RT 4.4.1 on Debian with RT::Authen::ExternalAuth?

I’ve set up RT, and am testing it with rt-server. Everything seems to
be going smoothly except LDAP with RT::Authen::ExternalAuth. I read
the docs and have implemented the suggested changes in
/opt/rt4/etc/RT_SiteConfig.pm like so:

Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalAuth, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',
        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );

The issue is that when I try to log in, the users aren't allowed access, and
I get the following error from rt-server:

[error]: FAILED LOGIN for username_redacted from IP_REDACTED
(/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)

Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug
I get:
[critical]: Expected 'PeerHost' at
/usr/local/share/perl/5.20.2/Net/LDAP.pm line 164.
(/opt/rt4/sbin/…/lib/RT.pm:390)

Any ideas? I read every document I could find, but it’s hard to know
which non-official ones you can trust since RT has been around so long
and ExternalAuth was just added to the core. Also, the official docs
are a bit terse.

Hi Malcolm,

You are missing the LDAP import configuration, which is separate from
the External auth config.
The following will help:

https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html

Best Regards

Martin

RT 4.4 and RTIR training sessions, and a new workshop day!
https://bestpractical.com/training

  • Boston - October 24-26
  • Los Angeles - Q1 2017

Hi Malcolm,

Are you able to get any results from the LDAP server when you try the
same search using ldapsearch from the command line on the Debian box?

Something like:
ldapsearch -x -D LDAP_ACCOUNT -W -ZZ -H ldap://ggdc1.domain.int/ \
    -b ou=Production,dc=domain,dc=int "(objectClass=inetOrgPerson)"

I’m guessing your LDAP server is MS AD so you will probably need to
configure TLS.
The following items come from my configuration.

Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalAuth, 1);
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);

# Use TLS
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ggdc1.domain.int',

        # Configure TLS settings
        'tls' => {
            'verify' => 'require',
            'cafile' => '/etc/ssl/certs/CACert.pem',  # Path to CA file
        },

        'user'   => 'LDAP_ACCOUNT',
        'pass'   => 'LDAP_ACCOUNT_PASS',
        'base'   => 'ou=Production,dc=domain,dc=int',
        'filter' => '(objectClass=inetOrgPerson)',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );

Best Regards

Martin
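The check Martin suggests, done the way RT itself does it (Net::LDAP, StartTLS with certificate verification, a bind as the service account, then the user search), as an added diagnostic script that is not part of this thread or of RT's own code. The host, account, password, base, filter and CA path are the thread's placeholders; the search ORs sAMAccountName and mail to mirror the attr_match_list above, and the attribute list is the first few entries of attr_map. It stops at the first failing step and prints the LDAP result code, which is more than the FAILED LOGIN line in rt-server tells you. One caveat when the server is AD: user objects are objectClass user and only carry inetOrgPerson if the schema was extended, so a successful bind followed by zero matches points at the filter rather than at RT.

```perl
#!/usr/bin/perl
# Added diagnostic (not RT code): reproduce the StartTLS bind and search
# that RT::Authen::ExternalAuth performs with the 'My_LDAP' settings from
# the thread, so a failed login can be traced on the LDAP side first.
# All host/account/path values are the thread's placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    server => 'ggdc1.domain.int',
    user   => 'LDAP_ACCOUNT',        # full bind DN, or user@domain UPN on AD
    pass   => 'LDAP_ACCOUNT_PASS',
    base   => 'ou=Production,dc=domain,dc=int',
    filter => '(objectClass=inetOrgPerson)',
    tls    => { verify => 'require', cafile => '/etc/ssl/certs/CACert.pem' },
    attrs  => [qw(sAMAccountName mail cn telephoneNumber)],
);

# The login name under test comes from the command line and is escaped
# before it goes into the filter, so it cannot alter the filter's structure.
my $login = shift @ARGV or die "usage: $0 <username>\n";

# 1. Connect. An unset host is what the thread later ties to the
#    "Expected 'PeerHost'" error, so refuse it explicitly.
die "server is not set\n" unless length $cfg{server};
my $ldap = Net::LDAP->new($cfg{server}, port => 389, version => 3, timeout => 10)
    or die "connect to $cfg{server} failed: $@\n";

# 2. StartTLS with certificate verification. verify => 'none' would accept
#    any certificate and hand the bind credentials to a spoofed server.
my $tls = $ldap->start_tls(%{ $cfg{tls} });
die "StartTLS failed: " . $tls->error . "\n" if $tls->code;

# 3. Bind with the service account RT uses for lookups.
my $bind = $ldap->bind($cfg{user}, password => $cfg{pass});
die sprintf("bind as %s failed (code %d): %s\n",
            $cfg{user}, $bind->code, $bind->error) if $bind->code;

# 4. Search as ExternalAuth does: the configured filter AND-ed with the
#    attr_match_list attributes for the login name.
my $name   = escape_filter_value($login);
my $filter = "(&$cfg{filter}(|(sAMAccountName=$name)(mail=$name)))";
my $res = $ldap->search(base => $cfg{base}, scope => 'sub',
                        filter => $filter, attrs => $cfg{attrs});
die sprintf("search failed (code %d): %s\n", $res->code, $res->error) if $res->code;

printf "%d entries matched %s under %s\n", $res->count, $filter, $cfg{base};
for my $entry ($res->entries) {
    printf "  dn=%s\n", $entry->dn;
    printf "    %-16s %s\n", $_, scalar($entry->get_value($_)) // '(unset)'
        for @{ $cfg{attrs} };
}
$ldap->unbind;

# Exactly one match is what a login needs: zero means base, filter or
# attr_map are wrong; more than one means the match is ambiguous.
exit($res->count == 1 ? 0 : 1);
```

Run it as `perl ldapcheck.pl someuser` on the RT host itself, so it uses the same Perl, the same Net::LDAP and the same CA file that rt-server sees; a difference between this script and an ldapsearch from another machine is usually a certificate or DNS issue on the RT box.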

Hi Malcolm,

The output from rt-ldapimport is normal if no changes are required, as
I've just tried it here in my lab and it is working.

Incidentally, LDAPImport doesn't currently support TLS. I've written a
patch which you are welcome to have if you would like it. I'm afraid I
haven't submitted it to BP yet, but intend to when I get some time.

Best Regards

Martin

On 2016-10-19 14:21, Malcolm Galland wrote:

Ah, yes. It looks like I had commented it out during testing, and
that’s what was causing the PeerHost error. Below is the section of
SiteConfig dedicated to LDAPImport:

Set($LDAPHost, 'ggdc1.domain.int');
Set($LDAPUser, 'LDAP_ACCOUNT');
Set($LDAPPassword, 'LDAP_ACCOUNT_PASS');
Set($LDAPBase, 'dc=domain,dc=int');
Set($LDAPFilter, '(&(cn = users))');
Set($LDAPMapping, {Name         => 'uid', # required
                   EmailAddress => 'mail',
                   RealName     => 'cn',
                   WorkPhone    => 'telephoneNumber',
                   Organization => 'departmentName'});

# If you want to sync Groups from LDAP into RT

Set($LDAPGroupBase, 'dc=domain,dc=int'); 
Set($LDAPGroupFilter, '(&(cn = Groups))'); 
Set($LDAPGroupMapping, {Name               => 'cn', 
                        Member_Attr        => 'member', 
                        Member_Attr_Value  => 'dn' });

Interesting follow-up question though: when I run rt-ldapimport I don't
get any errors, but the output doesn't exactly instill a feeling of
success either:

/opt/rt4/sbin/rt-ldapimport --debug
Running test import, no data will be changed
Rerun command with --import to perform the import
Rerun command with --debug for more information
Testing group import
Finished test
