I think it is your LDAP external settings. We use the LDAP UserID that one signs in with as the name, and we use TLS. Anyway, this is what we have. I'm removing sensitive stuff, but I think there will be enough to correlate:
We are stating that we use LDAP for both authorization AND the Info we pull.
We turn on External Service using SSL or TLS.
We do NOT autocreate users that do not pass the LDAP auth process.
We do not specify any user or pass.
We specify the LDAP ou, o, & c values.
We specify an additional filter. For us, the status (for the user signing in) must be active in the LDAP table AND, in addition, we specify division codes. We only want certain company employees from specified divisions to be able to use RT.
We specify a "disable" filter for any user signing on if they are not classified as staff or a guest.
We specify the argument version we use.
We specify what LDAP attributes we want to match against when authorizing.
We specify what LDAP info we want to download into the RT USER Table:
Notice we use the same LDAP UserId (uid) for Name, ExternalAuthId and Gecos.
That's the best advice I can give you. Hope it's enough.
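The settings listed above, written out as an RT 3.8 RT_SiteConfig.pm fragment. This is an added example, not the poster's own (redacted) configuration: the hostname, base DN, attribute names (status, divisionCode, employeeType) and the division values are assumptions standing in for whatever the real directory uses.

```perl
# Added example: RT::Authen::ExternalAuth settings matching the description above.
# Hostname, DNs, attribute names and values are placeholders (assumptions).
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# LDAP is used both for authentication and for the user info we pull
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);

# Talk to the directory over SSL/TLS
Set($ExternalServiceUsesSSLorTLS, 1);

# Do not create RT users for logins that fail the external auth check
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.org',        # assumed hostname
        # No service account: lookups are done with an anonymous bind, then RT
        # binds as the user's own DN with the password they typed
        'user'   => '',
        'pass'   => '',
        # Search base built from the ou, o and c values
        'base'   => 'ou=people,o=Example Corp,c=US',
        # Additional filter: account must be active AND in an allowed division
        'filter'   => '(&(status=active)(|(divisionCode=100)(divisionCode=200)))',
        # Disable filter: anyone who is neither staff nor a guest is marked disabled
        'd_filter' => '(!(|(employeeType=staff)(employeeType=guest)))',
        'tls'      => 1,
        # Arguments handed to Net::LDAP->new: protocol version 3
        'net_ldap_args' => [ version => 3 ],
        # RT user fields compared against the directory when looking a user up
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT user field => directory attribute; the login uid fills Name,
        # ExternalAuthId and Gecos, as in the post above
        'attr_map' => {
            'Name'           => 'uid',
            'ExternalAuthId' => 'uid',
            'Gecos'          => 'uid',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'WorkPhone'      => 'telephoneNumber',
            'Organization'   => 'ou',
        },
    },
});
```

With empty `user`/`pass` the directory has to permit an anonymous search under `base` for the login attribute, or the UserExists lookup never finds the DN to bind as; against Active Directory that usually means a bind account is required instead.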
ldapsearch works, I can find myself using:
ldapsearch -LLL -x -H ldap://ADserver:389 -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
I also turned on debug logging for externalauth, and here's what I see in the log. The password I'm providing is correct, and it seems to be able to find my account, but then I get an auth failure... why?
[Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:11:18 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter: (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
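The debug output above is easier to reason about once each login attempt is reduced to the sequence of LDAP searches RT issued and the point at which it gave up. The script below is an added example, not code from RT or from anyone in the thread: it parses the posted lines (embedded as a constructed sample, or read from a file given on the command line) and reports that sequence. In this log the last search before "AUTH FAILED" is a `(member=<user DN>)` lookup asking only for `dn`, which is the shape of the `group`/`group_attr` membership check, and its base is the users OU rather than a group DN; the script flags that pattern so it is the first setting an admin verifies.

```perl
#!/usr/bin/perl
# Added example, not part of the thread: summarise one RT::Authen::ExternalAuth
# login attempt from debug log lines and point at the step that preceded failure.
use strict;
use warnings;

# Constructed sample: the debug lines posted above, each rejoined onto one line
# (the first search's attribute list is shortened to keep the line readable).
my @log = (
    '[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)',
    '[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)',
    '[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)',
    '[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)',
    '[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)',
    '[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)',
    '[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)',
    '[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)',
);

# Optional: read a real (pre-filtered) log instead of the sample,
# e.g.  grep polyva /var/log/httpd/error_log | this script
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "cannot open $ARGV[0]: $!";
    @log = <$fh>;
    close $fh;
}
chomp @log;

# Pull out every LDAP search, the resolved user DN and the failure verdict.
sub analyze {
    my ($lines) = @_;
    my %r = (searches => []);
    for (@$lines) {
        if (/LDAP Search === Base: ?(.*?) == Filter: ?(.*?) == Attrs: ?(\S*) \((\S+)\)\s*$/) {
            push @{ $r{searches} }, { base => $1, filter => $2, attrs => $3, where => $4 };
        }
        elsif (/Found LDAP DN: (.*?) \((\S+)\)\s*$/) {
            $r{dn} = $1;
        }
        elsif (/(\S+) AUTH FAILED: (\S+) \((\S+)\)\s*$/) {
            $r{failed} = { service => $1, user => $2, where => $3 };
        }
    }
    return \%r;
}

my $r = analyze(\@log);
my @s = @{ $r->{searches} };
printf "%d LDAP search(es) issued:\n", scalar @s;
for my $i (0 .. $#s) {
    printf "  %d. base   = %s\n     filter = %s\n     attrs  = %s   [%s]\n",
        $i + 1, @{ $s[$i] }{qw(base filter attrs where)};
}
print "resolved user DN: $r->{dn}\n" if defined $r->{dn};

if (my $f = $r->{failed}) {
    print "$f->{service} AUTH FAILED for $f->{user} at $f->{where}\n";
    if (@s) {
        my $last = $s[-1];
        print "last search before the verdict: $last->{filter}\n  under base $last->{base}\n";
        # A filter of the form (<attr>=<resolved user DN>) that asks only for 'dn' is
        # the shape of the group/group_attr membership check. The 'group' setting is
        # meant to be the DN of the group whose 'group_attr' lists members; when the
        # base is instead the OU the user lives in, the lookup has nothing to match.
        if (defined $r->{dn} && $last->{filter} =~ /^\((\w+)=\Q$r->{dn}\E\)$/) {
            print "  -> looks like a membership check on attribute '$1'; verify that 'group'\n",
                  "     is the group's DN and 'group_attr' is '$1', then re-test the login\n";
        }
    }
} else {
    print "no AUTH FAILED line found in this attempt\n";
}
```

Note what the log does not show: no bind as the user's DN is logged at all, so "Password Invalid" in the autohandler response is RT's summary of the whole GetAuth call, not evidence that the password itself was rejected. Confirm the bind separately with ldapsearch using the resolved DN and the user's password before touching the credentials.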
Val,
Have you verified that ldapsearch works for you on this box?
I used something like this to test:
ldapsearch -LLL -x -H ldap://:389 -b 'DC=corp,DC=something,DC=com' -D 'ldapuser@corp.something.com' -w '' '(&(ObjectClass=Person)(cn=<username to search for))'
I had to ask our Windows AD guys to allow the ldapuser to read all user information. I also had to have them open the firewall to our server, because by default they only allow certain servers to query the AD servers.
John
On 09/27/2010 10:14 AM, Val Polyakov wrote:
Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate AD.
I followed this guide here:
http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
I also checked that apache has access here (the RT-Authen-ExternalAuth dir was chgrp -R'ed and chmod -R 770'ed):
[root@rt plugins]# pwd
/opt/rt3/local/plugins
[root@rt plugins]# ls -ltr
total 4
drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
[root@rt plugins]# ps awwwux |grep httpd
root 2313 0.1 4.1 348008 83360 ? Ss 10:32 0:02 /usr/sbin/httpd
apache 2317 0.0 4.1 350272 82612 ? S 10:32 0:00 /usr/sbin/httpd
apache 2318 0.0 4.1 350272 82616 ? S 10:32 0:00 /usr/sbin/httpd
apache 2319 0.0 4.0 348204 82216 ? S 10:32 0:00 /usr/sbin/httpd
apache 2320 0.0 4.1 350272 82684 ? S 10:32 0:00 /usr/sbin/httpd
apache 2321 0.0 4.1 350928 83388 ? S 10:32 0:00 /usr/sbin/httpd
apache 2322 0.0 4.1 350272 82616 ? S 10:32 0:00 /usr/sbin/httpd
apache 2323 0.0 4.1 350272 82616 ? S 10:32 0:00 /usr/sbin/httpd
apache 2324 0.0 4.1 350668 83172 ? S 10:32 0:00 /usr/sbin/httpd
root 3537 0.0 0.0 61148 708 pts/0 R+ 11:06 0:00 grep httpd
[root@rt plugins]#
When I set this up and tried to log in with my AD account for the first time, here's what I saw in /var/log/httpd/error_log:
[root@rt autohandler]# tail -f /var/log/httpd/error_log
[Mon Sep 27 14:32:29 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101 Truman Avenue, City: Yonkers, Country: United States, Disabled: 0, EmailAddress: vpolyakov@consumer.org, ExternalAuthId: POLYVA, Gecos: POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName: Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
[Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
....
And ever since then, when I try to log in I only see this:
[Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
My /opt/rt3/etc/RT_SiteConfig.pm and /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached.
Any suggestions?
RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year -- Learn how to get the most out of RT!
--
John Alberts
Hosted Services
Exlibris USA
john.alberts@exlibrisgroup.com
cell: 1-508-878-2197