RT::Authen::ExternalAuth, Possible Configuration Issue?

Greetings all,

== A Little Background ==

Sorry for the length of this post, TL/DR is at the bottom of this
message. We currently run RT 3.6.6 in a production environment (running
on RHEL 5.3, Tikanga, 2.6.18-128.2.1.el5xen #1 SMP, x86, running on a
Dell PowerEdge R410). We are in the midst of upgrading to 3.8.9 (as we
really liked the new look). The test environment is running on RHEL 5.6
Tikanga, 2.6.18-229.el5 #1 SMP, x86_64, within an ESX virtual
environment (Dell PowerEdge R710 acting as the VM host).

We have already compiled the new RT instance successfully (web GUI runs
really well), ported our current production DB to the new environment
(after some issues related to MyISAM incompatibilities during initial
deployment; we have been running RT since release v2.8), ran any
necessary schema updates, and ensured that there weren’t any CPAN
related inconsistencies.

== The Problem ==

Everything as far as the interface seems to be working as it should. We
are currently attempting to integrate the LDAP piece into the install
(LDAP via RT is a bit new to us). I believe that I may be missing a
configuration piece somewhere, as we cannot seem to get authentication
to occur properly between “RT::Authen::ExternalAuth”, and our Active
Directory (AD) server.

I’ve enabled logging in RT (debug mode), and have attached the actual
"rt.log" file to see if anyone can take a look and see if anything
sticks out. I’ve also included my main “RT_SiteConfig.pm”, as well as
the RT::Authen::External LDAP configuration file
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm), as
the issue could also be a configuration issue with this file. As far as
LDAP authentication, we currently use Active Directory on Windows 2003
R2. Within AD we have setup an initial OU named ‘services’, with an
authentication user named ‘ldap’, and a security group named ‘RTUsers’.

The actual error is as follows:

[Tue Apr 5 16:03:18 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:92)

I’ve searched for this error, but I have only found some threads
addressing a similar issue, but with no actual listed solutions. From
what I can tell from these threads the issue seems to stem from either
an Apache, or a FastCGI configuration issue. The thing is Apache on this
server starts without any errors at all, so it seems to be parsing the
configuration files without a problem. I am attaching any related Apache
configuration files as well (two files actually,
/etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/rt3.conf).

At the moment I am a bit stumped, so if anyone here has any
suggestions/information as to the issues mentioned above I’d certainly
appreciate any and all input.

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Best Regards,
Eli

Apologies, forgot to include configuration and log file attachment.

Thanks,
Eli-----Original Message-----
From: Eli Guzman
Sent: Tuesday, April 05, 2011 11:50 AM
To: 'rt-users@lists.bestpractical.com’
Subject: RT::Authen::ExternalAuth, Possible Configuration Issue?

Greetings all,

== A Little Background ==

Sorry for the length of this post, TL/DR is at the bottom of this
message. We currently run RT 3.6.6 in a production environment (running
on RHEL 5.3, Tikanga, 2.6.18-128.2.1.el5xen #1 SMP, x86, running on a
Dell PowerEdge R410). We are in the midst of upgrading to 3.8.9 (as we
really liked the new look). The test environment is running on RHEL 5.6
Tikanga, 2.6.18-229.el5 #1 SMP, x86_64, within an ESX virtual
environment (Dell PowerEdge R710 acting as the VM host).

We have already compiled the new RT instance successfully (web GUI runs
really well), ported our current production DB to the new environment
(after some issues related to MyISAM incompatibilities during initial
deployment; we have been running RT since release v2.8), ran any
necessary schema updates, and ensured that there weren’t any CPAN
related inconsistencies.

== The Problem ==

Everything as far as the interface seems to be working as it should. We
are currently attempting to integrate the LDAP piece into the install
(LDAP via RT is a bit new to us). I believe that I may be missing a
configuration piece somewhere, as we cannot seem to get authentication
to occur properly between “RT::Authen::ExternalAuth”, and our Active
Directory (AD) server.

I’ve enabled logging in RT (debug mode), and have attached the actual
"rt.log" file to see if anyone can take a look and see if anything
sticks out. I’ve also included my main “RT_SiteConfig.pm”, as well as
the RT::Authen::External LDAP configuration file
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm), as
the issue could also be a configuration issue with this file. As far as
LDAP authentication, we currently use Active Directory on Windows 2003
R2. Within AD we have setup an initial OU named ‘services’, with an
authentication user named ‘ldap’, and a security group named ‘RTUsers’.

