ExternalAuth: trouble getting to work with Active Directory

Hi folks,

I’m trying to get ExternalAuth to work
with RT and Active Directory. My config
is below. When I try to authenticate a
user from AD (whose username and
password I know are correct), I don’t
even get back a “Your username or
password is incorrect” error; I get
nothing at all.

I’ve added 'Set( @Plugins, qw(RT::Authen::ExternalAuth) );'
to
/etc/request-tracker3.6/RT_SiteConfig.pm,
as written here:
http://wiki.bestpractical.com/view/ExternalAuth

I’ve added the ‘port => 3268’ config
option below, following the advice here:
http://www.nabble.com/RT-Authen-ExternalAuth-custom-LDAP-port-td19885597.html
after confirming (via nmap) that the
right service is listening on port 3268
on the LDAP server.

I’ve run Wireshark and confirmed that
there’s an LDAP request going out to the
LDAP server at the moment I try to log
in. I can’t figure out how to debug any
further than this.

Can someone help me understand why RT
isn’t authenticating properly against
LDAP?

Many thanks,
Steve

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

#Set($ExternalAuthPriority, [ ‘My_LDAP’,

‘My_MySQL’

]

Set($ExternalAuthPriority, [ ‘My_LDAP’ ]
);

The order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once user info is found, no more services are checked.

#Set($ExternalInfoPriority, [ ‘My_LDAP’, ‘My_MySQL’ ]
Set($ExternalInfoPriority, [ ‘My_LDAP’ ]
);

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 0);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 0);

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set(ExternalAuthPriority,[‘My_LDAP’,‘My_MySQL’,‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’]);

Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
’My_MySQL’ => { ## GENERIC SECTION
# The type of service (db/ldap)
‘type’ => ‘db’,
# Should the service be used for authentication?
‘auth’ => 1,
# Should the service be used for information?
‘info’ => 1,
# The server hosting the service
’server’ => ‘some.domain.tld’,
## SERVICE-SPECIFIC SECTION
# The database name
’database’ => ‘rtauth’,
# The database table
’table’ => ‘USERS_TABLE’,
# The user to connect to the database as
’user’ => ‘rtauth’,
# The password to use to connect with
’pass’ => ‘somepass’,
# The port to use to connect with (e.g. 3306)
‘port’ => ‘3306’,
# The name of the Perl DBI driver to use (e.g. mysql)
‘dbi_driver’ => ‘mysql’,
# The field in the table that holds usernames
’u_field’ => ‘username’,
# The field in the table that holds passwords
’p_field’ => ‘password’,
# The Perl package & subroutine used to encrypt passwords
# e.g. if the passwords are stored using the MySQL v3.23 “PASSWORD”
# function, then you will need Crypt::MySQL::password, but for the
# MySQL4+ password function you will need Crypt::MySQL::password41
# Alternatively, you could use Crypt::MD5::md5_hex or any other
# encryption subroutine you can load in your perl installation
’p_enc_pkg’ => ‘Crypt::MySQL’,
‘p_enc_sub’ => ‘password’,
# The field and values in the table that determines if a user should
# be disabled. For example, if the field is ‘user_status’ and the values
# are [‘0’,‘1’,‘2’,‘disabled’] then the user will be disabled if their
# user_status is set to ‘0’,‘1’,‘2’ or the string ‘disabled’.
# Otherwise, they will be considered enabled.
‘d_field’ => ‘userSupportAccess’,
‘d_values’ => [‘0’],
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
’attr_match_list’ => [ ‘Gecos’,
‘Name’
],
# The mapping of RT attributes on to field names
’attr_map’ => { ‘Name’ => ‘username’,
‘EmailAddress’ => ‘email’,
‘ExternalAuthId’ => ‘username’,
‘Gecos’ => ‘userID’
}
},
# AN EXAMPLE LDAP SERVICE
’My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# Should the service be used for authentication?
‘auth’ => 1,
# Should the service be used for information?
‘info’ => 1,
# The server hosting the service
’server’ => ‘some.domain.tld’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
’user’ => ‘domain\username’,
# The password RT should use to connect to the LDAP server
’pass’ => ‘somepass’,
# The LDAP search base
’base’ => ‘ou=Students,dc=domain,dc=tld’,
# The filter to use to match RT-Users
’filter’ => ‘(objectCategory=*)’,
# The filter that will only match disabled users
# Complicated filter string copied from J. Random Webpage:
# http://forums.devshed.com/ldap-programming-76/ldapsearch-for-ad-disabled-accounts-466619.html
’d_filter’ => ‘(UserAccountControl:1.2.840.113556.1.4.803:=2)’,
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# What other args should I pass to Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3, port => 3268 ],
# Does authentication depend on group membership? What group name?
‘group’ => ‘’,
# What is the attribute for the group object that determines membership?
‘group_attr’ => ‘’,
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
’attr_match_list’ => [ ‘Name’,
‘EmailAddress’,
‘RealName’,
‘WorkPhone’,
‘Address2’
],
# The mapping of RT attributes on to LDAP attributes
’attr_map’ => { ‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’
}
}
}
);

1;

Stephen R. Laniel
steve@stevereads.com
Cell: +(617) 308-5571
http://stevereads.com/
PGP key: http://stevereads.com/slaniel.key