Resend: Problems getting LDAP authentication working

No bites on this so here is additional/updated information.
Using RT 3.8.2
Using Plugin RT-Authen-ExternalAuth to connect to Windows Active Directory for authentication

I cannot get the group & group_attr figured out to allow login by group only. What changes to my configuration do I need to make?

My RT_SiteConfig.pm:
Set( $rtname, 'XXXXXX');
Set($LogToFileNamed, "/var/tmp/rt3.error");
Set($LogToFile, 'debug');
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalInfoPriority,['My_LDAP']);
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalSettings, {
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        'auth' => 1,
        'info' => 1,
        # The server hosting the service
        'server' => 'XXX.XXX.XXX.XXX',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'XXXXX',
        # The password RT should use to connect to the LDAP server
        'pass' => 'XXXXX',
        # The LDAP search base
        'base' => 'ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=User)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CSER',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify… I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                      }
    }
}
);
1;

Debug output:

[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[debug]: RT’s GnuPG libraries couldn’t successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/…/lib/RT/Config.pm:339)
[debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[debug]: Calling UserExists with $username (XXXXX) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[debug]: UserExists params:
username: XXXXX , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(objectClass=User)(sAMAccountName=XXXXX)) == Attrs: mail,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[debug]: Password validation required for service - Executing… (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (&(sAMAccountName=XXXXX)(objectClass=User)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[debug]: Found LDAP DN: CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[debug]: LDAP Search === Base: ou=Campus,dc=ad,dc=cnc,dc=bc,dc=ca == Filter: (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[critical]: Search for (member=CN=XXXXX,OU=CompServices,OU=Users,OU=PG,OU=Campus,DC=ad,DC=cnc,DC=bc,DC=ca) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[error]: FAILED LOGIN for XXXXX from 142.27.70.153 (/opt/rt3/share/html/autohandler:268)

I can see that the group_attr seems to be incorrect so what group attribute am I supposed to be using? I’ve tried various ones with no success. I’m using ADSIEdit to pick attributes to try but haven’t been able to find the correct one. I’ve spent days researching net with LDAP and trying to figure it out.

Could someone please help me or at least point me to the right resource? I can’t find any more information on how to integrate this plugin to use my LDAP source.

Kevin W. Gagel
Network Administrator
Local 5448
My blog:
http://mail.cnc.bc.ca/blogs/gagel
My shared files:
http://mail.cnc.bc.ca/users/gagel
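
Added example, not part of the original post and not code from RT or the plugin: in the debug output above the login is reported as "Password Invalid" even though the preceding [critical] line shows the group-membership search itself failing. The sketch below pairs each FAILED LOGIN with any LDAP search error logged during the same attempt, so a misconfigured directory query is not triaged as a wrong password. The sample log lines, user names and addresses are constructed, and the cause labels are this example's own.

```python
import re

# Constructed sample in the format of the debug output above (locations shortened).
SAMPLE_LOG = """\
[debug]: Trying external auth service: My_LDAP (LDAP.pm:16)
[debug]: Found LDAP DN: CN=alice,OU=Users,DC=example,DC=org (LDAP.pm:75)
[critical]: Search for (member=CN=alice,OU=Users,DC=example,DC=org) failed: LDAP_INVALID_DN_SYNTAX 34 (LDAP.pm:116)
[debug]: LDAP password validation result: 0 (ExternalAuth.pm:334)
[error]: FAILED LOGIN for alice from 192.0.2.10 (autohandler:268)
[debug]: Trying external auth service: My_LDAP (LDAP.pm:16)
[debug]: LDAP password validation result: 0 (ExternalAuth.pm:334)
[error]: FAILED LOGIN for bob from 192.0.2.11 (autohandler:268)
"""

LINE = re.compile(r"^\[(?P<level>\w+)\]: (?P<msg>.*)$")
SEARCH_FAIL = re.compile(
    r"^Search for \((?P<filter>.*)\) failed: (?P<err>LDAP_\w+) (?P<code>\d+)")
FAILED_LOGIN = re.compile(r"^FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)")


def classify_failed_logins(log_text):
    """Pair each FAILED LOGIN with an LDAP search error logged in the same attempt."""
    findings, ldap_failure = [], None
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # continuation lines such as the UserExists parameters
        level, msg = line["level"], line["msg"]
        if msg.startswith("Trying external auth service"):
            ldap_failure = None  # a new password check starts here
        elif level == "critical" and (hit := SEARCH_FAIL.match(msg)):
            ldap_failure = {
                "attr": hit["filter"].split("=", 1)[0],  # attribute searched on
                "ldap_error": hit["err"],
                "code": int(hit["code"]),
            }
        elif level == "error" and (hit := FAILED_LOGIN.match(msg)):
            cause = "directory-error" if ldap_failure else "auth-rejected"
            finding = {"user": hit["user"], "ip": hit["ip"], "cause": cause}
            finding.update(ldap_failure or {})
            findings.append(finding)
            ldap_failure = None
    return findings


if __name__ == "__main__":
    for finding in classify_failed_logins(SAMPLE_LOG):
        print(finding)
```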

I’ve installed RT-Extension-MergeUsers-0.03_02 but get the following when trying to use it from the User account page…

RT::User::MergeInto Unimplemented in HTML::Mason::Commands. (/apps/rt-3.8.2/share/html/Callbacks/RT-Extension-MergeUsers/Admin/Users/Modify.html/RightColumnBottom line 71)

My install is a bit unusual in that I have RT installed in /apps as follows…

find /apps/rt-3.8.2/ -name *erge*
/apps/rt-3.8.2/man/auto/RT/Extension/MergeUsers
/apps/rt-3.8.2/man/man3/RT::Extension::MergeUsers.3pm
/apps/rt-3.8.2/lib/RT/Extension/MergeUsers.pm
/apps/rt-3.8.2/share/html/REST/1.0/ticket/merge
/apps/rt-3.8.2/share/html/REST/1.0/Forms/ticket/merge
/apps/rt-3.8.2/share/html/Callbacks/RT-Extension-MergeUsers
/apps/rt-3.8.2/bin/rt-update-merged-users
/apps/rt-3.8.2/bin/rt-merge-users
/apps/rt-3.8.2/var/mason_data/obj/2362954981/standard/Callbacks/RT-Extension-MergeUsers

grep -i merge /apps/rt-3.8.2/etc/*
/apps/rt-3.8.2/etc/RT_Config.pm: debug info notice warning error critical alert emergency
/apps/rt-3.8.2/etc/RT_SiteConfig.pm:Set(@Plugins, qw(RT::Extension::MergeUsers));

I’m not sure if my non-standard install location is the problem or not.

TIA.

-Jeff

> I’ve installed RT-Extension-MergeUsers-0.03_02 but get the following
> when trying to use it from the User account page…
>
> RT::User::MergeInto Unimplemented in HTML::Mason::Commands. (/apps/
> rt-3.8.2/share/html/Callbacks/RT-Extension-MergeUsers/Admin/Users/
> Modify.html/RightColumnBottom line 71)
>
> My install is a bit unusual in that I have RT installed in /apps as
> follows…
>
> find /apps/rt-3.8.2/ -name *erge*
>
> /apps/rt-3.8.2/man/auto/RT/Extension/MergeUsers
> /apps/rt-3.8.2/man/man3/RT::Extension::MergeUsers.3pm
> /apps/rt-3.8.2/lib/RT/Extension/MergeUsers.pm

I wonder what else is unusual about your install,
I’d expect MergeUsers.pm and all the callbacks to live in:

/apps/rt-3.8.2/local/plugins/RT-Extension-MergeUsers/

Otherwise, Set(@Plugins) won’t be able to properly load it.

-kevin