Problem configuring AD integration

Hello guys,

I’m having the following error when logging in with any Active Directory user on RT:

Can’t call method “as_string” on an undefined value at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 304.

I’ve followed instructions at http://requesttracker.wikia.com/wiki/ExternalAuth to set this up.

My /opt/rt4/etc/RT_SiteConfig.pm is as follows:

    Set( $DatabaseUser, 'rt_user' );
    Set( $CorrespondAddress, '' );
    Set( $rtname, 'galileu.pt' );
    Set( $DatabaseRequireSSL, '' );
    Set( $WebPort, '8080' );
    Set( $Organization, 'galileu.pt' );
    Set( $DatabaseType, 'mysql' );
    Set( $DatabasePort, '' );
    Set( $DatabasePassword, 'db_password' );
    Set( $DatabaseAdmin, 'root' );
    Set( $SendmailPath, '/usr/sbin/sendmail' );
    Set( $WebDomain, 'debian' );
    Set( $DatabaseAdminPassword, 'db_password' );
    Set( $CommentAddress, '' );
    Set( $DatabaseHost, 'localhost' );
    Set( $DatabaseName, 'rt4' );
    Set( $OwnerEmail, 'root@localhost' );
    Set( @Plugins, qw(RT::Authen::ExternalAuth) );

    Set($ExternalAuthPriority, [ 'My_LDAP',
                                 'My_MySQL',
                                 'My_SSO_Cookie'
                               ]
    );

    Set($ExternalInfoPriority, [ 'My_MySQL',
                                 'My_LDAP'
                               ]
    );

    Set($ExternalServiceUsesSSLorTLS, 0);

    Set($AutoCreateNonExternalUsers, 0);

    Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
        'My_MySQL' => { ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type' => 'db',
            # The server hosting the service
            'server' => 'localhost',
            ## SERVICE-SPECIFIC SECTION
            # The database name
            'database' => 'rt4',
            # The database table
            'table' => 'USERS_TABLE',
            # The user to connect to the database as
            'user' => 'DB_USER',
            # The password to use to connect with
            'pass' => 'DB_PASS',
            # The port to use to connect with (e.g. 3306)
            'port' => 'DB_PORT',
            # The name of the Perl DBI driver to use (e.g. mysql)
            'dbi_driver' => 'DBI_DRIVER',
            # The field in the table that holds usernames
            'u_field' => 'username',
            # The field in the table that holds passwords
            'p_field' => 'password',
            # The Perl package & subroutine used to encrypt passwords
            # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
            # function, then you will need Crypt::MySQL::password, but for the
            # MySQL4+ password function you will need Crypt::MySQL::password41
            # Alternatively, you could use Digest::MD5::md5_hex or any other
            # encryption subroutine you can load in your perl installation
            'p_enc_pkg' => 'Crypt::MySQL',
            'p_enc_sub' => 'password',
            # If your p_enc_sub takes a salt as a second parameter,
            # uncomment this line to add your salt
            #'p_salt' => 'SALT',
            # The field and values in the table that determines if a user should
            # be disabled. For example, if the field is 'user_status' and the values
            # are ['0','1','2','disabled'] then the user will be disabled if their
            # user_status is set to '0','1','2' or the string 'disabled'.
            # Otherwise, they will be considered enabled.
            'd_field' => 'disabled',
            'd_values' => ['0'],
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            'attr_match_list' => [ 'Gecos',
                                   'Name'
                                 ],
            # The mapping of RT attributes on to field names
            'attr_map' => { 'Name' => 'username',
                            'EmailAddress' => 'email',
                            'ExternalAuthId' => 'username',
                            'Gecos' => 'userID'
                          }
        },
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP' => { ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type' => 'ldap',
            # The server hosting the service
            'server' => 'jupiter.galileu-f.galileu.pt',
            ## SERVICE-SPECIFIC SECTION
            # If you can bind to your LDAP server anonymously you should
            # remove the user and pass config lines, otherwise specify them here:
            # The username RT should use to connect to the LDAP server
            'user' => 'ldap_domainadmin',
            # The password RT should use to connect to the LDAP server
            'pass' => 'ldap_password',
            # The LDAP search base
            'base' => 'dc=galileu-f,dc=galileu,dc=pt',
            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU MUST SPECIFY A filter AND A d_filter!!
            # The filter to use to match RT-Users
            'filter' => 'objectClass=*',
            # A catch-all example filter: '(objectClass=*)'
            # The filter that will only match disabled users
            'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            # Should we try to use TLS to encrypt connections?
            'tls' => 0,
            # SSL Version to provide to Net::SSLeay if using SSL
            'ssl_version' => 3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            'net_ldap_args' => [ version => 3 , port => 3268 ],
            # Does authentication depend on group membership? What group name?
            #'group' => 'GROUP_NAME',
            # What is the attribute for the group object that determines membership?
            #'group_attr' => 'GROUP_ATTR',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you can specify… I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'WorkPhone',
                                   'Address2'
                                 ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' => { 'Name' => 'sAMAccountName',
                            'EmailAddress' => 'mail',
                            'Organization' => 'physicalDeliveryOfficeName',
                            'RealName' => 'cn',
                            'ExternalAuthId' => 'sAMAccountName',
                            'Gecos' => 'sAMAccountName',
                            'WorkPhone' => 'telephoneNumber',
                            'Address1' => 'streetAddress',
                            'City' => 'l',
                            'State' => 'st',
                            'Zip' => 'postalCode',
                            'Country' => 'co'
                          }
        },
        # An example SSO cookie service
        'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie)
            'type' => 'cookie',
            # The name of the cookie to be used
            'name' => 'loginCookieValue',
            # The users table
            'u_table' => 'users',
            # The username field in the users table
            'u_field' => 'username',
            # The field in the users table that uniquely identifies a user
            # and also exists in the cookies table
            'u_match_key' => 'userID',
            # The cookies table
            'c_table' => 'login_cookie',
            # The field that stores cookie values
            'c_field' => 'loginCookieValue',
            # The field in the cookies table that uniquely identifies a user
            # and also exists in the users table
            'c_match_key' => 'loginCookieUserID',
            # The DB service in this configuration to use to lookup the cookie information
            'db_service_name' => 'My_MySQL'
        }
    }
    );

    1;

Am I missing something?

Thanks for your cooperation.

Best regards,

Bruno Martins

Can’t call method “as_string” on an undefined value at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 304.

I’ve followed instructions at http://requesttracker.wikia.com/wiki/ExternalAuth to set this up.

I suggest the docs in the config and with the module over anything on
the wiki.

Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_MySQL’,
‘My_SSO_Cookie’
]
);

Set($ExternalInfoPriority, [ ‘My_MySQL’,
‘My_LDAP’
]
);

Why do you have all of these turned on? You’ve only configured
My_LDAP. Telling RT to look into a misconfigured My_MySQL will only
cause other errors.

The config as shipped is an example and you should remove the pieces
you aren’t using.

                            'My_LDAP'       =>  {   ## GENERIC SECTION
                                                    # The type of service (db/ldap/cookie) 
                                                    'type'                      =>  'ldap',
                                                    # The server hosting the service
                                                    'server'                    =>  'jupiter.galileu-f.galileu.pt',
                                                    ## SERVICE-SPECIFIC SECTION
                                                    # If you can bind to your LDAP server anonymously you should 
                                                    # remove the user and pass config lines, otherwise specify them here:
                                                    # 
                                                    # The username RT should use to connect to the LDAP server 
                                                    'user'                      =>  'ldap_domainadmin',
                                                    # The password RT should use to connect to the LDAP server
                                                    'pass'                    =>  'ldap_password',
                                                    #
                                                    # The LDAP search base
                                                    'base'                      =>  'dc=galileu-f,dc=galileu,dc=pt',
                                                    #
                                                    # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!

See this doc ^

                                                    # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                    #
                                                    # The filter to use to match RT-Users
                                                    'filter'                    =>  'objectClass=*',

You’re missing parens on this filter which I believe is causing your
problem.

                                                    # A catch-all example filter: '(objectClass=*)'
                                                    #
                                                    # The filter that will only match disabled users
                                                    'd_filter'                  =>  'UserAccountControl:1.2.840.113556.1.4.803:=2',
                                                    # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                    #
                                                    # Should we try to use TLS to encrypt connections?
                                                    'tls'                       =>  0,
                                                    # SSL Version to provide to Net::SSLeay *if* using SSL
                                                    'ssl_version'               =>  3,
                                                    # What other args should I pass to Net::LDAP->new($host,@args)?
                                                    'net_ldap_args'             => [    version =>  3 , port => 3268  ],
                                                    # Does authentication depend on group membership? What group name?
                                                    #'group'                     =>  'GROUP_NAME',
                                                    # What is the attribute for the group object that determines membership?
                                                    #'group_attr'                =>  'GROUP_ATTR',
                                                    ## RT ATTRIBUTE MATCHING SECTION
                                                    # The list of RT attributes that uniquely identify a user
  					# This example shows what you *can* specify.. I recommend reducing this
                                                    # to just the Name and EmailAddress to save encountering problems later.
                                                    'attr_match_list'           => [    'Name',
                                                                                        'EmailAddress', 
                                                                                        'RealName',
                                                                                        'WorkPhone', 
                                                                                        'Address2'
                                                                                    ],

You also want to read the doc above attr_match_list. As configured, you
cannot have two Bob Smiths in your RT.

-kevin

                                                    # The mapping of RT attributes on to LDAP attributes
                                                    'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                        'EmailAddress' => 'mail',
                                                                                        'Organization' => 'physicalDeliveryOfficeName',
                                                                                        'RealName' => 'cn',
                                                                                        'ExternalAuthId' => 'sAMAccountName',
                                                                                        'Gecos' => 'sAMAccountName',
                                                                                        'WorkPhone' => 'telephoneNumber',
                                                                                        'Address1' => 'streetAddress',
                                                                                        'City' => 'l',
                                                                                        'State' => 'st',
                                                                                        'Zip' => 'postalCode',
                                                                                        'Country' => 'co'
                                                                                    }
                                                },

Good night,

After some struggles, it’s working now. Here’s the configuration that worked:

    joe@debian:~$ su -c 'cat /opt/rt4/etc/RT_SiteConfig.pm'
    Password:
    # Any configuration directives you include here will override
    # RT's default configuration file, RT_Config.pm
    #
    # To include a directive here, just copy the equivalent statement
    # from RT_Config.pm and change the value. We've included a single
    # sample value below.
    #
    # This file is actually a perl module, so you can include valid
    # perl code, as well.
    #
    # The converse is also true, if this file isn't valid perl, you're
    # going to run into trouble. To check your SiteConfig file, use
    # this comamnd:
    #
    # perl -c /path/to/your/etc/RT_SiteConfig.pm
    #
    # You must restart your webserver after making changes to this file.

    # You must install Plugins on your own, this is only an example
    # of the correct syntax to use when activating them.
    # There should only be one @Plugins declaration in your config file.
    #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail)));

    Set( $DatabaseUser, 'rt_user' );
    Set( $CorrespondAddress, '' );
    Set( $rtname, 'galileu.pt' );
    Set( $DatabaseRequireSSL, '' );
    Set( $WebPort, '8080' );
    Set( $Organization, 'galileu.pt' );
    Set( $DatabaseType, 'mysql' );
    Set( $DatabasePort, '' );
    Set( $DatabasePassword, 'Pa$$w0rd' );
    Set( $DatabaseAdmin, 'root' );
    Set( $SendmailPath, '/usr/sbin/sendmail' );
    Set( $WebDomain, 'debian' );
    Set( $DatabaseAdminPassword, 'Pa$$w0rd' );
    Set( $CommentAddress, '' );
    Set( $DatabaseHost, 'localhost' );
    Set( $DatabaseName, 'rt4' );
    Set( $OwnerEmail, 'root@localhost' );
    Set( @Plugins, qw(RT::Authen::ExternalAuth) );

    # Configuration for Active Directory

    # The order in which the services defined in ExternalSettings
    # should be used to authenticate users. User is authenticated
    # if successfully confirmed by any service - no more services
    # are checked.
    Set($ExternalAuthPriority, [ 'My_LDAP' ]
    );

    # The order in which the services defined in ExternalSettings
    # should be used to get information about users. This includes
    # RealName, Tel numbers etc, but also whether or not the user
    # should be considered disabled.
    # Once user info is found, no more services are checked.
    # You CANNOT use a SSO cookie for authentication.
    Set($ExternalInfoPriority, [ 'My_LDAP' ]
    );

    # If this is set to true, then the relevant packages will
    # be loaded to use SSL/TLS connections. At the moment,
    # this just means "use Net::SSLeay;"
    Set($ExternalServiceUsesSSLorTLS, 0);

    # If this is set to 1, then users should be autocreated by RT
    # as internal users if they fail to authenticate from an
    # external service.
    Set($AutoCreateNonExternalUsers, 0);

    # These are the full settings for each external service as a HashOfHashes
    # Note that you may have as many external services as you wish. They will
    # be checked in the order specified in the Priority directives above.
    # e.g.
    # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);

    Set($ExternalSettings, {
        'My_LDAP' => { ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type' => 'ldap',
            # The server hosting the service
            'server' => 'jupiter.galileu-f.galileu.pt',
            ## SERVICE-SPECIFIC SECTION
            # If you can bind to your LDAP server anonymously you should
            # remove the user and pass config lines, otherwise specify them here:
            # The username RT should use to connect to the LDAP server
            'user' => 'ghelpdesk',
            # The password RT should use to connect to the LDAP server
            'pass' => 'N3s9uik34',
            # The LDAP search base
            'base' => 'dc=galileu-f,dc=galileu,dc=pt',
            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU MUST SPECIFY A filter AND A d_filter!!
            # The filter to use to match RT-Users
            'filter' => '(objectClass=*)',
            # A catch-all example filter: '(objectClass=*)'
            # The filter that will only match disabled users
            'd_filter' => '(objectClass=FooBarBaz)',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            # Should we try to use TLS to encrypt connections?
            'tls' => 0,
            # SSL Version to provide to Net::SSLeay if using SSL
            'ssl_version' => 3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            'net_ldap_args' => [ version => 3 , port => 3268 ],
            # Does authentication depend on group membership? What group name?
            #'group' => 'GROUP_NAME',
            # What is the attribute for the group object that determines membership?
            #'group_attr' => 'GROUP_ATTR',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you can specify… I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'WorkPhone',
                                   'Address2'
                                 ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' => { 'Name' => 'sAMAccountName',
                            'EmailAddress' => 'mail',
                            'Organization' => 'physicalDeliveryOfficeName',
                            'RealName' => 'cn',
                            'ExternalAuthId' => 'sAMAccountName',
                            'Gecos' => 'sAMAccountName',
                            'WorkPhone' => 'telephoneNumber',
                            'Address1' => 'streetAddress',
                            'City' => 'l',
                            'State' => 'st',
                            'Zip' => 'postalCode',
                            'Country' => 'co'
                          }
        },
    }
    );

    1;

Hope this helps anyone in the world.

Thanks for your help. RT community support seems awesome.

Best regards,

Bruno Martins
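
The parentheses requirement discussed in this thread, as an added example that is not part of the thread or of RT's code: a small Python checker that parses the `filter` and `d_filter` values of each LDAP service and reports the ones that are not a single filter in parentheses. The `BEFORE` and `AFTER` settings are constructed from the two configs posted above; `compose` assumes the configured filter is embedded in an AND with a username match, which the thread itself does not show.

```python
import re

# attr[:dn][:rule] followed by an operator and a value without raw parentheses
_ITEM = re.compile(r"[A-Za-z0-9.;:-]+?\s*(?::=|~=|>=|<=|=)[^()]*")


def parse_filter(text, pos=0):
    """Parse one parenthesised filter at pos; return the offset just past it."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, count = text[pos], pos + 1, 0
        while pos < len(text) and text[pos] == "(":
            pos, count = parse_filter(text, pos), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"wrong number of sub-filters for '{op}'")
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        if not _ITEM.fullmatch(text[pos:end]):
            raise ValueError(f"not an attribute test: {text[pos:end]!r}")
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def check(text):
    """Return None when text is exactly one filter in parentheses, else why not."""
    text = text.strip()
    try:
        end = parse_filter(text)
    except ValueError as exc:
        return str(exc)
    return None if end == len(text) else f"unexpected text at offset {end}"


def escape_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def compose(attr, username, user_filter):
    # Assumption: the configured filter is ANDed with a username match.
    return f"(&({attr}={escape_value(username)}){user_filter})"


def lint(settings):
    """List (service, key, reason) for every LDAP filter that fails check()."""
    problems = []
    for service, cfg in sorted(settings.items()):
        if cfg.get("type") != "ldap":
            continue
        for key in ("filter", "d_filter"):
            reason = check(cfg[key]) if key in cfg else "not set"
            if reason:
                problems.append((service, key, reason))
    return problems


# Constructed from the two configs posted in the thread (filters only).
BEFORE = {"My_LDAP": {"type": "ldap", "filter": "objectClass=*",
                      "d_filter": "UserAccountControl:1.2.840.113556.1.4.803:=2"}}
AFTER = {"My_LDAP": {"type": "ldap", "filter": "(objectClass=*)",
                     "d_filter": "(objectClass=FooBarBaz)"}}

if __name__ == "__main__":
    for label, settings in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(settings) or "ok")
    print(check(compose("sAMAccountName", "bob", BEFORE["My_LDAP"]["filter"])))
```

The AD bitwise `d_filter` from the first config passes the same check once it is wrapped as `(UserAccountControl:1.2.840.113556.1.4.803:=2)`.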