Problems with external auth and double prompting for authentication

Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browser's authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication
prompt.

I’m sure it’s something simple but I’m pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I’d be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication

# configure external authentication
#Set($WebRemoteUserAuth, 1);

# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type' => 'ldap',
        'server' => 'ldap.xxxxx',
        'base' => 'cn=users,cn=accounts,dc=xxxxxx',
        'user' => 'uid=system,cn=sysaccounts,xxxxx',
        'pass' => 'xxxxxx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name' => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

# * rt-ldapimport configuration

# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPBase,'cn=users,cn=accounts,xxxxx');
Set($LDAPHost,'ldap.xxxxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,xxxxxx');
Set($LDAPPassword,'xxxxxxxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
                   EmailAddress => 'mail',
                   RealName => 'cn',
                   WorkPhone => 'telephoneNumber',
                   Organization => 'departmentName'});

# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,xxxxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name => 'cn',
                        Description => 'description',
                        Member_Attr => 'member',
                        Member_Attr_Value => 'dn',
                       });

As above all the ldap stuff appears to work apart from the double
request for authentication.

Kind regards
Bart

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005

Browser authentication is typically triggered by an Apache
configuration, so if your goal is to have just RT authentication, you
might compare your Apache configuration with the example in the docs:

https://docs.bestpractical.com/rt/4.4.0/web_deployment.html

On 5/11/16 3:50 AM, Bart Bunting wrote:

Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.


Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config:

Here it is for reference. I did have ldap auth working at one point but
it is totally commented out in the config.

Apache is apache2 2.4.18-2ubuntu3
amd64 debian Xenial LTS

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName helpdesk.in.urnet.com.au

  # Vhost docroot
  DocumentRoot "/opt/rt4/share/html"

  # Alias declarations for resources outside the DocumentRoot
  AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

  # Directories, there should at least be a declaration for /opt/rt4/share/html
  <Directory "/opt/rt4/share/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  # Logging
  ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined

  # Custom fragment
    AddDefaultCharset UTF-8
    ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

    DocumentRoot "/opt/rt4/share/html"
    <Location />
        # bart: disabled for now until we move towards SSO
        # AuthType Basic
        # AuthName "Ursys LDAP"
        # AuthBasicProvider ldap
        # AuthLDAPURL ldap://ldap.xxxx:389/cn=accounts,xxxx?uid?sub
        # AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
        # AuthLDAPBindPassword xxxxx
        # Require ldap-group cn=noc,cn=groups,xxxxxx
        Require all granted

        Options +ExecCGI
        AddHandler fcgid-script fcgi
    </Location>
</VirtualHost>

Is there anything wrong with that? It pretty much mirrors the config
described in the documentation.

If there is a better way of doing things other than mod_fastcgi I’m open to trying that.

Kind regards

Bart

Jim Brandt jbrandt@bestpractical.com writes:

Browser authentication is typically triggered by an Apache
configuration, so if your goal is to have just RT authentication, you
might compare your Apache configuration with the example in the docs:

Web deployment - RT 4.4.0 Documentation - Best Practical


Jim,

Found it.

There was a random apache process running that was causing the error.
Somehow it must have been started by hand.

Resulted in odd behaviour as sometimes it would work and sometimes not.

Thanks for your help!

Kind regards

Bart
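
Added example, not part of the original thread: one way to spot the situation described in the last message, a second Apache parent process running beside the managed one. It reads the output of `ps -eo pid,ppid,args`; the function names apache_masters and single_apache_instance and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input: output of `ps -eo pid,ppid,args`.
# A normal install has one Apache parent process with its workers as children.

# Print "pid ppid command" for each apache2/httpd process whose parent is not
# itself apache2/httpd, i.e. each independently started server instance.
apache_masters() {
    awk '
        NR == 1 { next }                       # skip the ps header line
        {
            n = split($3, parts, "/")          # basename of the executable
            if (parts[n] != "apache2" && parts[n] != "httpd") next
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            ppid[$1] = $2; args[$1] = cmd
        }
        END {
            for (p in ppid)
                if (!(ppid[p] in ppid)) print p, ppid[p], args[p]
        }' | sort -n
}

# Exit status 0 only when exactly one independent instance is present.
single_apache_instance() {
    count=$(apache_masters | wc -l)
    [ "$count" -eq 1 ]
}

# Constructed sample: the service-managed parent (PID 1201) and a second
# parent (PID 4410) that was started separately; both have their own workers.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 /sbin/init
 1201     1 /usr/sbin/apache2 -k start
 1205  1201 /usr/sbin/apache2 -k start
 1206  1201 /usr/sbin/apache2 -k start
 3977  3960 -bash
 4410     1 /usr/sbin/apache2 -k start
 4411  4410 /usr/sbin/apache2 -k start'

printf '%s\n' "$SAMPLE_PS" | apache_masters
if ! printf '%s\n' "$SAMPLE_PS" | single_apache_instance; then
    echo "more than one Apache parent process is running"
fi
```

On a live host, pipe `ps -eo pid,ppid,args` into apache_masters instead of the sample.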
