I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I’ve started with:

Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'domain_controller.example.com',
        'base'            => 'dc=example,dc=com',
        'user'            => 'rtuser',
        'pass'            => '********',
        'filter'          => '(ObjectClass=*)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

They aren’t working. Whenever someone attempts an initial login with just
their username (which should create their RT account) the following error
is logged:
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or
example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those
settings are
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName

I know they don’t match up exactly in terms of what Openfire calls the
settings vs. what RT does, but I’m hoping someone can help me sort out what
should be plugged in where on the RT side. For example, I don’t know what
the group_attr or group_attr_value setting should contain (if anything) in
the RT_SiteConfig.pm file. Basically, anything from the “group” settings.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I.” - Me

For your ‘server’ try using IP rather than hostname.
Second, for the 'user' field try using the DN of your AD binding user: cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps…

Jeff

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please


I didn’t know the OU until a few moments ago so I only entered
"cn=user,dc=example,dc=com". That did seem to make a difference. However,
I’m still not able to log in. Perhaps for other reasons, though:

Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102

I know I’m entering my username and password correctly and have again tried
just the username, example\username, and example.com\username. I’m
wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
OU. I do know it now, but how do I enter an OU that has two words? I was
told it is example.com/Special Accounts.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I." - Me

On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolberg@intrepidls.com> wrote:


You shouldn't need to preface the domain in your username string. Also, to enter an OU with two words, simply enter it as "OU=Special Accounts".

To verify the CN name for your Bind account in AD, do a find/search on your bind user account, right-click on the object and select Properties. Choose the Attribute Editor tab and scroll down to "distinguishedName". This will give you the exact name.

Jeff

From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 1:40 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please


I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I." - Me

On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder <mathew.snyder@gmail.com> wrote:



These are the settings I’ve used in the past…

Set( $ExternalAuthPriority, ['My_LDAP']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 1);
Set( $ExternalInfoPriority, ['My_LDAP']);
Set( $ExternalSettings, {
    'My_LDAP' => {    ## GENERIC SECTION
        'type'            => 'ldap',
        'server'          => 'myserver.intranet.local',
        'port'            => '389',
        'user'            => 'myROuser@intranet.local',
        'pass'            => 'password',
        'base'            => 'dc=intranet,dc=local',
        'filter'          => '(objectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
        }
    },
});

Hopefully this helps you out…

Best,

--Glenn

Here is a copy of my working ExternalAuth Config…Hope this helps…

#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));

#External Auth Settings
#Set($WebExternalAuth , 1);
#Set($WebFallbackToInternalAuth , 1);
#Set(WebExternalAuto , 1);
Set($ExternalAuthPriority, [ 'My_LDAP', ] );
Set($ExternalInfoPriority, [ 'My_LDAP', ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => '10.10.x.x',
        'user'     => 'cn= Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
        'pass'     => 'xxxxx',
        'base'     => 'dc=xxx,dc=xxx',
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # AD extensible match is written "attribute:OID:=value"; the ":=" is required
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'group'      => 'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
        'group_attr' => 'member',

        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        'group_scope'   => 'base',

        'group_attr_value' => 'GROUP_ATTR_VALUE',

        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
    # An example SSO cookie service
    'My_SSO_Cookie' => {
        'type'            => 'cookie',
        'name'            => 'loginCookieValue',
        'u_table'         => 'users',
        'u_field'         => 'username',
        'u_match_key'     => 'userID',
        'c_table'         => 'login_cookie',
        'c_field'         => 'loginCookieValue',
        'c_match_key'     => 'loginCookieUserID',
        'db_service_name' => 'My_MySQL',
    },
});

From: Mathew Snyder [mailto:mathew.snyder@gmail.com]

Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

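As an added example (not code from this thread, from RT or from RT-Authen-ExternalAuth), the Python below takes a service block shaped like Jeff's 'My_LDAP' config and Glenn's config above, builds the three searches the plugin performs for one login (the user lookup ANDed with 'filter', the same lookup ANDed with 'd_filter', and the group membership test under the group DN) so each can be replayed by hand with ldapsearch, and lints the block for the mistakes that appear in this thread. The filter shapes are assumed from the plugin's documented settings rather than copied from its source; the server and DN values are Jeff's placeholders, with the stray space after "cn=" dropped.

```python
"""
Added example, not code from RT-Authen-ExternalAuth: replay and lint one
$ExternalSettings LDAP service block.  The filter shapes below follow the
plugin's documented settings (Name attribute ANDed with 'filter', then with
'd_filter', then a group_attr lookup under the group DN); they approximate
what the plugin sends and are not its source.
"""
import re

# Constructed from Jeff's working config above; server and DN components are
# his placeholders, not real directory data.
SETTINGS = {
    "server": "10.10.x.x",
    "user": "cn=Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx",
    "base": "dc=xxx,dc=xxx",
    "filter": "(&(ObjectCategory=User)(ObjectClass=Person))",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "group": "cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx",
    "group_attr": "member",
    "group_attr_value": "dn",
    "group_scope": "base",
    "tls": 0,
    "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail"},
}


def escape_filter_value(value):
    """RFC 4515 escaping for anything interpolated into a filter.  Without
    it a login name such as '*)(objectClass=*' rewrites the filter (LDAP
    injection) instead of matching a single account."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search(settings, login):
    """Lookup of the typed login name: Name attribute ANDed with 'filter'."""
    name_attr = settings["attr_map"]["Name"]
    return {"base": settings["base"], "scope": "sub",
            "filter": "(&(%s=%s)%s)" % (name_attr, escape_filter_value(login),
                                        settings["filter"])}


def disabled_check(settings, login):
    """Same lookup ANDed with 'd_filter'; a hit means the account is disabled.
    OID 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule and 2 is
    the ACCOUNTDISABLE bit of userAccountControl."""
    name_attr = settings["attr_map"]["Name"]
    return {"base": settings["base"], "scope": "sub",
            "filter": "(&(%s=%s)%s)" % (name_attr, escape_filter_value(login),
                                        settings["d_filter"])}


def group_check(settings, user_entry):
    """Membership test: with group_scope 'base' the search base is the group
    DN itself and the filter asks whether group_attr (member) holds the
    user's DN (group_attr_value 'dn') or another attribute of the user."""
    if not settings.get("group"):
        return None
    which = settings.get("group_attr_value", "dn")
    value = user_entry["dn"] if which == "dn" else user_entry[which]
    return {"base": settings["group"],
            "scope": settings.get("group_scope", "base"),
            "filter": "(%s=%s)" % (settings["group_attr"],
                                   escape_filter_value(value))}


def ldapsearch_command(settings, search):
    """ldapsearch line that replays one search with the RT bind account.
    -W prompts for the password so it stays out of the shell history."""
    return ("ldapsearch -x -H ldap://%s -D '%s' -W -b '%s' -s %s '%s'"
            % (settings["server"], settings["user"], search["base"],
               search["scope"], search["filter"]))


# "attr:OID=value" with no ':=' is not an extensible match (it is an invalid
# attribute name); the filter must read "attr:OID:=value".
_BAD_EXTENSIBLE = re.compile(r":\d+(?:\.\d+)+=")


def lint(settings):
    """Config problems that show up in this thread."""
    problems = []
    if _BAD_EXTENSIBLE.search(settings.get("d_filter", "")):
        problems.append("d_filter: extensible match must be written "
                        "'attr:OID:=value' (missing ':=')")
    if not settings.get("tls"):
        problems.append("tls 0: simple bind sends the bind password and every "
                        "user's password in cleartext on port 389; "
                        "use STARTTLS or LDAPS")
    if settings.get("group") and \
            settings.get("group_attr_value") == "GROUP_ATTR_VALUE":
        problems.append("group_attr_value: 'GROUP_ATTR_VALUE' is the "
                        "placeholder from the example config; use 'dn' or "
                        "a user attribute")
    return problems


if __name__ == "__main__":
    for s in (user_search(SETTINGS, "user"), disabled_check(SETTINGS, "user"),
              group_check(SETTINGS, {"dn": "cn=User Name,ou=Users,dc=xxx,dc=xxx"})):
        print(ldapsearch_command(SETTINGS, s))
    print(lint(SETTINGS))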
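```

Running the script prints the three ldapsearch commands to paste on the RT host, followed by the lint findings; for Jeff's block as posted the only finding is the cleartext bind on port 389, which is worth fixing regardless of whether login works.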

I've tried both the settings indicated by Jeff (excepting the SSO cookie settings) and Glenn. I'm still getting the "RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49" error.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I." - Me

On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg <jsolberg@intrepidls.com> wrote:


That error code 49 is a generic LDAP error returned when the account you're using to bind has invalid creds, usually a bad or expired password.

Do you have ldap tools installed on your RT server? If so run this command to test your bind account:

ldapsearch -x -W -D "bindaccount@domain.com" "(sAMAccountName=some_user)"

Enter Password of Bind account.

Let us know the results…

Jeff

From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 3:32 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please


If I run the command the way you've formatted it I get "ldapsearch can't contact ldap server (-1)".

However, if I run ldapsearch -x -h dc1.example.com -D rtuser -w xxxxxxxx -b "dc=example,dc=com" "(sAMAccountName=user)" I get all kinds of output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (sAMAccountName=user)
# requesting: ALL
#

# User Name, Information Systems, HQ Users, EXAMPLE Users, Users, ZEN USERS GROUPS and COMPUTERS, Example.com
dn: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User Name
sn: Name
givenName: User
distinguishedName: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
instanceType: 4
whenCreated: 20130930141549.0Z
whenChanged: 20131012190321.0Z
displayName: User Name
uSNCreated: 8802089
uSNChanged: 9320797
name: User Name
objectGUID:: f+PyYZ/6lEqKVGVs4/LT1A==
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130250241494878224
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA4MWjpccIJx5IwuT21g4AAA==
accountExpires: 9223372036854775807
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: uname@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130260782012929006

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I.” - Me

On Thu, Oct 17, 2013 at 6:54 PM, Jeff Solberg jsolberg@intrepidls.com wrote:



On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg jsolberg@intrepidls.com
wrote:

Here is a copy of my working ExternalAuth Config…Hope this helps…

#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));

#External Auth Settings
#Set($WebExternalAuth , 1);
#Set($WebFallbackToInternalAuth , 1);
#Set($WebExternalAuto , 1);
Set($ExternalAuthPriority, [ 'My_LDAP',] );
Set($ExternalInfoPriority, [ 'My_LDAP',] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  '10.10.x.x',
        'user'                      =>  'cn= Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
        'pass'                      =>  'xxxxx',
        'base'                      =>  'dc=xxx,dc=xxx',
        'filter'                    =>  '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'                  =>  '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group'                     =>  'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
        'group_attr'                =>  'member',
        'tls'                       =>  0,
        'ssl_version'               =>  3,
        'net_ldap_args'             => [    version =>  3 ],
        'group_scope'               =>  'base',
        'group_attr_value'          =>  'GROUP_ATTR_VALUE',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },

    # An example SSO cookie service
    'My_SSO_Cookie'  => {
        'type'                      =>  'cookie',
        'name'                      =>  'loginCookieValue',
        'u_table'                   =>  'users',
        'u_field'                   =>  'username',
        'u_match_key'               =>  'userID',
        'c_table'                   =>  'login_cookie',
        'c_field'                   =>  'loginCookieValue',
        'c_match_key'               =>  'loginCookieUserID',
        'db_service_name'           =>  'My_MySQL'
    },
});

From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn’t create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and
neither am I.” - Me


On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder mathew.snyder@gmail.com
wrote:

I didn’t know the OU until a few moments ago so I only entered
"cn=user,dc=example,dc=com". That did seem to make a difference. However,
I’m still not able to log in. Perhaps for other reasons, though:

Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102

I know I’m entering my username and password correctly and have again
tried just the username, example\username, and example.com\username. I’m
wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
OU. I do know it now, but how do I enter an OU that has two words? I was
told it is example.com/Special Accounts.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and
neither am I.” - Me


On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg jsolberg@intrepidls.com
wrote:

For your ‘server’ try using IP rather than hostname.

Second for the ‘user’ field try using the DN name for your AD Binding
user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com}

Hope this helps…

Jeff








Hi Matthew

It sounds to me like you were authenticating ok initially, but getting an error in creating the user.

And to answer your initial question about the group and group_attr settings, I don’t use those at all and it works fine for me.

I would recommend putting things back to how you first had them (to generate the error you originally posted), turn the log level up to debug, and try again.
There are some debug statements within that method that may help identify where it is choking.

- Brent

I’ve actually been trying to get debugging turned on for a few days now.
I’ve set all of the variables:

Set( $LogToSTDERR, 'debug' );
Set( $LogToFile, 'debug' );
Set( $LogDir, '/var/log/' );
Set( $LogToFileNamed, 'rt.log' );
Set( $LogToSyslog, 'debug' );

I’m not getting any detailed information at all. In fact, the rt.log file
isn’t even being created. I had tried to set the directory to /opt/rt4/log,
but the file wasn’t being created there, either.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I.” - Me





I seem to be getting closer. I’m down to only the “FAILED LOGIN for user
from…” error.

I’ve found that in order to get down to just that I have to include the
domain in the username either as

  • domain\user
  • domain.local\user
  • user@domain
  • user@domain.local

However, if I use just the username I get

[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn’t create user user: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from 192.168.236.119 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:814)

The domain does not seem to be getting passed as part of the username when
I attempt to log in. Interestingly, though, when I don’t use the domain, I
do get the info line in the log which contains bits of information that
wouldn’t otherwise be returned from AD. If I do use the domain that doesn’t
get returned, but I’m still unable to log in.

I know my credentials are accurate because they are the same as I use to
log into our VPN and that is tied to AD.

My current settings:

Set($ExternalAuthPriority, [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'dc1.domain.local',
        'base'            => 'dc=domain,dc=local',
        'user'            => 'rtuser',
        'pass'            => 'xxxxxxxx',
        'filter'          => '(ObjectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group_scope'     => 'base',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        },
    },
} );

Further assistance will be appreciated.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I.” - Me
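A local dry run of the d_filter and attr_map from the settings above, as an added example that is not part of the original thread or of RT-Authen-ExternalAuth: it parses ldapsearch-style LDIF (the format of the output posted earlier in the thread), evaluates the userAccountControl bit test that the d_filter expresses, and lists the RT fields that would come back empty for each account. The LDIF entries are constructed; the first one, like the entry in the posted ldapsearch output, carries no mail attribute.

```python
"""Offline dry run of an RT-Authen-ExternalAuth LDAP profile against LDIF.

Added example, not RT's own code: parses ldapsearch-style LDIF, evaluates the
thread's d_filter locally and maps AD attributes to RT fields via attr_map, so
empty RT fields show up before the RT config is touched. LDIF is constructed.
"""
import base64
import re

# d_filter (userAccountControl:1.2.840.113556.1.4.803=2) is AD's bit-AND
# matching rule: true when the ACCOUNTDISABLE bit (0x2) is set.
ACCOUNTDISABLE = 0x2

# Subset of the attr_map in "My current settings" (RT field -> AD attribute).
ATTR_MAP = {
    "Name": "sAMAccountName",
    "EmailAddress": "mail",
    "RealName": "cn",
    "ExternalAuthId": "sAMAccountName",
    "Gecos": "sAMAccountName",
    "WorkPhone": "telephoneNumber",
    "City": "l",
    "Country": "co",
}

# Constructed LDIF modelled on the posted ldapsearch output: an enabled account
# (userAccountControl 512) with no 'mail' attribute, like the posted entry, and
# a disabled one (512 | 0x2 = 514) that has one.
SAMPLE_LDIF = """\
# extended LDIF

# User Name, Special Accounts, example.com
dn: CN=User Name,OU=Special Accounts,DC=example,DC=com
objectClass: user
cn: User Name
displayName: User
  Name
userAccountControl: 512
sAMAccountName: user
objectGUID:: AAECAwQFBgcICQoLDA0ODw==

# Old Account, Special Accounts, example.com
dn: CN=Old Account,OU=Special Accounts,DC=example,DC=com
objectClass: user
cn: Old Account
mail: old@example.com
userAccountControl: 514
sAMAccountName: old

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry that has a dn. '#' lines are
    comments, a leading space folds a line onto the previous one, '::' marks a
    base64 value (kept as bytes); attribute names are lower-cased."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        match = re.match(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$", line)
        if not match:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value)
        current.setdefault(name.lower(), []).append(value)
    return [e for e in entries if "dn" in e]  # drops the search/result trailer


def is_disabled(entry):
    """Local equivalent of the d_filter's bit-AND test."""
    return any(int(v) & ACCOUNTDISABLE for v in entry.get("useraccountcontrol", []))


def canonicalize(entry, attr_map=ATTR_MAP):
    """Build the RT user-info hash attr_map describes; an AD attribute that is
    absent from the entry yields '' for its RT field."""
    return {rt: (entry.get(ad.lower()) or [""])[0] for rt, ad in attr_map.items()}


def dry_run(ldif_text, attr_map=ATTR_MAP):
    """Per sAMAccountName: d_filter verdict, mapped RT fields, empty RT fields."""
    report = {}
    for entry in parse_ldif(ldif_text):
        info = canonicalize(entry, attr_map)
        report[info["Name"]] = {
            "disabled": is_disabled(entry),
            "info": info,
            "missing": sorted(f for f, v in info.items() if v == ""),
        }
    return report
```

Feed it the real ldapsearch output for an account that cannot log in to see whether the d_filter excludes it and which attr_map fields the directory does not supply.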





I have solved this problem!

I had the $AutoCreateNonExternalUsers set to 0. I changed it to 1.

I completely misinterpreted this setting. I have an AD account which I
thought would be considered internal and therefore be created when I first
logged in.

Frankly, I’m still confused about what I was thinking. Either way, it works.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither
am I.” - Me

My current settings:

Set($ExternalAuthPriority, [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'AD' => {
        'type'   => 'ldap',
        'server' => 'dc1.domain.local',
        'base'   => 'dc=domain,dc=local',
        'user'   => 'rtuser',
        'pass'   => 'xxxxxxxx',
        'filter' => '(ObjectClass=*)',
        # extensible match on userAccountControl bit 2 (ACCOUNTDISABLE);
        # the LDAP filter syntax requires ':=' before the value
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'group_scope'     => 'base',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
} );

Further assistance will be appreciated.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and
neither am I.” - Me

On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder mathew.snyder@gmail.com wrote:

I’ve actually been trying to get debugging turned on for a few days now.
I’ve set all of the variables:

Set( $LogToSTDERR, 'debug' );
Set( $LogToFile, 'debug' );
Set( $LogDir, '/var/log/' );
Set( $LogToFileNamed, 'rt.log' );
Set( $LogToSyslog, 'debug' );

I’m not getting any detailed information at all. In fact, the rt.log file
isn’t even being created. I had tried to set the directory to /opt/rt4/log,
but the file wasn’t being created there, either.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at
all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and
neither am I.” - Me

On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent bparish@cognex.com wrote:

Hi Mathew

It sounds to me like you were authenticating ok initially, but getting
an error in creating the user.

And to answer your initial question about the group and group_attr
settings, I don’t use those at all and it works fine for me.

I would recommend putting things back to how you first had them (to
generate the error you originally posted), turn the log level up to debug,
and try again.

There are some debug statements within that method that may help
identify where it is choking.

- Brent




From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
LDAP settings, please


I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in
join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service
in hash element at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string
eq at
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
line 613.
Oct 17 16:47:50 zen-rt RT: [24673]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn’t create user user: Could not
set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from
192.168.236.102




From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
settings, please








If this is working for you as expected, then that’s wonderful and congratulations!

You are correct in your original thinking – I have the AutoCreateNonExternalUsers turned on, but that’s not required to authenticate against AD.
That setting is used if you want to go ahead and create the new user in RT when they first hit RT, even if they don’t currently exist in AD.
With this turned on, I can now add tickets for new hires, with the new hire as the requestor, even though I have not created their account in AD yet.
Then I use the LDAPImport extension to sync the account details later, after they have been added to AD.

As to logging:

I created a log directory under /opt/rt4/var for all my logs. I then touched the rt.log file to create it and I changed owner and group of the log dir (and rt.log file) so that the web server could write to it.

Set($LogToFile, 'debug');
Set($LogDir, '/opt/rt4/var/log');
Set($LogToFileNamed, 'rt.log');

Good luck, glad to hear you are making progress!

- Brent

From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Friday, October 18, 2013 9:10 PM
To: Parish, Brent
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I have solved this problem!

I had the $AutoCreateNonExternalUsers set to 0. I changed it to 1.

I completely misinterpreted this setting. I have an AD account which I thought would be considered internal and therefore be created when I first logged in.

Frankly, I’m still confused about what I was thinking. Either way, it works.

-Mathew

“When you do things right, people won’t be sure you’ve done anything at all.” - God; Futurama

“We’ll get along much better once you accept that you’re wrong and neither am I.” - Me
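Pulling the thread together, the RT_SiteConfig.pm fragment below consolidates the settings Mathew and Brent discuss and annotates each one, including the Openfire-to-RT mapping Mathew asked about. It is an added example, not the thread's own configuration: hostnames, DNs and the service account are the thread's placeholders, the group DN is a constructed placeholder, the meaning attached to `tls` and to the `group_*` options is this example's reading of the extension's options, and the `AutoCreateNonExternalUsers` comment records only what the two participants report.

```perl
# Added example, not the thread's own RT_SiteConfig.pm: the settings discussed
# in the thread, consolidated and annotated. Hostnames, DNs and the bind
# account are the thread's placeholders; the group DN is constructed.

# Mathew reports that first logins started working after changing this from
# 0 to 1; Brent reports AD authentication working for him either way and uses
# it so that RT can create accounts for people who are not in AD yet.
Set($AutoCreateNonExternalUsers, 1);

# Debug logging to a file the web server user can write to (Brent's setup:
# create /opt/rt4/var/log, touch rt.log, chown both to the web server user).
Set($LogToFile,      'debug');
Set($LogDir,         '/opt/rt4/var/log');
Set($LogToFileNamed, 'rt.log');

Set($ExternalAuthPriority,        [ 'AD' ]);
Set($ExternalServiceUsesSSLorTLS, 0);        # thread value; see 'tls' below

Set($ExternalSettings, {
    'AD' => {
        'type'   => 'ldap',
        'server' => 'domain_controller.example.com',  # Openfire ldap.host
        'base'   => 'dc=example,dc=com',              # Openfire ldap.baseDN
        'user'   => 'rtuser',                         # service account for the lookup bind
        'pass'   => '********',                       # keep RT_SiteConfig.pm readable by the RT user only

        # Which entries may log in (Openfire ldap.searchFilter) and which are
        # treated as disabled: userAccountControl bit 2 = ACCOUNTDISABLE,
        # written as an extensible match (note the ':=').
        'filter'   => '(objectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # Transport. The thread runs 'tls' => 0, i.e. cleartext LDAP on 389,
        # which puts the service-account password and every user's password
        # on the wire in the clear. 'tls' => 1 is the extension's TLS switch
        # (assumed here to mean STARTTLS on the same port).
        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],

        # RT field whose value the typed login name is matched against. With
        # 'EmailAddress' (the original post) a bare login such as 'user' is
        # searched as mail=user and finds nothing; 'Name' maps to
        # sAMAccountName, Openfire's ldap.usernameField.
        'attr_match_list' => [ 'Name' ],

        # RT user field => AD attribute used to populate the account.
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'EmailAddress'   => 'mail',      # Openfire ldap.emailField
            'RealName'       => 'cn',        # Openfire ldap.nameField
            'Organization'   => 'physicalDeliveryOfficeName',
            'WorkPhone'      => 'telephoneNumber',
        },

        # Optional: restrict logins to members of one AD group. Brent does not
        # use these at all. Values are mapped from the Openfire group settings;
        # the group DN is a placeholder and the semantics are assumed.
        # 'group'            => 'cn=rt-users,ou=Groups,dc=example,dc=com',
        # 'group_attr'       => 'member',   # Openfire ldap.groupMemberField
        # 'group_attr_value' => 'dn',       # compare member values with the user's DN
        # 'group_scope'      => 'base',
    },
});
```

The `group_*` block is the part Mathew's original question was about: it is only needed when logins should be limited to one AD group, which neither participant ends up requiring.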

Hi.

In our RT setup, a user chooses a value from a drop down list (a custom field called ‘application’) to indicate what software they want help with when they submit a new ticket.
I set up a scrip that checks the value of that custom field and moves the ticket into the appropriate queue (based on which application they need help with).
Instead of hard coding a mapping of each application value to a queue name, I’d like to put the name of the queue into the custom field description.

For example, the custom fields might look like this:

Sort  Name             Description  Category
0     Microsoft Word   helpdesk
0     Microsoft Excel  helpdesk
0     SharePoint       developers
0     PeopleSoft       hr

If the user selected “SharePoint” as the application they wanted help with, the scrip would read the description field and see that it should move the ticket into the “developers” queue.

I’ve got everything working great with static mapping, I just can’t figure out a way to retrieve that Description within a scrip.

Has anyone done this before?

Thanks!
Brent
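The lookup Brent is asking about (selected option of a select custom field to the Description stored on that option, then a queue move) can be done from a scrip's custom action by loading the custom field definition and walking its value list. The code below is an added example, not code from Brent's post or from RT itself; it assumes RT 4.x, a select custom field named `application` applied to the ticket's queue or globally, and the `LoadByName(Name => ..., Queue => ...)` form of the 4.0/4.2 API.

```perl
# Added example, not code from the thread: a scrip "custom action" that reads
# the Description of the option chosen in the 'application' select custom
# field and moves the ticket into the queue named there. Assumes RT 4.x and a
# custom field applied to the ticket's queue or globally.
#
# Scrip: Condition "On Create", Action "User Defined", Template "Blank".
# Custom action preparation code:   return 1;
# Custom action cleanup code:       everything below

my $ticket  = $self->TicketObj;
my $cf_name = 'application';

# Option the submitter picked, e.g. "SharePoint" (undef when the field is empty)
my $selected = $ticket->FirstCustomFieldValue($cf_name);
return 1 unless defined $selected && length $selected;

# Load the field definition as the system user so the lookup does not depend
# on the submitter having SeeCustomField on the value list.
my $cf = RT::CustomField->new(RT->SystemUser);
$cf->LoadByName(Name => $cf_name, Queue => $ticket->Queue);
unless ($cf->Id) {
    $RT::Logger->error("Scrip: custom field '$cf_name' not found for ticket " . $ticket->Id);
    return 1;
}

# Walk the field's defined options (the Sort/Name/Description/Category rows in
# the post) and take the Description of the one whose Name was selected.
my $target_queue;
my $options = $cf->Values;
while (my $option = $options->Next) {
    next unless $option->Name eq $selected;
    $target_queue = $option->Description;
    last;
}
unless (defined $target_queue && length $target_queue) {
    $RT::Logger->warning("Scrip: option '$selected' of '$cf_name' has no queue in its Description; "
                       . "ticket " . $ticket->Id . " stays in " . $ticket->QueueObj->Name);
    return 1;
}

# Nothing to do if the ticket is already in the right queue
return 1 if $ticket->QueueObj->Name eq $target_queue;

# SetQueue accepts a queue name or id. It runs as the scrip's current user and
# returns a failure status (logged below) for an unknown queue name or a queue
# that user may not create tickets in, so a mistyped Description does not move
# the ticket somewhere unexpected.
my ($ok, $msg) = $ticket->SetQueue($target_queue);
my $level = $ok ? 'info' : 'error';
$RT::Logger->$level("Scrip: ticket " . $ticket->Id . " -> queue '$target_queue': $msg");
return 1;
```

Because the Description is free text edited by whoever administers the custom field, the scrip logs rather than dies when it does not name a loadable queue; tickets then stay in the queue they were filed in and the log shows which option needs fixing.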