ExternalAuth seems to do nothing

I have RT 4.0.1 newly installed and functioning on Fedora 15.
Additionally, I’ve installed RT::Authen::ExternalAuth and (I think) added all the corresponding config directives, pointing to an AD server.
So far I’ve seen no indication that any LDAP connection has been attempted, I can only authenticate as an internal RT user, and I see no log messages of any sort involving ExternalAuth or LDAP or any related thing. Logging is on debug. What am I missing?

Wasn’t sure about the d_filter, which I assume can be anything. If this was invalid would it totally disable the LDAP connection/functionality?

Also, what is the syntax for putting DOMAIN\ in front of the AD admin user? ‘DOMAIN\Administrator’?
And what if your admin password happens to have an apostrophe in it, does escaping with backslash have the desired result or are there multiple escape levels to worry about?

Here is my RT_SiteConfig.pm:

Set($WebPath, “”);
Set($Timezone, “US/Pacific”);
Set(@Plugins, (qw(RT::Authen::ExternalAuth)));
Set($DatabaseRTHost, “localhost”);
Set($LogToSyslog, “debug”);
Set($LogToScreen, “error”);
Set($LogStackTraces, “debug”);
Set($LogToFile, 1);
Set($LogDir, q{var/log});
Set($LogToFileNamed, “rt.log”); #log to rt.log
Set($LogoLinkURL, “http://helpdesk.here.org”);
Set($LogoAltText, “Your Help Desk from Information Technology”);
Set($HomePageRefreshInterval, 1200);
Set($PlainTextPre, 0);
Set($SuppressInlineTextFiles, 1);
Set(@Active_MakeClicky, qw(‘httpurl’));
Set( $rtname, ‘here.org’ );
Set( $DatabaseUser, ‘rt_user’ );
Set( $CorrespondAddress, ‘helpdesk@here.org’ );
Set( $DatabaseRequireSSL, ‘’ );
Set( $WebPort, ‘80’ );
Set( $Organization, ‘here.org’ );
Set( $DatabaseType, ‘mysql’ );
Set( $DatabasePassword, ‘secret’ );
Set( $DatabaseAdmin, ‘root’ );
Set( $SendmailPath, ‘/usr/sbin/sendmail’ );
Set( $WebDomain, ‘helpdesk.here.org’ );
Set( $DatabaseAdminPassword, ‘secret’ );
Set( $CommentAddress, ‘helpdesk@here.org’ );
Set( $DatabaseHost, ‘localhost’ );
Set( $DatabaseName, ‘rt4’ );
Set( $OwnerEmail, ‘elyons@here.org’ );

Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_MySQL’,
‘My_SSO_Cookie’
]
);

The order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once user info is found, no more services are checked.

You CANNOT use a SSO cookie for authentication.

Set($ExternalInfoPriority, [ ‘My_MySQL’,
‘My_LDAP’
]
);

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 0);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 0);

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set(ExternalAuthPriority,[‘My_LDAP’,‘My_MySQL’,‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’]);

Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
’My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
’server’ => ‘blacksun.here.org’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
’user’ => ‘Administrator’,
# The password RT should use to connect to the LDAP server
’pass’ => ‘secret’,
# The LDAP search base
’base’ => ‘ou=Organisational Unit,dc=here,dc=org’,
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU MUST SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
’filter’ => ‘(objectClass=organizationalPerson)’,
# A catch-all example filter: ‘(objectClass=*)’
# The filter that will only match disabled users
’d_filter’ => ‘(objectClass=THINGY)’,
# A catch-none example d_filter: ‘(objectClass=FooBarBaz)’
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# SSL Version to provide to Net::SSLeay if using SSL
’ssl_version’ => 3,
# What other args should I pass to Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3 ],
# Does authentication depend on group membership? What group name?
‘group’ => ‘member’,
# What is the attribute for the group object that determines membership?

