Regarding External Authentication using LDAP

Dear All,

I followed the link https://metacpan.org/pod/RT::Authen::ExternalAuth and
made required changes and then restarted my apache server. But when I’m
logging into the RT from web it fails with :
“Your username or password is incorrect”

But user exists in the LDAP.

Log file contains :

[22441] [Tue Oct 13 16:58:25 2015] [error]: FAILED LOGIN for <my_user_name>
from 130.245.10.107 (/rt/lib//RT/Interface/Web.pm:810)

From the code(/rt/lib//RT/Interface/Web.pm) it fails at this point :

unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
    $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from

$ENV{‘REMOTE_ADDR’}");

Can any one help me how to change the flow to authenticate from LDAP i.e it
should check the username and password against the LDAP and not from DB.

Any help or pointers to this issue will be appreciated.

Thanks,
Bharath.

Whats the block you put in your RT_SiteConfig relating to external auth?From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of bharath reddy
Sent: Wednesday, 14 October 2015 3:58 AM
To: RT-List rt-users@lists.bestpractical.com
Subject: [rt-users] Regarding External Authentication using LDAP

Dear All,

I followed the link https://metacpan.org/pod/RT::Authen::ExternalAuth and made required changes and then restarted my apache server. But when I’m logging into the RT from web it fails with :
“Your username or password is incorrect”

But user exists in the LDAP.

Log file contains :
[22441] [Tue Oct 13 16:58:25 2015] [error]: FAILED LOGIN for <my_user_name> from 130.245.10.107 (/rt/lib//RT/Interface/Web.pm:810)

From the code(/rt/lib//RT/Interface/Web.pm) it fails at this point :

unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
    $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $ENV{'REMOTE_ADDR'}");

Can any one help me how to change the flow to authenticate from LDAP i.e it should check the username and password against the LDAP and not from DB.

Any help or pointers to this issue will be appreciated.

Thanks,
Bharath.
The information contained in this email message and any attachments may be confidential information. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. If you have received this email in error, please advise us immediately and delete the email and all copies. The content and opinions in non-business email are not necessarily those of Haircare Australia. [http://thinkbeforeprinting.org/struct/signature-1.gif]

Hi Anton,

I used following block in my RT_SiteConfig :

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, [“My_LDAP”]);

Set($ExternalInfoPriority, [“My_LDAP”]);

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {

                     'My_LDAP'       =>  {   ## GENERIC SECTION

                                              'type'    =>  'ldap',

                                              'server'  =>  '

vmns1.cs.sunysb.edu’,

                                               'user'  =>  'CN=Recruit

LDAP user,OU=Service Accounts,OU=SBCS,DC=cs,DC=stonybrook,DC=edu’,

                                               'pass'   =>  '*******',

                                               'base'   =>

‘ou=SBCS,dc=cs,dc=stonybrook,DC=edu’,

                                             #  'filter'   =>

‘((&(objectCategory=Users)))’,

                                                filter =>

‘(objectClass=*)’,

                                               'd_filter'  =>

‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,

                                            #    'd_filter' =>

‘(&(objectCategory=User) (ObjectClass=Person))’ ,

                                               'tls'      =>  1,

                                               'ssl_version' =>  3,

                                               'net_ldap_args' => [

version => 3 ],

                                             #  'group'        =>

‘CN=Domain Users,CN=Users,DC=cs,DC=stonybrook,DC=edu’,

                                             #  'group_attr'   =>

‘member’,

                                               'attr_match_list'  => [

‘Name’,

‘EmailAddress’

                                                                     ],

                                               'attr_map'         =>  {

‘Name’ => ‘sAMAccountName’,

‘EmailAddress’ => ‘mail’ }

                                          }

               }

);

Is anything that I’m missing ?

Thanks,
Bharath.On Tue, Oct 13, 2015 at 8:04 PM, Anton Panetta < anton.panetta@haircareaust.com> wrote:

Whats the block you put in your RT_SiteConfig relating to external auth?

From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] *On
Behalf Of *bharath reddy
Sent: Wednesday, 14 October 2015 3:58 AM
To: RT-List rt-users@lists.bestpractical.com
Subject: [rt-users] Regarding External Authentication using LDAP

Dear All,

I followed the link https://metacpan.org/pod/RT::Authen::ExternalAuth and
made required changes and then restarted my apache server. But when I’m
logging into the RT from web it fails with :

Your username or password is incorrect

But user exists in the LDAP.

