RT::Authen::ExternalAuth and multiple LDAP servers

We have RT set up to check 3 AD servers…the theory is that if one is
down, it will try the next one. Unfortunately this does not seem to be
the case…if the first AD server isn’t responding to LDAP queries, the
login just fails. Attached is the section of our config file relating
to ExternalAuth. Any ideas why it’s failing after just one attempt, or
is that how the ExternalAuth extension is supposed to work?

ldapexcerpt.txt (3.88 KB)

Hi Nick,
I’m not an expert myself but could you please paste the relevant bit of
the logs? It might help other users understanding the problem.
We use a similar configuration, but with fallback on mySql rather than
another ldap server and it works without any other parameter.

GiuseppeOn 02/11/10 23:02, Nick Kartsioukas wrote:

We have RT set up to check 3 AD servers…the theory is that if one is
down, it will try the next one. Unfortunately this does not seem to be
the case…if the first AD server isn’t responding to LDAP queries, the
login just fails. Attached is the section of our config file relating
to ExternalAuth. Any ideas why it’s failing after just one attempt, or
is that how the ExternalAuth extension is supposed to work?

Giuseppe Sollazzo
Senior Systems Analyst
Computing Services
Information Services
St. George’s, University Of London
Cranmer Terrace
London SW17 0RE

Email: gsollazz@sgul.ac.uk
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583

On Wed, 03 Nov 2010 09:41:13 +0000, "Giuseppe Sollazzo"
gsollazz@sgul.ac.uk said:

I’m not an expert myself but could you please paste the relevant bit of
the logs? It might help other users understanding the problem.
We use a similar configuration, but with fallback on mySql rather than
another ldap server and it works without any other parameter.

Sure thing. This is all I have (all the entries look like this):
Oct 27 10:12:39 rt compserv_rt:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
server1
(/home/rt/compserv_rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
Oct 27 10:12:39 rt compserv_rt: FAILED LOGIN for some_user from some_ip
(/home/rt/compserv_rt/bin/…/lib/RT/Interface/Web.pm:424)

(usernames and IPs have been removed to protect the paranoid)

Hi Nick,

there’s something weird in here as we have a similar setting: 2 ldap
servers in the file. The interesting thing is that our logs don’t stop
there.

Basically:

Set($ExternalAuthPriority, [
‘My_LDAP’,
‘My_LDAP2’
]
);

Set($ExternalInfoPriority, [
‘My_LDAP’,
‘My_LDAP2’
]
);

Set($ExternalSettings, {
‘My_LDAP’ => {

                                                         },
                             'My_LDAP2'   =>  {

                                                         },
                                         },

);

So, to check your problem I’ve altered the name of the server to
something wrong.

What I see in the logs is a critical error on the connection to My_LDAP,
but a quick fallback to My_LDAP2:

[Thu Nov 4 09:58:46 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj : Cannot connect to
ldap1aaa.mydomain
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:437)
[Thu Nov 4 09:58:46 2010] [debug]: Attempting to use external auth
service: My_LDAP2
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

What makes me think that the problem is actually different, is that
"FAILED LOGIN" that I see in your log. So I would check

  1. what happens if you leave just the second server

  2. what’s your configuration as far as the following is concerned:
    Set($WebExternalAuth , 1);
    Set($WebFallbackToInternalAuth , 1);
    Set($WebExternalAuto , 1);

  3. what’s your log level, I would set it to ‘debug’ if it’s not:
    Set($LogToFile, ‘debug’);

When you’ve checked the previous, please report back.

All the best,
Giuseppe

Giuseppe Sollazzo
Senior Systems Analyst
Computing Services
Information Services
St. George’s, University Of London
Cranmer Terrace
London SW17 0RE

Email: gsollazz@sgul.ac.uk
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583

While your debugging steps for Nick are sound, I’d just like to point
out that these three configs:On Thu, Nov 04, 2010 at 10:04:14AM +0000, Giuseppe Sollazzo wrote:

  1. what’s your configuration as far as the following is concerned:
    Set($WebExternalAuth , 1);
    Set($WebFallbackToInternalAuth , 1);
    Set($WebExternalAuto , 1);

Are for RT’s external auth (using REMOTE_USER from apache). They
aren’t used by RT::Authen::ExternalAuth

-kevin

Erm, true. I think I got carried away :slight_smile:
Thanks for pointing it out.
GOn 04/11/10 16:38, Kevin Falcone wrote:

While your debugging steps for Nick are sound, I’d just like to point
out that these three configs:

On Thu, Nov 04, 2010 at 10:04:14AM +0000, Giuseppe Sollazzo wrote:

2) what's your configuration as far as the following is concerned:
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalAuto , 1);

Are for RT’s external auth (using REMOTE_USER from apache). They
aren’t used by RT::Authen::ExternalAuth

-kevin

Giuseppe Sollazzo
Senior Systems Analyst
Computing Services
Information Services
St. George’s, University Of London
Cranmer Terrace
London SW17 0RE

Email: gsollazz@sgul.ac.uk
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583

On Thu, 04 Nov 2010 10:04:14 +0000, "Giuseppe Sollazzo"
gsollazz@sgul.ac.uk said:

there’s something weird in here as we have a similar setting: 2 ldap
servers in the file. The interesting thing is that our logs don’t stop
there.
[snip]
Set($ExternalSettings, {
‘My_LDAP’ => {

                                                         },
                             'My_LDAP2'   =>  {

                                                         },
                                         },

);

Hmm. I wonder if I have an errant curly-brace somewhere. I’ll go
through my config more closely and see if I missed something.

On Thu, 04 Nov 2010 11:25:30 -0700, "Nick Kartsioukas"
change+lists.rt@nightwind.net said:

Hmm. I wonder if I have an errant curly-brace somewhere. I’ll go
through my config more closely and see if I missed something.

Indeed, I had an extra set of curly-braces around the entire set of LDAP
definitions. It’s working right now…