RT::Authen::ExternalAuth

Morning people.

So, thanks to Lloyd, we are one step further forward with this issue of
failing to autocreate accounts and the explanation makes a certain
amount of sense.

For anyone else experiencing the same problem (log showing: “[info]:
Autocreated authenticated user foobar ( )”), can you confirm whether
there’s any chance that a user already exists in RT with the username
and/or e-mail address of the user you’re trying to auto-create?

Also, it’s prompted me to think about the config directive
attr_match_list. Technically this directive determines what fields
should be unique to every single user and is somewhat legacy to the
original LDAP implementations. At the moment, this is the default:

'attr_match_list' => [ 'Name',
                       'EmailAddress',
                       'RealName',
                       'WorkPhone',
                       'Address2'
                     ],

This was a mistake and as of the next release the default will be:

'attr_match_list' => [ 'Name',
                       'EmailAddress',
                     ],

because, really, the only things that should not be allowed to be the
same for any two users are the username and e-mail address. I don’t
necessarily think this is going to be causing the problem, but it
certainly doesn’t help, and I recommend to anyone that you reduce your
attr_match_list as above - it may even speed up your user lookups a tiny
bit depending on how your install is being used.

So, in summary… of all the people experiencing the original problem, do
you get the same problem with a clean user database?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Has anyone used RT::Authen::ExternalAuth for integrating with Active
Directory? I am getting errors on installing RT::Authen::ExternalAuth

I ran the following command ( cpan -i RT::Authen::ExternalAuth ); During
installation, it asked for path to your RT.pm, which I entered as
/data/rt3/lib

Soon after, it failed with the following error.

No 'Makefile' created ZORDRAK/RT-Authen-ExternalAuth-0.08.tar.gz
/usr/bin/perl Makefile.PL -- NOT OK
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install

Any ideas?

Thanks, vm

testwreq wreq wrote:

> Has anyone used RT::Authen::ExternalAuth for integrating with Active
> Directory?

That’s primarily what it’s for.

> I ran the following command ( cpan -i RT::Authen::ExternalAuth ); During
> installation, it asked for path to your RT.pm, which I entered as
> /data/rt3/lib

Follow the manual install instructions.
Kind Regards,

Mike Peachey, IT Systems Administrator
Low Power RF Solutions (formerly Jennic Ltd.)
NXP Semiconductors
Furnival Street, Sheffield, S1 4QT, UK
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Comp Reg No: 3191371 - Registered In England
http://www.nxp.com http://www.jennic.com

Hello Mike,
This is for integrating our Active Directory with RT.

To install ExternalAuth, I ran the following command ( cpan -i
RT::Authen::ExternalAuth ); During installation, it asked for path to your
RT.pm, which I entered as /data/rt3/lib

Soon after, it failed with the following error.

No 'Makefile' created ZORDRAK/RT-Authen-ExternalAuth-0.08.tar.gz
/usr/bin/perl Makefile.PL -- NOT OK
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install

Any ideas?

Thanks, vm


testwreq wreq wrote:

> To install ExternalAuth, I ran the following command ( cpan -i
> RT::Authen::ExternalAuth ); During installation, it asked for path to
> your RT.pm, which I entered as /data/rt3/lib
>
> Any ideas?
>
> > I ran the following command ( cpan -i RT::Authen::ExternalAuth );
>
> Follow the manual install instructions.

Follow the manual install instructions. NOT cpan.
Kind Regards,

Mike Peachey, IT Systems Administrator
Low Power RF Solutions (formerly Jennic Ltd.)
NXP Semiconductors
Furnival Street, Sheffield, S1 4QT, UK
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Comp Reg No: 3191371 - Registered In England
http://www.nxp.com http://www.jennic.com

make command in the manual installation results in
make: *** No targets specified and no makefile found. Stop.
What does this mean?


[root@devwww RT-Authen-ExternalAuth-0.08]# ls -l
total 64
-rwxr-xr-x 1 1177 wheel 10019 Jan 24 2009 ChangeLog
drwxr-xr-x 2 root root 4096 Jan 24 2009 etc
drwxr-xr-x 3 root root 4096 Jan 24 2009 html
drwxr-xr-x 3 root root 4096 Jan 24 2009 inc
drwxr-xr-x 3 root root 4096 Jan 24 2009 lib
-rwxr-xr-x 1 1177 wheel 18018 Nov 7 2008 LICENSE
-rwxr-xr-x 1 root root 499 Jan 18 2009 Makefile.PL
-rwxr-xr-x 1 root root 554 Jan 18 2009 MANIFEST
-rwxr-xr-x 1 root root 415 Jan 16 2009 META.yml
-rwxr-xr-x 1 1177 wheel 3005 Jan 20 2009 README
[root@devwww RT-Authen-ExternalAuth-0.08]#
[root@devwww RT-Authen-ExternalAuth-0.08]# make
make: *** No targets specified and no makefile found. Stop.
[root@devwww RT-Authen-ExternalAuth-0.08]#


> make command in the manual installation results in
> make: *** No targets specified and no makefile found. Stop.
> What does this mean?

Look through the README file for manual installation instructions.

-kevin

I was able to install it manually.

I have set up the RT_SiteConfig.pm file. ExternalAuth does land on the login page
to RT, but when I put my Active Directory username/password in there, it
does not authenticate. It gave me the below error

[Fri Aug 6 18:49:57 2010] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind:
LDAP_INVALID_CREDENTIALS 49
(/data/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)

[Fri Aug 6 18:49:57 2010] [error]: FAILED LOGIN for vibha from
130.245.14.200 (/data/rt3/share/html/autohandler:268)

It is pointing to LDAP.pm. Do you think I have to change anything there?

regards,
vm

My SiteConfig is changed as follows:

    # Tell RT to read the plugin for External Authentication.
    Set(@Plugins,qw(RT::Authen::ExternalAuth));
    Set($ExternalAuthPriority, ['My_LDAP']);
    Set($ExternalInfoPriority, ['My_LDAP']);

    # Tell RT to trust the webserver to handle authentication.
    Set($WebExternalAuth, 3);

    # If this is set to true, then the relevant packages will be loaded to use
    # SSL/TLS connections. At the moment this just means "use Net::SSLeay;"
    Set($ExternalServiceUsesSSLorTLS, 1);

    # If the webserver hands RT a user RT is not familiar with, RT should just
    # go ahead and create an account
    Set($AutoCreateNonExternalUsers, 1);

    Set($ExternalSettings, {
        'My_LDAP' => {   ## GENERIC SECTION
            'type'            => 'ldap',
            'server'          => 'ad.hostname',
            # 'user'          => 'ldapuser',
            'user'            => 'CN=Recruit LDAP user,OU=Users,OU=SysStaff,OU=sb,DC=cs,DC=sb,DC=edu',
            'pass'            => 'xxx',
            'base'            => 'ou=sb,dc=cs,dc=sb,DC=edu',
            'filter'          => '((&(objectCategory=Users)))',
            'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'tls'             => 1,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            #'group'          => 'GROUP_NAME',
            #'group_attr'     => 'GROUP_ATTR',
            'attr_match_list' => [ 'Name',
                                   'EmailAddress'
                                 ],
            'attr_map'        => { 'Name'         => 'sAMAccountName',
                                   'EmailAddress' => 'mail'
                                 }
        }
    }
    );

    1;

END

> I was able to install it manually.
>
> I have set up the RT_SiteConfig.pm file. ExternalAuth does land on the login page to RT, but when I
> put my Active Directory username/password in there, it does not authenticate. It gave me the
> below error
>
> [Fri Aug 6 18:49:57 2010] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t
> bind: LDAP_INVALID_CREDENTIALS 49
> (/data/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
>
> [Fri Aug 6 18:49:57 2010] [error]: FAILED LOGIN for vibha from 130.245.14.200
> (/data/rt3/share/html/autohandler:268)
>
> It is pointing to LDAP.pm. Do you think I have to change anything there?

Your username/password don’t work
Try logging in using the commandline ldapsearch tool, when that works,
RT-Authen-ExternalAuth should work with the same username/pass

-kevin

I have been searching all day long and I am having some issues getting
this running. Here is a quick copy of my RT_SiteConfig.pm:

    Set(@Plugins, qw(RT::Authen::ExternalAuth));
    Set(@Plugins, qw(RTx::Calendar));
    Set($LogToFile,'debug');
    Set($TrustHTMLAttachments, 1);
    Set($ExternalAuthPriority, [ 'My_LDAP'
                               ]
    );
    Set($ExternalInfoPriority, [ 'My_LDAP'
                               ]
    );
    Set($ExternalServiceUsesSSLorTLS, 0);
    Set($AutoCreateNonExternalUsers, 0);
    Set($ExternalSettings, {
        # AN EXAMPLE DB SERVICE
        'My_MySQL' => {   ## GENERIC SECTION
            'type'            => 'mysql',
            'server'          => 'localhost',
            'database'        => 'rt3',
            'table'           => 'USERS_TABLE',
            'user'            => 'rt_user',
            'pass'            => 'blahblah',
            'port'            => '3306',
            'dbi_driver'      => 'mysql',
            'u_field'         => 'username',
            'p_field'         => 'password',
            'p_enc_pkg'       => 'Crypt::MySQL',
            'p_enc_sub'       => 'password',
            'd_field'         => 'disabled',
            'd_values'        => ['0'],
            'attr_match_list' => [ 'Gecos',
                                   'Name'
                                 ],
            'attr_map'        => { 'Name'           => 'username',
                                   'EmailAddress'   => 'email',
                                   'ExternalAuthId' => 'username',
                                   'Gecos'          => 'userID'
                                 }
        },
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP' => {   ## GENERIC SECTION
            'type'            => 'ldap',
            'server'          => 'iesicorp.tf.prv',
            'user'            => 'cn=user,dc=tf,dc=prv',
            'pass'            => 'blahblah',
            'base'            => 'dc=tf,dc=prv',
            'filter'          => '(objectClass=user)',
            'd_filter'        => '(objectClass=FooBarBaz)',
            'tls'             => 0,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            'group'           => 'Domain Users',
            'group_attr'      => 'memberof',
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'WorkPhone',
                                   'Address2'
                                 ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map'        => { 'Name'           => 'sAMAccountName',
                                   'EmailAddress'   => 'mail',
                                   'Organization'   => 'physicalDeliveryOfficeName',
                                   'RealName'       => 'cn',
                                   'ExternalAuthId' => 'sAMAccountName',
                                   'Gecos'          => 'sAMAccountName',
                                   'WorkPhone'      => 'telephoneNumber',
                                   'Address1'       => 'streetAddress',
                                   'City'           => 'l',
                                   'State'          => 'st',
                                   'Zip'            => 'postalCode',
                                   'Country'        => 'co'
                                 }
        },
    });

When I restart apache2 everything works fine. I see no errors. Yet
when I log into the web page I get this:

[Tue Aug 31 21:44:27 2010] [info]: Successful login for pbarton from
192.168.10.60 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:430)

I check the “System Configuration” and I see no reference to
RT::Authen::ExternalAuth anywhere in there. From all the logs it does
not even appear that I am loading this plugin.

BTW, I am running Ubuntu 8.0.4 LTS and RT version 3.8.6 and I installed
RT::Authen::ExternalAuth from cpan version 0.08.

I have successfully run the “rt_logins_email2ldap” script and was able
to make all the necessary changes to accommodate the change from local
user auth to LDAP auth. Any help anyone can provide I would be greatly
appreciative.

Thanks,

Peter Barton

Peter,

Looks like you have two plugin lines:

Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set(@Plugins, qw(RTx::Calendar));

Try:
Set(@Plugins,(qw(RT::Authen::ExternalAuth RTx::Calendar)));

Your second plugin line is overwriting the first one.

-Dan

RT Training in Washington DC, USA on Oct 25& 26 2010
Last one this year – Learn how to get the most out of RT!
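
A lint for the two configuration points raised in this thread: repeated Set(@Plugins, ...) lines, where the later call replaces the earlier one so the authentication plugin is never loaded, and an attr_match_list wider than Name and EmailAddress. This is an added example, not code from RT or from any poster; the function names and the sample config are constructed for illustration, and the regex parsing assumes the simple Set(...) layout shown in the posts.

```python
import re

# Constructed sample reproducing the patterns posted in the thread.
SAMPLE_CONFIG = """\
Set(@Plugins, qw(RT::Authen::ExternalAuth));
Set(@Plugins, qw(RTx::Calendar));
Set($LogToFile,'debug');
# Set(@Plugins, qw(Some::Disabled::Plugin));
Set($ExternalAuthPriority, [ 'My_LDAP'
                           ]
);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
    },
});
"""

# Set(<sigil><name>, <value>);  The value may span several lines.
SET_CALL = re.compile(r"^[ \t]*Set\(\s*([@$%]\w+)\s*,(.*?)\)\s*;", re.M | re.S)

# The reduced list recommended earlier in the thread.
RECOMMENDED_MATCH = ("Name", "EmailAddress")


def _blank_comment_lines(text):
    """Blank out full-line '#' comments while keeping line numbers stable."""
    return "\n".join("" if line.lstrip().startswith("#") else line
                     for line in text.split("\n"))


def find_set_calls(text):
    """Return (option, line_number, raw_value) for every Set() call."""
    cleaned = _blank_comment_lines(text)
    calls = []
    for m in SET_CALL.finditer(cleaned):
        line_no = cleaned.count("\n", 0, m.start(1)) + 1
        calls.append((m.group(1), line_no, m.group(2).strip()))
    return calls


def overwritten_settings(text):
    """Map each option that is set more than once to the lines that set it."""
    seen = {}
    for name, line_no, _ in find_set_calls(text):
        seen.setdefault(name, []).append(line_no)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}


def _plugin_names(raw_value):
    """Extract module names from qw(...) or from a quoted list."""
    m = re.search(r"qw\s*\(([^)]*)\)", raw_value)
    if m:
        return m.group(1).split()
    return re.findall(r"['\"]([\w:]+)['\"]", raw_value)


def effective_plugins(text):
    """Plugins left after all calls: the last Set(@Plugins, ...) wins."""
    values = [v for n, _, v in find_set_calls(text) if n == "@Plugins"]
    return _plugin_names(values[-1]) if values else []


def merged_plugins_line(text):
    """Build one Set(@Plugins, ...) line naming every plugin any call listed."""
    names = []
    for n, _, v in find_set_calls(text):
        if n == "@Plugins":
            names += [p for p in _plugin_names(v) if p not in names]
    return "Set(@Plugins, qw(%s));" % " ".join(names)


def extra_match_attrs(text):
    """For each attr_match_list, list the attributes beyond Name/EmailAddress."""
    cleaned = _blank_comment_lines(text)
    result = []
    pattern = r"['\"]attr_match_list['\"]\s*=>\s*\[(.*?)\]"
    for body in re.findall(pattern, cleaned, re.S):
        attrs = re.findall(r"['\"](\w+)['\"]", body)
        result.append([a for a in attrs if a not in RECOMMENDED_MATCH])
    return result


if __name__ == "__main__":
    for name, lines in overwritten_settings(SAMPLE_CONFIG).items():
        print("%s is set on lines %s; only the last call takes effect"
              % (name, lines))
    print("effective plugins:", effective_plugins(SAMPLE_CONFIG))
    print("suggested line:  ", merged_plugins_line(SAMPLE_CONFIG))
    print("extra match attrs:", extra_match_attrs(SAMPLE_CONFIG))
```
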

Thanks a bunch Dan!! That did the trick perfectly! I am now able to
authenticate successfully from AD and from the local system.

Since it was so easy for you to spot my problem maybe you can help me
with one more request. Like I said at the end of my last email I have
run the “rt_logins_email2ldap” script and everyone has appropriate
usernames to match AD. Is there a way to have RT go through and
populate all the user information for each of the users that already
exist in my system? Or is this supposed to be a dynamic step? When I
open a ticket that existed prior to the installation of
RT::Authen::ExternalAuth the user information is not populated with
anything.

Any direction you can give would be greatly appreciated.

Thanks in advance,

Peter Barton

As far as I know, this only gets updated when the user goes to login.
However, I’m sure it’s also very easily scriptable to pull rt3.Users and
then pull the users from LDAP (AD) and update the user via sql in
rt3.Users. Whether this would end up breaking anything, I’m not sure as
this is just off the top of my head thinking, but I wouldn’t think so.

Just a thought.

-Dan

I think this is what you need

RT-Extension-LDAPImport (in case the url gets stripped).

It’s what I use along with the externalauth, that way I import all the users. I then run the script nightly to import changes. The external auth plugin will also update the details when the login. But you can’t assign permissions to a user that’s never logged in.

> I think this is what you need
> RT-Extension-LDAPImport-0.36 - Import Users from an LDAP store - metacpan.org
> RT-Extension-LDAPImport (in case the url gets stripped).
>
> It’s what I use along with the externalauth, that way I import all
> the users. I then run the script nightly to import changes. The
> external auth plugin will also update the details when the login.

LDAPImport is what I often recommend for folks, there is current work
in the git repo that should be looked at if you’re missing features.

> But you can’t assign permissions to a user that’s never logged in.

If you run LDAPImport, that user should be there to find and make
privileged so you can grant them rights

-kevin

> > But you can’t assign permissions to a user that’s never logged in.
>
> If you run LDAPImport, that user should be there to find and make privileged so you can grant them rights

Sorry, that’s what I meant. If you just use the external auth plugin you can’t assign them permissions until they have logged in, unless you are using ldapimport.

Can you point me in the direction of the current work in the git repo so I can take a look?

> > > But you can’t assign permissions to a user that’s never logged in.
> >
> > If you run LDAPImport, that user should be there to find and make privileged so you can grant them rights
>
> Sorry, that’s what I meant. If you just use the external auth plugin you can’t assign them permissions until they have logged in, unless you are using ldapimport.

Ok, good, just wanted to clarify for the list archives.

> Can you point me in the direction of the current work in the git repo so I can take a look?

It is due for a developer’s release, but that hasn’t been a priority

-kevin

> > > But you can’t assign permissions to a user that’s never logged in.
> >
> > If you run LDAPImport, that user should be there to find and make
> > privileged so you can grant them rights
>
> Sorry, that’s what I meant. If you just use the external auth plugin
> you can’t assign them permissions until they have logged in, unless you
> are using ldapimport.

Ok, good, just wanted to clarify for the list archives.

> Can you point me in the direction of the current work in the git repo
> so I can take a look?

GitHub - bestpractical/rt-extension-ldapimport

It is due for a developer’s release, but that hasn’t been a priority

-kevin

After I wrote this email earlier I did some searches and found the
LDAPImport script. I have messed with it all day and now have it
working pretty reliably. I have two questions though.

  1. If I try to search from the top of my AD Tree the script crashes and
    says the search is too large, so I am forced to run this multiple times
    and refine my baseDN each time. Anyone know of a way to increase the
    size of the search so I can do my entire tree each night?

  2. I have Custom Fields added to my user information ( Manager, Title )
    and I was wondering if the LDAPImport script can import into the custom
    fields?

Thanks for any help,

Peter Barton

> After I wrote this email earlier I did some searches and found the
> LDAPImport script. I have messed with it all day and now have it
> working pretty reliably. I have two questions though.
>
>   1. If I try to search from the top of my AD Tree the script crashes and
>     says the search is too large, so I am forced to run this multiple times
>     and refine my baseDN each time. Anyone know of a way to increase the
>     size of the search so I can do my entire tree each night?

How many users? I have it importing/updating 50-60K users without
issue.

>   2. I have Custom Fields added to my user information ( Manager, Title )
>     and I was wondering if the LDAPImport script can import into the custom
>     fields?

CF.Foo should work

patches for README welcome

-kevin