc=edu" -W -h dir1.library.ucsc.edu -b "ou=people,dc=ucsc,dc=edu" uid=wmodes cn telephoneNumber
>
> This was run from the server running RT. The DN and password I'm using
> to connect are the same here and in the config file. Now what?

The machine name is specified elsewhere, but that is what the root DN
looks like. Now whether that is the right format for that variable
value or not, I don’t know.

W.

On 1/11/2011 5:49 AM, Josh Narins wrote:

> To me, your username doesn't look quite right. Is there really an LDAP
> server at ucsc.edu? Shouldn't it be more like DC=ldap1,DC=ucsc,DC=edu,
> to specify the machine name?

> # Does authentication depend on group membership? What group name?
> 'group'                     =>  'staff',
> # What is the attribute for the group object that determines membership?
> 'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',

I believe what you want there is:

'group_attr' => 'memberOf'

As in the name of the attribute that would have the value "staff" (from your config).

HTH

Jok
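Added for this thread (not code from RT or the RT::Authen::ExternalAuth plugin): a checker that applies Kevin's point about DN syntax to the 'user' and 'base' values and Jok's point that 'group_attr' should name an attribute rather than hold a DN. WES_CONFIG is constructed from the section posted earlier, and the DN parsing is a simplified RFC 4514 reading written for this example.

```python
import re

# Constructed from the My_LDAP section posted in this thread (password elided).
WES_CONFIG = {
    "type": "ldap",
    "server": "dir1.library.ucsc.edu",
    "user": "cn=admin,dc=ucsc,dc=edu",
    "pass": "PASSWORD",
    "base": "ou=people,dc=ucsc,dc=edu",
    "filter": "(objectClass=person)",
    "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0,
    "group": "staff",
    "group_attr": "ou=group,dc=ucsc,dc=edu",
    "attr_match_list": ["Name", "EmailAddress"],
    "attr_map": {"Name": "uid", "EmailAddress": "mail"},
}

# RFC 4512 attribute description: a descriptor (letter, then letters/digits/hyphens) or a dotted OID.
ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def split_dn(dn):
    """Split a string DN (RFC 4514) into RDN strings, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])     # keep the escaped pair verbatim
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def dn_syntax_error(dn):
    """Return None if dn is syntactically a DN, else a message saying why not."""
    if dn == "":
        return None                      # the empty DN (root DSE) is valid
    for rdn in split_dn(dn):
        if rdn.strip() == "":
            return "empty RDN (stray comma) in %r" % dn
        for ava in rdn.split("+"):       # multi-valued RDNs join AVAs with '+'
            if "=" not in ava:
                return "RDN %r lacks '=' (attribute=value) in %r" % (ava, dn)
            attr, value = ava.split("=", 1)
            if not ATTR_TYPE_RE.match(attr.strip()):
                return "bad attribute type %r in %r" % (attr, dn)
            if value == "":
                return "empty value for %r in %r" % (attr, dn)
    return None


def check_ldap_service(cfg):
    """Return a list of (key, problem) findings for one ExternalAuth LDAP service block."""
    findings = []
    for key in ("user", "base"):
        err = dn_syntax_error(cfg.get(key, ""))
        if err:
            findings.append((key, err))
    for key in ("filter", "d_filter"):
        f = cfg.get(key)
        if not f:
            findings.append((key, "missing; the plugin wants both filter and d_filter"))
        elif not (f.startswith("(") and f.endswith(")")):
            findings.append((key, "filter must be enclosed in parentheses"))
    # group_attr names the attribute whose value is compared with 'group';
    # a DN here is an attribute=value list, not an attribute name.
    ga = cfg.get("group_attr")
    if cfg.get("group") and ga is not None and not ATTR_TYPE_RE.match(ga):
        findings.append(("group_attr", "expected an attribute name such as memberOf, got %r" % ga))
    # A simple bind over plain ldap:// sends the service password in clear text.
    if not cfg.get("tls") and cfg.get("pass"):
        findings.append(("tls", "tls is 0: the bind password crosses the network unencrypted"))
    return findings
```

Run against the posted values it reports only 'group_attr' and 'tls'; the 'user' and 'base' DNs pass, which agrees with the ldapsearch test Wes ran.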

Maybe, but then this isn’t what is causing the error, no?

Also, memberOf is one way of implementing groups. That is a one-to-many
record within the user record. If you don’t have memberOf implemented
within your LDAP, then you can have a group record that contains a list
of userIDs.

Wes

On 1/12/2011 9:08 AM, Joachim Thuau wrote:

> I believe what you want there is:
>
> 'group_attr' => 'memberOf'
>
> As in the name of the attribute that would have the value "staff" (from your config).
>
> Jok
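The two group models Wes describes, as an added example that is not part of the thread or of the ExternalAuth plugin (which has its own way of evaluating 'group' and 'group_attr'; see the plugin's LDAP.pm for that). The directory below is a constructed toy, not the poster's server: the user entry ldapsearch returned, a second user, and a 'staff' group exposed both through memberOf on the user and through a group entry listing its members.

```python
# Constructed toy directory: DN -> attributes (every LDAP attribute is multi-valued).
DIRECTORY = {
    "uid=wmodes,ou=people,dc=ucsc,dc=edu": {
        "objectClass": ["person", "inetOrgPerson"],
        "uid": ["wmodes"],
        "cn": ["Wes Modes"],
        # model 1: the user entry carries its own group list
        "memberOf": ["cn=staff,ou=group,dc=ucsc,dc=edu"],
    },
    "uid=rjohnson,ou=people,dc=ucsc,dc=edu": {
        "objectClass": ["person", "inetOrgPerson"],
        "uid": ["rjohnson"],
        "cn": ["R. Johnson"],
        # no memberOf here: this user's membership exists only in the group entry
    },
    # model 2a: a posixGroup lists member uids
    "cn=staff,ou=group,dc=ucsc,dc=edu": {
        "objectClass": ["posixGroup"],
        "cn": ["staff"],
        "memberUid": ["wmodes", "rjohnson"],
    },
    # model 2b: a groupOfNames lists member DNs
    "cn=admins,ou=group,dc=ucsc,dc=edu": {
        "objectClass": ["groupOfNames"],
        "cn": ["admins"],
        "member": ["uid=wmodes,ou=people,dc=ucsc,dc=edu"],
    },
}


def rdn_value(dn):
    """Value of the first RDN, e.g. 'staff' from 'cn=staff,ou=group,dc=ucsc,dc=edu'
    (assumes the RDN value contains no escaped comma)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def member_via_user_attr(directory, user_dn, group, attr="memberOf"):
    """Model 1: membership is an attribute of the user entry whose values are group DNs."""
    entry = directory.get(user_dn, {})
    return any(rdn_value(v) == group for v in entry.get(attr, []))


def member_via_group_entry(directory, user_dn, group, group_base):
    """Model 2: a group entry below group_base names its members, either as DNs
    (groupOfNames 'member') or as uids (posixGroup 'memberUid')."""
    user = directory.get(user_dn, {})
    uid = user.get("uid", [None])[0]
    suffix = "," + group_base.lower()
    for dn, entry in directory.items():
        if not dn.lower().endswith(suffix) or group not in entry.get("cn", []):
            continue
        member_dns = [m.lower() for m in entry.get("member", [])]  # DNs match case-insensitively
        if user_dn.lower() in member_dns or uid in entry.get("memberUid", []):
            return True
    return False


def is_member(directory, user_dn, group, group_base):
    """Accept either model, since a directory may expose one, the other, or both."""
    return (member_via_user_attr(directory, user_dn, group)
            or member_via_group_entry(directory, user_dn, group, group_base))
```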

Kevin, you said the error is clear, but it seems less than clear to
me. Especially since I have no problem connecting to ldap with
ldapsearch using the same DN.

Are we stalled out here, then? If this forum can not offer help, any
suggestions where to turn to for help?

In my experience with other software, LDAP is one of the simplest
integrations possible. In total one has to configure maybe three, maybe
four things. The server FQDN, maybe the port, the base DN, and maybe
the root DN. Voila! That’s it! LDAP integration.

I have a difficult time believing that RT is so difficult to integrate
with LDAP, that there is so little step-by-step documentation, and that
the user forums offer so little help. This has been a surprisingly
difficult process, but I’d still like to be proved completely wrong.

Wes

On 1/11/2011 7:43 AM, Kevin Falcone wrote:

> On Mon, Jan 10, 2011 at 06:03:37PM -0800, Wes Modes wrote:
>> Here's the error I get:
>>  [Tue Jan 11 01:41:56 2011] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj
>>  Can't bind: LDAP_INVALID_DN_SYNTAX 34
>
> The error seems clear, something in your username or password isn't
> valid DN syntax according to your server.
>
> Try connecting using the ldapsearch command line client.
>
> -kevin

On Wed, Jan 12, 2011 at 03:00:30PM -0800, Wes Modes wrote:

> Kevin, you said the error is clear, but it seems less than clear to
> me. Especially since I have no problem connecting to ldap with
> ldapsearch using the same DN.
>
> Are we stalled out here, then? If this forum can not offer help, any
> suggestions where to turn to for help?
>
> In my experience with other software, LDAP is one of the simplest
> integrations possible. In total one has to configure maybe three, maybe
> four things. The server FQDN, maybe the port, the base DN, and maybe
> the root DN. Voila! That's it! LDAP integration.
>
> I have a difficult time believing that RT is so difficult to integrate
> with LDAP, that there is so little step-by-step documentation, and that
> the user forums offer so little help. This has been a surprisingly
> difficult process, but I'd still like to be proved completely wrong.

Wes, plenty of folks have this working and I’ve set it up more times
than I can count. You’ve cherry picked an error that tells me that
your LDAP server is rejecting the connection attempt. What do your
LDAP logs say?

As someone observed, your group settings look interestingly wrong, but
since I’m staring at one log line it’s kind of hard to tell if this is
the initial bind or a later bind failure.

-kevin
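Kevin asks what the LDAP server's own logs say and whether the failure is the initial bind or a later one. This added example (mine, not from the thread) answers that from server-side log lines: it pairs each BIND with its RESULT and labels the bind as the first on the connection (the service account) or one issued after a search (the user ExternalAuth just looked up). The lines are constructed in OpenLDAP slapd 'stats' format, which is an assumption since the thread never says what software dir1 runs.

```python
import re

# Constructed slapd-style log (assumed format). conn=1001 fails its service-account
# bind with err=34, the error from the thread; conn=1002 binds, searches, then fails a
# later bind as the user it found.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.0.0.5:44321 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=admin,dc=ucsc,dc=edu" method=128
conn=1001 op=0 RESULT tag=97 err=34 text=invalid DN
conn=1002 fd=13 ACCEPT from IP=10.0.0.5:44322 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=admin,dc=ucsc,dc=edu" method=128
conn=1002 op=0 BIND dn="cn=admin,dc=ucsc,dc=edu" mech=SIMPLE ssf=0
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="ou=people,dc=ucsc,dc=edu" scope=2 deref=0 filter="(&(uid=rjohnson)(objectClass=person))"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1002 op=2 BIND dn="uid=rjohnson,ou=people,dc=ucsc,dc=edu" method=128
conn=1002 op=2 RESULT tag=97 err=49 text=
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')        # first of the two BIND lines per op
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(?P<err>\d+)")  # tag 97 = BindResponse
ERR_NAMES = {32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}


def failed_binds(log_text):
    """Return one dict per failed BIND: connection, op, DN, error and its stage
    (initial service-account bind vs a later bind issued after a search)."""
    pending = {}      # (conn, op) -> (dn, stage) for binds still awaiting their RESULT
    searched = set()  # connections that have already run a SRCH
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT / closed lines carry no op
        conn, op, rest = m["conn"], int(m["op"]), m["rest"]
        b = BIND_RE.match(rest)
        if b:
            stage = "later bind (user)" if conn in searched else "initial bind (service account)"
            pending[(conn, op)] = (b["dn"], stage)
        elif rest.startswith("SRCH "):
            searched.add(conn)
        else:
            r = BIND_RESULT_RE.match(rest)
            if r and (conn, op) in pending:
                dn, stage = pending.pop((conn, op))
                err = int(r["err"])
                if err != 0:
                    failures.append({"conn": conn, "op": op, "dn": dn, "err": err,
                                     "name": ERR_NAMES.get(err, "err=%d" % err),
                                     "stage": stage})
    return failures


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print("conn=%s op=%d %s: %s (%d) for dn=%s" % (
            f["conn"], f["op"], f["stage"], f["name"], f["err"], f["dn"]))
```

The ssf=0 on the second BIND line is also worth noticing: it confirms the simple bind ran without TLS, which the 'tls' => 0 setting in the posted config would produce.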

Guys,

I am new to RT, and I’ve encountered the following issue:

I have changed the domain on the email address for some of our users, but
now when they send a request to our queue, they get the following response.

Could not load a valid user

What do I need to change so that it does not happen again?

Thank you so much.

Alberto

On Wed, Jan 12, 2011 at 3:05 PM, Kevin Falcone <falcone@bestpractical.com> wrote:

> On Wed, Jan 12, 2011 at 03:00:30PM -0800, Wes Modes wrote:
>> Kevin, you said the error is clear, but it seems less than clear to
>> me. Especially since I have no problem connecting to ldap with
>> ldapsearch using the same DN.
>
> Wes, plenty of folks have this working and I've set it up more times
> than I can count. You've cherry picked an error that tells me that
> your LDAP server is rejecting the connection attempt. What do your
> LDAP logs say?
>
> As someone observed, your group settings look interestingly wrong, but
> since I'm staring at one log line it's kind of hard to tell if this is
> the initial bind or a later bind failure.
>
> -kevin

Alberto Vazquez-Dzul
Email: betovaz@gmail.com
Mobile: (805) 444-0835
GVoice: (805) 768-4798

I’ve confirmed that the user “rjohnson” can indeed login to other
services via LDAP. However, he can’t login to rt.

Looking closer, here’s all the rt.log says about the failed login attempt:

[Wed Jan 12 23:21:18 2011] [error]: FAILED LOGIN for rjohnson from
128.114.163.50 (/usr/lib/rt/RT/Interface/Web.pm:424)

Where did the original error I reported go? Beats me? Here’s what
ldap.log says on the LDAP server:

Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 fd=48 ACCEPT from IP=128.114.163.13:40752 (IP=0.0.0.0:389)
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=0 BIND dn="cn=admin,dc=ucsc,dc=edu" method=128
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=0 BIND dn="cn=admin,dc=ucsc,dc=edu" mech=SIMPLE ssf=0
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=0 RESULT tag=97 err=0 text=
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=1 SRCH base="ou=people,dc=ucsc,dc=edu" scope=2 deref=2 filter="(&(objectClass=person)(uid=rjohnson))"
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=1 SRCH attr=telephoneNumber cn mail uid gecos uid
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 12 15:21:18 dir1 slapd2.4[2475]: conn=614436 fd=48 closed (connection lost)
Jan 12 15:21:19 dir1 slapd2.4[2475]: conn=614435 op=4 UNBIND
Jan 12 15:21:19 dir1 slapd2.4[2475]: conn=614435 fd=39 closed

However, when I login as another user, one that has a local rt login, I
get this in the rt.log:

[Wed Jan 12 23:31:22 2011] [critical]: Search for
(ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu)
failed: LDAP_INVALID_DN_SYNTAX 34
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Wed Jan 12 23:31:22 2011] [error]: AUTH FAILED, Couldn't Load
Password Encryption Package. Error: Can't locate Crypt/MySQL.pm in
@INC (@INC contains: /usr/local/rt/lib
/usr/local/rt/plugins/RT-Extension-ExtractCustomFieldValues/lib
/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib /usr/lib/rt
/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl
/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl
/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi
/usr/lib/perl5/5.8.8 . /etc/httpd) at (eval 4588) line 3, <DATA>
line 440.

Stack:
  [(eval 4588):3]
  [/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:330]
  [/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:156]
  [/usr/local/rt/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:25]
  [/usr/lib/rt/RT/Interface/Web.pm:202]
  [/var/rt/html/autohandler:53]
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:70)
[Wed Jan 12 23:31:22 2011] [error]: My_MySQL AUTH FAILED The
encryption package you gave me ( Crypt::MySQL ) does not support the
encryption method you specified ( password )
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:99)

It looks like you are right about the group setting being messed up, but
does that explain the failure of the first login? There may be multiple
things messed up and prove conclusively that two wrongs do not make a right.

Wes

On 1/12/2011 3:05 PM, Kevin Falcone wrote:

On Wed, Jan 12, 2011 at 03:00:30PM -0800, Wes Modes wrote:

Kevin, you said the error is clear. but it seems less than clear to
me. Especially since I have no problem connecting to ldap with
ldapsearch using the same DN.

Are we stalled out here, then? If this forum can not offer help, any
suggestions where to turn to for help?

In my experience with other software, LDAP is one of the simplest
integrations possible. In total one has to configure maybe three, maybe
four things. The server FQDN, maybe the port, the base DN, and maybe
the root DN. Voila! That’s it! LDAP integration.

I have a difficult time believing that RT is so difficult to integrate
with LDAP, that there is so little step-by-step documentation, and that
the user forums offer so little help. This has been a surprisingly
difficult process, but I’d still like to be proved completely wrong.
Wes, plenty of folks have this working and I’ve set it up more times
than I can count. You’ve cherry picked an error that tells me that
your LDAP server is rejecting the connection attempt. What do your
LDAP logs say?

As someone observed, your group settings look interestingly wrong, but
since I’m staring at one log line it’s kind of hard to tell if this is
the initial bind or a later bind failure.

-kevin


 [Wed Jan 12 23:31:22 2011] [error]: AUTH FAILED, Couldn't Load Password Encryption Package.
 Error: Can't locate Crypt/MySQL.pm in @INC (@INC contains: /usr/local/rt/lib

What are you doing to load that?

You should send along the other parts of your RT_SiteConfig.pm, it
appears you’ve got something ‘interesting’ running. Did you tell
RT-Authen-ExternalAuth to look at LDAP and a mysql database?

-kevin

I found that I don’t need to define MySQL as an external auth source
because, uh, it is not external. I am using the default mysql
authentication for rt. So I removed mysql from the ExternalAuthPriority
and ExternalInfoPriority arrays.
This quiets some of the more perplexing “Password Encryption” errors,
but still leaves me with these similar errors:

For a local rt user:

[Thu Jan 13 21:39:34 2011] [critical]: Search for
(ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu)
failed: LDAP_INVALID_DN_SYNTAX 34
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)

and for an LDAP only user:

[Thu Jan 13 21:40:27 2011] [critical]: Search for
(ou=group,dc=ucsc,dc=edu=uid=rjohnson,ou=people,dc=ucsc,dc=edu)
failed: LDAP_INVALID_DN_SYNTAX 34
(/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Thu Jan 13 21:40:27 2011] [error]: FAILED LOGIN for rjohnson from
128.114.163.50 (/usr/lib/rt/RT/Interface/Web.pm:424)

Here are the config files:

# Any configuration directives you include  here will override
# RT's default configuration file, RT_Config.pm
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
# This file is actually a perl module, so you can include valid
# perl code, as well.
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this comamnd:
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

#Set( $rtname, 'example.com');
#Set( $rtname, 'example.com');
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
Set(@Plugins,qw(RT::Extension::ExtractCustomFieldValues
RT::Authen::ExternalAuth));

require "/etc/rt/RT_Authen-ExternalAuth.pm";

# Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)
# Set( $Timezone , 'US/Eastern');

# Set( $WebBaseURL , "http://localhost");

Set( $WebPath , "/rt");

Set($rtname , "rt.library.ucsc.edu");
Set($Organization , "rt.library.ucsc.edu");
Set($Timezone , 'US/Pacific');

Set($DatabaseUser , 'root');
Set($DatabasePassword , 'r3c@ll');
Set($DatabaseName , 'rt3');

Set($CanonicalizeEmailAddressMatch   , 'rt2.library.ucsc.edu$');
#Set($CanonicalizeEmailAddressReplace , 'library.ucsc.edu');

Set($RTAddressRegexp, '\@rt2.library.ucsc.edu$');

Set($OwnerEmail, 'rootmail');
Set($WebBaseURL, "http://rt2.library.ucsc.edu");

# $LogoURL points to the URL of the RT logo displayed in the web UI
Set($LogoURL , $WebImagesURL . "library.gif");

Set($LogToFile, 'error');

1;

and the external auth config:

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_LDAP',
                            ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [
                                'My_LDAP'
                            ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g. Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings,      {  
    # AN EXAMPLE DB SERVICE
                               
    'My_MySQL'   =>  {     
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'                      =>  'db',
        # The server hosting the service
        'server'                    =>  'rt2.library.ucsc.edu',
        ## SERVICE-SPECIFIC SECTION
        # The database name
        'database'                  =>  'rt3',
        # The database table
        'table'                     =>  'Users',
        # The user to connect to the database as
        'user'                      =>  'root',
        # The password to use to connect with
        'pass'                      =>  'xxxxxxxx',
        # The port to use to connect with (e.g. 3306)
        'port'                      =>  '3306',
        # The name of the Perl DBI driver to use (e.g. mysql)
        'dbi_driver'                =>  'mysql',
        # The field in the table that holds usernames
        'u_field'                   =>  'Name',
        # The field in the table that holds passwords
        'p_field'                   =>  'Password',
        # The Perl package & subroutine used to encrypt passwords
        # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
        # function, then you will need Crypt::MySQL::password, but for the
        # MySQL4+ password function you will need Crypt::MySQL::password41
        # Alternatively, you could use Digest::MD5::md5_hex or any other
        # encryption subroutine you can load in your perl installation
        'p_enc_pkg'                 =>  'Crypt::MySQL',
        'p_enc_sub'                 =>  'password',
        # If your p_enc_sub takes a salt as a second parameter,
        # uncomment this line to add your salt
        #'p_salt'                    =>  'SALT',
        # The field and values in the table that determines if a user should
        # be disabled. For example, if the field is 'user_status' and the values
        # are ['0','1','2','disabled'] then the user will be disabled if their
        # user_status is set to '0','1','2' or the string 'disabled'.
        # Otherwise, they will be considered enabled.
        'd_field'                   =>  'disabled',
        'd_values'                  =>  ['0'],
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list'           =>  [   'Gecos',
                                            'Name'
                                        ],
        # The mapping of RT attributes on to field names
        'attr_map'                  =>  {   'Name' => 'username',
                                            'EmailAddress' => 'email',
                                            'ExternalAuthId' => 'username',
                                            'Gecos' => 'userID'
                                        }
    },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP'       =>  {  
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'                      =>  'ldap',
        # The server hosting the service
        'server'                    =>  'dir1.library.ucsc.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass'                    =>  'xxxxxxxx',
        # The LDAP search base
        'base'                      =>  'ou=people,dc=ucsc,dc=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'                    =>  '(objectClass=person)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter'                  =>  '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls'                       =>  0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'               =>  3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'             => [    version =>  3   ],
        # Does authentication depend on group membership? What group name?
        'group'                     =>  'staff',
        # What is the attribute for the group object that determines membership?
        'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user

        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list'           => [    'Name',
                                            'EmailAddress',
                                        ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'                  =>  {   'Name' => 'uid',
                                            'EmailAddress' => 'mail',
                                            'RealName' => 'cn',
                                            'ExternalAuthId' => 'uid',
                                            'Gecos' => 'gecos',
                                            'WorkPhone' => 'telephoneNumber',
                                        }

    },
    # An example SSO cookie service
    'My_SSO_Cookie'  => {  
        # # The type of service (db/ldap/cookie)
        'type'                      =>  'cookie',
        # The name of the cookie to be used
        'name'                      =>  'loginCookieValue',
        # The users table
        'u_table'                   =>  'users',
        # The username field in the users table
        'u_field'                   =>  'username',
        # The field in the users table that uniquely identifies a user
        # and also exists in the cookies table
        'u_match_key'               =>  'userID',
        # The cookies table
        'c_table'                   =>  'login_cookie',
        # The field that stores cookie values
        'c_field'                   =>  'loginCookieValue',
        # The field in the cookies table that uniquely identifies a user
        # and also exists in the users table
        'c_match_key'               =>  'loginCookieUserID',
        # The DB service in this configuration to use to lookup the cookie information
        'db_service_name'           =>  'My_MySQL'
    }
}

);

1;

Any help would be appreciated. Thanks.

Wes

On 1/12/2011 4:14 PM, Kevin Falcone wrote:

On Wed, Jan 12, 2011 at 04:01:08PM -0800, Wes Modes wrote:

 [Wed Jan 12 23:31:22 2011] [error]: AUTH FAILED, Couldn't Load Password Encryption Package.
 Error: Can't locate Crypt/MySQL.pm in @INC (@INC contains: /usr/local/rt/lib

What are you doing to load that?

You should send along the other parts of your RT_SiteConfig.pm, it
appears you’ve got something ‘interesting’ running. Did you tell
RT-Authen-ExternalAuth to look at LDAP and a mysql database?

-kevin

Your previous errors were actually in GetBoundLDAPObj so this is
different.

 [Thu Jan 13 21:39:34 2011] [critical]: Search for
 (ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu) failed: LDAP_INVALID_DN_SYNTAX
 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)

As noted earlier, this seems to be because your config is interesting and
isn’t specifying an attribute for the group_attr.

RT-Authen-ExternalAuth’s group membership expects to work based on a search for

group_attr = DN of user
with a base of the group’s DN

being a valid query. You should see a debug output of something like:

    $RT::Logger->debug( "LDAP Search === ",
                        "Base:",
                        $base,
                        "== Filter:",
                        $filter->as_string,
                        "== Attrs:",
                        join(',',@attrs));
         'group'                     =>  'staff',
         # What is the attribute for the group object that determines membership?
         'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',

-kevin
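Kevin's description of the membership search, as an added Python model (not the plugin's Perl code): it builds the base and filter the way he describes, rejects the two values from Wes's config before they ever reach the server, and reproduces the filter string that appears in Wes's log line. The corrected group DN and the `member` attribute are assumptions, not values from the thread.

```python
"""Model of the group-membership search that RT-Authen-ExternalAuth's LDAP
backend performs, as described in the thread: a search with the group's DN
as base and the filter ``(group_attr=<user DN>)``.

This is an added, stand-alone Python illustration, not the plugin's Perl
code. The DN and attribute-name checks follow RFC 4514 / RFC 4512 keystring
rules; the filter-value escaping follows RFC 4515.
"""
import re

# RFC 4512 keystring: a letter followed by letters, digits or hyphens.
# A numeric OID (e.g. 2.5.4.3) is also a legal attribute type.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$")


def is_attribute_type(name: str) -> bool:
    """True if ``name`` could be an LDAP attribute type (e.g. 'member')."""
    return bool(_ATTR_TYPE.match(name))


def split_dn(dn: str):
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    Raises ValueError for strings that are not DN-shaped, which is the
    class of value an LDAP server answers with invalidDNSyntax (34).
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escaped char as-is
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no '=': {dn!r} is not a DN")
        t, v = rdn.split("=", 1)
        if not is_attribute_type(t.strip()) or not v.strip():
            raise ValueError(f"bad RDN {rdn!r} in {dn!r}")
        parsed.append((t.strip(), v.strip()))
    return parsed


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_search(settings: dict, user_dn: str):
    """Return (base, filter) for the membership check, or raise ValueError.

    ``settings`` is the My_LDAP hash from the thread; only 'group' and
    'group_attr' are used. Assumption (from Kevin's description): 'group'
    is the group entry's DN and 'group_attr' is the attribute that lists
    member DNs.
    """
    group, group_attr = settings["group"], settings["group_attr"]
    split_dn(group)                      # the search base must be a valid DN
    if not is_attribute_type(group_attr):
        raise ValueError(
            f"group_attr {group_attr!r} is not an attribute name; "
            "use e.g. 'member' or 'uniqueMember'")
    return group, f"({group_attr}={escape_filter_value(user_dn)})"


# Constructed reproduction of the settings posted in the thread.
THREAD_SETTINGS = {"group": "staff", "group_attr": "ou=group,dc=ucsc,dc=edu"}

# Assumed corrected values (group DN and attribute); adjust to the real tree.
FIXED_SETTINGS = {"group": "cn=staff,ou=group,dc=ucsc,dc=edu",
                  "group_attr": "member"}

USER_DN = "uid=wmodes,ou=people,dc=ucsc,dc=edu"


def naive_filter(settings: dict, user_dn: str) -> str:
    """The filter string produced when nothing is validated: this is the
    text inside Wes's 'Search for (...) failed' log line."""
    return f"({settings['group_attr']}={user_dn})"


if __name__ == "__main__":
    print("unchecked:", naive_filter(THREAD_SETTINGS, USER_DN))
    for name, cfg in (("thread", THREAD_SETTINGS), ("fixed", FIXED_SETTINGS)):
        try:
            base, flt = build_group_search(cfg, USER_DN)
            print(f"{name}: base={base} filter={flt}")
        except ValueError as err:
            print(f"{name}: rejected: {err}")
```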

Wes,

Your user DN for the admin user is odd. I would expect it included some sort of “ou” component, something more along the lines of:

'user' => 'cn=admin,ou=people,dc=ucsc,dc=edu',

A couple more questions for you:

  • What kind of LDAP server are you running?
  • Do you have any sort of LDAP browser software on your machine? (ldapsearch is fine, but sometimes a little hard to get going).

That should solve your LDAP DN syntax issue.

Thanks,
Jok

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Wes Modes
Sent: Thursday, January 13, 2011 1:42 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth help needed

I found that I don’t need to define MySQL as an external auth source because, uh, it is not external. I am using the default mysql authentication for rt. So I removed mysql from the ExternalAuthPriority and ExternalInfoPriority arrays.
This quiets some of the more perplexing “Password Encryption” errors, but still leaves me with these similar errors:

For a local rt user:
[Thu Jan 13 21:39:34 2011] [critical]: Search for (ou=group,dc=ucsc,dc=edu=uid=wmodes,ou=people,dc=ucsc,dc=edu) failed: LDAP_INVALID_DN_SYNTAX 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)

and for an LDAP only user:
[Thu Jan 13 21:40:27 2011] [critical]: Search for (ou=group,dc=ucsc,dc=edu=uid=rjohnson,ou=people,dc=ucsc,dc=edu) failed: LDAP_INVALID_DN_SYNTAX 34 (/usr/local/rt/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Thu Jan 13 21:40:27 2011] [error]: FAILED LOGIN for rjohnson from 128.114.163.50 (/usr/lib/rt/RT/Interface/Web.pm:424)

Here are the config files:

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

#Set( $rtname, ‘example.com’);
#Set( $rtname, ‘example.com’);
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
Set(@Plugins,qw(RT::Extension::ExtractCustomFieldValues
RT::Authen::ExternalAuth));

require “/etc/rt/RT_Authen-ExternalAuth.pm”;

Look into the zoneinfo database for valid values (/usr/share/zoneinfo/)

Set( $Timezone , ‘US/Eastern’);

Set( $WebBaseURL , "http://localhost"http://localhost);

Set( $WebPath , “/rt”);

Set($rtname , “rt.library.ucsc.edu”);
Set($Organization , “rt.library.ucsc.edu”);
Set($Timezone , ‘US/Pacific’);

Set($DatabaseUser , ‘root’);
Set($DatabasePassword , ‘r3c@ll’);
Set($DatabaseName , ‘rt3’);

Set($CanonicalizeEmailAddressMatch , ‘rt2.library.ucsc.edu$’);
#Set($CanonicalizeEmailAddressReplace , ‘library.ucsc.edu’);

Set($RTAddressRegexp, ‘@rt2.library.ucsc.edu$’);

Set($OwnerEmail, ‘rootmail’);
Set($WebBaseURL, "http://rt2.library.ucsc.edu"http://rt2.library.ucsc.edu);

$LogoURL points to the URL of the RT logo displayed in the web UI

Set($LogoURL , $WebImagesURL . “library.gif”);

Set($LogToFile, ‘error’);

1;

and the external auth config:

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

Set($ExternalAuthPriority, [ ‘My_LDAP’,
]
);

The order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once user info is found, no more services are checked.

You CANNOT use a SSO cookie for authentication.

Set($ExternalInfoPriority, [
‘My_LDAP’
]
);

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 0);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 0);

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set(ExternalAuthPriority,[‘My_LDAP’,‘My_MySQL’,‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’]);

Set($ExternalSettings, {
# AN EXAMPLE DB SERVICE

'My_MySQL'   =>  {
    ## GENERIC SECTION
    # The type of service (db/ldap/cookie)
    'type'                      =>  'db',
    # The server hosting the service
    'server'                    =>  'rt2.library.ucsc.edu',
    ## SERVICE-SPECIFIC SECTION
    # The database name
    'database'                  =>  'rt3',
    # The database table
    'table'                     =>  'Users',
    # The user to connect to the database as
    'user'                      =>  'root',
    # The password to use to connect with
    'pass'                      =>  'xxxxxxxx',
    # The port to use to connect with (e.g. 3306)
    'port'                      =>  '3306',
    # The name of the Perl DBI driver to use (e.g. mysql)
    'dbi_driver'                =>  'mysql',
    # The field in the table that holds usernames
    'u_field'                   =>  'Name',
    # The field in the table that holds passwords
    'p_field'                   =>  'Password',
    # The Perl package & subroutine used to encrypt passwords
    # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
    # function, then you will need Crypt::MySQL::password, but for the
    # MySQL4+ password function you will need Crypt::MySQL::password41
    # Alternatively, you could use Digest::MD5::md5_hex or any other
    # encryption subroutine you can load in your perl installation
    'p_enc_pkg'                 =>  'Crypt::MySQL',
    'p_enc_sub'                 =>  'password',
    # If your p_enc_sub takes a salt as a second parameter,
    # uncomment this line to add your salt
    #'p_salt'                    =>  'SALT',
    # The field and values in the table that determines if a user should
    # be disabled. For example, if the field is 'user_status' and the values
    # are ['0','1','2','disabled'] then the user will be disabled if their
    # user_status is set to '0','1','2' or the string 'disabled'.
    # Otherwise, they will be considered enabled.
    'd_field'                   =>  'disabled',
    'd_values'                  =>  ['0'],
    ## RT ATTRIBUTE MATCHING SECTION
    # The list of RT attributes that uniquely identify a user
    'attr_match_list'           =>  [   'Gecos',
                                        'Name'
                                    ],
    # The mapping of RT attributes on to field names
    'attr_map'                  =>  {   'Name' => 'username',
                                        'EmailAddress' => 'email',
                                        'ExternalAuthId' => 'username',
                                        'Gecos' => 'userID'
                                    }
},
# AN EXAMPLE LDAP SERVICE
'My_LDAP'       =>  {
    ## GENERIC SECTION
    # The type of service (db/ldap/cookie)
    'type'                      =>  'ldap',
    # The server hosting the service
    'server'                    =>  'dir1.library.ucsc.edu',
    ## SERVICE-SPECIFIC SECTION
    # If you can bind to your LDAP server anonymously you should
    # remove the user and pass config lines, otherwise specify them here:
    # The username RT should use to connect to the LDAP server
    'user'                      =>  'cn=admin,dc=ucsc,dc=edu',
    # The password RT should use to connect to the LDAP server
    'pass'                    =>  'xxxxxxxx',
    # The LDAP search base
    'base'                      =>  'ou=people,dc=ucsc,dc=edu',
    # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
    # YOU **MUST** SPECIFY A filter AND A d_filter!!
    # The filter to use to match RT-Users
    'filter'                    =>  '(objectClass=person)',
    # A catch-all example filter: '(objectClass=*)'
    # The filter that will only match disabled users
    'd_filter'                  =>  '(objectClass=FooBarBaz)',
    # A catch-none example d_filter: '(objectClass=FooBarBaz)'
    # Should we try to use TLS to encrypt connections?
    'tls'                       =>  0,
    # SSL Version to provide to Net::SSLeay *if* using SSL
    'ssl_version'               =>  3,
    # What other args should I pass to Net::LDAP->new($host,@args)?
    'net_ldap_args'             => [    version =>  3   ],
    # Does authentication depend on group membership? What group name?
    'group'                     =>  'staff',
    # What is the attribute for the group object that determines membership?
    'group_attr'                =>  'ou=group,dc=ucsc,dc=edu',
    ## RT ATTRIBUTE MATCHING SECTION
    # The list of RT attributes that uniquely identify a user
    # This example shows what you *can* specify.. I recommend reducing this
    # to just the Name and EmailAddress to save encountering problems later.
    'attr_match_list'           => [    'Name',
                                        'EmailAddress',
                                    ],
    # The mapping of RT attributes on to LDAP attributes
    'attr_map'                  =>  {   'Name' => 'uid',
                                        'EmailAddress' => 'mail',
                                        'RealName' => 'cn',
                                        'ExternalAuthId' => 'uid',
                                        'Gecos' => 'gecos',
                                        'WorkPhone' => 'telephoneNumber',
                                    }
},
# An example SSO cookie service
'My_SSO_Cookie'  => {
    # The type of service (db/ldap/cookie)
    'type'                      =>  'cookie',
    # The name of the cookie to be used
    'name'                      =>  'loginCookieValue',
    # The users table
    'u_table'                   =>  'users',
    # The username field in the users table
    'u_field'                   =>  'username',
    # The field in the users table that uniquely identifies a user
    # and also exists in the cookies table
    'u_match_key'               =>  'userID',
    # The cookies table
    'c_table'                   =>  'login_cookie',
    # The field that stores cookie values
    'c_field'                   =>  'loginCookieValue',
    # The field in the cookies table that uniquely identifies a user
    # and also exists in the users table
    'c_match_key'               =>  'loginCookieUserID',
    # The DB service in this configuration to use to lookup the cookie information
    'db_service_name'           =>  'My_MySQL'
}

}

);

1;

Any help would be appreciated. Thanks.

Wes
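The bind failure above is reported as LDAP_INVALID_DN_SYNTAX (result code 34), which is the server rejecting a string that was supposed to be a distinguished name. The following script is an added example, not part of the post, RT, or RT-Authen-ExternalAuth: it applies the RFC 4514 DN grammar to the settings of an ExternalAuth LDAP block that the module hands to the server as DNs (`user` as the bind DN, `base` as the search base, and `group`, which I understand the module's LDAP code uses as the search base of the membership lookup), and checks that `group_attr` is an attribute type name rather than a DN. It runs offline with only the standard library, so the syntax of each value can be confirmed before looking at the server side. The `POSTED_LDAP_SERVICE` dictionary reproduces the DN-bearing values from the configuration above, with the password omitted.

```python
"""Offline RFC 4514 syntax check for the DN-valued settings of an
RT-Authen-ExternalAuth LDAP service block.

Added example; not code from RT or RT-Authen-ExternalAuth. Standard library only.
The grammar is applied strictly (no whitespace around '=' or ','), as a server
that returns LDAP_INVALID_DN_SYNTAX would apply it.
"""
import re

# attributeType: a descriptor (keystring) or a dotted numeric OID
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)$')
_HEX = set('0123456789abcdefABCDEF')
# Characters that may appear in a string-form value only when escaped with '\'
_NEEDS_ESCAPE = set('",+;<>\\\x00')
# Characters that may be escaped although they are also legal unescaped (mostly)
_ALSO_ESCAPABLE = {' ', '#', '='}


def _split_unescaped(text, sep):
    """Split text on sep, skipping separators that are backslash-escaped."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == '\\':
            i += 2          # skip the escape and whatever follows it
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


def _value_error(value):
    """Return None if value is a valid attributeValue, else the reason."""
    if value.startswith('#'):           # hexstring form: '#' then hex pairs
        hexpart = value[1:]
        if not hexpart or len(hexpart) % 2 or not set(hexpart) <= _HEX:
            return 'malformed hexstring value'
        return None
    i, last = 0, len(value) - 1
    while i < len(value):
        ch = value[i]
        if ch == '\\':
            nxt = value[i + 1:i + 2]    # '' at end of string
            if nxt in _NEEDS_ESCAPE or nxt in _ALSO_ESCAPABLE:
                i += 2
            elif nxt in _HEX and value[i + 2:i + 3] in _HEX:
                i += 3                  # \XX hex-pair escape
            else:
                return 'bad escape sequence at offset %d' % i
            continue
        if ch in _NEEDS_ESCAPE:
            return 'unescaped %r at offset %d' % (ch, i)
        if ch == ' ' and i in (0, last):
            return 'unescaped leading/trailing space'
        i += 1
    return None


def dn_error(dn):
    """Return None if dn is a syntactically valid RFC 4514 DN, else the reason."""
    if dn == '':
        return None                     # the empty DN (root DSE) is legal
    for rdn in _split_unescaped(dn, ','):
        if rdn == '':
            return 'empty RDN (doubled or trailing comma)'
        for atav in _split_unescaped(rdn, '+'):
            atype, eq, value = atav.partition('=')
            if not eq:
                return 'component %r has no "=": not a DN' % atav
            if not _ATTR_TYPE.match(atype):
                return 'bad attribute type %r' % atype
            err = _value_error(value)
            if err:
                return 'in %r: %s' % (atav, err)
    return None


def check_ldap_service(cfg):
    """Check the settings handed to the server as DNs or as an attribute name.

    Returns {setting: None} for a clean value, {setting: reason} otherwise.
    Assumption: 'group' is used as a search base (a DN) and 'group_attr' is
    the membership attribute's name.
    """
    findings = {}
    for key in ('user', 'base', 'group'):
        if key in cfg:
            findings[key] = dn_error(cfg[key])
    if 'group_attr' in cfg:
        findings['group_attr'] = (None if _ATTR_TYPE.match(cfg['group_attr'])
                                  else 'not an attribute type name')
    return findings


# DN-bearing values from the posted My_LDAP block (password omitted).
POSTED_LDAP_SERVICE = {
    'user':       'cn=admin,dc=ucsc,dc=edu',
    'base':       'ou=people,dc=ucsc,dc=edu',
    'group':      'staff',
    'group_attr': 'ou=group,dc=ucsc,dc=edu',
}

if __name__ == '__main__':
    for setting, problem in check_ldap_service(POSTED_LDAP_SERVICE).items():
        print('%-10s %s' % (setting, problem or 'OK'))
```

Run against the posted block, the bind DN and search base pass, so the checker points away from those two values and toward anything else the server is asked to parse as a DN; it also flags the two group settings, whose values appear to be the other way round for the types assumed here. A value that wrapped onto a second line when the file was edited would likewise be caught by the unescaped-space and empty-RDN checks.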