RT::Authen::ExternalAuth debugging

I’m going down the route of integrating a new RT 3.8.1 install in to a
Windows 2003 Active Directory environment, and after going through the
wiki web of information, I found that the “proper” method is now
RT::Authen::ExternalAuth. That was, unfortunately, after I tried
several other methods. :frowning:

Anyhow, I saw a couple of postings on the list (specifically:
http://lists.bestpractical.com/pipermail/rt-users/2008-July/052959.html),
and managed to get things configured, but not functioning. :frowning:

I am able to successfully ldapsearch:
ldapsearch -LLL -x -D "CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local" -w ourpasswd -h ad.ourdomain.local "(objectClass=Person)" -b "dc=ourdomain,dc=local"

And I tried a couple of different variants for searching with command
line success: (objectClass=*), (sAMAccountName=user)

However, I cannot seem to get it to work for RT. I’m getting “Your
username or password is incorrect” after only a few seconds of
processing. Probably the thing preventing me from debugging this
further is… well… I’m not sure how to turn up the volume on the
debugging. The most I am seeing in the logs is the login failure.

Any ideas?

Thanks!
-Rich

RT_SiteConfig.pm contains:

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'ad.ourdomain.local',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'CN=Administrator,OU=IT Department,OU=Users,DC=ourdomain,DC=local',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'ourpasswd',
        # The LDAP search base
        'base'   => 'dc=ourdomain,dc=local',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=Person)',
        # The filter that will only match disabled users
        # (a second 'd_filter' key in the same hash silently overrides the
        # first, and the first copy also had a typo, "serAccountControl",
        # so it is left commented out here)
        # 'd_filter' => '(serAccountControl:1.2.840.113556.1.4.803:=2)',
        'd_filter' => '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'      => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});
1;

I too was going down this path. What ended up working for me is creating
local accounts on rt first, then ldap authentication worked.
The other problem I ran into is the “give permissions for everyone to create
ticket” error when this plugin was activated. Double checked all
permissions, and ensured that everyone could create a ticket for the given
queue and had no luck.

For now I’ve rolled back the use of the plugin and I am just using local
accounts :frowning:

-a

On Wed, Oct 15, 2008 at 4:17 PM, Rich West <Rich.West@wesmo.com> wrote:

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Andrew, if you’d like to get ExternalAuth working there are scores of people who have set it up successfully… so don’t give up. I have 3.8.1 with AuthenExternalAuth LDAP working just fine. It also autocreates users in the RT db as needed. Rich, here is the link for the logging debug setup:

http://wiki.bestpractical.com/view/Debug

Here is the instruction lineup, read them all carefully.

http://wiki.bestpractical.com/view/ExternalAuth - Read the “Post-Install” section

http://www.gossamer-threads.com/lists/rt/users/77286
http://www.gossamer-threads.com/lists/rt/users/77139?search_string=ldap%

If you go to the #rt irc channel I’d be happy to help solve ExternalAuth issues.

Elias (whitman on #rt)

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Andrew Konkol
Sent: Wednesday, October 15, 2008 2:33 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth debugging


Thanks for the debug link and the quick help! I wasn’t sure what value
to put in there, but, alas, the Wiki to the rescue. :slight_smile:

Those links were the ones that I followed. It just doesn’t seem to
even attempt an AD auth (“testuser” exists in AD):

[Wed Oct 15 22:42:06 2008] [error]: FAILED LOGIN for testuser from
10.100.10.6
(/var/www/html/help.ourdomain.local/share/html/autohandler:265)

I have this bizarre feeling like I am missing just one important piece
of the puzzle…

-Rich


Rich,

(1) You should see something similar in your RT log if it is indeed
trying to authenticate against your AD.

[Thu Oct 16 00:25:12 2008] [info]: RT::User::IsExternalPassword External
Auth OK
( MY_LDAP ): alan (/usr/local/rt381/bin/…/local/lib/RT/User_Vendor.pm:281)

[Thu Oct 16 00:25:12 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED
(/usr/local/rt381/bin/…/local/lib/RT/User_Vendor.pm:360)

(2) Backup your RT_SiteConfig.pm and reduce the match_list to something
like this and test again:

      # The list of RT attributes that uniquely identify a user
      'attr_match_list' => [    'Name',
                                'EmailAddress',
                           ],

It took me some effort to get LDAP authentication against SUN Directory
Server 6.3 to work so keep trying! :slight_smile:
http://www.gossamer-threads.com/lists/rt/users/79313?search_string=TLS;#79313

Good Luck!

Alan
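A small triage script for the two log-line shapes quoted in this thread (the autohandler's "FAILED LOGIN" line and User_Vendor.pm's "IsExternalPassword" line), added here as an example; it is not part of any post and not RT's own code. It tells a login that failed because ExternalAuth was never consulted (the plugin not being enabled, as in Rich's case) apart from one the directory actually rejected, and counts failures per source address. The sample lines are constructed, and the wording assumed for the rejected case is marked as such.

```python
import re
from collections import Counter

# Log-line shapes quoted in this thread (RT 3.8.1 with RT::Authen::ExternalAuth):
# the autohandler's "FAILED LOGIN" line and User_Vendor.pm's IsExternalPassword line.
PREFIX = r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
FAILED_LOGIN = re.compile(
    PREFIX + r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>[0-9.]+)")
# "External Auth OK ( MY_LDAP ): alan" is the wording on the page. That a rejected
# attempt uses the same shape with another outcome word is an assumption, so the
# triage keys on the IsExternalPassword marker and captures the outcome loosely.
EXT_AUTH = re.compile(
    PREFIX + r"RT::User::IsExternalPassword External Auth (?P<outcome>\w+) "
    r"\( (?P<service>\w+) \): (?P<user>\S+)")

# Constructed sample: two failures logged before the plugin was enabled (no
# IsExternalPassword lines at all), then a success and a rejected attempt after.
SAMPLE_LOG = """\
[Wed Oct 15 22:42:06 2008] [error]: FAILED LOGIN for testuser from 10.100.10.6 (/var/www/html/help.ourdomain.local/share/html/autohandler:265)
[Wed Oct 15 22:42:40 2008] [error]: FAILED LOGIN for testuser from 10.100.10.6 (/var/www/html/help.ourdomain.local/share/html/autohandler:265)
[Thu Oct 16 00:25:12 2008] [info]: RT::User::IsExternalPassword External Auth OK ( MY_LDAP ): alan (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:281)
[Thu Oct 16 00:25:12 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:360)
[Thu Oct 16 00:31:55 2008] [info]: RT::User::IsExternalPassword External Auth FAILED ( MY_LDAP ): bob (/usr/local/rt381/bin/../local/lib/RT/User_Vendor.pm:290)
[Thu Oct 16 00:31:55 2008] [error]: FAILED LOGIN for bob from 10.100.10.77 (/usr/local/rt381/share/html/autohandler:265)
"""

NOT_CONSULTED = ("no RT::User::IsExternalPassword lines in the log: ExternalAuth is "
                 "not being consulted at all; check Set(@Plugins, qw(RT::Authen::ExternalAuth)) "
                 "and the Callbacks/ExternalAuth/autohandler/Auth copy")
ALL_GOOD = ("external auth is being consulted; remaining failures are credential "
            "or filter rejections")


def triage(lines):
    """Walk the log in order; a FAILED LOGIN counts as 'never consulted' when no
    IsExternalPassword line for that user appeared earlier in the log."""
    report = {
        "external_auth_seen": False,
        "successes": [],          # (user, service)
        "failed_logins": [],      # (user, source ip)
        "never_consulted": set(),
        "failures_by_ip": Counter(),
    }
    consulted = set()
    for line in lines:
        m = EXT_AUTH.match(line)
        if m:
            report["external_auth_seen"] = True
            consulted.add(m["user"])
            if m["outcome"] == "OK":
                report["successes"].append((m["user"], m["service"]))
            continue
        m = FAILED_LOGIN.match(line)
        if m:
            report["failed_logins"].append((m["user"], m["ip"]))
            report["failures_by_ip"][m["ip"]] += 1
            if m["user"] not in consulted:
                report["never_consulted"].add(m["user"])
    return report


def diagnose(report, brute_force_threshold=10):
    """Turn the report into findings: plugin not active, per-user gaps, and
    source addresses with enough failures to be worth a look."""
    findings = []
    if report["failed_logins"] and not report["external_auth_seen"]:
        findings.append(NOT_CONSULTED)
    elif report["never_consulted"]:
        findings.append("external auth consulted for some users but not for: "
                        + ", ".join(sorted(report["never_consulted"])))
    for ip, n in report["failures_by_ip"].most_common():
        if n >= brute_force_threshold:
            findings.append(f"{n} failed logins from {ip}: review for password guessing")
    return findings or [ALL_GOOD]


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG.splitlines())):
        print(finding)
```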

Rich West wrote:

Spoke with a few of the folks on the #rt irc channel off of irc.perl.org
and managed to get this working. Hooray. I do have one question,
though… if a ticket is submitted via email, how will it get associated
to the proper user? or: How can I make sure that user with the account
"testuser" in Active Directory / LDAP can send email in to RT using
their testuser@mydomain.coom email address, and it would be associated
properly to “testuser”?

The simple piece that was missing from my setup was the fact that I
needed to activate the plugin (duh) via the following in RT_SiteConfig.pm:
Set(@Plugins, qw(RT::Authen::ExternalAuth));

Additionally, I had to copy:
local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth
to:
local/html/Callbacks/ExternalAuth/autohandler/Auth

Then patch that file (local/html/Callbacks/ExternalAuth/autohandler/Auth):

— lib/RT/User_Vendor.pm (revision 40675)
+++ lib/RT/User_Vendor.pm (revision 40676)
@@ -348,7 +348,7 @@
return (undef);
}

  • if ( $self->PrincipalObj->Disabled ) {
  • if ( $self->PrincipalObj && $self->PrincipalObj->Disabled ) {
    $RT::Logger->info(“Disabled user " . $self->Name .
    ” tried to log in" );
    return (undef);
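Review bot: the replacement line adds a `$self->PrincipalObj &&` guard so that `Disabled` is no longer called on an undefined PrincipalObj, which would otherwise die ("Can't call method ... on an undefined value") and surface to the user as a plain failed login with no logged reason; with the guard a user that has no principal record now falls through past this check instead of dying, so confirm the code after the hunk (not shown here) handles that case. The headers name `lib/RT/User_Vendor.pm` (r40675 to r40676), while the sentence above says the patched file is `local/html/Callbacks/ExternalAuth/autohandler/Auth`; the file in the headers is the one this hunk applies to. Note the archive has rendered the hunk's `-`/`+` pair as bullets and turned the double quotes in the `info(...)` call into typographic quotes, so re-type rather than paste it.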

Once I did that and restarted the web server, AD and local
authentication started working. Hooray. :slight_smile:

-Rich

Alan Cheng wrote:

Rich, grant CreateTicket, ReplyToTicket, ShowTicket to the Unprivileged group. Have you successfully set up the mailgate to accept emails? IMHO I think the best setup is creating an rt user on the RT box, use fetchmail to retrieve the mail from another server on a cron and set the mta to the rt-mailgate within .fetchmailrc directly. This way, if the RT box itself goes down you’ll have a normal email account to check for incoming requests. Otherwise, if the mailgate or a mail server on the RT box is malfunctioning, it could bounce the mail back to the user.

Once that’s set up correctly, the user will be autocreated the first time they send an email to RT. They will also show up as the Requestor for the ticket. The owner of the ticket can be set any number of ways, but by default it is owned by Nobody. This way the ticket shows up in the ‘top 10 unowned tickets.’

Elias

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Rich West
Sent: Thursday, October 16, 2008 2:38 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth debugging
