That error code 49 is a generic LDAP error returned when the account
you're using to bind has invalid creds, usually a bad or expired password...
Do you have ldap tools installed on your RT server? If so run this command
to test your bind account:
ldapsearch -x -W -D"bindaccount@domain.com" "(sAMAccountName=some_user)"
Enter Password of Bind account.
Let us know the results...
Jeff
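Added example, not part of the thread above: when the ldapsearch bind test Jeff suggests fails against Active Directory, the output carries more than the bare "49" that RT logs. AD appends a diagnostic line ("additional info: ... AcceptSecurityContext error, data 52e ...") whose hex "data" sub-code says why the bind was refused. The helper below parses a captured ldapsearch result into that sub-code and its documented meaning; the sample output is constructed (the DSID and trailing version values vary between server builds), and the sub-code table is the documented AD set.

```python
import re

# Documented AD "data" sub-codes that accompany LDAP result 49 on a failed
# simple bind. Servers other than AD (OpenLDAP, 389-ds) return a plain 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password; in practice AD also returns "
           "this when the bind name cannot be resolved to an account)",
    "530": "account not permitted to log on at this time",
    "531": "account not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# "ldap_bind: Invalid credentials (49)" / "ldap_bind: Can't contact LDAP server (-1)"
RESULT_RE = re.compile(r"ldap_bind:\s*(?P<text>.+?)\s*\((?P<code>-?\d+)\)")
# "... AcceptSecurityContext error, data 52e, v1db1"
DATA_RE = re.compile(r"\bdata\s+([0-9a-f]+)\b", re.IGNORECASE)


def classify_bind_failure(ldapsearch_output: str) -> dict:
    """Parse the ldap_bind result line and any AD sub-code out of ldapsearch output.

    Returns {'code': int, 'subcode': str|None, 'meaning': str}. No ldap_bind
    line at all means the bind succeeded and ldapsearch went on to search.
    """
    m = RESULT_RE.search(ldapsearch_output)
    if not m:
        return {"code": 0, "subcode": None, "meaning": "bind succeeded"}
    code = int(m.group("code"))
    if code != 49:
        # Connection or protocol problem, not a credential problem.
        return {"code": code, "subcode": None, "meaning": m.group("text")}
    d = DATA_RE.search(ldapsearch_output)
    if not d:
        return {"code": 49, "subcode": None,
                "meaning": "invalid credentials (no AD sub-code present)"}
    sub = d.group(1).lower()
    return {"code": 49, "subcode": sub,
            "meaning": AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")}


# Constructed sample of what `ldapsearch -x -W -D ...` prints against AD when
# the bind password is wrong.
SAMPLE_AD_FAILURE = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1\n"
)

if __name__ == "__main__":
    result = classify_bind_failure(SAMPLE_AD_FAILURE)
    print(f"result {result['code']}, data {result['subcode']}: {result['meaning']}")
```

Two practical caveats when running the test itself: ldapsearch with `-x` is a simple bind, so without `-ZZ` (StartTLS) or an `ldaps://` URI the bind password crosses the network in clear text, exactly as RT will send it with `'tls' => 0`; and pass `-H ldap://your-dc -b dc=example,dc=com` explicitly, because without them ldapsearch silently falls back to whatever `ldap.conf` defines, which is often nothing.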
From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 3:32 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
LDAP settings, please
I've tried both the settings indicated by Jeff (excepting the SSO cookie
settings) and Glenn. I'm still getting the
"RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49" error.
-Mathew
"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
"We'll get along much better once you accept that you're wrong and
neither am I." - Me
On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg jsolberg@intrepidls.com
wrote:
Here is a copy of my working ExternalAuth Config...Hope this helps...
#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));
#External Auth Settings
#Set($WebExternalAuth , 1);
#Set($WebFallbackToInternalAuth , 1);
#Set($WebExternalAuto , 1);
Set($ExternalAuthPriority, [ 'My_LDAP',] );
Set($ExternalInfoPriority, [ 'My_LDAP',] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => '10.10.x.x',
        'user' => 'cn= Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
        'pass' => 'xxxxx',
        'base' => 'dc=xxx,dc=xxx',
        'filter' => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'group' => 'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
        'group_attr' => 'member',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'group_scope' => 'base',
        'group_attr_value' => 'GROUP_ATTR_VALUE',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
    # An example SSO cookie service
    'My_SSO_Cookie' => {
        'type' => 'cookie',
        'name' => 'loginCookieValue',
        'u_table' => 'users',
        'u_field' => 'username',
        'u_match_key' => 'userID',
        'c_table' => 'login_cookie',
        'c_field' => 'loginCookieValue',
        'c_match_key' => 'loginCookieUserID',
        'db_service_name' => 'My_MySQL'
    },
});
From: Mathew Snyder [mailto:mathew.snyder@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth
LDAP settings, please
I found another thread that indicated that the solution to the second
problem was to add @domain to the end of the username. That just reverted
to the previous list of errors with a couple new ones.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
-Mathew
"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
"We'll get along much better once you accept that you're wrong and
neither am I." - Me
On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder mathew.snyder@gmail.com
wrote:
I didn't know the OU until a few moments ago so I only entered
"cn=user,dc=example,dc=com". That did seem to make a difference. However,
I'm still not able to log in. Perhaps for other reasons, though:
Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102
I know I'm entering my username and password correctly and have again
tried just the username, example\username, and example.com\username. I'm
wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing
OU. I do know it now, but how do I enter an OU that has two words? I was
told it is example.com/Special Accounts.
-Mathew
"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
"We'll get along much better once you accept that you're wrong and
neither am I." - Me
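Added example, not part of the thread: the question above (how to write an OU whose name contains a space) and Jeff's earlier advice to put the bind account's full DN in `'user'` both come down to composing a DN correctly. A space inside an RDN value needs no escaping at all (Jeff's own `cn= Bind Ldap,ou=User_Logins,...` shows one); only a leading or trailing space, a leading `#`, and the characters `\ , + " < > ;` must be escaped per RFC 4514. The helper below turns the canonical path an AD administrator typically quotes (`example.com/Special Accounts`) into a DN, escapes each value, and renders it as a Perl single-quoted literal for `RT_SiteConfig.pm`. It assumes "Special Accounts" is an organizational unit (`ou=`); AD's built-in containers such as Users and Computers are `cn=` instead, and the leaf object and account name used here are placeholders.

```python
# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set('\\,+"<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 section 2.4."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")  # NUL must be hex-escaped
        else:
            out.append(ch)
    s = "".join(out)
    # '#' and a space are special only at the start; a space also at the end.
    if value.startswith(("#", " ")):
        s = "\\" + s
    if value.endswith(" ") and len(value) > 1:
        s = s[:-1] + "\\ "
    return s


def canonical_to_dn(canonical: str, leaf_attr: str = "cn",
                    container_attr: str = "ou") -> str:
    """Convert an AD canonical name such as
    'example.com/Special Accounts/rtuser' into
    'cn=rtuser,ou=Special Accounts,dc=example,dc=com'.

    The first path element is the DNS domain, the last is the leaf object,
    and everything in between is treated as an OU (assumption; built-in
    containers would need container_attr='cn')."""
    domain, *path = canonical.strip("/").split("/")
    rdns = []
    if path:
        rdns.append(f"{leaf_attr}={escape_dn_value(path[-1])}")
        # Containers are listed root-first in canonical form, leaf-first in a DN.
        rdns.extend(f"{container_attr}={escape_dn_value(c)}"
                    for c in reversed(path[:-1]))
    rdns.extend(f"dc={escape_dn_value(label)}" for label in domain.split("."))
    return ",".join(rdns)


def perl_single_quoted(s: str) -> str:
    """Render a string as a Perl single-quoted literal for RT_SiteConfig.pm.
    Inside '...' Perl only interprets \\\\ and \\', so doubling every
    backslash keeps RFC 4514 escapes such as \\, intact at runtime."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


if __name__ == "__main__":
    # Placeholder account name under the OU quoted in the thread.
    dn = canonical_to_dn("example.com/Special Accounts/rtuser")
    print(f"    'user' => {perl_single_quoted(dn)},")
    # A value with a comma in it shows where escaping actually matters.
    tricky = canonical_to_dn("example.com/Special Accounts/Snyder, Mathew")
    print(f"    'user' => {perl_single_quoted(tricky)},")
```

The bind DN is what AD checks the supplied password against, so a DN that does not resolve fails with the same result 49 as a wrong password; once the DN is right, RT's `'base'` and `'filter'` decide which users it can then look up.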
On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg jsolberg@intrepidls.com
wrote:
For your 'server' try using IP rather than hostname.
Second for the 'user' field try using the DN name for your AD Binding
user...cn=some_user,ou=some_ou,dc=some_domain,dc=com
Hope this helps...
Jeff
From: rt-users-bounces@lists.bestpractical.com [mailto:
rt-users-bounces@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP
settings, please
These are the settings I've started with:
Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        'server' => 'domain_controller.example.com',
        'base' => 'dc=example,dc=com',
        'user' => 'rtuser',
        'pass' => '********',
        'filter' => '(ObjectClass=*)',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
        },
    },
});
They aren't working. Whenever someone attempts an initial login with just
their username (which should create their RT account) the following error
is logged:
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102
When initial logins are attempted with either example\username or
example.com\username only the FAILED LOGIN line is displayed.
We also have our Openfire Jabber server authenticating successfully. Those
settings are
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName
I know they don't match up exactly in terms of what Openfire calls the
settings vs. what RT does, but I'm hoping someone can help me sort out what
should be plugged in where on the RT side. For example, I don't know what
the group_attr or group_attr_value setting should contain (if anything) in
the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
-Mathew
"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
"We'll get along much better once you accept that you're wrong and
neither am I." - Me