Log file contains :

[22441] [Tue Oct 13 16:58:25 2015] [error]: FAILED LOGIN for
<my_user_name> from 130.245.10.107 (/rt/lib//RT/Interface/Web.pm:810)

From the code(/rt/lib//RT/Interface/Web.pm) it fails at this point :

unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {

    $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from

$ENV{‘REMOTE_ADDR’}");

Can any one help me how to change the flow to authenticate from LDAP i.e
it should check the username and password against the LDAP and not from DB.

Any help or pointers to this issue will be appreciated.

Thanks,

Bharath.
The information contained in this email message and any attachments may be
confidential information. If you are not the intended recipient, any use,
interference with, disclosure or copying of this material is unauthorised
and prohibited. If you have received this email in error, please advise us
immediately and delete the email and all copies. The content and opinions
in non-business email are not necessarily those of Haircare Australia.

What Version of RT are you running? If you are using 4.2 or greater (you should be if you’re setting up a new instance) you need to
Replace this line

Set(@Plugins, qw(RT::Authen::ExternalAuth) );
With this line
Plugin(‘RT::Authen::ExternalAuth’);From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of bharath reddy
Sent: Tuesday, October 13, 2015 10:38 PM
To: Anton Panetta anton.panetta@haircareaust.com
Cc: RT-List rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Regarding External Authentication using LDAP

Hi Anton,

I used following block in my RT_SiteConfig :

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, [“My_LDAP”]);

Set($ExternalInfoPriority, [“My_LDAP”]);

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {

                     'My_LDAP'       =>  {   ## GENERIC SECTION

                                              'type'    =>  'ldap',

                                              'server'  =>  'vmns1.cs.sunysb.edu<http://vmns1.cs.sunysb.edu>',

                                               'user'  =>  'CN=Recruit LDAP user,OU=Service Accounts,OU=SBCS,DC=cs,DC=stonybrook,DC=edu',

                                               'pass'   =>  '*******',

                                               'base'   =>  'ou=SBCS,dc=cs,dc=stonybrook,DC=edu',

                                             #  'filter'   =>  '((&(objectCategory=Users)))',

                                                filter => '(objectClass=*)',

                                               'd_filter'  =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',

                                            #    'd_filter' => '(&(objectCategory=User) (ObjectClass=Person))' ,

                                               'tls'      =>  1,

                                               'ssl_version' =>  3,

                                               'net_ldap_args' => [    version =>  3   ],

                                             #  'group'        =>  'CN=Domain Users,CN=Users,DC=cs,DC=stonybrook,DC=edu',

                                             #  'group_attr'   =>  'member',

                                               'attr_match_list'  => [    'Name',

                                                                          'EmailAddress'

                                                                     ],

                                               'attr_map'         =>  {   'Name' => 'sAMAccountName',

                                                                          'EmailAddress' => 'mail'  }

                                          }

               }

);

Is anything that I’m missing ?

Thanks,
Bharath.

Ugh. Turn off the HTML mail - please.On Wed, Oct 14, 2015 at 7:53 AM, Bob Shaker rshaker@ardencompanies.com wrote:

What Version of RT are you running? If you are using 4.2 or greater (you should be if you’re setting up a new instance) you need to

Replace this line

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

With this line

Plugin(‘RT::Authen::ExternalAuth’);

Plugin(‘RT::Authen::ExternalAuth’);

and

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

are two different interfaces to setting the backend data.

That is, they should both work.

-m

Hi Bob,

I’m using RT version greater than 4.2 but I don’t think that line is
causing the issue. I found following in the log file :

[1755] [Thu Oct 15 16:04:59 2015] [debug]: Attempting to use external auth
service: My_LDAP
(/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[1755] [Thu Oct 15 16:04:59 2015] [debug]: SSO Failed and no user to test
with. Nexting
(/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[1755] [Thu Oct 15 16:04:59 2015] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/rt/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

The user is not getting passed to LDAP I guess.

