LDAP with AD RT:3.8.4 ExternalAuth

I am running RT 3.8.4 with the RT::Authen::ExternalAuth plugin. My
Request Tracker server does not appear to be accessing the AD server
for login. If I run tcpdump I do not see a connection to the AD
server being attempted, and the local logins still work. Is there another
config file I need to change? I would be grateful for any help.

The RT_SiteConfig.pm:

Set($LogToSyslog, 'debug');

# THE BASICS:
Set($rtname, 'support.example.org');
Set($Organization, 'example.org');
Set($CorrespondAddress, 'bsnyder@domain.com');
Set($CommentAddress, 'comment-test@domain.com');
Set($Timezone, 'US/Mountain'); # obviously choose what suits you

# LDAP
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalSettings, {
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'            => 'ldap',
        # The server hosting the service
        'server'          => '10.x.x.x', # IP address is correct

        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'            => 'AD_Info\LDAP',
        'pass'            => 'pass',
        # The LDAP search base
        'base'            => 'ou=*,dc=DCinfo,dc=local',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'          => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter'        => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls'             => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version'     => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'        => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        },
    },
});

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql
Set($DatabaseUser, 'rtuser');
Set($DatabasePassword, 'password');
Set($DatabaseName, 'rt3'); # Ensure this is set to rt3!
Set($WebPath, "/rt");
Set($WebBaseURL, "http://support.example.org");
Set(@Plugins, qw(RT::FM));

1;

Syslog:

Sep 18 16:03:49 RequstTracker RT: FAILED LOGIN for testuser from 10.50.1.192 (/opt/rt3/share/html/autohandler:268)

Sep 18 16:04:17 RequstTracker RT: You've enabled GD, but we couldn't load the module: Can't locate GD.pm in @INC (@INC contains: /opt/rt3/bin/…/local/lib /opt/rt3/local/plugins/RT-FM/lib /opt/rt3/bin/…/lib /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . /etc/apache2) at /opt/rt3/bin/…/lib/RT/Config.pm line 365.

Sep 18 16:04:17 RequstTracker RT: You've enabled GraphViz, but we couldn't load the module: Can't locate GraphViz.pm in @INC (@INC contains: /opt/rt3/bin/…/local/lib /opt/rt3/local/plugins/RT-FM/lib /opt/rt3/bin/…/lib /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . /etc/apache2) at /opt/rt3/bin/…/lib/RT/Config.pm line 352.

Sep 18 16:04:17 RequstTracker RT: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled

Beryl Snyder
IT Specialist
TMC Design Corporation
4325 Del Rey BLVD
Las Cruces, NM 88012
Phone: 575-382-4600
Fax: 575-523-8588

Set(@Plugins,qw(RT::FM));

You need to turn on the extension by adding the
RT::Authen::ExternalAuth module to that quoted array.

Also, I saw this below:

# The username RT should use to connect to the LDAP server
'user' => 'AD_Info\LDAP',
'pass' => 'pass',

That may or may not work. If your user is LDAP, you may actually need
to use: LDAP@domain.yourcompany.com, and you may need to add the
@domain.yourcompany.com as an auto-appended suffix so your users can
log on with their basic username.

-Rob

On Mon, Sep 21, 2009 at 10:48 AM, Beryl N. Snyder <BSnyder@tmcdesign.com> wrote:


Thanks Robert, that's what I was missing. Secondly, it had to be User@domain.tld for the LDAP to work.

Beryl Snyder

IT Specialist
TMC Design Corporation
4325 Del Rey BLVD
Las Cruces, NM 88012
Phone: 575-382-4600
Fax: 575-523-8588

From: Robert Nesius [mailto:nesius@gmail.com]
Sent: Monday, September 21, 2009 10:16 AM
To: Beryl N. Snyder; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] LDAP with AD RT:3.8.4 ExternalAuth

Set(@Plugins,qw(RT::FM));

You need to turn on the extension by adding the
RT::Authen::ExternalAuth module to that quoted array.

Also, I saw this below:

# The username RT should use to connect to the LDAP server
'user' => 'AD_Info\LDAP',
'pass' => 'pass',

That may or may not work. If your user is LDAP, you may actually need
to use: LDAP@domain.yourcompany.com, and you may need to add the
@domain.yourcompany.com as an auto-appended suffix so your users can
log on with their basic username.

-Rob


As long as you’re in a single domain forest, you don’t need to specify the
NetBIOS name of the domain. When in a multi-domain forest, you should use
the Windows 2000 syntax (user@domain.tld) and then make sure you’re pointing
RT at a domain controller for that given domain that has a trust
relationship with the others in the forest.

Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239
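The three things this thread turned on can all be checked offline before RT is restarted: a later Set(@Plugins, ...) call replacing the earlier one (so RT::Authen::ExternalAuth never loads), the bind user needing the user@domain.tld form rather than DOMAIN\user, and 'filter'/'d_filter' having to be valid parenthesised LDAP filters. The following is an added example written for this page, not code from RT or from anyone in the thread: a small Python lint over a constructed RT_SiteConfig.pm excerpt and a constructed ExternalSettings dict. The function names, the finding codes and the wording of the messages are my own; the filter check is syntactic only (balanced, enclosing parentheses) and does not validate attribute names against AD.

```python
"""Offline lint for an RT 3.8 RT_SiteConfig.pm that enables
RT::Authen::ExternalAuth against Active Directory. Checks:
  * the @Plugins array RT actually ends up with (a later
    Set(@Plugins, ...) call replaces the earlier one),
  * the form of the LDAP bind user ('user' in ExternalSettings),
  * that 'filter' and 'd_filter' are single, balanced, parenthesised
    LDAP filter expressions.
The sample inputs at the bottom are constructed for this example."""

import re
from typing import Dict, List, Tuple

EXTERNAL_AUTH = 'RT::Authen::ExternalAuth'

# Matches one Set(@Plugins, qw(...)); statement and captures the qw() body.
PLUGIN_CALL = re.compile(r'Set\(\s*@Plugins\s*,\s*qw\(([^)]*)\)\s*\)\s*;')


def plugin_calls(site_config: str) -> List[List[str]]:
    """Every Set(@Plugins, qw(...)) call in file order, as lists of names."""
    return [body.split() for body in PLUGIN_CALL.findall(site_config)]


def effective_plugins(site_config: str) -> List[str]:
    """The @Plugins RT loads: Set() assigns rather than appends, so only
    the last call in the file counts."""
    calls = plugin_calls(site_config)
    return calls[-1] if calls else []


def merged_plugins_line(site_config: str) -> str:
    """One Set(@Plugins, ...) line naming every plugin mentioned anywhere
    in the file, in first-seen order and without duplicates."""
    names: List[str] = []
    for call in plugin_calls(site_config):
        for name in call:
            if name not in names:
                names.append(name)
    return 'Set(@Plugins, qw(' + ' '.join(names) + '));'


def check_filter(expr: str) -> List[str]:
    """Syntactic problems with an LDAP filter string: it must be one
    parenthesised expression whose outer pair spans the whole string."""
    problems: List[str] = []
    opens, closes = expr.count('('), expr.count(')')
    if opens != closes:
        problems.append(f"unbalanced parentheses: {opens} '(' vs {closes} ')'")
    if not (expr.startswith('(') and expr.endswith(')')):
        problems.append('not enclosed in parentheses')
    # Walk everything but the last character: nesting depth must never
    # return to zero before the final ')'.
    depth = 0
    for pos, ch in enumerate(expr[:-1]):
        depth += (ch == '(') - (ch == ')')
        if depth <= 0:
            problems.append(f'outer parentheses close early at offset {pos}')
            break
    return problems


def check_bind_user(user: str) -> List[str]:
    """Form of the account RT binds as. In this thread the user@domain.tld
    (UPN) form is what worked against AD; a full DN is also acceptable."""
    if '\\' in user:
        return ['bind user is in DOMAIN\\user form; use user@domain.tld instead']
    if '@' in user or '=' in user:
        return []
    return ['bare bind user depends on a single-domain forest; '
            'use user@domain.tld in a multi-domain forest']


def lint(site_config: str, ldap: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run every check; returns (code, message) pairs, empty when clean."""
    findings: List[Tuple[str, str]] = []
    calls = plugin_calls(site_config)
    if EXTERNAL_AUTH not in effective_plugins(site_config):
        if any(EXTERNAL_AUTH in call for call in calls):
            findings.append(('plugins-overwritten',
                             f'{EXTERNAL_AUTH} is dropped by a later '
                             f'Set(@Plugins, ...); merge into one line: '
                             f'{merged_plugins_line(site_config)}'))
        else:
            findings.append(('plugins-missing',
                             f'{EXTERNAL_AUTH} is not listed in @Plugins'))
    for key in ('filter', 'd_filter'):
        if key not in ldap:
            findings.append((f'{key}-missing', f"'{key}' must be specified"))
            continue
        for problem in check_filter(ldap[key]):
            findings.append((f'{key}-syntax', f'{key} {ldap[key]!r}: {problem}'))
    if 'user' in ldap:
        for problem in check_bind_user(ldap['user']):
            findings.append(('bind-user-form', problem))
    return findings


# Constructed sample with the shape of the posted RT_SiteConfig.pm:
# ExternalAuth enabled first, then overwritten by the RT::FM line.
SAMPLE_SITE_CONFIG = """
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set(@Plugins,qw(RT::FM));
1;
"""

# Constructed My_LDAP values; the d_filter carries a stray ')' on purpose.
SAMPLE_LDAP = {
    'user': 'AD_Info\\LDAP',
    'filter': '(objectClass=*)',
    'd_filter': '(objectClass=FooBarBaz))',
}

if __name__ == '__main__':
    for code, message in lint(SAMPLE_SITE_CONFIG, SAMPLE_LDAP):
        print(f'{code}: {message}')
```

Run against the sample it reports the overwritten plugin list (with the merged line to use instead), the unbalanced d_filter and the DOMAIN\user bind account; with one combined Set(@Plugins, ...) line, a UPN bind user and a balanced d_filter it returns no findings. The plugin regex only understands the qw(...) form shown in this thread, which is the form RT's sample config uses.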