RT::Authen::ExternalAuth problem

Hi Folks,

I’ve been passed a working RT 3.6.6 and asked to add the LDAP
component so that we can authenticate against an Active Directory
server.

So I’ve installed the RT::Authen::ExternalAuth module from CPAN and
used my google-fu to get the configuration started, however at this
point I’m stymied.

Right now local users authenticate, but AD users do not.

When I attempt to authenticate as an AD user, I get these errors:

Sep 19 15:25:59 rt RT: Transaction->Create couldn’t, as you didn’t specify an object type and id (/opt/rt3/lib/RT/Record.pm:1486)
Sep 19 15:25:59 rt RT: My_LDAP AUTH FAILED: gridwayAdmin User not found or more than one user found (/opt/rt3/local/lib/RT/User_Vendor.pm:208)
Sep 19 15:25:59 rt RT: RT::User::IsExternalPassword External Auth Failed: gridwayAdmin (/opt/rt3/local/lib/RT/User_Vendor.pm:294)
Sep 19 15:25:59 rt RT: RT::User::IsInternalPassword AUTH FAILED (no passwd): gridwayAdmin (/opt/rt3/local/lib/RT/User_Vendor.pm:305)

I know that RT is connecting to the AD because when I change the connecting
password, I get the error:

Sep 19 15:24:47 rt RT: RT::User::_GetBoundLdapObj Can’t bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

So I’m presuming I have either incorrectly defined my ‘base’, my
‘filter’, my ‘d_filter’, or my ‘group’.

Here’s what I have. I have a domain, abcsystems.com. Inside
abcsystems.com I have a folder ABC, and under there a folder Users
which is where all the users are. I want to restrict access to users
who are members in the group ‘Request Tracker Users’.

So my definitions look like:

[…]

'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
'filter' => '(objectclass=Person)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
'group' => 'Request Tracker Users',

[…]

I’m probably doing something trivially wrong here since I’m not
familiar with LDAP or AD in any depth.

Can someone point me at a web page that can get me started to
figure this out?

Thank you.

/\oo/
/ /()\ \ David Mackintosh |
dave@xdroop.com | http://www.xdroop.com

I can see two things worth pointing out here… but there may be more and
so it might be worth providing me/us with your full RT_SiteConfig.pm
(sanitised of course).

Sep 19 15:24:47 rt RT: RT::User::_GetBoundLdapObj Can’t bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

This means one of three things:

  1. You have specified a user and pass for LDAP in the configuration that
    is not valid.

  2. AD is somehow configured to only allow search by anonymous bind.

  3. This can be caused by certain versions of Perl Net::LDAP - what
    version do you have?

So I’m presuming I have either incorrectly defined my ‘base’, my
‘filter’, my ‘d_filter’, or my ‘group’.

[…]

'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
'filter' => '(objectclass=Person)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
'group' => 'Request Tracker Users',

[…]

An LDAP group is a container like anything else, so you will almost
certainly need to specify the full container like this:

'group' => 'cn=Request Tracker Users,ou=Groups,ou=ABC,dc=abcsystems,dc=com',

As I said, it would be easier to see with the full config.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

So my definitions look like:

[…]

'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
'filter' => '(objectclass=Person)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
'group' => 'Request Tracker Users',

[…]

Partially working: if I change ‘base’ to ‘dc=abcsystems,dc=com’, and
comment out the ‘group’ field, I can log in with my AD credentials.
So now my only authentication problem is how to specify the ‘group’
parameter.

I did notice when poking around that the AD user has no privileges by
default except to create a new ticket – and this user doesn’t appear
in the RT user list such that I can apply privileges to it. Is there
a link someone can provide that can show me what privs I need to
assign, and where, to get going?

/\oo/
/ /()\ \ David Mackintosh |
dave@xdroop.com | http://www.xdroop.com

David Mackintosh wrote:

So my definitions look like:

[…]

'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
'filter' => '(objectclass=Person)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
'group' => 'Request Tracker Users',

[…]

Partially working: if I change ‘base’ to ‘dc=abcsystems,dc=com’, and
comment out the ‘group’ field, I can log in with my AD credentials.

It’s the commenting out of the group that will do it; your base was fine so
long as it reflects actual OUs in your AD config.

So now my only authentication problem is how to specify the ‘group’
parameter.

As before, try specifying the full container id.

I did notice when poking around that the AD user has no privileges by
default except to create a new ticket

Set($AutoCreate, {Privileged => 0});
Autocreated users are unprivileged.

Set($AutoCreate, {Privileged => 1});
Autocreated users are privileged.

– and this user doesn’t appear
in the RT user list such that I can apply privileges to it. Is there
a link someone can provide that can show me what privs I need to
assign, and where, to get going?

This is simply a misunderstanding. By default, the list of users only
shows privileged users because in many RT installations there may be
thousands or millions of users who’ve raised support tickets, but only a
few users that are support staff that might need to be played around with.

In the users search page, try specifying this search precisely:

“Find users whose username isn’t farfegnugen”

That should show you all users and then allow you to modify them.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
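The three points argued in this thread (a ‘base’ that is too narrow hides users, the ‘d_filter’ with the 1.2.840.113556.1.4.803 matching rule screens out disabled accounts, and ‘group’ has to be a full DN rather than a bare name) can be dry-run offline before touching RT_SiteConfig.pm. The script below is an added example written for this thread; it is not code from RT::Authen::ExternalAuth, and it makes two assumptions that are labelled in the comments: that the module searches ‘base’ with subtree scope and treats anything matching ‘d_filter’ as disabled, and that a group restriction resolves by comparing the configured DN against the users’ memberOf values (the real module may instead read the group's member attribute). The directory entries, the userAccountControl values (512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE) and the names are constructed.

```python
"""Dry-run an RT::Authen::ExternalAuth-style LDAP config against constructed AD entries.

Assumptions (not taken from the module's source): 'base' is searched with subtree
scope, entries matching 'd_filter' count as disabled, and a 'group' restriction is
resolved by comparing the configured DN with each user's memberOf values.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # Microsoft's bitwise-AND extensible match rule
ACCOUNTDISABLE = 0x2                      # userAccountControl bit tested by the thread's d_filter


def parse_dn(dn):
    """Split a simple DN (no escaped commas) into lowercase (attr, value) pairs, leaf first."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def is_full_dn(value):
    """A DN has attr=value in every component; a bare name like 'Request Tracker Users' does not."""
    return all("=" in rdn for rdn in value.split(","))


def is_under(dn, base):
    """Subtree-scope check: is `dn` at or below `base`?"""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def _split_top(s):
    """Split '(a)(b)(c)' into its top-level parenthesised pieces."""
    parts, depth, start = [], 0, 0
    for i, c in enumerate(s):
        if c == "(":
            if depth == 0:
                start = i
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def eval_filter(flt, entry):
    """Evaluate the filter subset used in the thread: &, |, !, equality, and the bitwise-AND rule."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [eval_filter(sub, entry) for sub in _split_top(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", body)
    attr, rule, val = m.group(1).lower(), m.group(2), m.group(3)
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:
        mask = int(val)                               # matches when every bit of the mask is set
        return any(int(v) & mask == mask for v in values)
    return any(str(v).lower() == val.lower() for v in values)  # AD string matching is case-insensitive


def allowed_users(config, entries):
    """sAMAccountNames in scope of 'base', matching 'filter', not matching 'd_filter', and in 'group' if set."""
    group = config.get("group")
    if group is not None and not is_full_dn(group):
        raise ValueError("'group' must be a full DN, e.g. cn=...,ou=...,dc=...,dc=...")
    users = []
    for e in entries:
        if not is_under(e["dn"], config["base"]):
            continue
        if not eval_filter(config["filter"], e) or eval_filter(config["d_filter"], e):
            continue
        if group and not any(m.lower() == group.lower() for m in e.get("memberof", [])):
            continue
        users.append(e["samaccountname"][0])
    return users


# Constructed directory: attribute names lowercased, values as lists, as an LDAP result returns them.
GROUP_DN = "cn=Request Tracker Users,ou=Groups,ou=ABC,dc=abcsystems,dc=com"
PERSON = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"dn": "CN=Alice Example,OU=Users,OU=ABC,DC=abcsystems,DC=com", "objectclass": PERSON,
     "samaccountname": ["alice"], "useraccountcontrol": [512], "memberof": [GROUP_DN]},
    {"dn": "CN=Bob Example,OU=Users,OU=ABC,DC=abcsystems,DC=com", "objectclass": PERSON,
     "samaccountname": ["bob"], "useraccountcontrol": [514], "memberof": [GROUP_DN]},    # 512 | ACCOUNTDISABLE
    {"dn": "CN=Carol Example,OU=Contractors,DC=abcsystems,DC=com", "objectclass": PERSON,
     "samaccountname": ["carol"], "useraccountcontrol": [512], "memberof": []},          # outside ou=Users,ou=ABC
]

# The thread's configuration and the variants discussed in it.
ORIGINAL = {"base": "ou=Users,ou=ABC,dc=abcsystems,dc=com", "filter": "(objectclass=Person)",
            "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)", "group": "Request Tracker Users"}
NO_GROUP = dict(ORIGINAL, group=None)                       # 'group' commented out
WIDE_NO_GROUP = dict(NO_GROUP, base="dc=abcsystems,dc=com")  # base widened to the domain root
FIXED = dict(WIDE_NO_GROUP, group=GROUP_DN)                  # group given as a full DN

if __name__ == "__main__":
    for name, cfg in [("NO_GROUP", NO_GROUP), ("WIDE_NO_GROUP", WIDE_NO_GROUP), ("FIXED", FIXED)]:
        print(name, allowed_users(cfg, ENTRIES))
    try:
        allowed_users(ORIGINAL, ENTRIES)
    except ValueError as err:
        print("ORIGINAL", err)
```

Run as a script, it shows that the narrow base admits only the accounts actually under ou=Users,ou=ABC, that widening the base also finds accounts elsewhere in the domain, that the disabled account is excluded by the bit-AND d_filter whatever the base, and that a bare group name is rejected because it can never equal a memberOf DN.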