ExternalAuth - loading fine but isn't authenticating to LDAP

Hi everyone,

Where do I start debugging my setup??

I have CentOS 5.5, RT 3.8.8, ExternalAuth 0.8 attempting to connect to an
Active Directory LDAP.

Everything loads fine (I get no errors from my config files). I’ve loaded
the ExternalAuth plugin, but when I attempt to log in to the UI with an LDAP
user, I get an invalid user/pass. The only error/logging I can find
anywhere is in syslog and that just tells me the same thing…

I’m connecting to an Active Directory server, and with some
googling/rt-users searching I found the following settings to use.

'filter'   => '(objectCategory=User)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

I’ve left group and group_attr blank (is that allowed?) as I want all users
found under my base DN to be able to use RT.

In the attr_match_list I have name and email address only.
In attr_map I have the sAMAccountName, mail and cn mapped to their respective
places in RT.

I’ve tested the user/pass I’m using (our LDAP is set up to not allow anonymous
binds unfortunately, so I have to use an account to bind).

I can’t seem to find where ExternalAuth would toss an error out for me to
read if it’s failing because of the arguments I’ve set…

Any help would be appreciated.
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca

Mike,

First off, check to see how you’ve set $WebExternalAuto. I’m not sure how
that would affect LDAP if it was turned on.

Second, I’ll assume you’ve set your “Plugins” appropriately to include
“RT::Authen::ExternalAuth”.

Thirdly, you have to make sure certain LDAP parameters are consistent (i.e.
if you’re using TLS, etc.).

Below is what we use for our list of parameters:

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings,
    {
        'My_LDAP' => {
            'type'            => 'ldap',
            'server'          => 'ldap.lbl.gov',
            'user'            => '',
            'pass'            => '',
            'base'            => 'ou=People,o=name of our company,c=US',
            'filter'          => '(&(status that equals active)(|(dicision code)))',
            'd_filter'        => '(!(|(lblEmpStat=Staff)(lblEmpStat=Guest)))',
            'tls'             => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'uid' ],
            'attr_map'        => {
                'Name'           => 'uid',
                'EmailAddress'   => 'mail',
                'Organization'   => 'o',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos'          => 'uid',
                'WorkPhone'      => 'telephonenumber',
                'Address1'       => 'lblmailstop',
                'Address2'       => 'postaladdress',
            },
        },
    }
);
1;

I don’t think the attr_map would affect this, but your match list could.

Anyway, check it all out cause if there are any inconsistencies (like TLS
being used and on), it will fail.

Hope this helps.

Kenn
LBNL

On Thu, Jul 22, 2010 at 6:59 AM, Mike Johnson mike.johnson@nosm.ca wrote:

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Hi Haris,

No go yet.

Kenneth did send some info for me to check out, perhaps it may help you…

On Thu, Jul 22, 2010 at 7:23 PM, M.F.Haris mfharis@gmail.com wrote:

hi Mike,
I am also facing the same problem and I have checked my configuration over
and over, also compared with some available on the internet.
In my case I didn’t enter any attribute with a blank value like the ‘group’
attribute in your case, but the rest of the things are similar to what I have
entered.

I get a message 'Failed to Login with user (myuser) … '

Do you get the same error message? Please share your experience if you are
able to solve this crap.

thanks
Haris

On Thu, Jul 22, 2010 at 3:59 PM, Mike Johnson mike.johnson@nosm.ca wrote:

I found another guide that outlines how to setup ExternalAuth for AD on the
wiki

http://wiki.bestpractical.com/view/CentOS5InstallPlusSome

Others following this thread might find it useful…

I did learn that you’re looking for the full cn/ou path for your user, not
just a username…(I forgot that’s how LDAP finds users)…

Haris you might want to check that in your config… didn’t help me shrug
but might help you.

Thanks!
Mike.

On Fri, Jul 23, 2010 at 9:18 AM, Mike Johnson mike.johnson@nosm.ca wrote:

So,

After a few days of searching and testing, I’ve come to the conclusion that
RT simply isn’t sending anything to our LDAP server to authenticate…

RT is still using RT’s regular authentication method.

Can anyone tell me what’s wrong with my setup? RT doesn’t complain when I
boot it up, yet ExternalAuth will not even attempt to authenticate to my
LDAP when I try to login.

I’ve used SoftTerra’s LDAP browser to ensure the “service rt” account (account name
is svc_rt) can bind to the LDAP, and I even gave it update rights during
troubleshooting… this is also how I figured out that RT isn’t binding:
only the LDAP browser connections are showing up in the Event log.

I’ve also verified that my RT box can hit the LDAP port (by “telnet to
myad.mydomain.local 389”)…

I’m lost on where to go next…

Here are all the LDAP/ExternalAuth related settings in my config…

LDAP SETTINGS

Set($ExternalAuthPriority, ['NOSMLDAP']);
Set($ExternalInfoPriority, ['NOSMLDAP']);
Set($ExternalServiceUSersSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);
Set($WebExternalAuto, 1);
Set($AutoCreate, { Priviledged => 1 });
Set($ExternalSettings, {
    'NOSMLDAP' => {
        'type'            => 'ldap',
        'server'          => '',
        'user'            => 'cn=service rt,ou=Users,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',
        'pass'            => '',
        'base'            => 'dc=nosm,dc=local',
        'filter'          => '(&(objectCategory=User)(ObjectClass=Person))',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'cn=Staff,ou=Groups,ou=Northern Ontario School of Medicine,dc=nosm,dc=local',
        'group_attr'      => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});
Set(@Plugins, qw(RT::Authen::ExternalAuth));

As I indicated before

CentOS 5.5
RT3.8.8
ExternalAuth 0.8
LDAP = Windows 2003 AD
Help would be much appreciated.

Thanks!
Mike.

On Fri, Jul 23, 2010 at 10:03 AM, Mike Johnson mike.johnson@nosm.ca wrote:

Ok, so I turned on RT logging and surprise!!! Apparently it is touching our
LDAP, even though AD doesn’t log it by default (stupid AD).

Now I’m seeing a few things in the debug level logging…

First thing that really stands out is …

[error]: Couldn’t create user mjohnson: Could not create user
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Something is preventing the user from being created… based on the INSERT
language I see, it looks like RTFM doesn’t work with 3.8.8??? I dunno, it’s
trying to use a field called Priviledged in the User table… which doesn’t
exist?

I’m not sure if I’m on the right track, but it would be nice if anyone who has
experienced this or has any thoughts could let me know!
Mike.

On Mon, Jul 26, 2010 at 2:19 PM, Mike Johnson mike.johnson@nosm.ca wrote:

Something is preventing the user from being created… based on the INSERT language I see, it
looks like RTFM doesn’t work with 3.8.8??? I dunno, it’s trying to use a field called
Priviledged in the User table… which doesn’t exist?

Please provide the actual failing code you’re seeing.
Privileged is a user attribute stored in a different table.
Why do you believe that RTFM is causing conflicts with this?

-kevin
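Kevin's point about the field name, together with the consistency checks Kenn asked Mike to make against the settings Mike posted earlier in the thread, can be verified offline before touching the directory. The script below is an added example, not code from RT or from RT::Authen::ExternalAuth. It re-expresses Mike's posted settings as a Python dict (constructed; blanks left blank as he posted them) and lints them for a setting name RT does not know (his $ExternalServiceUSersSSLorTLS against the $ExternalServiceUsesSSLorTLS in Kenn's config), an $AutoCreate key that is not an RT user field, empty connection values, match-list entries with no mapping, a group/group_attr pair set on only one side, and a bind with neither SSL nor TLS, which sends the service account's password and every user's password across the network in the clear. It also composes the per-user lookup filter in the form the plugin's debug log shows (the configured filter AND'ed with the Name attribute) and evaluates the d_filter's bitwise matching rule locally. The sets of known setting names and user fields are partial (only names that appear in this thread), the RFC 4515 escaping of the username is my addition rather than something I have confirmed the plugin does, and nothing here contacts a server, so a clean result says nothing about whether the directory accepts the bind.

```python
"""Offline sanity checks for an RT::Authen::ExternalAuth LDAP configuration.

Added example, not RT's or the plugin's code. The config dict below is a
constructed re-expression of the Perl settings posted in this thread.
"""
import difflib

# Setting names that appear in this thread (RT_SiteConfig.pm names without
# the leading sigil). Deliberately partial: only what the thread uses.
KNOWN_GLOBALS = {
    "ExternalAuthPriority", "ExternalInfoPriority",
    "ExternalServiceUsesSSLorTLS", "AutoCreateNonExternalUsers",
    "WebExternalAuto", "AutoCreate", "ExternalSettings", "Plugins",
}
# RT user-record fields seen in this thread (attr_map keys and the
# CanonicalizeUserInfo output); also partial.
RT_USER_FIELDS = {
    "Name", "EmailAddress", "RealName", "ExternalAuthId", "Gecos", "Disabled",
    "Privileged", "Organization", "WorkPhone", "Address1", "Address2",
}
ACCOUNTDISABLE = 0x2  # userAccountControl bit the d_filter tests

# Constructed: the posted config, blanks kept blank as posted.
MIKE_CONFIG = {
    "ExternalAuthPriority": ["NOSMLDAP"],
    "ExternalInfoPriority": ["NOSMLDAP"],
    "ExternalServiceUSersSSLorTLS": 0,      # spelled as in the thread
    "AutoCreateNonExternalUsers": 1,
    "WebExternalAuto": 1,
    "AutoCreate": {"Priviledged": 1},       # spelled as in the thread
    "Plugins": ["RT::Authen::ExternalAuth"],
    "ExternalSettings": {
        "NOSMLDAP": {
            "type": "ldap",
            "server": "",
            "user": "cn=service rt,ou=Users,ou=Northern Ontario School of Medicine,dc=nosm,dc=local",
            "pass": "",
            "base": "dc=nosm,dc=local",
            "filter": "(&(objectCategory=User)(ObjectClass=Person))",
            "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
            "tls": 0,
            "ssl_version": 3,
            "net_ldap_args": ["version", 3],
            "group": "cn=Staff,ou=Groups,ou=Northern Ontario School of Medicine,dc=nosm,dc=local",
            "group_attr": "member",
            "attr_match_list": ["Name", "EmailAddress"],
            "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail",
                         "RealName": "cn", "ExternalAuthId": "sAMAccountName"},
        },
    },
}


def _suggest(name, candidates):
    """Offer the closest known name for a probable misspelling."""
    close = difflib.get_close_matches(name, sorted(candidates), n=1, cutoff=0.8)
    return f" (did you mean {close[0]}?)" if close else ""


def lint(config):
    """Return human-readable findings for the config; an empty list means clean."""
    findings = []
    for name in config:
        if name not in KNOWN_GLOBALS:
            findings.append(f"unknown setting ${name}{_suggest(name, KNOWN_GLOBALS)}")
    for field, value in config.get("AutoCreate", {}).items():
        if field not in RT_USER_FIELDS:
            findings.append(f"AutoCreate field {field} is not an RT user field"
                            f"{_suggest(field, RT_USER_FIELDS)}")
        elif field == "Privileged" and value:
            findings.append("AutoCreate makes every auto-created LDAP user Privileged; review")
    ssl = bool(config.get("ExternalServiceUsesSSLorTLS", 0))
    for svc_name, svc in config.get("ExternalSettings", {}).items():
        for key in ("server", "user", "pass", "base", "filter"):
            if not svc.get(key):
                findings.append(f"{svc_name}: '{key}' is empty")
        if not ssl and not svc.get("tls"):
            findings.append(f"{svc_name}: no SSL/TLS, so the bind password and "
                            "every user's password cross the network in clear text")
        amap = svc.get("attr_map", {})
        for want in svc.get("attr_match_list", []):
            if want not in amap:
                findings.append(f"{svc_name}: attr_match_list entry {want} has no attr_map entry")
        if bool(svc.get("group")) != bool(svc.get("group_attr")):
            findings.append(f"{svc_name}: 'group' and 'group_attr' must be set together")
    return findings


def ldap_escape(value):
    """RFC 4515 escaping so a typed username cannot alter the filter (my addition)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_user_filter(svc, username):
    """The lookup filter as the plugin's debug log shows it: the configured
    'filter' AND'ed with (<Name attribute>=<username>)."""
    return f"(&{svc['filter']}({svc['attr_map']['Name']}={ldap_escape(username)}))"


def is_disabled(user_account_control):
    """Local equivalent of AD matching rule 1.2.840.113556.1.4.803 (bitwise AND)
    with value 2: true when the ACCOUNTDISABLE bit is set, i.e. d_filter matches."""
    return bool(user_account_control & ACCOUNTDISABLE)


if __name__ == "__main__":
    for finding in lint(MIKE_CONFIG):
        print("-", finding)
    print(build_user_filter(MIKE_CONFIG["ExternalSettings"]["NOSMLDAP"], "testuser"))
```

Run as a script it lists the findings for the posted config and then the composed filter; the two misspellings, the blank server and password, and the plaintext bind all show up in the list, which is exactly what RT's bare "invalid user/pass" hides.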

Hi Kevin,

I’m not a Perl wiz at all, and I’m just grasping at straws trying to
troubleshoot why it isn’t working.

Here is the core of the log before the lines I posted…

[Mon Jul 26 19:52:54 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:54 2010] [debug]: Attempting to use external auth service:
NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:54 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Jul 26 19:52:54 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Jul 26 19:52:58 2010] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use external auth service:
NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Jul 26 19:52:58 2010] [debug]: Calling UserExists with $username
(testuser) and $service (NOSMLDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Jul 26 19:52:58 2010] [debug]: UserExists params:
username: testuser , service: NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local
== Filter:
(&(&(objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) ==
Attrs: cn,mail,sAMAccountName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Jul 26 19:52:58 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with:
Disabled: 0, EmailAddress: , Gecos: testuser, Name: testuser, Priviledged:
1, Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to get user info using this
external service: NOSMLDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Jul 26 19:52:58 2010] [debug]: Attempting to use this canonicalization
key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Jul 26 19:52:58 2010] [debug]: LDAP Search === Base: dc=nosm,dc=local
== Filter:
(&(&(objectCategory=User)(ObjectClass=Person))(sAMAccountName=testuser)) ==
Attrs: cn,mail,sAMAccountName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Jul 26 19:52:58 2010] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0,
EmailAddress: test.user@normed.ca, ExternalAuthId: testuser, Gecos:
testuser, Name: testuser, Priviledged: 1, Privileged: 0, RealName: Test User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown
column ‘Priviledged’ in ‘field list’ at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 509,
line 273. (/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm:509)
[Mon Jul 26 19:52:58 2010] [warning]: RT::Handle=HASH(0x2b88760b6e00)
couldn’t execute the query ‘INSERT INTO Users (Priviledged, RealName,
EmailAddress, Creator, Gecos, LastUpdatedBy, Password, Created, id, Name,
LastUpdated, ExternalAuthId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)’ at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 522

DBIx::SearchBuilder::Handle::SimpleQuery(‘RT::Handle=HASH(0x2b88760b6e00)’,
‘INSERT INTO Users (Priviledged, RealName, EmailAddress, Creat…’, 1, ‘Test
User’, ‘test.user@normed.ca’, 1, ‘testuser’, 1, ‘NO-PASSWORD’, …) called
at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm line 357

DBIx::SearchBuilder::Handle::Insert(‘RT::Handle=HASH(0x2b88760b6e00)’,
‘Users’, ‘Priviledged’, 1, ‘RealName’, ‘Test User’, ‘EmailAddress’,
‘test.user@normed.ca’, ‘Creator’, …) called at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle/mysql.pm line 36

DBIx::SearchBuilder::Handle::mysql::Insert(‘RT::Handle=HASH(0x2b88760b6e00)’,
‘Users’, ‘Priviledged’, 1, ‘RealName’, ‘Test User’, ‘EmailAddress’,
‘test.user@normed.ca’, ‘Creator’, …) called at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Record.pm line 1293
DBIx::SearchBuilder::Record::Create(‘RT::User=HASH(0x2b8876d75580)’,
‘Priviledged’, 1, ‘RealName’, ‘Test User’, ‘Creator’, 1, ‘EmailAddress’,
‘test.user@normed.ca’, …) called at /opt/rt3/bin/…/lib/RT/Record.pm line
289
RT::Record::Create(‘RT::User=HASH(0x2b8876d75580)’, ‘id’, 40,
‘Priviledged’, 1, ‘RealName’, ‘Test User’, ‘EmailAddress’,
‘test.user@normed.ca’, …) called at /opt/rt3/bin/…/lib/RT/User_Overlay.pm
line 195
RT::User::Create(‘RT::User=HASH(0x2b8876d75580)’, ‘Priviledged’, 1,
‘Name’, ‘testuser’, ‘Gecos’, ‘testuser’) called at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 124
RT::Authen::ExternalAuth::DoAuth(‘HASH(0x2b88754ecc70)’, ‘testuser’,
‘<>’) called at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth
line 25
HTML::Mason::Commands::ANON(‘pass’, ‘<>’, ‘user’,
‘testuser’) called at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Component.pm
line 135

HTML::Mason::Component::run(‘HTML::Mason::Component::FileBased=HASH(0x2b8875502fc0)’,
‘pass’, ‘<>’, ‘user’, ‘testuser’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1297
eval {…} called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1292
HTML::Mason::Request::comp(‘undef’, ‘undef’, ‘pass’, ‘<>’,
‘user’, ‘testuser’) called at
/opt/rt3/bin/…/lib/RT/Interface/Web/Request.pm line 180

RT::Interface::Web::Request::callback(‘RT::Interface::Web::Request=HASH(0x2b8879903140)’,
‘pass’, ‘<>’, ‘user’, ‘testuser’, ‘CallbackName’, ‘Auth’,
‘CallbackPage’, ‘/autohandler’, …) called at
/opt/rt3/bin/…/lib/RT/Interface/Web.pm line 202
RT::Interface::Web::HandleRequest(‘HASH(0x2b88755d3130)’) called at
/opt/rt3/share/html/autohandler line 53
HTML::Mason::Commands::ANON(‘pass’, ‘<>’, ‘user’,
‘testuser’) called at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Component.pm
line 135

HTML::Mason::Component::run(‘HTML::Mason::Component::FileBased=HASH(0x2b88754e9dd0)’,
‘pass’, ‘<>’, ‘user’, ‘testuser’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1297
eval {…} called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1292
HTML::Mason::Request::comp(‘undef’, ‘undef’, ‘undef’, ‘pass’,
‘<>’, ‘user’, ‘testuser’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 481
eval {…} called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 481
eval {…} called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 433

HTML::Mason::Request::exec(‘RT::Interface::Web::Request=HASH(0x2b8879903140)’)
called at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line
168

HTML::Mason::Request::ApacheHandler::exec(‘RT::Interface::Web::Request=HASH(0x2b8879903140)’)
called at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line
825

HTML::Mason::ApacheHandler::handle_request(‘HTML::Mason::ApacheHandler=HASH(0x2b8875f5ae80)’,
‘Apache2::RequestRec=SCALAR(0x2b887622f770)’) called at /opt/rt3/bin/
webmux.pl line 78
eval {…} called at /opt/rt3/bin/webmux.pl line 78
RT::Mason::handler(‘Apache2::RequestRec=SCALAR(0x2b887622f770)’)
called at -e line 0
eval {…} called at -e line 0 (/usr/lib/perl5/5.8.8/Carp.pm:272)
[Mon Jul 26 19:52:58 2010] [error]: Could not create a new user -
Priviledged-1-RealName-Test
User-EmailAddress-test.user@normed.ca-Gecos-testuser-Password-NO-PASSWORD-Name-testuser-ExternalAuthId-testuser(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:201)
[Mon Jul 26 19:52:58 2010] [error]: Couldn’t create user testuser: Could not
create user
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)

Again, I am no Perl wiz, and I’m just making guesses as to what’s wrong based
on these logs… RTFM might work with 3.8.8, I just can’t get mine to work.

Sorry if I misled in my wording.

Mike.

On Mon, Jul 26, 2010 at 4:12 PM, Kevin Falcone falcone@bestpractical.com wrote:

On Mon, Jul 26, 2010 at 04:09:01PM -0400, Mike Johnson wrote:

Something is preventing the user from being created… Based on the INSERT
language I see, it looks like RTFM doesn’t work with 3.8.8??? I dunno, it’s
trying to use a field called Priviledged in the User table… which doesn’t
exist?

Please provide the actual failing code you’re seeing.
Privileged is a user attribute stored in a different table.
Why do you believe that RTFM is causing conflicts with this?

-kevin

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca

[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: Unknown column
‘Priviledged’ in ‘field list’ at /usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm

The column is Privileged, not Priviledged. I’m going to assume you’ve
misconfigured something, possibly the AutoCreate setting.

Again, I am no Perl wiz, and I’m just making guesses as to what’s wrong based on these logs…
RTFM might work with 3.8.8, I just can’t get mine to work.

RTFM has a bug with 3.8.8, I just failed to see what it had to do with
your RT-Authen-ExternalAuth problems. You can pull a patch from the
rtfm repo or wait for 2.4.3rc1 to be released. There should be links
if you search the list archives.

-kevin
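
Kevin's pointer to the AutoCreate setting is where the misspelling lives. The stack trace in Mike's log shows RT::User::Create being called from ExternalAuth.pm with 'Priviledged', 1 among its arguments, and the resulting INSERT INTO Users carrying that key verbatim until MySQL rejects it as an unknown column; the plugin surfaces only "Could not create user". The block below is an added example for this thread, not code from RT or RT-Authen-ExternalAuth. It checks the RT field names a constructed copy of the config would hand to RT::User->Create (the keys of $AutoCreate, attr_map and attr_match_list) against the Users columns of RT 3.8 plus the virtual Privileged field, suggests the closest valid name for anything that does not match, and pulls the offending column out of a log line like the one quoted above. The column list is taken from RT 3.8's schema and is an assumption to confirm with DESCRIBE Users; the config values and log text in the block are constructed from what the thread describes.

```python
"""Check the RT field names an RT::Authen::ExternalAuth config will feed to
RT::User->Create (and from there to INSERT INTO Users) before deploying it.

Added example for this thread, not code from RT or RT-Authen-ExternalAuth.
The stack trace in the thread shows the keys of $AutoCreate reaching
RT::User::Create unchanged; attr_map and attr_match_list keys are RT field
names too, so the same check is applied to them.
"""
import difflib
import re

# Columns of the Users table in RT 3.8 (from its schema files). Assumption:
# confirm against your own instance with `DESCRIBE Users` if in doubt.
USERS_COLUMNS = frozenset([
    "id", "Name", "Password", "Comments", "Signature", "EmailAddress",
    "FreeformContactInfo", "Organization", "RealName", "NickName", "Lang",
    "EmailEncoding", "WebEncoding", "ExternalContactInfoId",
    "ContactInfoSystem", "ExternalAuthId", "AuthSystem", "Gecos",
    "HomePhone", "WorkPhone", "MobilePhone", "PagerPhone", "Address1",
    "Address2", "City", "State", "Zip", "Country", "Timezone", "PGPKey",
    "Creator", "Created", "LastUpdatedBy", "LastUpdated",
])

# Accepted by RT::User->Create although it is not a Users column: RT turns
# Privileged => 1 into membership of the Privileged group, the "different
# table" Kevin refers to. Assumption based on RT 3.8 behaviour.
VIRTUAL_CREATE_FIELDS = frozenset(["Privileged"])
VALID_CREATE_FIELDS = USERS_COLUMNS | VIRTUAL_CREATE_FIELDS

# Matches the DBD::mysql failure line from the thread's log. Straight and
# curly quotes are both accepted because list archives rewrite them.
_UNKNOWN_COLUMN = re.compile(
    "Unknown column ['\u2018]([^'\u2019]+)['\u2019] in ['\u2018]field list['\u2019]"
)


def check_field_names(names, valid=VALID_CREATE_FIELDS):
    """Map each name not in `valid` to the closest valid name, or None.

    Comparison is case-sensitive on purpose: the INSERT in the thread's log
    carries the key exactly as it was written in the config.
    """
    problems = {}
    for name in names:
        if name in valid:
            continue
        close = difflib.get_close_matches(name, valid, n=1, cutoff=0.8)
        problems[name] = close[0] if close else None
    return problems


def check_external_auth_config(auto_create, attr_map, attr_match_list):
    """Check the three config places whose keys become RT field names.

    Returns {setting: {bad_key: suggestion}}; an empty dict means clean.
    """
    report = {}
    for setting, names in (("AutoCreate", auto_create),
                           ("attr_map", attr_map),
                           ("attr_match_list", attr_match_list)):
        problems = check_field_names(names)
        if problems:
            report[setting] = problems
    return report


def unknown_column_from_log(log_text):
    """Return the column named in a DBD::mysql 'Unknown column' line, or None."""
    match = _UNKNOWN_COLUMN.search(log_text)
    return match.group(1) if match else None


def format_report(report):
    """Render a report from check_external_auth_config as one line per problem."""
    lines = []
    for setting, problems in sorted(report.items()):
        for key, suggestion in sorted(problems.items()):
            hint = f"did you mean {suggestion}?" if suggestion else "no close match"
            lines.append(f"{setting}: unknown RT field '{key}' ({hint})")
    return lines


if __name__ == "__main__":
    # Constructed config mirroring what the thread describes, including the
    # misspelled AutoCreate key that produced the failing INSERT.
    auto_create = {"Priviledged": 1}
    attr_map = {"Name": "sAMAccountName", "EmailAddress": "mail",
                "RealName": "cn", "ExternalAuthId": "sAMAccountName"}
    attr_match_list = ["Name", "EmailAddress"]
    report = check_external_auth_config(auto_create, attr_map, attr_match_list)
    for line in format_report(report):
        print(line)

    # Constructed sample log input, shaped like the warning quoted in the thread.
    log = ("[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed: "
           "Unknown column 'Priviledged' in 'field list' at "
           "/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm")
    column = unknown_column_from_log(log)
    print(column, "->", check_field_names([column]))
```

Copy the hash values from your RT_SiteConfig.pm into the three arguments; a non-empty report means the next login that auto-creates a user will fail exactly the way Mike's did. If your Users table differs from the list above, replace USERS_COLUMNS with the output of DESCRIBE Users.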

Wow…

3 days of on/off debugging and getting frustrated, for a spelling mistake…
hahahaha,

Much appreciated Kevin. I can now login using an AD Account and it creates
it properly in RT.

Thanks!
Mike.

On Mon, Jul 26, 2010 at 5:03 PM, Kevin Falcone falcone@bestpractical.com wrote:

On Mon, Jul 26, 2010 at 04:25:21PM -0400, Mike Johnson wrote:

[Mon Jul 26 19:52:58 2010] [warning]: DBD::mysql::st execute failed:
Unknown column
‘Priviledged’ in ‘field list’ at
/usr/lib/perl5/site_perl/5.8.8/DBIx/SearchBuilder/Handle.pm

The column is Privileged, not Priviledged. I’m going to assume you’ve
misconfigured something, possibly the AutoCreate setting.

Again, I am no Perl wiz, and I’m just making guesses as to what’s wrong
based on these logs…
RTFM might work with 3.8.8, I just can’t get mine to work.

RTFM has a bug with 3.8.8, I just failed to see what it had to do with
your RT-Authen-ExternalAuth problems. You can pull a patch from the
rtfm repo or wait for 2.4.3rc1 to be released. There should be links
if you search the list archives.

-kevin