The actual error is as follows:

[Tue Apr 5 16:03:18 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:92)

I’ve searched for this error, but I have only found some threads
addressing a similar issue, but with no actual listed solutions. From
what I can tell from these threads the issue seems to stem from either
an Apache, or a FastCGI configuration issue. The thing is Apache on this
server starts without any errors at all, so it seems to be parsing the
configuration files without a problem. I am attaching any related Apache
configuration files as well (two files actually,
/etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/rt3.conf).

At the moment I am a bit stumped, so if anyone here has any
suggestions/information as to the issues mentioned above I’d certainly
appreciate any and all input.

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Best Regards,
Eli

config-and-logs.tar.gz (13.4 KB)

Eli Guzman wrote:

Greetings all,

== A Little Background ==

Sorry for the length of this post, TL/DR is at the bottom of this
message. We currently run RT 3.6.6 in a production environment
(running on RHEL 5.3, Tikanga, 2.6.18-128.2.1.el5xen #1 SMP, x86,
running on a Dell PowerEdge R410). We are in the midst of upgrading
to 3.8.9 (as we really liked the new look). The test environment is
running on RHEL 5.6 Tikanga, 2.6.18-229.el5 #1 SMP, x86_64, within an
ESX virtual environment (Dell PowerEdge R710 acting as the VM host).

We have already compiled the new RT instance successfully (web GUI
runs really well), ported our current production DB to the new
environment (after some issues related to MyISAM incompatibilities
during initial deployment; we have been running RT since release
v2.8), ran any necessary schema updates, and ensured that there
weren’t any CPAN related inconsistencies.

== The Problem ==

Everything as far as the interface seems to be working as it should.
We are currently attempting to integrate the LDAP piece into the
install (LDAP via RT is a bit new to us). I believe that I may be
missing a configuration piece somewhere, as we cannot seem to get
authentication to occur properly between “RT::Authen::ExternalAuth”,
and our Active Directory (AD) server.

I’ve enabled logging in RT (debug mode), and have attached the actual
"rt.log" file to see if anyone can take a look and see if anything
sticks out. I’ve also included my main “RT_SiteConfig.pm”, as well as
the RT::Authen::External LDAP configuration file
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm),
as the issue could also be a configuration issue with this file. As
far as LDAP authentication, we currently use Active Directory on
Windows 2003 R2. Within AD we have setup an initial OU named
’services’, with an authentication user named ‘ldap’, and a security
group named ‘RTUsers’.

The actual error is as follows:

[Tue Apr 5 16:03:18 2011] [debug]: SSO Failed and no user to test
with.
Nexting

(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut

h.pm:92)

I’ve searched for this error, but I have only found some threads
addressing a similar issue, but with no actual listed solutions. From
what I can tell from these threads the issue seems to stem from
either an Apache, or a FastCGI configuration issue. The thing is
Apache on this server starts without any errors at all, so it seems
to be parsing the configuration files without a problem. I am
attaching any related Apache configuration files as well (two files
actually, /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/rt3.conf).

At the moment I am a bit stumped, so if anyone here has any
suggestions/information as to the issues mentioned above I’d
certainly appreciate any and all input.

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Best Regards,
Eli

Sorry for the bump to this topic, just needed to see if anyone can still
assist with
this issue. If this is a problem with the module itself, what would be
another possible
workaround for getting LDAP connected?

I’ve seen quite a few different solutions, so I am just wondering what
solutions are more
successful in implementing than others (would a manual overlay or
perhaps Apache authentication
Over OpenLDAP be a better choice?).

If anyone has had any success with any of these other methods any input
you may have would be very
useful specially since we seem to be having an issue getting
RT:Authen:ExternalAuth configured
correctly.

Best Regards,
Eli

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Sorry for the bump to this topic, just needed to see if anyone can still
assist with
this issue. If this is a problem with the module itself, what would be
another possible
workaround for getting LDAP connected?

