Hi!
I have the following setup: Two machines, web.vm and db.vm (both Ubuntu
9.10), where web.vm hosts a newly installed rt-3.8.4 (from the Ubuntu
repositories) and db.vm an OpenLDAP server. I have installed the
ExternalAuth plugin (using cpan) as described on
ExternalAuth - Request Tracker Wiki but it doesn’t really
work out.
I’ll list the config file RT_SiteConfig.pm, then the problems:
This file was generated by running “update-rt-siteconfig”.
While local modifications will not be overwritten without permission,
it is recommended the they are instead placed in
/etc/request-tracker3.8/RT_SiteConfig.d
Note that modifications to the RT_SiteConfig.d directory won’t
take effect until the update command mentioned above is run again.
start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
dynamically find out the current timezone
my $zone = “UTC”;
$zone=/bin/cat /etc/timezone
if -f “/etc/timezone”;
chomp $zone;
Set($Timezone, $zone);
end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
start /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ ‘My_LDAP’ ]);
Set($ExternalInfoPriority, [ ‘My_LDAP’ ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
‘My_LDAP’ => {
## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
‘server’ => ‘db.vm’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them
here:
# The username RT should use to connect to the LDAP server
#‘user’ => ‘rt_ldap_username’,
# The password RT should use to connect to the LDAP server
#‘pass’ => ‘rt_ldap_password’,
# The LDAP search base
‘base’ => ‘dc=vm’,
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU MUST SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
‘filter’ => ‘(objectClass=person)’,
# A catch-all example filter: ‘(objectClass=*)’
# The filter that will only match disabled users
‘d_filter’ => ‘(objectClass=FooBarBaz)’,
# A catch-none example d_filter: ‘(objectClass=FooBarBaz)’
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# SSL Version to provide to Net::SSLeay if using SSL
‘ssl_version’ => 3,
# What other args should I pass to Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3 ],
# Does authentication depend on group membership? What group name?
#‘group’ => ‘GROUP_NAME’,
# What is the attribute for the group object that determines
membership?
#‘group_attr’ => ‘GROUP_ATTR’,
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you can specify… I recommend reducing
this
# to just the Name and EmailAddress to save encountering problems
later.
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’
],
# The mapping of RT attributes on to LDAP attributes
‘attr_map’ =>
{ ‘Name’ => ‘uid’,
‘EmailAddress’ => ‘mail’,
#‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘uid’,
‘Gecos’ => ‘uid’,
#‘WorkPhone’ => ‘telephoneNumber’,
#‘Address1’ => ‘streetAddress’,
#‘City’ => ‘l’,
#‘State’ => ‘st’,
#‘Zip’ => ‘postalCode’,
#‘Country’ => ‘co’
}
}
}
);
1;
end /etc/request-tracker3.8/RT_SiteConfig.d/41-external-auth
start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
THE BASICS:
Set($rtname, ‘***’);
Set($Organization, ‘web.vm’);
Set($CorrespondAddress , ‘rt@web.vm’);
Set($CommentAddress , ‘rt-comment@web.vm’);
THE WEBSERVER:
Set($WebPath , “/rt”);
Set($WebBaseURL , “http://web.vm”);
LOGGING
Set($LogToFile , ‘debug’);
end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
THE DATABASE:
generated by dbconfig-common
map from dbconfig-common database types to their names as known by RT
my %typemap = (
mysql => ‘mysql’,
pgsql => ‘Pg’,
sqlite3 => ‘SQLite’,
);
Set($DatabaseType, $typemap{pgsql} || “UNKNOWN”);
Set($DatabaseHost, ‘db.vm’);
Set($DatabasePort, ‘’);
Set($DatabaseUser , ‘rtuser’);
Set($DatabasePassword , ‘****’);
SQLite needs a special case, since $DatabaseName must be a full
pathname
my $dbc_dbname = ‘rt’; if ( “pgsql” eq “sqlite3” ) { Set ($DatabaseName,
‘’ . ‘/’ . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
1;
The format of an LDAP user entry is as follows:
dn: uid=pfeiffer,ou=team,dc=vm
givenName: Tobias
sn: Pfeiffer
mail: pfeiffer@***
uid: pfeiffer
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Tobias Pfeiffer
[…]
I can login fine using the root account. Now if I try to login using the
account “pfeiffer” and my LDAP password, the logfile lists only:
[Tue Dec 22 14:04:22 2009] [error]: FAILED LOGIN for pfeiffer from
192.168.122.1 (/usr/share/request-tracker3.8/html/autohandler:268)
-
The “debug” log setting seems to have no effect here. (In general,
e.g. while adding a new ticket, it works, however.) -
I guess that the listed file “…/html/autohandler” isn’t the correct
one if ExternalAuth is used. -
The web interface lists RT::Authen::ExternalAuth as a loaded plugin.
-
How exactly does ExternalAuth determine the DN to bind with from the
given username? Should I login with my eMail address? The whole DN?
Maybe I’m missing something trivial… does anyone see anything that’s
missing? I’ve read through a number of posts where LDAP auth didn’t work
either, but at least they had the debug messages… maybe the answer to
why I can’t see them would be great already.
Thanks for your help,
Tobias
signature.asc (197 Bytes)
