Need assistance with rt authentication to Active Directory

Hi folks, I’m trying to run rt 3.8.9 on CentOS 5.5, talking to Active
Directory on a Windows Server 2003 domain controller. I followed the guide
at the wiki at http://requesttracker.wikia.com/wiki/CentOS5InstallPlusSome and
got everything working up to the external plugin.

I consolidated the RT_SiteConfig.pm to not include the ExternalAuth pm to
make it simpler for me to edit just a single file. My RT_SiteConfig.pm looks
like this:

# Custom Site Config

Set($rtname , "MyCo Inc.");
Set($Organization , "rt.mydomain.internal");
Set($MinimumPasswordLength , "5");
Set($Timezone , 'US/Central');

Set(@Plugins, qw(
    RT::Authen::ExternalAuth
));

Set($HomepageComponents, [qw(
    QuickCreate
    Quicksearch
    MyAdminQueues
    MySupportQueues
    MyReminders
    RefreshHomepage
    Dashboards
)]);

Set($DatabaseType , 'mysql');
Set($DatabaseHost , 'localhost');
Set($DatabaseRTHost , 'localhost');
Set($DatabasePort , '');
Set($DatabaseUser , 'rt_user');
Set($DatabasePassword , 'XXXXX');
Set($DatabaseName , 'rt3');

Set($OwnerEmail , 'root');
Set($LoopsToRTOwner , 1);

Set($SendmailArguments , "-oi -t -f support@rt.mydomain.internal");

Set($MaxAttachmentSize , 10000000);

Set($RTAddressRegexp , '^rt@rt.mydomain.internal$');
Set($CorrespondAddress , 'no-reply@rt.mydomain.internal');
Set($CommentAddress , 'no-reply@rt.mydomain.internal');

Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s\" <%s>");
Set($UseFriendlyToLine , 1);
Set($FriendlyToLineFormat, "\"%s Ticket #%s\":;");

Set($NotifyActor, 0);
Set($RecordOutgoingEmail, 1);

Set($WebPath , "/ticket");
Set($WebPort , 80);
Set($WebBaseURL , "http://rt");
Set($WebURL , $WebBaseURL . $WebPath . "/");

Set($MessageBoxWidth , 72);
Set($MessageBoxWrap, "HARD");

Set($MaxInlineBody, 13456);
Set($DefaultSummaryRows, 10);

Set($OldestTransactionsFirst, '1');
Set($ShowTransactionImages, 1);

Set($DateDayBeforeMonth , 0);
Set($AmbiguousDayInPast , 1);

Set($AutoCreate, {Privileged => 1});

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'auth'            => 1,
        'info'            => 1,
        'server'          => 'paris.mydomain.internal',
        'user'            => 'rtuser',
        'pass'            => 'rtuserpassword',
        'base'            => 'dc=newcospares,dc=internal',
        'filter'          => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'group'           => 'cn=Domain Users,ou=Users,dc=newcospares,dc=internal',
        'group_attr'      => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);

# Steve Stuff

Set ($LogToFileName,"rt3.error");
Set ($LogDir,'/var/tmp');
Set ($LogToFile,'debug');

When I restart apache and try to log in, I get the following results in the
rt.log

[Wed Mar 9 22:26:09 2011] [debug]: Reloading RT::User to work around a bug
in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Wed Mar 9 22:26:09 2011] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Mar 9 22:26:09 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Mar 9 22:26:09 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Wed Mar 9 22:26:21 2011] [error]: FAILED LOGIN for mydomain.internal\steve
from 192.168.88.45 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:555)

I’m an old-school network guy, so I fire up wireshark on the box to see if
it’s even talking to my DC, and there doesn’t appear to be any traffic
between my rt server and the DC. What am I missing here to get this thing
to attempt to authenticate? I’ve looked at a lot of the old mailing list
info and I’m not seeing the thing that says “aha!”

I'm also not sure what format my username is supposed to be in: is it
"domainname\username", just my domain username, or "username@domainname"?
I've tried all variations, but since I don't see traffic between the servers
I doubt I'm getting that far yet.

Many thanks in advance!

- Steve

Hi folks, I’m trying to run rt 3.8.9 on CentOS 5.5, talking to Active
Directory on a Windows Server 2003 domain controller. I followed the
guide at the wiki
at http://requesttracker.wikia.com/wiki/CentOS5InstallPlusSome and got
everything working up to the external plugin.

RT 3.8.9 broke version 0.08 of ExternalAuth. 0.08_01 is the developer
release which fixes the issue. You probably have 0.08.

http://search.cpan.org/~falcone/RT-Authen-ExternalAuth-0.08_01/

Thomas

That definitely did the trick for making it fire off, thanks Thomas. Now I
can’t seem to get authenticated however. Here’s output from the debug
rt.log:

[Mon Mar 14 15:40:45 2011] [debug]: Calling UserExists with $username
(steve) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Mar 14 15:40:45 2011] [debug]: UserExists params:
username: steve , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Mar 14 15:40:45 2011] [debug]: LDAP Search === Base:
dc=mydomain,DC=internal == Filter:
(&(&(ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=steve)) ==
Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Mar 14 15:40:45 2011] [debug]: Password validation required for service
- Executing...
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Mar 14 15:40:45 2011] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Mar 14 15:40:45 2011] [debug]: LDAP Search === Base:
dc=mydomain,DC=internal == Filter:
(&(sAMAccountName=steve)(&(ObjectCategory=User)(ObjectClass=Person))) ==
Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Mar 14 15:40:45 2011] [debug]: Found LDAP DN: CN=Steve,OU=Information
Technology,OU=Main,OU=Offices,DC=mydomain,DC=internal
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Mar 14 15:40:45 2011] [debug]: LDAP Search === Base:
dc=mydomain,DC=internal == Filter: (member=CN=Steve,OU=Information
Technology,OU=Main,OU=Offices,DC=mydomain,DC=internal) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Mar 14 15:40:45 2011] [critical]: Search for
(member=CN=Steve,OU=Information
Technology,OU=Main,OU=Offices,DC=mydomain,DC=internal) failed:
LDAP_NO_SUCH_OBJECT 32
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Mon Mar 14 15:40:45 2011] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Mar 14 15:40:45 2011] [debug]: Password Validation Check Result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Mar 14 15:40:45 2011] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)
[Mon Mar 14 15:40:45 2011] [error]: FAILED LOGIN for steve from 192.168.X.X
(/opt/rt3/bin/…/lib/RT/Interface/Web.pm:555)

So I'm closer: it finds my user, because it finds the LDAP DN, but then it
fails with LDAP_NO_SUCH_OBJECT 32. It seems odd that it wouldn't find the
object it located in the previous LDAP search?

I’m sure I’m missing something silly here, any additional help is
appreciated!

On 09 Mar 2011 17:57, m0bilitee wrote:

Hi folks, I’m trying to run rt 3.8.9 on CentOS 5.5, talking to Active
Directory on a Windows Server 2003 domain controller. I followed the
guide at the wiki
at http://requesttracker.wikia.com/wiki/CentOS5InstallPlusSome and got
everything working up to the external plugin.

RT 3.8.9 broke version 0.08 of ExternalAuth. 0.08_01 is the developer
release which fixes the issue. You probably have 0.08.

http://search.cpan.org/~falcone/RT-Authen-ExternalAuth-0.08_01/

Thomas

The music business is a cruel and shallow money trench, a long plastic
hallway where thieves and pimps run free, and good men die like dogs.
There's also a negative side. - Hunter S. Thompson

Enjoy the documented stupidity at http://beatdown.blogspot.com
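An added check, not from the thread, RT or the ExternalAuth plugin: this Net::LDAP script replays the searches the debug log above shows (user lookup, then the membership test under the group DN) so the bind account, base and group DN can be tested outside RT. LDAP result 32 (noSuchObject) reports that the search base was not found, so a 32 on the membership step points at the group DN rather than at the user. The host, bind account, base and group DN are placeholders copied from the post, and that the plugin runs the membership test as a base-scoped search under the group DN is my reading of its log, not something the thread states.

```perl
#!/usr/bin/perl
# Added diagnostic (not part of RT or the ExternalAuth plugin): replay the
# searches the plugin logged, using the values from the post as placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_NO_SUCH_OBJECT);

my %cfg = (
    server     => 'paris.mydomain.internal',                 # placeholder
    user       => 'rtuser',                                  # service bind account
    pass       => 'rtuserpassword',
    base       => 'dc=mydomain,dc=internal',
    filter     => '(&(ObjectCategory=User)(ObjectClass=Person))',
    group      => 'cn=Domain Users,ou=Users,dc=mydomain,dc=internal',
    group_attr => 'member',
);
my $login = shift @ARGV or die "usage: $0 sAMAccountName\n";

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "cannot connect to $cfg{server}: $@\n";
my $res = $ldap->bind($cfg{user}, password => $cfg{pass});
die "service bind failed: " . $res->error . "\n" if $res->code;

# Step 1: the user lookup, with the login escaped before it enters the filter
my $uf = "(&$cfg{filter}(sAMAccountName=" . escape_filter_value($login) . "))";
$res = $ldap->search(base => $cfg{base}, filter => $uf, attrs => ['dn']);
die "user search failed: " . $res->error . "\n" if $res->code;
die "expected one entry for $login, got " . $res->count . "\n" unless $res->count == 1;
my $dn = $res->entry(0)->dn;
print "found user DN: $dn\n";

# Step 2: does the group DN exist at all? Result 32 (noSuchObject) refers to
# the search base, so a 32 on the membership check means the group DN is wrong.
$res = $ldap->search(base => $cfg{group}, scope => 'base',
                     filter => '(objectClass=*)', attrs => ['dn']);
die "group DN '$cfg{group}' not found (the default Domain Users group lives in CN=Users, not OU=Users)\n"
    if $res->code == LDAP_NO_SUCH_OBJECT;
die "group lookup failed: " . $res->error . "\n" if $res->code;

# Step 3: the membership test, base-scoped under the group DN (my reading of the
# plugin's log; AD never lists a user's primary group, such as Domain Users, in member)
my $gf = "($cfg{group_attr}=" . escape_filter_value($dn) . ")";
$res = $ldap->search(base => $cfg{group}, scope => 'base', filter => $gf, attrs => ['dn']);
die "membership search failed: " . $res->error . "\n" if $res->code;
print $res->count ? "$login is in $cfg{group_attr} of the group\n"
                  : "$login is NOT in $cfg{group_attr} of the group\n";
$ldap->unbind;
```

Run it as the RT service account would (`perl check_rt_ldap.pl steve`, assumed file name) and fix whichever step dies before touching RT_SiteConfig.pm again.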