You didn’t actually include the log or configuration files that you said
you did. However I suspect you’re running version 0.08 of ExternalAuth
which is known not to work with RT 3.8.9. You should download and
install ExternalAuth 0.08_01 from CPAN at the link below. 0.08_01 is a
developer release containing a known fix for the problem.

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz

Thomas

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Thomas
Sibley Sent: Thursday, April 07, 2011 6:33 PM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth,Possible Configuration Issue?

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Sorry for the bump to this topic, just needed to see if anyone can
still assist with this issue. If this is a problem with the module
itself, what would be another possible workaround for getting LDAP
connected?

You didn’t actually include the log or configuration files that you
said you did. However I suspect you’re running version 0.08 of
ExternalAuth which is known not to work with RT 3.8.9. You should
download and install ExternalAuth 0.08_01 from CPAN at the link
below. 0.08_01 is a developer release containing a known fix for the
problem.

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAu
th-0.08_01.tar.gz

Thomas

Hey Thomas,

Thanks a lot for the information, I went ahead and queried the cpan
packages and you are
correct I am running:

RT::Authen::ExternalAuth 0.08

I will give try at downloading 0.08_01 and see how it goes. I did
include the logs
in another email, not sure if that one made the list. I am including the
logs on this
email (just in case anyone wants a quick glance at them), please do let
me know if they
do not go through (sometimes our AV server strips off attachments). If
they don’t I’ll
just do a pastebin from the logs I do have. I’ll make sure to update the
list with the
results.

Thanks,
Eli

config-and-logs.tar.gz (13.4 KB)

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Eli
Guzman Sent: Friday, April 08, 2011 10:36 AM To: Thomas Sibley;
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth,Possible Configuration Issue?

----Original Message----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Thomas
Sibley Sent: Thursday, April 07, 2011 6:33 PM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth,Possible Configuration Issue?

== TL/DR ==

Installed RT 3.8.9 on a test RHEL server, and cannot seem to get
RT::Authen::ExternalAuth to properly work, please help!

Sorry for the bump to this topic, just needed to see if anyone can
still assist with this issue. If this is a problem with the module
itself, what would be another possible workaround for getting LDAP
connected?

You didn’t actually include the log or configuration files that you
said you did. However I suspect you’re running version 0.08 of
ExternalAuth which is known not to work with RT 3.8.9. You should
download and install ExternalAuth 0.08_01 from CPAN at the link
below.
0.08_01 is a developer release containing a known fix for the
problem.

http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAu

th-0.08_01.tar.gz

Thomas

Hey Thomas,

Thanks a lot for the information, I went ahead and queried the cpan
packages and you are correct I am running:

RT::Authen::ExternalAuth 0.08

I will give try at downloading 0.08_01 and see how it goes. I did
include the logs in another email, not sure if that one made the
list. I am including the logs on this email (just in case anyone
wants a quick glance at them), please do let me know if they do not
go through (sometimes our AV server strips off attachments). If they
don’t I’ll just do a pastebin from the logs I do have. I’ll make sure
to update the list with the results.

Thanks,
Eli

I went ahead and updated RT::Authen::ExternalAuth to version 0.8_01,
but for some reason I am still getting the same error as before:

[Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth
service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)
[Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:92)
[Fri Apr 8 23:34:13 2011] [debug]: Autohandler called ExternalAuth.
Response:
(0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)

So I am not sure what else could be causing the issue, I am guessing
that
this is a configuration issue at this point (as to where exactly the
issue
may be, that is the 64,000 dollar question).

I’ll continue to have a look and see if I can fix the issue, but I think

I may have to use an alternate method of connecting to AD (i.e. OpenLDAP

Synchronization from our AD server, or a manual overlay). If there is
any additional
insight on the problem please feel free to reply, as I’d be willing to
try other solutions
as needed.

Thanks,
Eli

[Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth
service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)
[Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with.
Nexting

This implies that the username you typed into the login box isn’t
getting to the plugin.

You did clear the mason cache when you updated the module, right?

-kevin

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin
Falcone Sent: Monday, April 11, 2011 8:00 AM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth, Possible Configuration Issue?

[Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth
service: My_LDAP

(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalA

ut h.pm:64)
[Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test
with. Nexting

This implies that the username you typed into the login box isn’t
getting to the plugin.

You did clear the mason cache when you updated the module, right?