Thanks,
Bharath.On Wed, Oct 14, 2015 at 8:53 AM, Bob Shaker rshaker@ardencompanies.com wrote:

What Version of RT are you running? If you are using 4.2 or greater (you
should be if you’re setting up a new instance) you need to

Replace this line

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

With this line

Plugin(‘RT::Authen::ExternalAuth’);

From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] *On
Behalf Of *bharath reddy
Sent: Tuesday, October 13, 2015 10:38 PM
To: Anton Panetta anton.panetta@haircareaust.com
Cc: RT-List rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Regarding External Authentication using LDAP

Hi Anton,

I used following block in my RT_SiteConfig :

Set(@Plugins, qw(RT::Authen::ExternalAuth) );

Set($ExternalAuthPriority, [“My_LDAP”]);

Set($ExternalInfoPriority, [“My_LDAP”]);

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {

                     'My_LDAP'       =>  {   ## GENERIC SECTION

                                              'type'    =>  'ldap',

                                              'server'  =>  '

vmns1.cs.sunysb.edu’,

                                               'user'  =>  'CN=Recruit

LDAP user,OU=Service Accounts,OU=SBCS,DC=cs,DC=stonybrook,DC=edu’,

                                               'pass'   =>  '*******',

                                               'base'   =>

‘ou=SBCS,dc=cs,dc=stonybrook,DC=edu’,

                                             #  'filter'   =>

‘((&(objectCategory=Users)))’,

                                                filter =>

‘(objectClass=*)’,

                                               'd_filter'  =>

‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,

                                            #    'd_filter' =>

‘(&(objectCategory=User) (ObjectClass=Person))’ ,

                                               'tls'      =>  1,

                                               'ssl_version' =>  3,

                                               'net_ldap_args' => [

version => 3 ],

                                             #  'group'        =>

‘CN=Domain Users,CN=Users,DC=cs,DC=stonybrook,DC=edu’,

                                             #  'group_attr'   =>

‘member’,

                                               'attr_match_list'  =>

[ ‘Name’,

'EmailAddress'

                                                                     ],

                                               'attr_map'         =>

{ ‘Name’ => ‘sAMAccountName’,

'EmailAddress' => 'mail'  }

                                          }

               }

);

Is anything that I’m missing ?

Thanks,

Bharath.

On Tue, Oct 13, 2015 at 8:04 PM, Anton Panetta < anton.panetta@haircareaust.com> wrote:

Whats the block you put in your RT_SiteConfig relating to external auth?

From: rt-users [mailto:rt-users-bounces@lists.bestpractical.com] *On
Behalf Of *bharath reddy
Sent: Wednesday, 14 October 2015 3:58 AM
To: RT-List rt-users@lists.bestpractical.com
Subject: [rt-users] Regarding External Authentication using LDAP

Dear All,

I followed the link https://metacpan.org/pod/RT::Authen::ExternalAuth and
made required changes and then restarted my apache server. But when I’m
logging into the RT from web it fails with :

Your username or password is incorrect

But user exists in the LDAP.

Log file contains :

[22441] [Tue Oct 13 16:58:25 2015] [error]: FAILED LOGIN for
<my_user_name> from 130.245.10.107 (/rt/lib//RT/Interface/Web.pm:810)

From the code(/rt/lib//RT/Interface/Web.pm) it fails at this point :

unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {

    $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from

$ENV{‘REMOTE_ADDR’}");

Can any one help me how to change the flow to authenticate from LDAP i.e
it should check the username and password against the LDAP and not from DB.

Any help or pointers to this issue will be appreciated.

Thanks,

Bharath.

The information contained in this email message and any attachments may be
confidential information. If you are not the intended recipient, any use,
interference with, disclosure or copying of this material is unauthorised
and prohibited. If you have received this email in error, please advise us
immediately and delete the email and all copies. The content and opinions
in non-business email are not necessarily those of Haircare Australia. [image:
Image removed by sender.]


ARDEN
A Global Company
Celebrating over 50 years of making your life more comfortable!

This message may contain confidential and/or privileged information. If
you are not the addressee or authorized to receive this for the addressee,
you must not use, copy, disclose, or take any action based on this message
or any information herein. If you have received this message in error,
please advise the sender immediately by reply e-mail and delete this
message.

This OUTBOUND E-mail and Document(s) has been scanned by an Antivirus
Server.