RT 5.0.1 : ExternalAuth LDAP stopped working

matjolic · May 4, 2021, 3:12pm

Hello, new user here.

I am currently setting up an install of RT 5.0.1 on CentOS 8. Everything has gone pretty smoothly so far. Last week, I successfully configured LDAPimport to pull in our user credentials from Windows AD server.
Our users could login without a hitch as per the following log:

[20370] [Mon May  3 14:18:57 2021] [info]: My_LDAP AUTH FAILED xxxxxxx@xyz.com (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/opt/rt5/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[20370] [Mon May  3 14:19:07 2021] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): xxxxxxx@xyz.com (/opt/rt5/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:348)

Yesterday, I changed the config file to allow creation of a “generic” user that doesn’t existing on LDAP. I added the following line to my RT_Siteconfig.d/

Set($AutoCreateNonExternalUsers, 1);

I was able to create a “local” user and login to that account. Since I have done that, all the Active Directory users are not able to login anymore. The following log shows that the LDAP.pm module isn’t queried upon login, only the Web.pm now.

[20370] [Mon May  3 14:18:57 2021] [error]: FAILED LOGIN for xxxxxxx@xyz.com from 1.2.3.4    (/opt/rt5/sbin/../lib/RT/Interface/Web.pm:840)

If I reset the password of the user on RT through the root account, then that user is able to login, but still through Web.pm, not the ExternalAuth.

I have tried reverting the config and remove the $AutoCreateNonExternalUsers variable, but the same thing keeps on happening.

matjolic · May 4, 2021, 3:25pm

Here is my ExternalAuth config

# Use the below LDAP source for both authentication, as well as user
# information
Set($ExternalAuthPriority, [ "My_LDAP"]);
Set($ExternalInfoPriority, [ "My_LDAP"]);

# Make users created from LDAP Privileged
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1});

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
#Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration
Set($ExternalSettings, {
	    'My_LDAP' => {
		'type' => 'ldap',
		'tls' => 0,
		'server' => 'ad.domain.com',
		'user' => 'AD\Administrator',
		'pass' => 'password',
		'base' => 'ou=Users,ou=Company,dc=ad,dc=domain,dc=com',
		'filter' => '(&(objectClass=person))',
		'attr_match_list' => [
			'Name',
			'EmailAddress',
		],
		'attr_map' => {
			'Name' => 'userPrincipalName',
			'EmailAddress' => 'mail',
			'RealName' => 'name',
		},
	},
});

And my LDAP config

Set($LDAPHost, 'ad.domain.com');
Set($LDAPUser, 'ad\Administrator');
Set($LDAPPassword, 'password');

Set($LDAPBase, 'ou=Users,ou=Company,DC=ad,DC=domain,DC=com');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {Name  => 'userPrincipalName',
	EmailAddress => 'mail',
	RealName  => 'name'});
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPImportGroupMembers, 1);

I have confirmed that I can query the AD server from RT

ldapsearch -x -H ldap://1.2.3.4:389 -D "ad\Administrator" -w password -b "ou=Users,ou=Company,dc=ad,dc=domain,dc=com" "cn=User Name"

matjolic · May 4, 2021, 4:44pm

I am highly suspicious of the fact that the log doesn’t show the system attempting to use LDAP anymore

[21610] [Mon May  3 18:40:44 2021] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt5/sbin/../lib/RT/Authen/ExternalAuth.pm:364)

This doesn’t happen anymore, since yesterday, when I added the ability to create non-LDAP users. This line hasn’t appeared in the RT log since the change, even after reverting, even after rebooting.