LDAP authentication

Hi all,

This is my first post to the list - and I have had a good general look
around - but couldn’t find the answers I was after.

I am a new administrator of RT and will be implementing it for our
corporate helpdesk along with a few other departments to handle
various requests.

We run a Novell NetWare tree and have LDAP servers running there. I
have been able to successfully use LDAP to authenticate users to
access the RT web server - but not to the RT application.

Example: user 'sdaniels' exists in both the tree (as
sdaniels.people.ourcompany) and in RT (having been manually created),
but when I turn on LDAP authentication to the RT app (setting
WebExternalAuth to 1) I am not logging in successfully to RT.

I then decided to set WebExternalAuto to 1 to see just who exactly was
authenticating according to LDAP :)

The result was the creation of a user called
'cn=sdaniels,ou=people,o=ourcompany'

I am hoping someone has already encountered and conquered this before,
as I am admittedly a little out of my depth.

If I can get LDAP authentication working - i.e. just the user name
being created or passed, what happens when people email requests in?
Is there a way to strip the '@ourcompany.com' off the user name upon
autocreation of the account?

Sorry for all the questions, I look forward to any advice you all may
have - and will appreciate comments/suggestions.

cheers,

Sean Daniels
Senior Systems Administrator
Trent University IT
Peterborough Ontario Canada
telemole@gmail.com
or
sdaniels@trentu.ca
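The user that appeared, 'cn=sdaniels,ou=people,o=ourcompany', is the full DN the web server handed to RT in REMOTE_USER; with WebExternalAuth RT uses that string as the login Name and, with WebExternalAuto, creates a user by that name. What follows is an added example, not RT code and not something anyone in the thread posted, of a helper that reduces such a value to the short account name: the cn value of a DN, or the local part of an address in your own mail domain, which is the "strip the @ourcompany.com" case asked about above. The attribute name (cn), the mail domain and the allowed character set are assumptions, and where you would hook this into RT is not shown. Because RT trusts REMOTE_USER completely under external auth, two different directory identities must never collapse into one RT account (one user could then act as the other), so the helper refuses anything ambiguous: a DN whose first RDN is not cn=..., a multi-valued RDN, an address in a foreign domain, or a name containing characters outside the account-name alphabet.

```perl
#!/usr/bin/perl
# Added example (not RT code): reduce the value the web server puts in REMOTE_USER to
# the short account name used as an RT login. Attribute name, mail domain and the
# allowed character set are assumptions for illustration.
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_explode_dn);

my $UID_ATTR    = 'cn';              # attribute holding the account name (assumed, as in the post)
my $MAIL_DOMAIN = 'ourcompany.com';  # addresses in this domain map 1:1 to account names (assumed)

# Returns the normalised login name, or undef when the value cannot be mapped safely.
sub normalise_remote_user {
    my ($remote_user) = @_;
    return undef unless defined $remote_user && length $remote_user;
    my $name;

    if ($remote_user =~ /=/) {
        # A DN: use the first RDN, and only if it is <uid attr>=<value> with a single value.
        my $rdns = ldap_explode_dn($remote_user, casefold => 'lower');
        return undef unless $rdns && @$rdns;               # not a parsable DN
        my %first = %{ $rdns->[0] };
        return undef if keys %first != 1;                  # multi-valued RDN is ambiguous
        return undef unless exists $first{$UID_ATTR};      # first RDN is not cn=...
        $name = $first{$UID_ATTR};
    }
    elsif ($remote_user =~ /^([^@]+)\@([^@]+)$/) {
        # user@domain: strip only our own domain; a foreign domain stays a distinct identity.
        return undef unless lc($2) eq lc($MAIL_DOMAIN);
        $name = $1;
    }
    else {
        $name = $remote_user;
    }

    # Accept only the characters account names use here; anything else is rejected
    # rather than silently trimmed, so "sdaniels, ou=people" can never become "sdaniels".
    return undef unless $name =~ /^[A-Za-z0-9._-]+$/;
    return lc $name;
}

# Constructed inputs exercising each path (not taken from a real directory).
if (!caller) {
    for my $in ('cn=sdaniels,ou=people,o=ourcompany', 'sdaniels@ourcompany.com',
                'sdaniels', 'sdaniels@evil.example', 'ou=people,o=ourcompany',
                'cn=sdaniels+mail=x@y,o=ourcompany') {
        my $out = normalise_remote_user($in);
        printf "%-40s -> %s\n", $in, defined $out ? $out : '(rejected)';
    }
}
```

Run it as-is to see the constructed inputs mapped: the first three resolve to sdaniels, the other three are rejected. Whatever attribute you settle on for the account name, the same attribute must be the one the RT side searches on, otherwise a name normalised here will not match the entry looked up later.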

In the immortal words of TeleMole (telemole@gmail.com):

Although it’s windows-centric, you may find the information here to be
a good starting point:

http://blank.org/memory/output/rt-ad-sso.html

Obviously the bits about mod_ntlm aren’t relevant, but if you mentally
map the ntlm auth bits to ldap auth, the rest of it should apply
pretty cleanly.

-n

------------------------------------------------------------memory@blank.org
"Zombies are the liberal nightmare. Here you have the masses, whom you would
love to love, appearing at your front door and their faces falling off; and
you’re trying to be as humane as you possibly can, but they are, after all,
eating the cat. And the fear of mass activity, of mindlessness on a national
scale, underlies my fear of zombies." (--Clive Barker)
http://blank.org/memory/----------------------------------------------------

I went through the guide as suggested - set as many of the variables
as well as I could - but when I start Apache now - I get the following
errors in errlog:

<excerpt from /var/log/httpd/errlog>
Compilation failed in require at /opt/rt3/lib/RT/Record.pm line 69.
BEGIN failed–compilation aborted at /opt/rt3/lib/RT/Record.pm line 69.
Compilation failed in require at /opt/rt3/lib/RT/CurrentUser.pm line 73.
BEGIN failed–compilation aborted at /opt/rt3/lib/RT/CurrentUser.pm line 73.
Compilation failed in require at /opt/rt3/lib/RT.pm line 49.
BEGIN failed–compilation aborted at /opt/rt3/lib/RT.pm line 49.
Compilation failed in require at /opt/rt3/bin/webmux.pl line 66.
BEGIN failed–compilation aborted at /opt/rt3/bin/webmux.pl line 66.
Compilation failed in require at /opt/rt3/bin/mason_handler.fcgi line 52.
[Mon Nov 28 11:30:26 2005] [warn] FastCGI: server
"/opt/rt3/bin/mason_handler.fcgi" (pid 27092) terminated by calling
exit with status ‘2’

I’m really not sure where to go from here - any help is greatly
appreciated - I really need this functionality for the project to be a
go…

Cheers and thanks for your help so far!
Sean


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Download a free sample chapter of RT Essentials from O’Reilly Media at http://rtbook.bestpractical.com

WE’RE COMING TO YOUR TOWN SOON - RT Training in Amsterdam, Boston and
San Francisco - Find out more at http://bestpractical.com/services/training.html

OK - apologies for my last post - I discovered those errors were
simply due to my missing a critical step and not having Net::LDAP
installed.

That is rectified - now the only success I am having is getting as
far as attempting to authenticate to the web server - entering
credentials in the window - then getting a failure message - my web
log shows the following:

[Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
2005] [critical]: IsLdapPassword: Cannot bind to LDAP: retval= 48
LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)

I am guessing that I am not configuring the settings for LDAP in my
RT_SiteConfig properly - and I just don't know enough to know which
value might be wrong...

Here's what I have there - with some privacy stuff renamed - can
anyone offer assistance? We run a Novell LDAP server, and I have
successfully enabled the LDAP authentication to the web server - just
RT I need to get working now...

I was guessing at filling in these values - can anyone check my work?

Many thanks...

RT_SiteConfig contains this info for LDAP support:

Set($WebExternalAuth, '1');
Set($WebFallbackToInternalAuth, '1');
Set($WebExternalGecos, undef);
Set($WebExternalAuto, '1');

Set($LDAPExternalAuth, '1'); # Enable LDAP auth
Set($LdapServer, "myldapserver.domain.ca");
#Set($LdapCAFile, undef);
Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
#Set($LdapPass, '');
#Set($LdapAuthStartTLS, '1'); # Need to use TLS or ldaps to check passwords
#Set($LdapAuthBase, "o=ourcorp");
Set($LdapAuthUidAttr, 'cn');
#Set($LdapAuthFilter, '(objectClass=user)');
#Set($LdapMailBase, 'cn=Users,dc=ourcorp,dc=ca');
#Set($LdapMailFilter, '(objectClass=user)');
Set($LdapMailScope, 'sub');
Set($LdapMailSearchAttr, 'mail');
%RT::LdapMailResultMap = (
    'cn'   => 'Name',
    'mail' => 'EmailAddress',
    'cn'   => 'RealName',
);


Hello!

Have you read:

http://wiki.bestpractical.com/index.cgi?LDAP
http://wiki.bestpractical.com/index.cgi?LdapOverlay

I ask this because both mention attributes you’ve not set in your
RT_SiteConfig.pm. Meanwhile, here’s what the pertinent bits of ours look
like:

Set($LDAPExternalAuth, 1);
Set($LdapServer, "ldap.foo.com");
Set($LdapUser, "");
Set($LdapPass, "");
Set($LdapBase, "ou=People,dc=foo,dc=com");
Set($LdapUidAttr, "uid");
Set($LdapFilter, "(objectclass=posixAccount)");

So we look in the People branch of our LDAP tree for a person whose
posixAccount matches the login name, then auth that. While our LDAP
server doesn’t require authentication, I’ve left both fields set as
blank; I don’t know if it matters, but it worked so I haven’t twiddled
it to understand better.

[Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
2005] [critical]: IsLdapPassword: Cannot bind to LDAP: retval= 48
LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)

I’m guessing this means that the ldap_proxy user you spec’d isn’t able
to authenticate without a password. For our installation I didn’t need a
user/password; access control is via host groups instead.

Set($WebExternalAuth, '1');
Set($WebFallbackToInternalAuth, '1');
Set($WebExternalGecos, undef);
Set($WebExternalAuto, '1');

Interestingly, I don’t have any of these set in my config. It works just
fine without them, it seems.

Good luck!

–j
Jim Meyer, Geek at Large purp@acm.org

I used the attached file for doing the LDAP authentication and it
worked. Hope it’s helpful.

Ahalya Nathan
Senior Programmer / Analyst
Information Technology, Metropolitan Utilities District
(402) 504-7180 phone
(402) 504-5180 fax

RT_SiteConfig_LDAP.pm (1.61 KB)

In the immortal words of TeleMole (telemole@gmail.com):

That is rectified - now the only success I am having is getting as
far as attempting to authenticate to the web server - entering
credentials in the window - then getting a failure message - my web
log shows the following:

[Mon Nov 28 15:15:33 2005] [error] [client 192.75.12.248] FastCGI:
server "/opt/rt3/bin/mason_handler.fcgi" stderr: [Mon Nov 28 20:15:33
2005] [critical]: IsLdapPassword: Cannot bind to LDAP: retval= 48
LDAP_INAPPROPRIATE_AUTH (/opt/rt3/lib/RT/User_Local.pm:382)

Well, that seems like a pretty straightforward error: User_Local.pm is
trying to perform an LDAP bind, and failing.

Can you manually use a tool like ldapsearch to bind and search with
the same username/password you’re providing to RT?

Set($LdapUser, 'cn=ldap_proxy,o=ourcorp');
#Set($LdapPass, '');

Question the first: is “cn=ldap_proxy,o=ourcorp”, with no password,
actually a DN that can bind and search?

#Set($LdapAuthBase, "o=ourcorp");

You probably want to actually set $LdapAuthBase to something
reasonable here, just so that every search doesn't have to traverse
the whole tree.

Set($LdapAuthUidAttr, 'cn');

Urk, this is almost certainly wrong. I say "almost", because I've
never used the Novell Directory Server here, but what you're looking
for here is your LDAP schema's equivalent to a unix/posix "uid"
attribute. In an ActiveDirectory server, that would be
"sAMAccountName". I believe most OpenLDAP and SunONE/Netscape LDAP
servers use "username", although don't quote me on that. :)

#Set($LdapAuthFilter, '(objectClass=user)');
#Set($LdapMailBase, 'cn=Users,dc=ourcorp,dc=ca');
#Set($LdapMailFilter, '(objectClass=user)');

Again, probably best to set up filters here, just to keep the results
tree manageable.

Set($LdapMailSearchAttr, 'mail');

You’ll want to make sure that ‘mail’ is, in fact, the attribute name
in your schema for the user’s email address.

%RT::LdapMailResultMap = (
    'cn'   => 'Name',
    'mail' => 'EmailAddress',
    'cn'   => 'RealName',
);

The first use of ‘cn’ there is almost certainly wrong: cn should map
to RealName, but something else, probably ‘uid’ or ‘username’ will map
to the Name field.

-n

------------------------------------------------------memory@blank.org
"You’ve got to hand it to postmodernism: no other literary movement in
history ever spread so much boredom in the name of playfulness."
(–B.R. Myers)
http://blank.org/memory/----------------------------------------------
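Nathan's suggestion to bind and search by hand is the right first check, and the same three steps can be run with ldapsearch (-D for the bind DN, -W to be prompted for its password, -b for the base). The script below is an added example, not RT's code and not something posted in this thread, that spells those steps out with Net::LDAP, the module RT's LDAP overlay depends on: bind as the search account, look the login up under the base with the filter, then re-bind as the entry found using the password the user typed. The server name, proxy DN, base, filter, attribute names and CA file are assumptions taken from the config posted earlier; adjust them to your tree. Two details are there for security rather than convenience. A simple bind that sends a DN with an empty password is an unauthenticated bind (RFC 4513, section 5.1.2): some servers answer success without checking anything, others refuse it with result 48, and neither outcome proves the user knows the password, so the script rejects empty passwords (for the user and for the proxy account, whose password is commented out in the config above) before it talks to the server. And the login name is escaped before it is placed in the search filter, so a value such as "*" or "sdaniels)(cn=*" cannot widen the search to other entries.

```perl
#!/usr/bin/perl
# Added example (not RT code): the bind -> search -> re-bind sequence an LDAP password
# check performs, runnable outside RT so each step can be verified on its own.
# Server, DNs, base, filter and CA file are assumptions based on the config in the thread.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS LDAP_INAPPROPRIATE_AUTH);

my %cfg = (
    server   => 'myldapserver.domain.ca',       # $LdapServer
    proxy_dn => 'cn=ldap_proxy,o=ourcorp',      # $LdapUser
    proxy_pw => $ENV{LDAP_PROXY_PW},            # $LdapPass, from the environment, not the script
    base     => 'ou=people,o=ourcorp',          # $LdapAuthBase (assumed; narrower than o=ourcorp)
    uid_attr => 'cn',                           # $LdapAuthUidAttr
    filter   => '(objectClass=inetOrgPerson)',  # $LdapAuthFilter (assumed; check your schema)
    ca_file  => '/etc/ssl/certs/corp-ca.pem',   # $LdapCAFile (assumed)
);

# Returns the user's DN when the password is correct; dies with the LDAP result otherwise.
sub check_ldap_password {
    my ($login, $password) = @_;

    # A DN with an empty password is an *unauthenticated* bind (RFC 4513 s.5.1.2): some
    # servers answer 0 without checking anything, others refuse it with 48. Either way it
    # proves nothing about the user, so it is rejected here before any network traffic.
    die "empty password refused\n" unless defined $password && length $password;
    die "LDAP_PROXY_PW not set: the proxy bind would also be unauthenticated\n"
        unless defined $cfg{proxy_pw} && length $cfg{proxy_pw};

    my $ldap = Net::LDAP->new($cfg{server}, version => 3)
        or die "connect to $cfg{server} failed: $@\n";

    # Passwords cross the wire in the clear on plain LDAP; require TLS with a verified cert.
    my $tls = $ldap->start_tls(verify => 'require', cafile => $cfg{ca_file});
    die "StartTLS failed: " . $tls->error . "\n" if $tls->code;

    # 1. Bind as the search account.
    my $mesg = $ldap->bind($cfg{proxy_dn}, password => $cfg{proxy_pw});
    die sprintf("proxy bind failed: retval=%d %s\n", $mesg->code, $mesg->error) if $mesg->code;

    # 2. Find the entry whose uid attribute equals the login. The login is escaped so a
    #    value such as "*" or "sdaniels)(cn=*" cannot widen the filter (LDAP injection).
    my $value  = escape_filter_value($login);
    my $search = $ldap->search(
        base   => $cfg{base},
        scope  => 'sub',
        filter => "(&$cfg{filter}($cfg{uid_attr}=$value))",
        attrs  => [ $cfg{uid_attr}, 'mail' ],
    );
    die sprintf("search failed: retval=%d %s\n", $search->code, $search->error) if $search->code;
    my $n = $search->count;
    die "no entry for '$login' under $cfg{base}\n"              if $n == 0;
    die "$n entries match '$login'; refusing ambiguous login\n" if $n > 1;
    my $user_dn = $search->entry(0)->dn;

    # 3. Re-bind as that entry with the user's own password; only this result proves it.
    my $auth = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    if ($auth->code == LDAP_INVALID_CREDENTIALS) {
        die "wrong password for $user_dn (retval=49)\n";
    }
    if ($auth->code == LDAP_INAPPROPRIATE_AUTH) {
        die "server rejected the bind method for $user_dn (retval=48)\n";
    }
    die sprintf("user bind failed: retval=%d %s\n", $auth->code, $auth->error)
        if $auth->code != LDAP_SUCCESS;
    return $user_dn;
}

# Usage:  LDAP_PROXY_PW='...' perl check_ldap_password.pl sdaniels
if (!caller) {
    my $login = shift @ARGV or die "usage: $0 <login>\n";
    print "Password for $login: ";
    system 'stty', '-echo';
    my $pw = <STDIN>;
    $pw = '' unless defined $pw;
    chomp $pw;
    system 'stty', 'echo';
    print "\n";
    my $dn = check_ldap_password($login, $pw);
    print "OK: '$login' authenticated as $dn\n";
}
```

Each die message carries the step that failed and the LDAP result code, so a retval of 48 or 49 can be tied to the proxy bind, the search, or the user bind rather than read from a single "Cannot bind" line. Running it with a deliberately wrong password should produce the retval=49 path; if it instead prints OK, the server is accepting binds it should not, and that must be fixed on the directory before any application is allowed to trust bind results.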

Hi - thanks again for all your help - I'm crawling along :) I do have
a whack more questions if you have the stomach for it...

Well, that seems like a pretty straightforward error: User_Local.pm is
trying to perform an LDAP bind, and failing.

Yes - I am now an LDAP error expert :) I have a chart of errors on my
desk in front of me for troubleshooting...

Can you manually use a tool like ldapsearch to bind and search with
the same username/password you’re providing to RT?

Our apache config authenticates by ldap to allow access to the root of
the web server - using these credentials and using CN as the unique
identifier - successfully… so I have to expect these to be correct.

Set($LdapAuthUidAttr, 'cn');

Urk, this is almost certainly wrong. I say "almost", because I've
never used the Novell Directory Server here, but what you're looking
for here is your LDAP schema's equivalent to a unix/posix "uid"
attribute. In an ActiveDirectory server, that would be
"sAMAccountName". I believe most OpenLDAP and SunONE/Netscape LDAP
servers use "username", although don't quote me on that. :)

We want the behaviour to be people using their 'account' name (the
first part of their email address) as the login - and from all
indicators, it does look to be CN in Novell LDAP - this is mapped to
CN in our tree - which IS the user's account name (mine returns
cn=sdaniels,ou=people,o=ourcorp) successfully when authenticating by
LDAP through Apache to SEE the web pages.

Set($LdapMailSearchAttr, 'mail');

You'll want to make sure that 'mail' is, in fact, the attribute name
in your schema for the user's email address.

%RT::LdapMailResultMap = (
    'cn'   => 'Name',
    'mail' => 'EmailAddress',
    'cn'   => 'RealName',
);

The first use of ‘cn’ there is almost certainly wrong: cn should map
to RealName, but something else, probably ‘uid’ or ‘username’ will map
to the Name field.

I think it's clear I don't understand the process that these variables
are used for - but if I am trying to define what piece of data I want
used for their username in RT - it should be cn to match their
username in Novell NetWare.

The whole mod is a little unclear to me in its function, though what
I read about its behaviour is definitely what I want in the end - I'm
just still not sure how to get there - the example configs everyone
has sent have been helpful in improving my understanding - but don't
offer me a working example in my environment.

Thanks again to all for your help thus far - I hope to hear back from you!

Cheers,

Sean Daniels

TeleMole,
It seems to me that rather than LDAP, you are really wanting to
authenticate against NDS/eDir…
I was thinking about the way that Novell uses Apache2 for some of their
existing products however, and figured that they must have something
that would work, so I found this:
http://developer.novell.com/wiki/index.php/MOD_EDIR_-_Apache_2.0_Web_Server_eDirectory_Services_Module
This is an Apache2 module for Novell's eDirectory - source is provided, so
it seems like that would fit your bill a little better.
I have a colleague that uses LDAP authentication with AD, and they just
deal with the LDAP syntax of cn=blah,ou=blah,o=blah since only their techs
actually log in to the web interface. I would imagine that you would need
the NetWare client for true single sign-on.
Best of luck! If I get a chance, I'll give it a try in our lab over here
(we have eDir 8.7) and see if I can get it working. We rolled out eDir
AFTER RT, so I haven't thought much about a cutover yet.