Ldap-auth with rt Centos rpm install

I recently set up a new Centos 4.2 machine and installed rt with the
rpm-install found here:

http://wiki.bestpractical.com/index.cgi?RPMInstall

very smooth install, and it worked great with normal rt-internal
authentication. But I wanted to set up ldap authentication using this
overlay and procedure:

http://wiki.bestpractical.com/index.cgi?LDAP

But I never could get the overlay to work. After spending several days
on this, I’ve decided that there is something wrong with my rt
installation that’s preventing the overlay from working. Or maybe I
didn’t install it correctly. (The file paths in the Centos rpm-install
are very different from other rt installations.)

I’m going to start over with ubuntu 5.10 and rt installed from apt-get.
But I’m more comfortable with Redhat-ish distributions. Has anyone
else tried to do ldap-auth overlay with the CentOS rpm install?

Thanks,

-Bill-

Bill Gurley, Technical Director
Department of Chemistry
Univ. of Tennessee, Knoxville

Chaim Rieger wrote:

Bill Gurley wrote:

> I recently set up a new Centos 4.2 machine and installed rt with the
> rpm-install found here:
>
> http://wiki.bestpractical.com/index.cgi?RPMInstall
>
> very smooth install, and it worked great with normal rt-internal
> authentication. But I wanted to set up ldap authentication using this
> overlay and procedure:
>
> http://wiki.bestpractical.com/index.cgi?LDAP
>
> But I never could get the overlay to work. After spending several
> days on this, I’ve decided that there is something wrong with my rt
> installation that’s preventing the overlay from working. Or maybe I
> didn’t install it correctly. (The file paths in the Centos
> rpm-install are very different from other rt installations.)
>
> I’m going to start over with ubuntu 5.10 and rt installed from
> apt-get. But I’m more comfortable with Redhat-ish distributions. Has
> anyone else tried to do ldap-auth overlay with the CentOS rpm install?

Can you please post the ldap lines from your siteconfig.pm? I’ve used
the ldap overlay many times and never had too much of an issue.

Chaim:

It seems that this rt system is not even calling the ldap code, but as
you requested, below are the ldap lines from my Site_Config.pm file.
The ldap server is internal to the rt machine, so I did no edits below
the line “### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP
HERE ###”.

My rt log does not mention anything about ldap. The only things in the
log are lines “FAILED LOGIN for…”, which I think is the failure to
log in using the internal rt login. Also let me emphasize that users
that I created in the rt internal system DO log in just fine.

This Centos rpm install has all of the overlays, Users.pm, Ticket.pm
etc. in /usr/lib/rt/RT, so that is where I placed the User_Local.pm for
the ldap overlay. The RT_SiteConfig.pm file was placed in /etc/rt.

Also note that the original file has the $LdapUser and $LdapPass lines
commented out. I have tried it with these lines active and not active.

I appreciate any suggestions.

# What auth methods do you like and in what order?
Set($AuthMethods, ['LDAP', 'Internal']);

# LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

# Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

# Common Settings: affecting both auth and info services

# Map RT attributes to LDAP attributes
Set($LdapAttrMap, {'Name'                  => 'uid',
                   'EmailAddress'          => 'mail',
                   'Organization'          => 'ou',
                   'RealName'              => 'cn',
                   'ExternalContactInfoId' => 'dn',
                   'ExternalAuthId'        => 'uid',
                   'Gecos'                 => 'gecos',
                   'WorkPhone'             => 'telephoneNumber',
                   'Address1'              => 'roomNumber',
                   'Address2'              => 'physicalDeliveryOfficeName'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                           'EmailAddress', 'RealName',
                           'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                              'mailAlternateAddress']
);

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'localhost');
Set($LdapBase, 'ou=Users,dc=chem,dc=utk,dc=edu');
Set($LdapFilter, "(objectclass=posixAccount)");
Set($LdapUser, 'cn=Manager,ou=Users,dc=chem,dc=utk,dc=edu');
Set($LdapPass, 'secret');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

1;

-Bill-

Bill Gurley, Technical Director
Department of Chemistry
Univ. of Tennessee, Knoxville

Jim Meyer wrote:

> On Thu, 2006-03-09 at 16:22 -0500, Bill Gurley wrote:
>
> > I recently set up a new Centos 4.2 machine and installed rt with the
> > rpm-install found here:
> >
> > http://wiki.bestpractical.com/index.cgi?RPMInstall
> >
> > very smooth install, and it worked great with normal rt-internal
> > authentication. But I wanted to set up ldap authentication using this
> > overlay and procedure:
> >
> > http://wiki.bestpractical.com/index.cgi?LDAP
> >
> > But I never could get the overlay to work. After spending several days
> > on this, I’ve decided that there is something wrong with my rt
> > installation that’s preventing the overlay from working. Or maybe I
> > didn’t install it correctly. (The file paths in the Centos rpm-install
> > are very different from other rt installations.)
> >
> > I’m going to start over with ubuntu 5.10 and rt installed from apt-get.
> > But I’m more comfortable with Redhat-ish distributions. Has anyone
> > else tried to do ldap-auth overlay with the CentOS rpm install?
>
> Before you go too far, could you post the result of this command:
>
>     egrep -i 'LDAP|Is.*Password' /path/to/rt/var/log/rt.log
>
> … it might provide some clues.
>
> Thanks!
>
> –j

Jim:

Thanks, but that comes up with zilch. The only things in my rt.log are
lines like this:

[error]: FAILED LOGIN for barnes from 160.36.xxx.xxx
(/var/rt/html/autohandler:191)

Users created in the rt internal system can log in. When I try to log in
as one of the ldap users, I get a line like the above. Sounds to me
like it’s not even trying ldap.

-Bill-

Bill Gurley, Technical Director
Department of Chemistry
Univ. of Tennessee, Knoxville

Hello!

On Fri, 2006-03-10 at 08:51 -0500, Bill Gurley wrote:

> Thanks, but that comes up with zilch. The only things in my rt.log are
> lines like this:
>
>     [error]: FAILED LOGIN for barnes from 160.36.xxx.xxx
>     (/var/rt/html/autohandler:191)
>
> Users created in the rt internal system can log in. When I try to log in
> as one of the ldap users, I get a line like the above. Sounds to me
> like it’s not even trying ldap.

Aha! It isn’t. There’s a reason.

The user has to have an account in RT before they can log in. RT doesn’t
automatically create the account when they first try. Only the
authentication of that account is handled by the LDAP overlay at
present. I need to document that fact better on the wiki.

Try creating an RT account (Configure->Users->New User) for an existing
LDAP account but with no password, then log in. It should work.

I’ve been considering implementing the autocreate-at-login bit. If I do,
I’ll post it on the wiki. Also, I’m going to try to do a cleanup of the
wiki re: the various approaches, provide a bit of guidance on them from
the main LDAP page, and so forth. When I do that, I’ll toss out a note
here as well.

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org
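Jim's point above (the RT account must already exist; the overlay only authenticates it) suggests provisioning the accounts in bulk rather than one at a time through Configure->Users->New User. The script below is an added example, not code from RT, from the LDAP overlay, or from anyone in this thread. It assumes the RT 3.x Perl API (RT::LoadConfig, RT::Init, RT::User->Create), the Net::LDAP module, the CentOS RPM paths given in the thread (/usr/lib/rt for RT's modules, /etc/rt for RT_SiteConfig.pm), and that the Ldap* settings Bill posted are present in RT_SiteConfig.pm so they can be reused as $RT::LdapServer and friends. Each new account is created with no RT password, which is exactly the state Jim describes for an LDAP-authenticated user.

```perl
#!/usr/bin/perl
# Added example (not part of RT or the LDAP overlay): create RT accounts for
# LDAP users that RT does not know about yet, leaving the RT password unset so
# the LDAP overlay handles authentication for them.
# Paths are the CentOS RPM layout described in this thread:
# RT's modules live in /usr/lib/rt and RT_SiteConfig.pm in /etc/rt.
use strict;
use warnings;
use lib '/usr/lib/rt';
use RT;
use Net::LDAP;

RT::LoadConfig();   # reads RT_SiteConfig.pm, including the Ldap* settings
RT::Init();

# Reuse the Ldap* values from RT_SiteConfig.pm so this script queries the
# same server, base and filter that the overlay itself will use.
my $ldap = Net::LDAP->new($RT::LdapServer)
    or die "cannot connect to $RT::LdapServer: $@\n";
my $bind = $ldap->bind( $RT::LdapUser, password => $RT::LdapPass );
die 'LDAP bind failed: ' . $bind->error . "\n" if $bind->code;

my $map  = $RT::LdapAttrMap;    # RT attribute name => LDAP attribute name
my $mesg = $ldap->search(
    base   => $RT::LdapBase,
    filter => $RT::LdapFilter,
    attrs  => [ @{$map}{qw(Name EmailAddress RealName)} ],
);
die 'LDAP search failed: ' . $mesg->error . "\n" if $mesg->code;

my ( $created, $skipped ) = ( 0, 0 );
for my $entry ( $mesg->entries ) {
    my $name = $entry->get_value( $map->{Name} ) or next;

    # Existing RT users (internal or already provisioned) are left untouched;
    # RT::User->Load with a non-numeric argument looks the user up by Name.
    my $user = RT::User->new($RT::SystemUser);
    $user->Load($name);
    if ( $user->Id ) { $skipped++; next }

    # No Password argument: the account exists in RT but has no internal
    # password, so only the LDAP overlay can authenticate it.
    my ( $id, $msg ) = $user->Create(
        Name         => $name,
        EmailAddress => $entry->get_value( $map->{EmailAddress} ) || '',
        RealName     => $entry->get_value( $map->{RealName} )     || '',
        Privileged   => 1,
    );
    if ($id) { $created++ } else { warn "could not create $name: $msg\n" }
}
$ldap->unbind;
print "created $created RT account(s), skipped $skipped already present\n";
```

Run it as a user that can read RT_SiteConfig.pm (it contains $LdapPass) and the RT database. Because it skips every name RT already has, it can be re-run whenever new accounts appear in the directory; it never touches the users Bill created internally, which is what the rest of the thread is about.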

Hello!

On Fri, 2006-03-10 at 09:56 -0800, Jim Meyer wrote:

> The user has to have an account in RT before they can log in. RT doesn’t
> automatically create the account when they first try. Only the
> authentication of that account is handled by the LDAP overlay at
> present. I need to document that fact better on the wiki.

Incidentally, RT does autocreate when you add a user to a ticket or
when they submit a ticket through email. At the moment, I tell users who
want someone added to copy them on (or make them the requestor of) the
applicable ticket … or to tell the user to send an email to rt-
rtdev@rt requesting access which will be automagically granted.

Works, mostly. =]

–j
Jim Meyer, Geek at Large purp@acm.org

Jim Meyer wrote:

> Hello!
>
> > Thanks, but that comes up with zilch. The only things in my rt.log are
> > lines like this:
> >
> >     [error]: FAILED LOGIN for barnes from 160.36.xxx.xxx
> >     (/var/rt/html/autohandler:191)
> >
> > Users created in the rt internal system can log in. When I try to log in
> > as one of the ldap users, I get a line like the above. Sounds to me
> > like it’s not even trying ldap.
>
> Aha! It isn’t. There’s a reason.
>
> The user has to have an account in RT before they can log in. RT doesn’t
> automatically create the account when they first try. Only the
> authentication of that account is handled by the LDAP overlay at
> present. I need to document that fact better on the wiki.
>
> Try creating an RT account (Configure->Users->New User) for an existing
> LDAP account but with no password, then log in. It should work.
>
> I’ve been considering implementing the autocreate-at-login bit. If I do,
> I’ll post it on the wiki. Also, I’m going to try to do a cleanup of the
> wiki re: the various approaches, provide a bit of guidance on them from
> the main LDAP page, and so forth. When I do that, I’ll toss out a note
> here as well.
>
> Cheers!
>
> –j

Doh! (…as Homer would say)

Thanks, Jim. I am making progress now.

Immediately after I read this message, I added a couple of usernames in
rt, and I was then able to at least see LDAP debugging information for
the first time. Still had to tweak my ldap config, but now I am able to
login from ldap auth.

I would appreciate some help with an rt-newbie question:

While I was struggling with all of this, I ended up creating a couple of
users in the internal rt system that I would prefer to have pulled from
ldap (along with their contact info, etc.). What’s the best way to deal
with this, since you can’t really delete users in rt? Would it be safe
to go straight to the mysql database and pull out those users so I can
re-create them from ldap? Or is there an easier way?

Thanks,

-Bill-

Bill Gurley, Technical Director
Department of Chemistry
Univ. of Tennessee, Knoxville

Hello!

> Thanks, Jim. I am making progress now.

Good to hear!

> While I was struggling with all of this, I ended up creating a couple of
> users in the internal rt system that I would prefer to have pulled from
> ldap (along with their contact info, etc.). What’s the best way to deal
> with this, since you can’t really delete users in rt? Would it be safe
> to go straight to the mysql database and pull out those users so I can
> re-create them from ldap? Or is there an easier way?

Well, I’ve tended to go into the database and set the password field
to ‘NO-PASSWORD’, which forces authentication from LDAP only. After
that, I’ve manually updated the data through the web interface.

That said, another on my list of to-dos is to:

  • Make LDAP-sourced info immutable to all interfaces (with a
    configurable toggle, of course)
  • Add auto-refresh functionality such that if the data, when
    read, is older than a configurable time-to-live, a fresh copy
    is fetched from LDAP.

I don’t know how soon I’ll get to that; baby girl is T-5.5 weeks and
counting. But it’s on my list. =]

Cheers!

–j
Jim Meyer, Geek at Large purp@acm.org
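Jim's answer to Bill's question (set the user's password field to ‘NO-PASSWORD’ in the database rather than deleting the row) can be scripted so that it only ever touches accounts RT actually has. The script below is an added example, not code from RT or from anyone in this thread. It assumes the RT 3.x API (RT::LoadConfig, RT::Init, RT::User->Load), that $RT::Handle->dbh returns the DBI handle RT itself is connected with, the CentOS RPM path /usr/lib/rt from the thread, and the RT schema's Users table with its id and Password columns. The value written is the literal ‘NO-PASSWORD’ Jim names; the Users row and its id are kept, which matters because tickets and transactions reference users by id.

```perl
#!/usr/bin/perl
# Added example (not part of RT): switch existing internally-authenticated RT
# users to LDAP-only by writing 'NO-PASSWORD' into Users.Password, the change
# Jim describes making by hand in the database. It goes through RT's own
# database handle, so no separate database credentials are needed, and it
# refuses to touch a name RT does not know.
use strict;
use warnings;
use lib '/usr/lib/rt';    # RT module location in the CentOS RPM install
use RT;

RT::LoadConfig();
RT::Init();

my @names = @ARGV or die "usage: $0 username [username ...]\n";
my $dbh = $RT::Handle->dbh;    # the DBI handle RT is already using

for my $name (@names) {
    # Look the account up through RT first; RT::User->Load with a
    # non-numeric argument loads by Name, and Id is false if nothing matched.
    my $user = RT::User->new($RT::SystemUser);
    $user->Load($name);
    unless ( $user->Id ) {
        warn "no RT user named $name, skipping\n";
        next;
    }

    # Update by id rather than by name so the row changed is exactly the one
    # RT resolved above. The row itself stays: tickets reference it by id.
    my $rows = $dbh->do(
        'UPDATE Users SET Password = ? WHERE id = ?',
        undef, 'NO-PASSWORD', $user->Id,
    );
    if ($rows) {
        print "$name (id ", $user->Id, "): internal password removed, LDAP-only now\n";
    }
    else {
        warn "$name: update failed: ", $dbh->errstr, "\n";
    }
}
```

After this the users can no longer log in with the password they had in RT, so it is worth confirming each one exists in the directory (for example with the same uid that $LdapAttrMap maps to ‘Name’) before running it; the contact details still have to be refreshed by hand in the web interface, as Jim notes, until his auto-refresh to-do lands.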