RT 4.4.4 and AD ExternalAuth

Hi all,

RT 4.4.4 (new installation)
MariaDB 10.3
CentOS 8 (Perl 5.26.3)
AD server is WS 2016

I’ve been working on this a couple of days but am stuck and hope I can get a few thoughts on where else to look.

Part of my RT_SiteConfig.pm:

Set($ExternalAuthPriority, ['AD']);
Set($ExternalInfoPriority, ['AD']);
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 });
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'AD' => {
        'type'     => 'ldap',
        'server'   => 'myldap.mydomain.edu',
        'user'     => 'myldapauthuser@mydomain.edu',
        'password' => 'mypassword',
        'base'     => 'dc=mydomain,dc=edu',
        'filter'   => '(objectCategory=User)',
        'tls'      => { verify => 'none' },
        'net_ldap_args' => [ version => 3, scheme => 'ldaps', port => 636 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
        'group_scope' => 'sub',
    },
} );

This bit is for ldapimport:

Set($LDAPHost, 'myldap.mydomain.edu');
Set($LDAPOptions, [ port    => 636,
                    scheme  => 'ldaps',
                    raw     => qr/(;binary)/,
                    version => 3,
                    verify  => 'none' ]);
Set($LDAPUser, 'CN=Myldapauth User,CN=Users,DC=mydomain,DC=edu');
Set($LDAPPassword, 'mypassword');
Set($LDAPBase, 'dc=mydomain,dc=edu');
Set($LDAPFilter, '(&(objectCategory=User)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))');
Set($LDAPMapping, { Name         => 'sAMAccountName', # required
                    EmailAddress => 'mail',
                    RealName     => 'cn',
                    WorkPhone    => 'telephoneNumber',
                    Address1     => 'streetAddress',
                    City         => 'l',
                    State        => 'st',
                    Zip          => 'postalCode',
                    Country      => 'co' });
Set($LDAPGroupBase, 'ou=Groups,dc=mydomain,dc=edu');
Set($LDAPGroupFilter, '(|(cn=Staff)(cn=Consultant))');
Set($LDAPGroupMapping, { Name             => 'cn',
                         Member_Attr       => 'member',
                         Member_Attr_Value => 'dn' });

The importer does seem to work: /opt/rt4/sbin/rt-ldapimport --verbose
and so does: ldapsearch -x -H ldaps://myldap.mydomain.edu:636 -D myldapauthuser@mydomain.edu -w mypassword -b "dc=mydomain,dc=edu" "(&(objectCategory=User)(sAMAccountName=testuser))"
The filter part is copied from the log entries of the failed login on the web GUI.

Logging in via the web gui gives:

[19085] [Fri Dec 13 15:42:15 2019] [debug]: Attempting to use external auth service: AD (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: Calling UserExists with $username (testuser) and $service (AD) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:329)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: UserExists params: username: testuser , service: AD (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:486)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: LDAP Search === Base: dc=mydomain,dc=edu == Filter: (&(objectCategory=User)(sAMAccountName=testuser)) == Attrs: postalCode,streetAddress,telephoneNumber,st,co,mail,cn,l,sAMAccountName (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:516)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: User Check Failed :: ( AD ) testuser User not found (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:530)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[19085] [Fri Dec 13 15:42:15 2019] [error]: FAILED LOGIN for testuser from 1.2.3.4 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:827)

Based on other posts, mine doesn’t appear to be a server connectivity issue or an LDAP account problem that I can tell. Sorta stuck on what to try next.

Thanks!

I haven't done LDAP personally on my RT. Since you are trying to log in with a username, can you confirm that this mapping is correct: 'Name' => 'sAMAccountName'? I know that is the default value in the docs.

Yeah, I’m taking that mostly on faith from the docs as I’m new to RT but a similar mapping of username to sAMAccountName works on our other perl-based ticket system as well as a few other LDAP/AD authenticated systems.

A few other folks on this forum with the same mappings tried “myname@mydomain” to login which worked for them but doesn’t in my case (same user not found error).

Are you using Active Directory for LDAP?

Yeah, Active Directory on Windows Server 2016

It's starting to appear like a binding issue. In the Event Viewer on the AD server, the login attempts with the binding credentials throw a substatus code of 0xC000006A, which is (according to Google searches) "user name is correct but the password is wrong." I've double-checked the password and have even tried other accounts to bind with (and verified their passwords), but they all end up failing.

An interesting side note: if I put in bad bind info, like a non-existent account, no errors about binding show up in the RT log (currently set at debug level).

Ok, I feel dumb... with all the copying and pasting to test configs, somehow 'password' => ended up where it should've been 'pass' =>

I can now log in with AD credentials!

Thanks for jumping in here knation!
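A small Net::LDAP diagnostic, added here and not part of RT or of this thread, that performs the same two steps RT::Authen::ExternalAuth::LDAP does (bind as the service account, then search for the login name) but reports the bind result on its own, so a wrong service-account password surfaces as a bind error instead of the "User not found" line in the debug log above. The server, bind account, password and base are the thread's placeholder values.

```perl
#!/usr/bin/perl
# Added diagnostic (not RT's code): bind as the service account, then run the
# search RT builds, reporting each step separately.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_text);

# Placeholder values taken from the thread's config; edit for a real server.
my %cfg = (
    server => 'myldap.mydomain.edu',
    user   => 'myldapauthuser@mydomain.edu',
    pass   => 'mypassword',               # RT's ExternalSettings key is 'pass'
    base   => 'dc=mydomain,dc=edu',
    filter => '(objectCategory=User)',
);
my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";

# Step 1: LDAPS connection. verify => 'none' mirrors the thread; prefer
# verify => 'require' plus cafile once the CA chain is in place.
my $ldap = Net::LDAP->new($cfg{server}, scheme => 'ldaps', port => 636,
                          version => 3, verify => 'none')
    or die "connect failed: $@\n";

# Step 2: service-account bind. RT only reports "User not found" when this
# fails, so surface the LDAP result code here (49 = invalidCredentials).
my $bind = $ldap->bind($cfg{user}, password => $cfg{pass});
if ($bind->code) {
    die sprintf("BIND FAILED: %s (code %d) %s\n",
                ldap_error_text($bind->code), $bind->code, $bind->error);
}
print "bind OK as $cfg{user}\n";

# Step 3: the same AND of the configured filter and the mapped Name attribute
# that appears in the RT debug log; the login is escaped so a crafted value
# cannot change the filter's meaning.
my $filter = sprintf('(&%s(sAMAccountName=%s))',
                     $cfg{filter}, escape_filter_value($login));
my $res = $ldap->search(base => $cfg{base}, scope => 'sub', filter => $filter,
                        attrs => [qw(sAMAccountName mail cn)]);
die 'SEARCH FAILED: ' . ldap_error_text($res->code) . "\n" if $res->code;
printf "search %s returned %d entries\n", $filter, $res->count;
for my $e ($res->entries) {
    printf "  %s  mail=%s  cn=%s\n", $e->dn,
           $e->get_value('mail') // '-', $e->get_value('cn') // '-';
}
$ldap->unbind;
```

Run it as `perl ldapcheck.pl testuser`; a "BIND FAILED" line points at the service-account credentials (the 'pass' key) rather than at the user lookup.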

Glad you figured it out!