Enabled debugging and here is the output. I know I exist, I must have missed
something somewhere when configuring the authentication method. I will also
post my current RT_SiteConfig underneath the error log.
[Mon Aug 29 18:57:19 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:19 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Aug 29 18:57:19 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Mon Aug 29 18:57:23 2011] [debug]: Attempting to use external auth service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Aug 29 18:57:23 2011] [debug]: Calling UserExists with $username (josh cole) and $service (Active_Directory) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Aug 29 18:57:23 2011] [debug]: UserExists params: username: josh cole , service: Active_Directory (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Aug 29 18:57:23 2011] [debug]: LDAP Search === Base: OU=ITS,DC=mydomain,DC=local == Filter: (&(objectclass=person)(sAMAccountName=josh cole)) == Attrs: l,displayName,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Aug 29 18:57:23 2011] [debug]: User Check Failed :: ( Active_Directory ) josh cole User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
Current config:

# This file was generated by running "update-rt-siteconfig-3.8".
# While local modifications will not be overwritten without permission,
# it is recommended that they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.

# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# dynamically find out the current timezone
my $zone = "PST";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# THE BASICS:
Set($WebDomain, 'rt.netman.mydomain.local');
Set($rtname, 'rt.netman.mydomain.local');
Set($Organization, 'netman.mydomain.local');
#Set($CorrespondAddress , 'rt@netman.mydomain.local');
#Set($CommentAddress , 'rt-comment@netman.mydomain.local');
Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");

Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($ExternalAuthPriority, [ 'Active_Directory' ]);
Set($ExternalInfoPriority, [ 'Active_Directory' ]);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => '172.16.1.70',
        'base'   => 'OU=ITS,DC=fpu,DC=local',
        'user'   => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'xxxxxx',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});

# THE WEBSERVER:
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.netman.mydomain.local");
# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
# THE DATABASE:
# generated by dbconfig-common
# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");
Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'xxxxxx');
# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}
# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
1;
josh.cole wrote:
I think I am close now. I made those changes to the config. I am receiving
an error when I try to login with my AD credentials. The error is simply:
[Mon Aug 29 18:18:58 2011] [error]: FAILED LOGIN for josh cole from xxx.xxx.xxx.xxx (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:655)
Do I need to specify an ldap port? I did add a username and password to
authenticate.
josh.cole wrote:
Thank you very much for your feedback. I really appreciate it.
Andrew Wagner-4 wrote:
Yes, Josh. That is correct. The ExternalAuthen checks all locations
for users under the base OU. Either change your specified base in
RT_SiteConfig.pm or move the users to the OU that you want RT to search.
Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu
Thank you for your response. So just to make sure I understand, if the users I want to be able to authenticate in RT are not in the OU specified it will not work? So I should move those users to whatever the OU is that I specify in the base?
Andrew Wagner-4 wrote:
- For group_attr, you want the term to be 'member'. That checks for membership in the group.
- For your base, you need to choose the next highest level of Active Directory beyond where your users are stored. This means you need to specify the OU where your users are, not just a random "Users" OU.
I am trying to make this work. I installed the latest version of ExternalAuth. I am working with Request Tracker for the first time, just upgraded from 3.8.7 to 4.0.1. There are a few things that I think are off but I am not sure what the correct solution is.
- I am not sure what to use for the group_attr. I want to have users in the group Request-Tracker inside of AD be able to authenticate with their credentials when logging into RT, and I believe the filter is set correctly other than what needs to be added for the group_attribute. I am not sure what that should be.
- For my base statement, I am specifying the Users OU but none of my users are in that OU. I am not sure exactly what it's looking for there.
Any help is appreciated!
ExternalAuth config:
I have added the following to my RT_SiteConfig.pm:

@RT::MailPlugins = ("RT::Authen::ExternalAuth");
Set(@Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalAuthPriority, [ 'Active_Directory' ]);
Set($ExternalInfoPriority, [ 'Active_Directory' ]);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Active_Directory' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'rt.mydomain.local',
        'base'   => 'OU=Users,DC=mydomain,DC=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'Request-Tracker',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'ExternalAuthId', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});
RT Training Sessions (http://bestpractical.com/services/training.html)
- Chicago, IL, USA September 26 & 27, 2011
- San Francisco, CA, USA October 18 & 19, 2011
- Washington DC, USA October 31 & November 1, 2011
- Melbourne VIC, Australia November 28 & 29, 2011
- Barcelona, Spain November 28 & 29, 2011
View this message in context: http://old.nabble.com/Has-anyone-sucessfully-configured-LDAP-to-authenticate-against-AD-with-version-4.0.1--tp32358024p32359355.html
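The three checks this thread turns on (a subtree search under 'base' for the login name in the attribute mapped to Name, the 'd_filter' test on userAccountControl, and membership in 'group' via 'group_attr') are modelled below as an added, offline Python example. It is not RT::Authen::ExternalAuth's code and does not talk to a directory: the entries, DNs and logon names are constructed for the example, and the search is reduced to scope plus an equality match, so the posted '(objectclass=person)' filter is only modelled as that one objectclass test. The RFC 4515 escaping in build_user_filter is how a login name should be placed into a filter; the debug output above shows only the finished filter string, not how the plugin builds it.

```python
# Added example (not RT::Authen::ExternalAuth code): an offline model of the
# checks the thread is debugging. Directory entries, DNs and logon names below
# are constructed for the example.

# RFC 4515: characters that must be escaped when a value goes into a filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value for safe interpolation into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter, name_attr, username):
    """Filter in the shape the debug log shows, e.g.
    (&(objectclass=person)(sAMAccountName=josh cole)), with the login name escaped."""
    return "(&%s(%s=%s))" % (base_filter, name_attr, escape_filter_value(username))


def _norm_dn(dn):
    # Case-insensitive, whitespace-tolerant DN components. Simplification:
    # escaped commas inside an RDN value are not handled.
    return [part.strip().lower() for part in dn.split(",")]


def dn_under_base(dn, base):
    """Subtree scope: True when dn is base itself or lies anywhere beneath it."""
    d, b = _norm_dn(dn), _norm_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def is_disabled(user_account_control):
    """What d_filter (userAccountControl:1.2.840.113556.1.4.803:=2) tests:
    1.2.840.113556.1.4.803 is the bitwise-AND matching rule, 0x2 is ACCOUNTDISABLE."""
    return bool(user_account_control & 0x2)


def find_user(directory, base, name_attr, username):
    """Model of the search: subtree under base, objectclass person, equality on
    the attribute mapped to Name. sAMAccountName matching is case-insensitive."""
    for entry in directory:
        if entry.get("objectclass") != "person":
            continue
        if not dn_under_base(entry["dn"], base):
            continue
        if entry.get(name_attr, "").lower() == username.lower():
            return entry
    return None


def in_group(directory, group_cn, group_attr, user_dn):
    """Group check: the user's DN must appear among the group's group_attr values."""
    want = tuple(_norm_dn(user_dn))
    for entry in directory:
        if entry.get("objectclass") == "group" and entry["cn"].lower() == group_cn.lower():
            return want in {tuple(_norm_dn(m)) for m in entry.get(group_attr, [])}
    return False


def check_user(directory, settings, username):
    """Return 'not found', 'disabled', 'not in group' or 'ok', applying the
    checks in order: search under base, then d_filter, then group membership."""
    name_attr = settings["attr_map"]["Name"]
    user = find_user(directory, settings["base"], name_attr, username)
    if user is None:
        return "not found"
    if is_disabled(user["userAccountControl"]):
        return "disabled"
    if settings.get("group") and not in_group(
            directory, settings["group"], settings["group_attr"], user["dn"]):
        return "not in group"
    return "ok"


# Shape of the 'Active_Directory' entry from $ExternalSettings in the thread
SETTINGS = {
    "base": "OU=ITS,DC=mydomain,DC=local",
    "filter": "(objectclass=person)",
    "group": "Request-Tracker",
    "group_attr": "member",
    "attr_map": {"Name": "sAMAccountName"},
}

# Constructed sample directory (invented names and DNs)
DIRECTORY = [
    {"dn": "CN=Josh Cole,OU=Users,DC=mydomain,DC=local", "objectclass": "person",
     "sAMAccountName": "jcole", "userAccountControl": 512},       # outside base
    {"dn": "CN=Jane Doe,OU=ITS,DC=mydomain,DC=local", "objectclass": "person",
     "sAMAccountName": "jdoe", "userAccountControl": 512},        # under base, member
    {"dn": "CN=Old Admin,OU=ITS,DC=mydomain,DC=local", "objectclass": "person",
     "sAMAccountName": "oadmin", "userAccountControl": 514},      # 512 | 0x2: disabled
    {"dn": "CN=Bob Temp,OU=Contractors,OU=ITS,DC=mydomain,DC=local", "objectclass": "person",
     "sAMAccountName": "btemp", "userAccountControl": 512},       # nested OU, not a member
    {"dn": "CN=Request-Tracker,OU=Groups,DC=mydomain,DC=local", "objectclass": "group",
     "cn": "Request-Tracker",
     "member": ["CN=Jane Doe,OU=ITS,DC=mydomain,DC=local",
                "CN=Old Admin,OU=ITS,DC=mydomain,DC=local",
                "CN=Josh Cole,OU=Users,DC=mydomain,DC=local"]},
]


if __name__ == "__main__":
    print(build_user_filter(SETTINGS["filter"], "sAMAccountName", "josh cole"))
    for login in ("josh cole", "jcole", "jdoe", "oadmin", "btemp"):
        print("%-10s -> %s" % (login, check_user(DIRECTORY, SETTINGS, login)))
    # Widening base to the domain root makes jcole resolvable (he is a group member)
    wider = dict(SETTINGS, base="DC=mydomain,DC=local")
    print("jcole with base DC=mydomain,DC=local ->", check_user(DIRECTORY, wider, "jcole"))
```

In the constructed data the Josh Cole entry is "not found" for two independent reasons: it sits under OU=Users, outside the configured base OU=ITS, and the value compared is sAMAccountName, so typing a display name such as "josh cole" never matches. Widening the base to the domain root, or moving the object under the base as Andrew suggests, is what turns that into "ok"; group membership alone does not, because the search under base runs first. Two caveats worth carrying back to the real configs: both posted configs bind with a service-account password over plain LDAP ('tls' => 0, $ExternalServiceUsesSSLorTLS 0), and a simple bind without TLS sends that password in cleartext; and wherever the login name is interpolated into a filter, it must be escaped as above or a name like "*)(cn=" changes the query.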