Ldap externalauth problem

Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate AD.

I followed this guide here:
http://wiki.bestpractical.com/view/CentOS5InstallPlusSome

I also checked that apache has access to over here (RT-Authen-ExternalAuth
dir was chgrp -R’ed and chmod -R 770’ed):

[root@rt plugins]# pwd
/opt/rt3/local/plugins
[root@rt plugins]# ls -ltr
total 4
drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
[root@rt plugins]# ps awwwux |grep httpd
root 2313 0.1 4.1 348008 83360 ? Ss 10:32 0:02
/usr/sbin/httpd
apache 2317 0.0 4.1 350272 82612 ? S 10:32 0:00
/usr/sbin/httpd
apache 2318 0.0 4.1 350272 82616 ? S 10:32 0:00
/usr/sbin/httpd
apache 2319 0.0 4.0 348204 82216 ? S 10:32 0:00
/usr/sbin/httpd
apache 2320 0.0 4.1 350272 82684 ? S 10:32 0:00
/usr/sbin/httpd
apache 2321 0.0 4.1 350928 83388 ? S 10:32 0:00
/usr/sbin/httpd
apache 2322 0.0 4.1 350272 82616 ? S 10:32 0:00
/usr/sbin/httpd
apache 2323 0.0 4.1 350272 82616 ? S 10:32 0:00
/usr/sbin/httpd
apache 2324 0.0 4.1 350668 83172 ? S 10:32 0:00
/usr/sbin/httpd
root 3537 0.0 0.0 61148 708 pts/0 R+ 11:06 0:00 grep httpd
[root@rt plugins]#

When I set this up and tried to log in with my AD account for the first
time, here’s what I saw in /var/log/httpd/error_log:

[root@rt autohandler]# tail -f /var/log/httpd/error_log
[Mon Sep 27 14:32:29 2010] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101
Truman Avenue, City: Yonkers, Country: United States, Disabled: 0,
EmailAddress: vpolyakov@consumer.org, ExternalAuthId: POLYVA, Gecos:
POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName:
Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
[Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)

And ever since then when I try to login I only see this:

[Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from
192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

My /opt/rt3/etc/RT_SiteConfig.pm and
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached.

Any suggestions?

RT_SiteConfig.pm (2.2 KB)

RT_SiteConfig.pm.externalauth (2.37 KB)

Val,
Have you verified that ldapsearch works for you on this box?

I used something like this to test:

ldapsearch -LLL -x -H ldap://:389 -b 'DC=corp,DC=something,DC=com' -D 'ldapuser@corp.something.com' -w '' '(&(ObjectClass=Person)(cn=<username to search for>))'

I had to request from our Windows AD guys to allow the ldapuser to be able to read all user information. I also had to have them open the firewall to our server, because by default, they only allow certain servers to query the AD servers.

John

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year -- Learn how to get the most out of RT!

John Alberts
Hosted Services
Exlibris USA
john.alberts@exlibrisgroup.com
cell: 1-508-878-2197

ldapsearch works, I can find myself using:

ldapsearch -LLL -x -H ldap://ADserver:389 \
  -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' \
  -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' \
  -w 'rtPassword' \
  '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'

I also turned on debug logging for externalauth, and here’s what I see in
the log. The password I’m providing is correct, it seems to be able to find
my account, but then I get an auth failure… why? :confused:

[Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username
(polyva) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:11:18 2010] [debug]: UserExists params:
username: polyva , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for
service - Executing…
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter:
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from
192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Can you remove the d_filter you have? It’s different than what I have:
'd_filter' => '(userAccountControl=514)',

Jason Ledford
Systems Analyst
The Biltmore Company
One North Pack Square
Asheville, NC 28801
(828) 225-6127

sure

                 'filter'                =>  '(&(ObjectCategory=User))',
                 'd_filter'              =>  '(userAccountControl=514)',

[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username
(polyva) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:39:08 2010] [debug]: UserExists params:
username: polyva , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:39:08 2010] [debug]: Password validation required for
service - Executing…
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from
192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
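
Both debug traces above show the same order of events before "AUTH FAILED": the DN is found, a search on (member=<DN>) follows, then the failure. This Python script is an added example (not part of any post in this thread and not the plugin's own code) that rejoins the mail-wrapped log lines and reports which step was logged last before each failure. The hint texts assume the plugin logs each step in the order it runs, and the second login attempt in the sample (user jdoe) is constructed.

```python
import re

RECORD_START = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]+ \d{4})\] \[(\w+)\]: ?(.*)$")
LOCATION = re.compile(r"\((/[^()\s]+):(\d+)\)\s*$")    # trailing "(file:line)"
SEARCH = re.compile(r"Filter: (.*?) == Attrs: (.*)$")
FAILED = re.compile(r"^(\S+) AUTH FAILED:?\s*(\S+)")

# Interpretation of the last step logged before a failure.
# Assumption (not stated in the thread): steps are logged in execution order.
HINTS = {
    "start": "no search logged: check 'server', 'user' and 'pass'",
    "user_search": "no DN found: check 'base' and 'filter'",
    "dn_found": "nothing after the DN lookup: the bind with the user's password failed",
    "group_search": "failure follows the (group_attr=DN) search: check 'group' and 'group_attr'",
}


def squash(text):
    """Drop all whitespace so DNs broken by mail wrapping still compare equal."""
    return re.sub(r"\s+", "", text)


def parse_records(text):
    """Join wrapped lines into one record per log entry and split off (file:line)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = RECORD_START.match(line)
        if start:
            records.append({"ts": start.group(1), "level": start.group(2),
                            "msg": start.group(3)})
        elif records:                       # continuation of the previous entry
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    for rec in records:
        loc = LOCATION.search(rec["msg"])
        if loc:
            rec["where"] = loc.group(1).rsplit("/", 1)[-1] + ":" + loc.group(2)
            rec["msg"] = rec["msg"][:loc.start()].strip()
    return records


def triage(text):
    """Return one finding per AUTH FAILED entry with the step logged just before it."""
    findings, stage, dn = [], "start", None
    for rec in parse_records(text):
        msg = rec["msg"]
        failed = FAILED.match(msg)
        if msg.startswith("Trying external auth service:"):
            stage, dn = "start", None       # a new password check begins
        elif msg.startswith("Found LDAP DN:"):
            stage, dn = "dn_found", squash(msg.split(":", 1)[1])
        elif msg.startswith("LDAP Search ==="):
            m = SEARCH.search(msg)
            filt = squash(m.group(1)) if m else ""
            # A filter that embeds the user's DN is the group membership lookup.
            stage = "group_search" if dn and dn in filt else "user_search"
        elif failed:
            findings.append({"ts": rec["ts"], "service": failed.group(1),
                             "user": failed.group(2), "after": stage,
                             "where": rec.get("where"), "hint": HINTS[stage]})
    return findings


P = "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm"
# First attempt: lines from the 17:39:08 trace above, wrapped as in the mail.
# Second attempt (jdoe): constructed for contrast, without file locations.
SAMPLE_LOG = f"""\
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP
({P}:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn
({P}:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
({P}:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov,
Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
({P}:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva
({P}:127)
[Mon Sep 27 17:45:00 2010] [debug]: Trying external auth service: My_LDAP
[Mon Sep 27 17:45:00 2010] [debug]: LDAP Search === Base:
ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter:
(&(sAMAccountName=jdoe)(&(ObjectCategory=User))) == Attrs: dn
[Mon Sep 27 17:45:00 2010] [debug]: Found LDAP DN: CN=Doe,
Jane,OU=Users,OU=YONKERS,DC=mydomain,DC=org
[Mon Sep 27 17:45:00 2010] [info]: My_LDAP AUTH FAILED: jdoe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['service']} {f['user']}: after {f['after']} -> {f['hint']}")
```
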

Val,

I think it is your LDAP external settings. We use the LDAP UserID that one
signs in with as the name and we use TLS. Anyway, this is what we have. I’ve
removed sensitive stuff, but I think there will be enough to correlate:

# User is authenticated if successfully confirmed by any service
# No more services are checked
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# No more services are checked
Set(
    $ExternalSettings,
    {
        'My_LDAP' =>
        {
            'type'     => 'ldap',
            'server'   => 'our server',
            'user'     => '',
            'pass'     => '',
            'base'     => 'ou=People,o=company name,c=US',
            # division prefixes we use as a filter on top of "active" status
            'filter'   => '(&(xxxstatus=A)(|(xxxpan=CF*)(xxxpan=EH*)(xxxpan=HR*)(xxxpan=IC*)))',
            # staff or guest
            'd_filter' => '(!(|(xxxEmpStat=Staff)(xxxEmpStat=Guest)))',
            'tls'      => 1,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'uid'
                                 ],
            'attr_map' => { 'Name'           => 'uid',
                            'EmailAddress'   => 'mail',
                            'Organization'   => 'o',
                            'RealName'       => 'cn',
                            'ExternalAuthId' => 'uid',
                            'Gecos'          => 'uid',
                            'WorkPhone'      => 'telephonenumber',
                            'Address1'       => 'xxxmailstop',
                            'Address2'       => 'postaladdress'
                          }
        }
    }
);
1;

An explanation of our settings:

We are stating that we use LDAP for both authorization AND the Info we pull.
We turn on External Service using SSL or TLS.
We do NOT autocreate users that do not pass the LDAP auth process.
We do not specify any user or pass.
We specify the LDAP ou, o, & c values.
We specify an additional filter. For us, the status (for the user signing
in) must be active on the LDAP table AND, in addition, we specify division
codes. We only want certain company employees from specified divisions to be
able to use RT.
We specify a “disable” filter for any user signing on if they are not
classified as staff or a guest.
We specify the argument version we use.
We specify what LDAP attributes we want to match against when authorizing.
We specify what LDAP info we want to download into the RT USER Table:

  • Name will be the LDAP UserID they sign on with
  • Email address is the LDAP email address associated with this LDAP UserId.
  • Organization info will be what we set ‘o’ to earlier (base=>o= company
    name).
  • and on.

Notice we use the same LDAP UserId (uid) for Name, ExternalAuthID and Gecos.

I guess the main thing to look for is a consistency in what LDAP fields
you use for Auth and what you save. If I say I use the LDAP 'uid' for
Name, then I must make sure that all references to Name are expecting
that it be the LDAP UserID ('uid').

That’s the best advice I can give you. Hope it’s enough.

Kenn
LBNL

So I’ve rewritten the file from scratch, and it works now (however I still
have some questions at the bottom).

Final/working version:

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'cudctwo.mydomain.org',
        'user'            => 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org',
        'pass'            => 'rtpasswd',
        'base'            => 'ou=Users,ou=Yonkers,dc=mydomain,dc=org',
        'filter'          => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # bitwise-AND match on the ACCOUNTDISABLE bit (2) of userAccountControl
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'cn=Domain Users,ou=Groups,dc=mydomain,dc=org',
        'group_attr'      => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => { 'Name'           => 'sAMAccountName',
                               'EmailAddress'   => 'mail',
                               'Organization'   => 'physicalDeliveryOfficeName',
                               'RealName'       => 'cn',
                               'ExternalAuthId' => 'sAMAccountName',
                               'Gecos'          => 'sAMAccountName',
                               'WorkPhone'      => 'telephoneNumber',
                               'Address1'       => 'streetAddress',
                               'City'           => 'l',
                               'State'          => 'st',
                               'Zip'            => 'postalCode',
                               'Country'        => 'co'
                             }
    }
}
);

1;

Now a question:

My users are spread across many OUs, there is not a single OU which I can
point RT to and say “search for the username over here!”. There are 5 OUs
that the user can be in. Is there a way for me to specify all of them? I
kinda need to, otherwise 4/5th of our users wouldn’t be able to log in :confused:

So… how do I have 5 bases to look in? heh
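
Two different d_filter values appear in this thread: the equality test (userAccountControl=514) and the bitwise rule (userAccountControl:1.2.840.113556.1.4.803:=2) in the final config. The Python script below is an added example, not code from any poster or from RT, that evaluates both forms against constructed userAccountControl values to show which disabled accounts each one matches. The account names and values are constructed, and the evaluator handles only these simple single-term filters.

```python
import re

# Active Directory userAccountControl flag bits used in the sample below.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR

# "(attr=number)" or "(attr:oid:=number)"
TERM = re.compile(r"^\((\w+)(?::([\d.]+):)?=(\d+)\)$")


def matches(filter_str, entry):
    """Evaluate one integer filter term against an entry (dict of attributes)."""
    m = TERM.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, rule, operand = m.group(1), m.group(2), int(m.group(3))
    if attr not in entry:
        return False
    value = int(entry[attr])
    if rule is None:
        return value == operand              # plain equality
    if rule == BIT_AND:
        return (value & operand) == operand  # every bit of the operand is set
    if rule == BIT_OR:
        return (value & operand) != 0        # any bit of the operand is set
    raise ValueError("unsupported matching rule: " + rule)


def describe(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


# Constructed directory entries.
ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # enabled
    {"sAMAccountName": "bob",   "userAccountControl": "514"},    # disabled
    {"sAMAccountName": "carol", "userAccountControl": "66050"},  # disabled, no expiry
    {"sAMAccountName": "dave",  "userAccountControl": "546"},    # disabled, no pw required
    {"sAMAccountName": "erin",  "userAccountControl": "66048"},  # enabled, no expiry
]


def flagged(d_filter):
    """Accounts a given d_filter would mark as disabled."""
    return [a["sAMAccountName"] for a in ACCOUNTS if matches(d_filter, a)]


if __name__ == "__main__":
    for a in ACCOUNTS:
        print(a["sAMAccountName"], describe(int(a["userAccountControl"])))
    print("=514      ->", flagged("(userAccountControl=514)"))
    print("BIT_AND 2 ->", flagged("(userAccountControl:1.2.840.113556.1.4.803:=2)"))
```
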