I can't authenticate via LDAP; I don't see the log messages I expect

Hi all,

I’m having a problem making RT::Authen::ExternalAuth work with LDAP.
Furthermore, when I go to the log to find out what’s wrong, I see almost
nothing there.

I’m on Ubuntu 10.04.1, running RT 3.8.8 installed from source to /opt/rt3,
and RT::Authen::ExternalAuth 0.08 installed from CPAN via this command:

PERL5LIB=/opt/rt3/lib cpan RT::Authen::ExternalAuth

Here is my RT_SiteConfig.pm: http://pastie.org/1648532

I can log in as root, or any other locally-created user. When I do, I get a
message to rt.log that looks like this:

[Tue Mar 8 19:46:18 2011] [info]: Successful login for root from
192.168.55.133 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:430)

I cannot log in as any of my Active Directory users. When I do, or when I
send a known-bad username/password combination, I get a message to rt.log
that looks like this:

[Tue Mar 8 19:45:55 2011] [error]: FAILED LOGIN for mledbetter from
192.168.55.133 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

Those are the only messages that are EVER logged to the log file. I didn’t
even realize that there were more things that RT would log, until I ran
across this message:
http://lists.bestpractical.com/pipermail/rt-users/2010-August/065986.html

Why can I not see those log messages? I would very much appreciate help in
this regard, because if I could just solve that problem I think I could fix
the Active Directory problem myself.

Note that when I log in as root (which works because, of course, root is a
local user, not an AD user), I can go to the System Configuration page.

There, in the “RT Configuration” section, I see this line:

Plugins RT::Authen::ExternalAuth site config

And in the “Loaded perl modules” section, I see this line:

RT::Interface::Web::Request 0.30
/opt/rt3/bin/…/lib/RT/Interface/Web/Request.pm

I’m not sure where to go from here, and I’d appreciate any input. I’d also
like to thank trs and jibsheet for helping me on IRC.

- Micah

Mark,

Thanks for the reply.

On 3/8/2011 4:41 PM, Mark Farver wrote:

I’m having a problem making RT::Authen::ExternalAuth work with LDAP.
Furthermore, when I go to the log to find out what’s wrong, I see almost
nothing there.
It took me a very long time to figure this problem out, eventually
figuring it out with strace. RT::ExternalAuth created an example
/opt/rt3/local/etc/RT_SiteConfig.pm file that was overriding my
/opt/rt3/etc/RT_SiteConfig.pm file. Since the example file created by
ExternalAuth has very little in it it was breaking my config. Copying
the required contents into my SiteConfig and deleting the example was
all it took to start getting meaningful errors.

I did find another RT_SiteConfig.pm, not inside /opt/rt3/local/etc, but
inside /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/ – however,
when I deleted it and restarted apache, there was no change in the
logging behavior. I ran a “find /opt/rt3 -name *Config*” just to be
sure, but it didn’t find any config file that I didn’t already know
about. I also checked in /etc/ but I found nothing there of interest either.

Good eye, though. Any other ideas?

- Micah
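
Mark's diagnosis above turned on a second RT_SiteConfig.pm shadowing the real one. As an added example (not part of the thread and not RT's own tooling), this script lists every copy under an RT root and shows which logging and plugin settings each one carries. The function names, the watched-key list and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list every RT_SiteConfig.pm under an RT
# root and show which logging/plugin settings each copy carries.
WATCHED="LogToFile LogToScreen LogToSyslog Plugins ExternalSettings"

# settings_in FILE: print the watched keys that FILE sets via Set(...)
settings_in() {
    found=""
    for key in $WATCHED; do
        if grep -Eq "Set\([[:space:]]*[\$@%]${key}[[:space:],]" "$1"; then
            found="${found:+$found }$key"
        fi
    done
    printf '%s' "${found:-none}"
}

# audit_rt_siteconfigs ROOT: print "path: keys" for each copy found.
# Returns 0 for exactly one copy, 1 for several, 2 for none.
audit_rt_siteconfigs() {
    # Quote the -name pattern: unquoted, the shell may expand it against the
    # current directory before find sees it, and matches can be missed.
    list=$(find "$1" -type f -name 'RT_SiteConfig.pm' 2>/dev/null | sort)
    [ -n "$list" ] || { echo "no RT_SiteConfig.pm under $1"; return 2; }
    printf '%s\n' "$list" | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(settings_in "$f")"
    done
    n=$(printf '%s\n' "$list" | grep -c '')
    [ "$n" -eq 1 ] && return 0
    echo "WARNING: $n copies found; confirm which one RT actually loads"
    return 1
}

# make_constructed_tree DIR: constructed sample layout using the thread's paths
make_constructed_tree() {
    mkdir -p "$1/etc" "$1/local/plugins/RT-Authen-ExternalAuth/etc"
    cat > "$1/etc/RT_SiteConfig.pm" <<'EOF'
Set($LogToFile, 'debug');
Set($LogToScreen , 'debug');
Set(@Plugins, qw(RT::Authen::ExternalAuth));
1;
EOF
    cat > "$1/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm" <<'EOF'
Set($ExternalSettings, {});
1;
EOF
}

# Usage: sh audit.sh /opt/rt3
if [ "$#" -gt 0 ]; then audit_rt_siteconfigs "$1"; fi
```

A copy that reports `none` or lacks the `LogTo*` keys is the one to inspect first when expected log lines never appear.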

You might turn up the log level, add:

Set($LogToScreen, 'debug');

And see if anything interesting turns up in the Apache logs.

You could also try using the same credentials, hostname etc with
ldapsearch on the command line to verify that you have AD configured
correctly.

Mark

Actually, LogToScreen is already set in my RT_SiteConfig.pm and the only
thing I get out of Apache’s error.log is this stuff:

[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Connection
to child 5 established (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] Seeding PRNG with 648 bytes of entropy
[Tue Mar 08 17:45:27 2011] [info] Initial (No.1) HTTPS request
received for child 5 (server alpha:443)
[Tue Mar 8 23:45:27 2011] [error]: FAILED LOGIN for mledbetter from
192.168.55.133 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)
[Tue Mar 08 17:45:27 2011] [info] Subsequent (No.2) HTTPS request
received for child 5 (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling
fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from
https://alpha/rt/, referer: https://alpha/rt/
[Tue Mar 08 17:45:27 2011] [info] Subsequent (No.3) HTTPS request
received for child 5 (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling
fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from
https://alpha/rt/, referer: https://alpha/rt/
[Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] (70007)The
timeout specified has expired: SSL input filter read failed.
[Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] Connection
closed to child 5 with standard shutdown (server alpha:443)

And I’m not even sure that those [info] lines don’t come from apache
itself anyway. At any rate, there is no evidence that it’s even trying
LDAP authentication.

As for running ldapsearch with the credentials in my RT_SiteConfig.pm,
I’ve already tried that and it works. If I run this command:

ldapsearch -h fattire -p 3268 -D rtldap -w 'PASSWORD' \
    -b 'ou=Services,dc=neuric,dc=internal'

And it will return my RT Users group:

dn: CN=RT Users,OU=Services,DC=neuric,DC=internal
… etc …

I’ve tried setting the ‘user’ in $ExternalSettings to ‘rtldap’ and the
full ‘cn=rtldap,ou=Services,dc=internal,dc=local’ because I’ve seen it
both ways online, but neither one works, or produces any different log
output.

However, going any further toward debugging this without any LDAP
related logging at all is obviously no fun, and I’d really like to
actually get logging working before jumping ahead and trying to just
troubleshoot through a black box.

Thanks for your suggestions.

- Micah

I am using rt 3.8.9, but I had to update to the dev release of external auth
http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz

I was getting results like you, or lack of results. It didn’t appear to even be loading the plugin.

THANK YOU! This worked for me - I am now getting a lot more stuff logged to
rt.log!

What I did, in detail:

  • I removed what CPAN had installed to /opt/rt3/local/plugins
  • I downloaded and installed the dev release of external auth
  • I installed it via perl Makefile.PL; make; make install
  • I removed the default RT_SiteConfig.pm it created in
    /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc

Now each failed login produces these lines in rt.log:

YES! This worked, thank you so much!

In detail, here’s what I did.

  • I removed everything that CPAN had put in /opt/rt3/local/plugins
  • I downloaded the dev release of external auth
  • I installed it with a simple perl Makefile.PL; make; make install
  • I removed the example RT_SiteConfig.pm that was created in
    /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/

Now my logs are full of [debug] lines that pointed me in the right
direction, and now Active Directory authentication is finally working.

Thanks again.

Should I file a bug report somewhere with what happened? I’d be happy to if
it would be helpful for someone.

- Micah

Should I file a bug report somewhere with what happened? I’d be happy to if
it would be helpful for someone.

What RT version are you actually running?

You claimed RT 3.8.8, but ExternalAuth 0.08 is known to work with that
and upgrading to ExternalAuth 0.08_01 shouldn’t have mattered for 3.8.8.

Thomas

Pretty sure that’s a 3.8.8 there, man.

- Micah