‘group_attr’ => ‘GROUP_ATTR’,

            'group_attr'                =>  'cn',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
                    # This example shows what you *can* specify.. I recommend reducing this
                    # to just the Name and EmailAddress to save encountering problems later.
                    'attr_match_list'           => [    'Name',
                                         'EmailAddress'
                #                         'EmailAddress',
                #                         'RealName',
                #                         'WorkPhone',
                #                         'Address2'
                                     ],
                    # The mapping of RT attributes on to LDAP attributes
                    'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                         'EmailAddress' => 'mail',
                                         'Organization' => 'physicalDeliveryOfficeName',
                                         'RealName' => 'cn',
                                         'ExternalAuthId' => 'sAMAccountName',
                                         'Gecos' => 'sAMAccountName',
                                         'WorkPhone' => 'telephoneNumber',
                                         'Address1' => 'streetAddress',
                                         'City' => 'l',
                                         'State' => 'st',
                                         'Zip' => 'postalCode',
                                         'Country' => 'co'
                                     }
                              },
                            # An example SSO cookie service
                            'My_SSO_Cookie'  => {   # # The type of service (db/ldap/cookie)
                    'type'                      =>  'cookie',
                    # The name of the cookie to be used
                    'name'                      =>  'loginCookieValue',
                    # The users table
                    'u_table'                   =>  'users',
                    # The username field in the users table
                    'u_field'                   =>  'username',
                    # The field in the users table that uniquely identifies a user
                    # and also exists in the cookies table
                    'u_match_key'               =>  'userID',
                    # The cookies table
                    'c_table'                   =>  'login_cookie',
                    # The field that stores cookie values
                    'c_field'                   =>  'loginCookieValue',
                    # The field in the cookies table that uniquely identifies a user
                    # and also exists in the users table
                    'c_match_key'               =>  'loginCookieUserID',
                    # The DB service in this configuration to use to lookup the cookie information
                    'db_service_name'           =>  'My_MySQL'
            }
    }

);

I have RT 4.0.1 newly installed and functioning on Fedora 15.
Additionally, I’ve installed RT::Authen::ExternalAuth and (I think) added all the
corresponding config directives, pointing to an AD server.
So far I’ve seen no indication that any LDAP connection has been attempted, I can only
authenticate as an internal RT user, and I see no log messages of any sort involving
ExternalAuth or LDAP or any related thing. Logging is on debug. What am I missing?

You actually have 3 kinds of logging enabled:

Set($LogToSyslog, “debug”);

Many syslogs suppress debug messages

Set($LogToScreen, “error”);

Your apache logs only get errors

Set($LogToFile, 1);

That isn’t a valid value, so you get nothing useful in rt.log
Try “debug”.

Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_MySQL’,
‘My_SSO_Cookie’
]

Did you want to check 3 things, or just your ldap config

Set($ExternalInfoPriority, [ ‘My_MySQL’,
‘My_LDAP’
]
);

Did you want to check 2 things, or just your ldap config?

You don’t actually have My_MySQL defined, so I bet you’re getting
errors about that.

All of these comments assume that you’ve installed version 0.09,
cleared your mason cache and can see that the plugin is configured in
Tools -> Configuration -> Tools -> System Configuration

-kevin

Thanks Kevin,

That helped, at least with getting some proper logging going on. I did
even get one or two cryptic references to ExternalAuth and LDAP in the
log. Unfortunately, though, I still don’t see any evidence that a
connection is attempted. I’m a little concerned about escaping in the LDAP
admin user and password, as other open source products using this AD
require a username in the form “DOMAIN\Username”, and our admin password
happens to contain an apostrophe. But if there is something wrong with the
admin login it would be cool to see an error to that effect.

Here is the newly-trimmed config (I removed the SSO/cookie items to keep
it simple):

Set($Timezone, “US/Pacific”);
Set(@Plugins, (qw(RT::Authen::ExternalAuth)));
Set($DatabaseRTHost, “localhost”);
#Set($LogToSyslog, “debug”);
Set($LogToScreen, “error”);
Set($LogToFile, “debug”);
Set($LogToFileNamed, “rt.log”); #log to rt.log
Set($LogStackTraces, “error”);
Set($LogDir, q{var/log});
Set($LogoLinkURL, “http://helpdesk.here.org”);
Set($LogoAltText, “Your Help Desk from Information Technology”);
Set($HomePageRefreshInterval, 1200);
Set($PlainTextPre, 0);
Set($SuppressInlineTextFiles, 1);
Set(@Active_MakeClicky, qw(‘httpurl’));
Set( $rtname, ‘here.org’ );
Set( $DatabaseUser, ‘rt_user’ );
Set( $CorrespondAddress, ‘helpdesk@here.org’ );
Set( $rtname, ‘here.org’ );
Set( $DatabaseRequireSSL, ‘’ );
Set( $WebPort, ‘80’ );
Set( $Organization, ‘here.org’ );
Set( $DatabaseType, ‘mysql’ );
Set( $DatabasePassword, ‘secret’ );
Set( $DatabaseAdmin, ‘root’ );
Set( $SendmailPath, ‘/usr/sbin/sendmail’ );
Set( $WebDomain, ‘helpdesk.here.org’ );
Set( $DatabaseAdminPassword, ‘secret’ );
Set( $CommentAddress, ‘helpdesk@here.org’ );
Set( $DatabaseHost, ‘localhost’ );
Set( $DatabaseName, ‘rt4’ );
Set( $OwnerEmail, ‘elyons@here.org’ );
Set($ExternalAuthPriority, [ ‘My_LDAP’,
# ‘My_MySQL’,
# ‘My_SSO_Cookie’
]
);

The order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once user info is found, no more services are checked.

