Please help with RT::Authen::ExternalAuth with nested LDAP/AD groups

Hello,

I have a working mod_authnz_ldap configuration for apache 2.4 (on a virtualhost on the same server) but I cannot seem to convert the configuration to a valid RT::Authen::ExternalAuth::LDAP configuration. At one point I could see in var/log/rt.log that it was at least checking the nested groups for membership but the filter didn’t look quite right. I have since changed that configuration and it seems to stall for a minute and then fail. It gets my real name from the AD service but then cannot match the sub/nested group filter I think?

The apache configuration that works is:
<Location /adirectoryname>
LogLevel debug
AuthName "Password protected. Enter your AD username and password."
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
AuthLDAPBindDN "ldapbinduserstring"
AuthLDAPBindPassword ldapbindpass
Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com
</Location>

So far I’ve got this in RT_SiteConfig.pm for RT:
…snipped…
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => 'corp.iweb.com',
        'user' => 'ldapbinduserstring',
        'pass' => 'ldapbindpass',
        'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',
        'filter' => '(objectClass=*)',
        'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
        'group' => 'RTIR_WEB_SC_ACCESS',
        'group_scope' => 'sub',
        'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
        'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
        'tls' => 0,
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
        },
    },
} );
…snipped…
Plugin('RT::IR', 'RT::Authen::ExternalAuth');

The log entries with the above configuration are:
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params:
username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
[28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
[28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute ‘OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com’ has no value; falling back to ‘CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com’ (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search === Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:810)

Landon Stewart
Lead Analyst - Abuse and Security Management
INTERNAP ®
lstewart@internap.com
www.internap.com


Your setup looks perfectly fine, but I may be missing something because I
haven’t used AD. I use OpenLDAP with the rt-ldapimport script for authentication and
rt-ldapimport --no-users --import to sync users (enabled Group member syncing in
the importer). Works well. Maybe give that a try?

Nilesh

I guess my next step would be figuring out how to sync the groups so that our RTIR_WEB_SC_ACCESS group users would be within the “DutyTeam” group in RTIR. I believe you are right in that rt-ldapimport would help with that I think but it looks like a nightmare to set up. I’ll burn that barn down when I come to it I guess.

I think my issues with authentication lie within the following part of the configuration. I’m not sure what the group* configuration variables are for exactly because they are loosely documented; I’ve found very few examples via Google and (almost?) none related to nested groups.

    'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',
    'filter' => '(objectClass=*)',
    'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
    'group' => 'RTIR_WEB_SC_ACCESS',
    'group_scope' => 'sub',
    'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
    'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',

Landon Stewart
Lead Analyst - Abuse and Security Management
INTERNAP ®
lstewart@internap.com
www.internap.com
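Added illustration (not from the thread and not RT's own code): a Python reconstruction of the group-membership search that the ExternalAuth debug lines above show the plugin issuing (base = group, scope = group_scope, filter = (group_attr=value), value falling back to the user's DN), with a lint step that explains the LDAP_INVALID_DN_SYNTAX result. The "fixed" block is an assumption derived from that log behaviour, not from RT documentation; USER_DN and the config dicts are constructed from the values in the thread.

```python
import re

# Reconstruction of the group check visible in the thread's debug lines
# (assumed from the log, NOT the plugin's own code):
#   LDAP Search === Base: <group> == Scope: <group_scope> == Filter: (<group_attr>=<v>)
# where <v> is the user's <group_attr_value> attribute, falling back to the user's DN.

# Minimal RFC 4514 shape check: comma-separated attr=value RDNs, one '=' per RDN.
_DN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$')


def is_dn(value):
    return bool(_DN_RE.match(value))


def build_group_search(cfg, user_dn, user_attrs):
    """Assemble the search the log shows: base=group, scope=group_scope, filter=(group_attr=value)."""
    wanted = cfg.get('group_attr_value', 'dn')
    value = user_dn if wanted == 'dn' else user_attrs.get(wanted, user_dn)
    return {'base': cfg['group'],
            'scope': cfg.get('group_scope', 'base'),
            'filter': '(%s=%s)' % (cfg['group_attr'], value)}


def lint_group_search(search):
    """Return the defects a directory server would reject; an empty list means well-formed."""
    problems = []
    if not is_dn(search['base']):
        problems.append('base %r is not a DN (server answers LDAP_INVALID_DN_SYNTAX)' % search['base'])
    # The filter body is attr=value; the value must itself be a DN when matching on member/dn.
    attr, _, value = search['filter'][1:-1].partition('=')
    if not is_dn(value):
        problems.append('filter value %r is not a DN; group_attr should be a bare attribute name' % value)
    return problems


# Constructed sample: the group* block as posted, then an assumed corrected form.
USER_DN = 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com'
POSTED = {'group': 'RTIR_WEB_SC_ACCESS', 'group_scope': 'sub',
          'group_attr': 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
          'group_attr_value': 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com'}
FIXED = {'group': 'CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
         'group_scope': 'base', 'group_attr': 'member', 'group_attr_value': 'dn'}

if __name__ == '__main__':
    for name, cfg in (('posted', POSTED), ('fixed', FIXED)):
        s = build_group_search(cfg, USER_DN, {})
        print(name, '|', s['base'], '|', s['filter'], '|', lint_group_search(s) or 'OK')
```

The corrected block only tests direct membership of the group object; the nested-group (matching-rule-in-chain) test that the Apache Require ldap-filter line performs is not expressed here.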