-kevin

Hey Kevin,

No I did not clear the cache at that time, so I made sure to do so now:

[root@xx ~]# rm -fr /opt/rt3/var/mason_data/obj
[root@xx ~]# rm -rf /opt/rt3/var/mason_data/*

And then restarted httpd services, this goes ok, and once again I get
the
same message:

All of the “ExternalAuth” messages listed on the pastebin came up as I
opened the browser,
with our designated test domain user named “jjdoe”.

On the pastebin you may also notice that there is a message when httpd
services are initializing
stating that "RT’s GnuPG libraries couldn’t successfully read your
configured GnuPG home directory"
and thereupon Disables PGP support for RT. Could this have something to
do with the
RT::Authen::ExternalAuth error?

[Mon Apr 11 16:30:02 2011] [debug]: RT’s GnuPG libraries couldn’t
successfully read your
configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has
been disabled /opt/rt3/bin/…/lib/RT/Config.pm:449)

If there is anything else I can try please let me know.

Thanks,
Eli

On the pastebin you may also notice that there is a message when httpd
services are initializing
stating that "RT’s GnuPG libraries couldn’t successfully read your
configured GnuPG home directory"
and thereupon Disables PGP support for RT. Could this have something to
do with the
RT::Authen::ExternalAuth error?

Nope, this is completely unrelated to ExternalAuth.

If there is anything else I can try please let me know.

Please send the output of: ls -lR
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/

Thomas

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Thomas
Sibley Sent: Monday, April 11, 2011 11:06 AM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth,Possible Configuration Issue?> On 04/11/2011 12:43 PM, Eli Guzman wrote:

On the pastebin you may also notice that there is a message when
httpd services are initializing stating that "RT’s GnuPG libraries
couldn’t successfully read your configured GnuPG home directory"
and thereupon Disables PGP support for RT. Could this have something
to do with the RT::Authen::ExternalAuth error?

Nope, this is completely unrelated to ExternalAuth.

If there is anything else I can try please let me know.

Please send the output of: ls -lR
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/

Thomas

Hey Thomas,

Here it is:

I think I see where you are going, maybe the permissions under the:

_/autohandler,
_/Elements/Header

directories could be incorrect?

Thanks,
Eli

I think I see where you are going, maybe the permissions under the:

_/autohandler,
_/Elements/Header

directories could be incorrect?

This is unlikely to be a problem, or nothing would run, but you should
check it anyway.On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote:

[Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth
service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)
[Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with.
Nexting

You are basically at the point where you need to start enhancing this
debugging line to include more about what was captured from the form
so you can figure out why the username isn’t available.

-kevin

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin
Falcone Sent: Wednesday, April 13, 2011 7:50 AM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users]
RT::Authen::ExternalAuth, Possible Configuration Issue?> On Mon, Apr 11, 2011 at 11:22:19AM -0600, Eli Guzman wrote:

I think I see where you are going, maybe the permissions under the:

_/autohandler,
_/Elements/Header

directories could be incorrect?

This is unlikely to be a problem, or nothing would run, but you
should check it anyway.

On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote:

[Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/Externa
lAut h.pm:64)
[Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test
with. NextingHey Thomas (and Kevin)

You are basically at the point where you need to start enhancing this
debugging line to include more about what was captured from the form
so you can figure out why the username isn’t available.

-kevin

Thanks Kevin, adjusting the permissions to the file may have worked as
we are now able to authenticate via LDAP (there is no automatic log-on,
the users just need to enter their credentials, however it is pulling
user information via the module properly).

Oddly enough even though the Auth piece is working, when a user within
the RTUsers group (via AD) accesses the RT main login page, on the
’rt.log’ I still get the same error:

[Tue Apr 12 23:37:15 2011] [debug]: SSO Failed and no user to test with.
Nexting
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:92)

But as I stated, at least now I can actually authenticate, so my
question is could this then just be related to a misconfigured
RT_SiteConfig.pm file? I did make some changes to the file as well, and
this change could have had an effect as well, since previous to the
change, authentication was not taking place (besides just adjusting the
permissions of the files).

Here is my RT_SiteConfig (for the Auth plug-in) as well, perhaps
something listed in this file is incorrect:

http://pastebin.com/zEF44vHr

I’ll go ahead and enhance the debug line a bit more, and once I have
that information I will post it.

Thanks,
Eli