ExternalAuth

Running SuSE Linux, eDirectory, LDAP, RT 3.8.7. In my test setting, I can query LDAP anonymously. I downloaded RT-Authen-ExternalAuth-0.08.tar.gz and installed it. I notice the wiki page (ExternalAuth - Request Tracker Wiki) says to "answer the prompt as to your RT base directory", but I didn't observe that behavior. Added the required entries to RT_SiteConfig.pm as far as I can tell (see below). Trying to log on as "mjames", I only get "your username or password is incorrect".

I feel like I’m missing something obvious… Any ideas?

Mike

Output of ldapsearch command:

rt384:~ # ldapsearch -x -b "o=sbf" -h lxutility "cn=mjames" mail uid
# extended LDIF
#
# LDAPv3
# base <o=sbf> with scope subtree
# filter: cn=mjames
# requesting: mail uid
#

# MJames, STONEBRIDGE, SBF
dn: cn=MJames,ou=STONEBRIDGE,o=SBF

# MJames, Users, STONEBRIDGEBANK, SBF
dn: cn=MJames,cn=Users,ou=STONEBRIDGEBANK,o=SBF
uid: MJames
mail: MJames@stonebridgebank.com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

cat RT_SiteConfig.pm

Set($rtname, 'CashMgt');
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($WebBaseURL, "http://cashmgt.stonebridgebank.com");
Set($Organization, "cashmgt.stonebridgebank.com");
Set($Timezone, "US/Eastern");
Set($RTAddressRegexp, '^rt@cashmgt.stonebridgebank.com$');
Set($DatabaseType, 'mysql');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'rt_pass');
Set($DatabaseName, 'cashmgt');
Set($DatabaseHost, 'localhost');
Set($DatabaseRTHost, 'localhost');
Set($MaxAttachmentSize, 50000000);
Set($WebPath, "");
Set($CorrespondAddress, 'correspond@cashmgt.stonebridgebank.com');
Set($CommentAddress, 'comment@cashmgt.stonebridgebank.com');

Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_MySQL',
                           ]
);

Set($ExternalInfoPriority, [ 'My_MySQL',
                             'My_LDAP'
                           ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL' => {
        ## GENERIC SECTION
        'type'            => 'db',
        'server'          => 'localhost',
        'database'        => 'cashmgt',
        'table'           => 'USERS',
        'user'            => 'rt_user',
        'pass'            => 'rt_pass',
        'port'            => '3306',
        'dbi_driver'      => 'mysql',
        'u_field'         => 'name',
        'p_field'         => 'password',
        'p_enc_pkg'       => 'Crypt::MySQL',
        'p_enc_sub'       => 'password',
        'd_field'         => 'disabled',
        'd_values'        => ['0'],
        'attr_match_list' => [ 'Gecos',
                               'Name'
                             ],
        'attr_map'        => { 'Name'           => 'username',
                               'EmailAddress'   => 'email',
                               'ExternalAuthId' => 'username',
                               'Gecos'          => 'userID'
                             }
    },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        'type'            => 'ldap',
        'server'          => '172.31.4.56',
        'base'            => 'o=sbf',
        'filter'          => '(objectClass=*)',
        'd_filter'        => '(employmentStatus=Terminated)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
                               'Name',
                               'EmailAddress'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'        => { 'Name'         => 'uid',
                               'EmailAddress' => 'mail'
                             }
    },
}
);

1;

The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify Stonebridge Bank immediately by replying to this message and deleting it from your computer.

Hi List,

We are using the ExternalAuth plugin with RT 4.0.2 at our school authenticating against two different LDAP branches. We also have some internal RT users defined too for users outside of our school who need to be able to log tickets in our queues.

At the moment we are using the “Everyone” group to define the permissions on our internal queues, but this means that external users can see them too. What we would ideally like to be able to do is have all LDAP users put into a global group at the point of creation (i.e. when they first log in).

Does anyone know if it would be possible to adjust the ExternalAuth plugin so that you could define a global group and have all users who authenticate from an external source automatically added to that group? This would really help our permissions set up, as it would allow us to create a global group for each LDAP source and assign the permissions to that group rather than using the “Everyone” group.

Thanks in advance,

Jon

Jon Witts
Director of ICT
South Hunsley School and Sixth Form College
01482 636720

Confidentiality: this e-mail and its attachments may be confidential and are intended solely for the use of the named recipient(s). If you are not the intended recipient you must take no action based on them, nor must you copy or show them to anyone. If you have received this e-mail in error, please advise the sender by return e-mail and delete all copies of this e-mail and any attachments from your computer.

Security Warning: Please note that internet e-mail is not a completely secure or error free method of communication, and information could be intercepted, corrupted, lost, destroyed, or could arrive late or incomplete. You should understand and accept this lack of security when communicating by email.

Viruses: Whilst we have taken reasonable precautions to ensure that this e-mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we cannot accept responsibility for any loss or damage you sustain as a result of software viruses. You are advised to carry out your own checks before any attachments are opened.

Please note that any views or opinions expressed in this e-mail are solely those of the author and do not necessarily represent those of South Hunsley School and Sixth Form College and the content of their e-mail is not intended to be contractually binding.

South Hunsley School and Sixth Form College is registered in England and Wales with company registration number 07542211 and VAT Registration Number 109 7208 18.

Date: Mon, 14 Nov 2011 10:36:19 -0500
From: Kevin Falcone falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth
Message-ID: 20111114153619.GX1021@jibsheet.com
Content-Type: text/plain; charset="us-ascii"

This is not a feature of the plugin, although you could certainly add
it and send a patch. Many people just make sure the LDAP users are
Privileged and use that rather than Everyone. You could also use
RT-Extension-LDAPImport and import groups and group memberships from
LDAP.

-kevin

Hi Kevin,

Thanks for responding. Are there any plugins which would provide a good starting point for me to look at the code to add users into a custom group? I am very new to Perl programming, but am not averse to getting into the code if that is what is required!

Thanks

Jon


RT-Extension-LDAPImport adds users to groups, so it’d be a place to look.

-kevin
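As an added example (not code from this thread, from RT, or from RT::Authen::ExternalAuth or RT-Extension-LDAPImport), here is a small sync script in the direction Kevin points at: it looks up the uids LDAP knows about and, for every one that already exists as an RT user, makes that user Privileged and puts it into a user-defined group so permissions can be granted to that group instead of Everyone. The group name, the LDAP host/base/filter and the RT lib path are assumptions; it uses the RT 4.0 API and Net::LDAP, which ExternalAuth itself uses.

```perl
#!/usr/bin/perl
# Added example: sync LDAP-known RT users into one user-defined group.
# Assumptions: RT lib path, group name and LDAP settings below.
use strict;
use warnings;
use lib '/opt/rt4/lib';   # assumption: RT 4.0 install path
use RT;
use Net::LDAP;

RT::LoadConfig();
RT::Init();

my $group_name = 'LDAP Users';                       # assumed group name
my %ldap = (server => 'ldap.example.org',            # assumed LDAP settings
            base   => 'ou=people,dc=example,dc=org',
            filter => '(objectClass=inetOrgPerson)');

# Anonymous bind, as in the thread; switch to a bind DN if your directory needs one.
my $conn = Net::LDAP->new($ldap{server}) or die "LDAP connect failed: $@";
my $bind = $conn->bind;
die "LDAP bind failed: " . $bind->error if $bind->code;
my $res = $conn->search(base => $ldap{base}, filter => $ldap{filter}, attrs => ['uid']);
die "LDAP search failed: " . $res->error if $res->code;

# Load (or create once) the target group as the RT system user so ACLs allow it.
my $group = RT::Group->new(RT->SystemUser);
$group->LoadUserDefinedGroup($group_name);
unless ($group->Id) {
    my ($id, $msg) = $group->CreateUserDefinedGroup(Name => $group_name);
    die "Cannot create group '$group_name': $msg" unless $id;
}

for my $entry ($res->entries) {
    my $uid = $entry->get_value('uid') or next;
    my $user = RT::User->new(RT->SystemUser);
    $user->Load($uid);
    next unless $user->Id;   # user has not logged in yet, so ExternalAuth has not created it
    $user->SetPrivileged(1) unless $user->Privileged;   # Kevin's "make them Privileged"
    next if $group->HasMember($user->PrincipalObj);     # idempotent on re-runs
    my ($ok, $msg) = $group->AddMember($user->PrincipalId);
    print "$uid: ", ($ok ? "added to '$group_name'" : "failed: $msg"), "\n";
}
```

Run it from cron after ExternalAuth has created the users; it does nothing at login time itself, so a user is picked up on the next run after first logging in.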