ExternalAuth+LDAP questions/oddities

Hi!

I have the following setup: Two machines, web.vm and db.vm (both Ubuntu
9.10), where web.vm hosts a newly installed rt-3.8.4 (from the Ubuntu
repositories) and db.vm an OpenLDAP server. I have installed the
ExternalAuth plugin (using cpan) as described on
http://wiki.bestpractical.com/view/ExternalAuth but it doesn’t really
work out.

I’ll list the config file RT_SiteConfig.pm, then the problems:

# This file was generated by running "update-rt-siteconfig".
#
# While local modifications will not be overwritten without permission,
# it is recommended that they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
#
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.

# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# dynamically find out the current timezone
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# start /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, [ 'My_LDAP' ]);

Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'db.vm',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        #'user' => 'rt_ldap_username',
        # The password RT should use to connect to the LDAP server
        #'pass' => 'rt_ldap_password',
        # The LDAP search base
        'base' => 'dc=vm',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=person)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            #'Organization'  => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'uid',
            'Gecos'          => 'uid',
            #'WorkPhone'     => 'telephoneNumber',
            #'Address1'      => 'streetAddress',
            #'City'          => 'l',
            #'State'         => 'st',
            #'Zip'           => 'postalCode',
            #'Country'       => 'co'
        }
    }
}
);

1;

# end /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth

# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# THE BASICS:

Set($rtname, '***');
Set($Organization, 'web.vm');

Set($CorrespondAddress , 'rt@web.vm');
Set($CommentAddress , 'rt-comment@web.vm');

# THE WEBSERVER:

Set($WebPath , "/rt");
Set($WebBaseURL , "http://web.vm");

# LOGGING

Set($LogToFile , 'debug');

# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common

# THE DATABASE:

# generated by dbconfig-common

# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{pgsql} || "UNKNOWN");

Set($DatabaseHost, 'db.vm');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , '****');

# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rt';
if ( "pgsql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}

# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common

1;

The format of an LDAP user entry is as follows:

dn: uid=pfeiffer,ou=team,dc=vm
givenName: Tobias
sn: Pfeiffer
mail: pfeiffer@***
uid: pfeiffer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Tobias Pfeiffer
[…]

I can login fine using the root account. Now if I try to login using the
account “pfeiffer” and my LDAP password, the logfile lists only:

[Tue Dec 22 14:04:22 2009] [error]: FAILED LOGIN for pfeiffer from
192.168.122.1 (/usr/share/request-tracker3.8/html/autohandler:268)

  1. The “debug” log setting seems to have no effect here. (In general,
    e.g. while adding a new ticket, it works, however.)

  2. I guess that the listed file “…/html/autohandler” isn’t the correct
    one if ExternalAuth is used.

  3. The web interface lists RT::Authen::ExternalAuth as a loaded plugin.

  4. How exactly does ExternalAuth determine the DN to bind with from the
    given username? Should I login with my eMail address? The whole DN?

Maybe I’m missing something trivial… does anyone see anything that’s
missing? I’ve read through a number of posts where LDAP auth didn’t work
either, but at least they had the debug messages… maybe the answer to
why I can’t see them would be great already.

Thanks for your help,
Tobias

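On question 4 above: the plugin's LDAP service expects neither an e-mail address nor a DN. It searches under base with filter ANDed with (attribute=typed name), where the attribute is the one attr_map maps Name to, so with this config the login name is the uid. It then binds as the DN of the single entry found, using the password typed into RT, and separately refuses entries that match d_filter. The Python below is an added example, not RT's or the plugin's code: it models that search-then-bind flow against a constructed in-memory directory (db.vm is never contacted; the entries, passwords and mail addresses are made up) and includes the RFC 4515 escaping a login name needs before it is placed in a filter.

```python
"""Added example (not RT's or the plugin's code): models how the ExternalAuth
LDAP service resolves a login name to a DN and then binds as that DN.
The directory below is constructed in memory; db.vm is never contacted."""
import re

# Keys taken from the My_LDAP block in the thread (only those this model uses).
MY_LDAP = {
    "base": "dc=vm",
    "filter": "(objectClass=person)",       # must match every RT user
    "d_filter": "(objectClass=FooBarBaz)",  # catch-none: nobody is disabled
    "attr_map": {"Name": "uid", "EmailAddress": "mail", "RealName": "cn"},
}

# Constructed stand-in for the OpenLDAP tree on db.vm, shaped like the LDIF in
# the thread. Passwords live here only so the toy bind can verify them.
DIRECTORY = {
    "uid=pfeiffer,ou=team,dc=vm": {
        "attrs": {"uid": ["pfeiffer"], "mail": ["pfeiffer@example.invalid"],
                  "cn": ["Tobias Pfeiffer"],
                  "objectClass": ["inetOrgPerson", "top", "person", "organizationalPerson"]},
        "password": "correct horse battery"},
    "uid=mueller,ou=team,dc=vm": {
        "attrs": {"uid": ["mueller"], "objectClass": ["person", "top"]},
        "password": "another secret"},
    # Same uid under another suffix: outside 'base', so it must never be considered.
    "uid=pfeiffer,ou=team,dc=other": {
        "attrs": {"uid": ["pfeiffer"], "objectClass": ["person", "top"]},
        "password": "not the same person"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _split_items(text):
    # Split '(a=1)(b=2)' into its top-level parenthesised items.
    items, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(text[start:i + 1])
    return items

def parse_filter(text):
    """Parse the RFC 4515 subset seen in ExternalAuth configs: =, *, &, |, !."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        return (body[0], [parse_filter(p) for p in _split_items(body[1:])])
    if body[:1] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep or not attr:
        raise ValueError("unsupported filter item: %r" % text)
    return ("=", attr, value)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry (names and values compared case-insensitively)."""
    if node[0] == "=":
        _, attr, value = node
        vals = [v for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
        if value == "*":  # presence test, e.g. (objectClass=*)
            return bool(vals)
        want = unescape_filter_value(value).lower()
        return any(v.lower() == want for v in vals)
    results = [matches(child, attrs) for child in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def ldap_search(directory, base, filter_text):
    """DNs at or below 'base' whose attributes satisfy the filter."""
    tree, base = parse_filter(filter_text), base.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(tree, entry["attrs"])]

def ldap_bind(directory, dn, password):
    """Simple bind. An empty password is refused up front: a real server may treat
    it as an RFC 4513 unauthenticated bind, which succeeds without proving anything."""
    entry = directory.get(dn)
    return bool(password) and entry is not None and entry["password"] == password

def get_auth(directory, settings, username, password):
    """Search-then-bind as the plugin does: the typed name is matched against the
    attribute attr_map maps 'Name' to (uid here). Returns (True, dn) or (False, why)."""
    name_attr = settings["attr_map"]["Name"]
    search = "(&%s(%s=%s))" % (settings["filter"], name_attr, escape_filter_value(username))
    found = ldap_search(directory, settings["base"], search)
    if len(found) != 1:
        return False, "expected exactly one entry for %r, found %d" % (username, len(found))
    dn = found[0]
    if matches(parse_filter(settings["d_filter"]), directory[dn]["attrs"]):
        return False, "%s matches d_filter (disabled)" % dn
    if not ldap_bind(directory, dn, password):
        return False, "bind as %s failed" % dn
    return True, dn
```

Calling get_auth(DIRECTORY, MY_LDAP, "pfeiffer", "correct horse battery") returns the DN; a wrong or empty password, an unknown name, a name matching two entries, or an entry caught by d_filter each returns a distinct reason. Those reasons are exactly what the plugin's debug lines report in a working install, which is why a bare FAILED LOGIN line, as in this thread, is a sign the plugin never ran rather than that LDAP rejected the user.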

Hi again,

this ExternalAuth thing still doesn’t really work for me. I’ll try to
shorten my mail and hope anyone can help me.

  1. I installed rt-3.8.4 via Ubuntu (9.10) repositories.

  2. I installed RT::Authen::ExternalAuth via:
    export PERL5LIB=/usr/share/request-tracker3.8/lib
    cpan -i RT::Authen::ExternalAuth

  3. I added
    Set( @Plugins, qw(RT::Authen::ExternalAuth) );
    Set($LogToFile , ‘debug’);
    (and other options; see my previous mail) to the RT_SiteConfig.pm.

  4. The web interface lists
    RT::Authen::ExternalAuth v0.08;
    as a loaded plugin and (among others, of course) the following options:
    ExternalAuthPriority: My_LDAP
    ExternalInfoPriority:My_LDAP
    ExternalSettings: My_LDAP, HASH(0xb44e3460)
    Plugins: RT::Authen::ExternalAuth

  5. When logging in to the web interface with a user other than root, I
    just get
    [error]: FAILED LOGIN for pfeiffer from 192.168.122.1
    (/usr/share/request-tracker3.8/html/autohandler:268)
    in the log file.

As someone told me on IRC, “if RT-Authen-ExternalAuth is enabled, it
will be very chatty”, so I’m afraid that this isn’t really "activated"
at all. Is there anything I could have done wrong (e.g. not setting the
correct PERL5LIB variable somewhere), or is there some way I could check
whether that plugin is ever used?

Thanks for your help,
Tobias


my test machine has rt installed on debian via apt-get (and should be the same on ubuntu) and it looks like you are missing this line
require "/usr/local/share/request-tracker3.8/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";

you will also need to edit that file for your configuration. restart apache and give it another try.

From: rt-users-bounces@lists.bestpractical.com [rt-users-bounces@lists.bestpractical.com] On Behalf Of Tobias G. Pfeiffer [tgpfeiffer@web.de]
Sent: Monday, December 28, 2009 5:49 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth+LDAP questions/oddities


Hi!

my test machine has rt installed on debian via apt-get (and should be
the same on ubuntu) and it looks like you are missing this line
require "/usr/local/share/request-tracker3.8/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";

I had the configuration options defined in that file already copied to
my global RT_SiteConfig.pm, so that shouldn’t be the problem.

But still, I can’t see what I’m doing wrong. Now I removed the Ubuntu
packages and installed RT v3.8.7 by hand:
$ sudo ./configure …
$ sudo make fixdeps
$ sudo make install
results in a working installation in /opt/rt3.

$ sudo cpan -if RT::Authen::ExternalAuth
installs the ExternalAuth v0.08 plugin to
/opt/rt3/local/plugins/RT-Authen-ExternalAuth. I added only
require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
to my (working) RT_SiteConfig.pm.

Of course this can’t work, as the ExternalAuth config file isn’t edited
yet, but at least I would expect some debug messages now. Everyone else
experiencing problems with ExternalAuth posts messages like

[Fri Jun 26 20:29:58 2009] [debug]: Attempting to use external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

but all I get is:

[Tue Dec 29 12:53:39 2009] [error]: FAILED LOGIN for *** from
192.168.122.1 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

Do I need to set any other options for “use plugins” or “try other
authentication methods” or so?

Thanks for your help,
Tobias

Tomorrow will be cancelled due to lack of interest.


Hi!

On Thursday, 31 December 2009, at 11:48, Tobias G. Pfeiffer wrote:

Do I need to set any other options for “use plugins” or “try other
authentication methods” or so?

I solved the problem: The CPAN installation of the ExternalAuth plugin
set the directory permissions wrong, i.e. apache couldn’t access the
plugin’s “html” subfolder. LDAP auth is working fine now :)

Bye
Tobias

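The root cause in this last message, a CPAN install under sudo leaving the plugin tree with permissions the web server's user cannot use, is cheap to check before restarting Apache, and it is invisible in RT's own log because the plugin is simply never loaded. The Python below is an added example, not RT's code: it walks every component of a path such as /opt/rt3/local/plugins/RT-Authen-ExternalAuth/html and reports those a given uid/gid could not traverse or read, judged from the mode bits so it can be run as root without switching user. The uid 33 for www-data is an assumption for Debian/Ubuntu (check /etc/passwd), and the directory tree demo() builds is constructed in a temp dir to reproduce the failure.

```python
"""Added example (not RT's code): find which components of a path the web
server's identity cannot traverse or read, judged from the mode bits alone.
This is the failure in the thread: a CPAN run under sudo left the plugin's
html directory unreadable for apache, and RT logged only FAILED LOGIN."""
import os
import shutil
import stat
import tempfile

WWW_UID, WWW_GIDS = 33, (33,)  # www-data on Debian/Ubuntu (assumed; verify in /etc/passwd)

def effective_bits(st, uid, gids):
    """The rwx bits that apply to a process with this uid/gids (POSIX owner/group/other)."""
    if uid == 0:
        return 7  # root is exempt from directory search and read checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def unreadable_components(path, uid, gids):
    """Return [(component, problem)] for the given identity. Every directory on
    the way needs the search (x) bit; the final element needs read (r) as well,
    since the web server must list and read the plugin's files."""
    path = os.path.abspath(path)
    prefixes, acc = [], ""
    for part in path.strip(os.sep).split(os.sep):
        acc = acc + os.sep + part if part else os.sep
        prefixes.append(acc)
    problems = []
    for p in prefixes:
        try:
            st = os.stat(p)
        except OSError as e:
            problems.append((p, "cannot stat: %s" % e.strerror))
            break
        bits = effective_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not bits & 1:
            problems.append((p, "no search (x) bit for uid %d" % uid))
        if p == path and not bits & 4:
            problems.append((p, "no read (r) bit for uid %d" % uid))
    return problems

def demo(uid=WWW_UID, gids=WWW_GIDS):
    """Constructed reproduction: a plugin tree whose html directory is 0700 and
    owned by the installing user. Returns the problems before and after chmod 755,
    restricted to the constructed tree so the caller's TMPDIR permissions do not leak in."""
    root = tempfile.mkdtemp()
    html = os.path.join(root, "plugins", "RT-Authen-ExternalAuth", "html")
    os.makedirs(html)
    for d in (root, os.path.dirname(os.path.dirname(html)), os.path.dirname(html)):
        os.chmod(d, 0o755)
    os.chmod(html, 0o700)  # what a umask-077 install under sudo leaves behind (constructed)
    try:
        before = [x for x in unreadable_components(html, uid, gids) if x[0].startswith(root)]
        os.chmod(html, 0o755)
        after = [x for x in unreadable_components(html, uid, gids) if x[0].startswith(root)]
    finally:
        shutil.rmtree(root)
    return before, after

if __name__ == "__main__":
    target = "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html"  # path from the thread
    for component, problem in unreadable_components(target, WWW_UID, WWW_GIDS):
        print(component, "-", problem)
```

The check deliberately reasons from st_mode instead of calling os.access, so it reports what www-data would see even when run as root or as the installing user; ACLs and mount options (noexec, SELinux labels) are outside what it inspects.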