You CANNOT use a SSO cookie for authentication.

Set($ExternalInfoPriority, [ # ‘My_MySQL’,
‘My_LDAP’
]
);

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 0);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 0);

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set(ExternalAuthPriority,[‘My_LDAP’,‘My_MySQL’,‘My_Oracle’,‘SecondaryLDAP’,
‘Other-DB’]);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
’My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
’server’ => ‘blacksun.here.org’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you
should
# remove the user and pass config lines, otherwise specify
them here:
# The username RT should use to connect to the LDAP server
’user’ => ‘Administrator’,
# The password RT should use to connect to the LDAP server
’pass’ => ‘thing’2011’,
# The LDAP search base
’base’ => ‘ou=Organisational
Unit,dc=here,dc=org’,
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN
PARENTHESES!
# YOU MUST SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
’filter’ =>
’(objectClass=organizationalPerson)’,
# A catch-all example filter: ‘(objectClass=*)’
# The filter that will only match disabled users
’d_filter’ => ‘(MILF)’,
# A catch-none example d_filter: ‘(objectClass=FooBarBaz)’
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# SSL Version to provide to Net::SSLeay if using SSL
’ssl_version’ => 3,
# What other args should I pass to
Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3 ],
# Does authentication depend on group membership? What
group name?
‘group’ => ‘member’,
# What is the attribute for the group object that
determines membership?

‘group_attr’ => ‘GROUP_ATTR’,

            'group_attr'                =>  'cn',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
                    # This example shows what you *can* specify.. I

recommend reducing this
# to just the Name and EmailAddress to save
encountering problems later.
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’
# ‘EmailAddress’,
# ‘RealName’,
# ‘WorkPhone’,
# ‘Address2’
],
# The mapping of RT attributes on to LDAP
attributes
’attr_map’ => { ‘Name’ =>
‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ =>
‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ =>
‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ =>
‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’
}
},
}
);On 8/5/11 6:49 AM, “Kevin Falcone” falcone@bestpractical.com wrote:

On Thu, Aug 04, 2011 at 01:40:15PM -0700, Erik Lyons wrote:

I have RT 4.0.1 newly installed and functioning on Fedora 15.
Additionally, I’ve installed RT::Authen::ExternalAuth and (I think)
added all the
corresponding config directives, pointing to an AD server.
So far I’ve seen no indication that any LDAP connection has been
attempted, I can only
authenticate as an internal RT user, and I see no log messages of
any sort involving
ExternalAuth or LDAP or any related thing. Logging is on debug. What
am I missing?

You actually have 3 kinds of logging enabled:

Set($LogToSyslog, “debug”);

Many syslogs suppress debug messages

Set($LogToScreen, “error”);

Your apache logs only get errors

Set($LogToFile, 1);

That isn’t a valid value, so you get nothing useful in rt.log
Try “debug”.

Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_MySQL’,
‘My_SSO_Cookie’
]

Did you want to check 3 things, or just your ldap config

Set($ExternalInfoPriority, [ ‘My_MySQL’,
‘My_LDAP’
]
);

Did you want to check 2 things, or just your ldap config?

You don’t actually have My_MySQL defined, so I bet you’re getting
errors about that.

All of these comments assume that you’ve installed version 0.09,
cleared your mason cache and can see that the plugin is configured in
Tools -> Configuration -> Tools -> System Configuration

-kevin

Thanks Kevin,

That helped, at least with getting some proper logging going on. I did
even get one or two cryptic references to ExternalAuth and LDAP in the
log. Unfortunately, though, I still don’t see any evidence that a
connection is attempted. I’m a little concerned about escaping in the LDAP
admin user and password, as other open source products using this AD
require a username in the form “DOMAIN\Username”, and our admin password
happens to contain an apostrophe. But if there is something wrong with the
admin login it would be cool to see an error to that effect.

It ldapsearch works with your user/pass, RT-Authen-ExternalAuth will
normally work. ExternalAuth doesn’t need an admin, you can always
create a machine account called rtauthen with a non-quote password if
you’re concerned (it just needs to be able to read enough of the
system, it doesn’t need to update)

-kevin