RT-External Auth & RT 4.0

Hi,

I’ve replicated our production setup and upgraded it to 4.0 without a
problem. I’ve now thrown External Auth into the mix (new install via
cpan), and I’m having mixed results.

We have 2 directory systems - Open Directory (openldap) and Active Directory.

AD authenticates fine, but OD just will not authenticate at all.

Here’s my RT_SiteConfig.pm

Set($rtname, 'ourdomain');
Set($Organization , "ourdomain");
Set($WebPort, 80);# + ($< * 7274) % 32766 + ($< && 1024));
Set($WebDomain, 'rt2.ourdomain' );
my $port = RT->Config->Get('WebPort');
Set($WebBaseURL,
    ($port == 443? 'https': 'http') .'://'
    . RT->Config->Get('WebDomain')
    . ($port != 80 && $port != 443? ":$port" : '')
);
Set($MaxAttachmentSize , 10000000);
Set($MailCommand , 'sendmail');
Set($SendmailArguments , "-oi -t");
Set($CorrespondAddress , 'Request_Tracker');
Set($CommentAddress , 'Request_Tracker_Comment');
Set($HomePageRefreshInterval, 60);
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, [ 'My_AD', 'My_OD' ]);
Set($ExternalInfoPriority, [ 'My_AD', 'My_OD' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_OD' => {    ## ODMaster
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'osxmaster.b6fc.ac.uk',
        # The LDAP search base
        'base'   => 'cn=users,dc=osxmaster,dc=b6fc,dc=ac,dc=uk',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'   => '(description=staff)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(description=parent)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        #'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        #'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        #'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'cn', 'EmailAddress' => 'mail' },
    },

    'My_AD' => {    ## ADMaster
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'admaster.b6fc.ac.uk',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'blanked',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'blanked',
        # The LDAP search base
        'base'   => 'OU=Staff,DC=b6fc,DC=ac,DC=uk',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'   => '(description=staff)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(scriptPath=student.bat)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        #'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        #'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        #'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'All Staff',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName', 'EmailAddress' => 'mail' },
    }
});
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
1;
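An offline sanity check for a $ExternalSettings hash of the shape above, added here as an example and not taken from the thread, from RT or from RT::Authen::ExternalAuth. It assumes only Net::LDAP (which the extension already requires) and the per-service keys the config comments document (type, filter, d_filter, tls, user, attr_match_list, attr_map); the hash at the bottom is a constructed, trimmed copy of the two services in the config, with the bind credentials left as 'blanked'.

```perl
# Offline sanity check for an RT::Authen::ExternalAuth $ExternalSettings hash
# (added example, not from RT or the extension; needs only Net::LDAP). On the
# RT host, pass RT->Config->Get('ExternalSettings') to check_settings() instead.
use strict;
use warnings;
use Net::LDAP::Filter;

sub check_settings {
    my ($settings) = @_;
    my (@problems, %name_attr);   # %name_attr: service => LDAP attr behind RT's Name
    for my $svc (sort keys %$settings) {
        my $s = $settings->{$svc};
        next unless ($s->{type} // '') eq 'ldap';
        # The config comments insist on both a filter and a d_filter, each a
        # valid parenthesised LDAP filter; Net::LDAP::Filter->new returns undef otherwise.
        for my $key (qw(filter d_filter)) {
            if (!defined $s->{$key}) {
                push @problems, "$svc: missing '$key'";
            } elsif (!Net::LDAP::Filter->new($s->{$key})) {
                push @problems, "$svc: '$key' is not a valid LDAP filter: $s->{$key}";
            }
        }
        # Every RT attribute used for matching needs an attr_map entry.
        for my $attr (@{ $s->{attr_match_list} || [] }) {
            push @problems, "$svc: '$attr' is in attr_match_list but not in attr_map"
                unless $s->{attr_map} && $s->{attr_map}{$attr};
        }
        $name_attr{$svc} = $s->{attr_map}{Name} // '(none)';
        # A bind password with tls off travels to the directory in clear text.
        push @problems, "$svc: 'user'/'pass' set but 'tls' is off"
            if defined $s->{user} && !$s->{tls};
    }
    # Services that derive RT's Name from different LDAP attributes (cn vs
    # sAMAccountName here) can yield the same Name for two different people,
    # one way to hit "Name in use" when the second account is created.
    my %distinct = map { $_ => 1 } values %name_attr;
    push @problems, 'RT Name comes from different attributes per service: '
        . join(', ', map { "$_=$name_attr{$_}" } sort keys %name_attr)
        if keys %distinct > 1;
    return @problems;
}
# Constructed sample: a trimmed copy of the page's two services.
my %settings = (
    My_OD => { type => 'ldap', server => 'osxmaster.b6fc.ac.uk',
               base => 'cn=users,dc=osxmaster,dc=b6fc,dc=ac,dc=uk',
               filter => '(description=staff)', d_filter => '(description=parent)',
               attr_match_list => [ 'Name', 'EmailAddress' ],
               attr_map => { Name => 'cn', EmailAddress => 'mail' } },
    My_AD => { type => 'ldap', server => 'admaster.b6fc.ac.uk', user => 'blanked',
               pass => 'blanked', base => 'OU=Staff,DC=b6fc,DC=ac,DC=uk',
               filter => '(description=staff)', d_filter => '(scriptPath=student.bat)',
               attr_match_list => [ 'Name', 'EmailAddress' ],
               attr_map => { Name => 'sAMAccountName', EmailAddress => 'mail' } },
);
print "$_\n" for check_settings(\%settings);
```

On the sample it reports the AD bind credentials going over a non-TLS connection and the cn/sAMAccountName split behind RT's Name; it cannot tell whether a given user already exists in RT, which still needs a search of the Users table including disabled principals.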

AD users log in, but then do not show up in the users section so I can’t
assign them permissions.
OD users fail to log in with “Your username or password is incorrect”

The message in the log is: [Tue Jun 7 10:09:10 2011] [error]: Couldn't create user Staffuser: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)

The name is not in use however - anyone got any ideas?

Thanks.

Regards,

Guy

This email and any attachments are confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error. Emails are not secure and cannot be guaranteed to be free of errors or viruses. It is your responsibility to scan emails and attachments for viruses before opening them.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of The Blackpool Sixth Form College.

Scanned by MailMarshal - Marshal’s comprehensive email content security solution.
Download a free evaluation of MailMarshal at www.marshal.com

> AD users log in, but then do not show up in the users section so I can’t
> assign them permissions.
> OD users fail to log in with “Your username or password is incorrect”

They default to Unprivileged - search for them using the admin UI.

> The message in the log is: [Tue Jun 7 10:09:10 2011] [error]: Couldn't create user Staffuser: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
>
> The name is not in use however - anyone got any ideas?

How are you checking that it isn’t in use, have you searched for them
or are you just looking at the list of Privileged users?

-kevin

Hi,

Thanks for that - my AD users were unprivileged as you said they would be - letting them be assigned rights made them show in the list.

As far as the OD users are concerned, it’s still not working:

[Wed Jun 8 08:14:11 2011] [error]: Couldn't create user 070888: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Wed Jun 8 08:14:11 2011] [error]: FAILED LOGIN for 070888 from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
[Wed Jun 8 08:14:23 2011] [error]: FAILED LOGIN for A Weetman from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)

The usernames are not in use: searching for disabled users via the UI still doesn’t show them, and browsing the database tables via mysql does not show identical users either. Very strange.

Regards,

Guy


> Hi,
>
> Thanks for that - my AD users were unprivileged as you said they would be - letting them be assigned rights made them show in the list.
>
> As far as the OD users are concerned, it’s still not working:
>
> [Wed Jun 8 08:14:11 2011] [error]: Couldn't create user 070888: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
> [Wed Jun 8 08:14:11 2011] [error]: FAILED LOGIN for 070888 from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
> [Wed Jun 8 08:14:23 2011] [error]: FAILED LOGIN for A Weetman from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
>
> The usernames are not in use: searching for disabled users via the UI still doesn’t show them, and browsing the database tables via mysql does not show identical users either. Very strange.

That’s a different problem. You can’t have numerical usernames in RT.

-kevin

070888 is the shortname for A Weetman - neither of these seems to work.

I’m specifying the correct ldap attribute, it’s just not working!

Has anyone succeeded in getting external auth working with open directory?

Regards,

Guy


> 070888 is the shortname for A Weetman - neither of these seems to work.
>
> I’m specifying the correct ldap attribute, it’s just not working!
>
> Has anyone succeeded in getting external auth working with open directory?

Please show the error logs when you have RT creating an account with a
non-numeric attribute.

-kevin

Hi,

Apologies for the delay:

[Tue Jun 21 10:42:11 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: gbaxter@b6fc.ac.uk, Gecos: A Weetman, Name: gbaxter, Privileged: 0, RealName:  (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Tue Jun 21 10:42:11 2011] [error]: Couldn't create user A Weetman: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Tue Jun 21 10:42:11 2011] [error]: FAILED LOGIN for A Weetman from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)

Unsure what the first line is, as that’s my UPN account details from AD. The user I logged in as was A Weetman from OD.

Thanks

Regards,

Guy


Hi Guy,
This might be a problem with your attr_match_list, which is possibly done on Name and not just on user id / EmailAddress.

Can you verify this and report back?

Giuseppe


2011 Training: http://bestpractical.com/services/training.html

Giuseppe Sollazzo
Senior Systems Analyst
Computing Services
Information Services
St. George’s, University Of London
Cranmer Terrace
London SW17 0RE

Email: gsollazz@sgul.ac.uk
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583

Hello,

I’ve had such messages when a user already exists in my RT instance with the same email address, even if it is disabled... try searching your users list.

Raphaël



" This e-mail and any attached documents may contain confidential or
proprietary information. If you are not the intended recipient, you are
notified that any dissemination, copying of this e-mail and any attachments
thereto or use of their contents by any means whatsoever is strictly
prohibited. If you have received this e-mail in error, please advise the
sender immediately and delete this e-mail and all attached documents
from your computer system."

> [Tue Jun 21 10:42:11 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: gbaxter@b6fc.ac.uk, Gecos: A Weetman, Name: gbaxter, Privileged: 0, RealName:  (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
> [Tue Jun 21 10:42:11 2011] [error]: Couldn't create user A Weetman: Name in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
> [Tue Jun 21 10:42:11 2011] [error]: FAILED LOGIN for A Weetman from 192.164.0.67 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
>
> Unsure what the first line is, as that’s my UPN account details from AD. The user I logged in as was A Weetman from OD.

Are the usernames the same? Since it certainly seems that AD matched
and proceeded with auth. The extension should have logged the query
it ran in AD to do the match.

The other points in this thread about your attr_match_list and shared
email/usernames are well worth pursuing.

-kevin