RT & mysql / LDAP Auth

Hi - hoping someone can help me, I’m trying to get the
RT::Authen::ExternalAuth plugin to work so I can use LDAP for
authentication. Just using mysql at the moment, so want to keep this as
well. Running RT 3.8.5 on Centos, I’d like mysql auth first and then
LDAP next. I’ve managed to configure this without any errors and my
mysql authentication still works after a httpd restart. However LDAP
auth never works, I’m not that familiar with LDAP so am hoping if I
provide my config and rt.log below someone might be able to point me in
the right direction:

    # AN EXAMPLE LDAP SERVICE
    'My_LDAP'       =>  {   ## GENERIC SECTION
                            # The type of service (db/ldap/cookie)
                            'type'              =>  'ldap',
                            # The server hosting the service
                            'server'            =>  '172.17.2.1',
                            ## SERVICE-SPECIFIC SECTION
                            # If you can bind to your LDAP server anonymously you should
                            # remove the user and pass config lines, otherwise specify them here:
                            # The username RT should use to connect to the LDAP server
                            'user'              =>  'ldap-rt',
                            # The password RT should use to connect to the LDAP server
                            'pass'              =>  'xxxxxxxxx',
                            # The LDAP search base
                            'base'              =>  'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',
                            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                            # YOU **MUST** SPECIFY A filter AND A d_filter!!
                            # The filter to use to match RT-Users
                            'filter'            =>  '(objectClass=User)',
                            # A catch-all example filter: '(objectClass=*)'
                            # The filter that will only match disabled users
                            'd_filter'          =>  '(objectClass=FooBarBaz)',
                            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                            # Should we try to use TLS to encrypt connections?
                            'tls'               =>  0,
                            # SSL Version to provide to Net::SSLeay if using SSL
                            'ssl_version'       =>  3,
                            # What other args should I pass to Net::LDAP->new($host,@args)?
                            'net_ldap_args'     =>  [ version => 3 ],
                            # Does authentication depend on group membership? What group name?
                            'group'             =>  'GROUP_NAME',
                            # What is the attribute for the group object that determines membership?
                            'group_attr'        =>  'GROUP_ATTR',
                            ## RT ATTRIBUTE MATCHING SECTION
                            # The list of RT attributes that uniquely identify a user
                            # This example shows what you can specify... I recommend reducing this
                            # to just the Name and EmailAddress to save encountering problems later.
                            'attr_match_list'   =>  [   'Name',
                                                        'EmailAddress',
                                                        'RealName',
                                                        'WorkPhone',
                                                        'Address2'
                                                    ],
                            # The mapping of RT attributes on to LDAP attributes
                            'attr_map'          =>  {   'Name'           => 'sAMAccountName',
                                                        'EmailAddress'   => 'mail',
                                                        'Organization'   => 'physicalDeliveryOfficeName',
                                                        'RealName'       => 'cn',
                                                        'ExternalAuthId' => 'sAMAccountName',
                                                        'Gecos'          => 'sAMAccountName',
                                                        'WorkPhone'      => 'telephoneNumber',
                                                        'Address1'       => 'streetAddress',
                                                        'City'           => 'l',
                                                        'State'          => 'st',
                                                        'Zip'            => 'postalCode',
                                                        'Country'        => 'co'

And this is a complete log entry if I try to use my LDAP credentials:

[Sun May 9 10:10:24 2010] [debug]: RT’s GnuPG libraries couldn’t
successfully read your configured GnuPG home directory
(/opt/rt3/var/data/gpg). PGP support has been disabled
(/opt/rt3/bin/…/lib/RT/Config.pm:380)

[Sun May 9 10:10:24 2010] [debug]: Reloading RT::User to work around a
bug in RT-3.8.0 and RT-3.8.1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
th/autohandler/Auth:14)

[Sun May 9 10:10:24 2010] [debug]: Attempting to use external auth
service: My_MySQL
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)

[Sun May 9 10:10:24 2010] [debug]: Calling UserExists with $username
(jgrunnell) and $service (My_MySQL)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:105)

[Sun May 9 10:10:24 2010] [debug]: Disable Check Failed :: ( My_MySQL )
jgrunnell User not found
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/DBI.pm:234)

[Sun May 9 10:10:24 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)

[Sun May 9 10:10:24 2010] [debug]: Calling UserExists with $username
(jgrunnell) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:105)

[Sun May 9 10:10:24 2010] [debug]: UserExists params:

username: jgrunnell , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:274)

[Sun May 9 10:10:25 2010] [debug]: LDAP Search === Base:
ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,
sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:304)

[Sun May 9 10:10:25 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20
with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell,
Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:450)

[Sun May 9 10:10:25 2010] [debug]: Attempting to get user info using
this external service: My_MySQL
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:458)

[Sun May 9 10:10:25 2010] [debug]: Attempting to use this
canonicalization key: Gecos
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:472)

[Sun May 9 10:10:25 2010] [warning]: DBD::mysql::db selectall_hashref
failed: Unknown column ‘email’ in ‘field list’ at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth
/DBI.pm line 163, line 273.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/DBI.pm:163)

[Sun May 9 10:10:25 2010] [warning]: Issuing rollback() for database
handle being DESTROY’d without explicit disconnect() at
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth
/DBI.pm line 163, line 273.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/DBI.pm:163)

[Sun May 9 10:10:25 2010] [error]: FAILED LOGIN for jgrunnell from
212.103.233.1 (/opt/rt3/share/html/autohandler:268)

Thanks in advance.

Julian Grunnell
Unix Sys Admin
Webfusion Limited.

Phone:0208 587 7212
Mobile:07803649593
Email:Julian.Grunnell@webfusion.com

http://www.webfusion.com/

Bringing the world’s ideas online
Webfusion http://www.webfusion.com , 123-reg
http://www.123-reg.co.uk , Donhost http://www.donhost.co.uk ,
Supanames http://www.supanames.co.uk
Follow us on Twitter: Webfusion http://twitter.com/webfusion , 123-reg
http://twitter.com/123reg

This e-mail is subject to: Webfusion disclaimer
http://www.corporate.webfusion.co.uk/disclaimer
Please consider the environment before printing this email

Julian Grunnell wrote:

Hi - hoping someone can help me, I'm trying to get the
RT::Authen::ExternalAuth plugin to work so I can use LDAP for
authentication. Just using mysql at the moment, so want to keep this as
well. Running RT 3.8.5 on Centos, I'd like mysql auth first and then
LDAP next. I've managed to configure this without any errors and my
mysql authentication still works after a httpd restart. However LDAP
auth never works, I'm not that familiar with LDAP so am hoping if I
provide my config and rt.log below someone might be able to point me in
the right direction:

Looks like the whole thing is dying during the MySQL check.

  1. Provide the whole config
  2. Are you sure you’re supposed to be using ExternalAuth for MySQL auth?
    Are you actually using it to check against an external MySQL source, or
    are you trying to use MySQL to check RT’s own database?

Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

    # The username RT should use to connect to the LDAP server
    'user'      =>  'ldap-rt',
    # The password RT should use to connect to the LDAP server
    'pass'      =>  'xxxxxxxxx',

this is the part that is probably killing you on your LDAP authentication
piece. Active Directory does not allow anonymous bind for LDAP
authentication. You will need to create a non-privileged user in AD to do
the binding and place the user name and password for that user in your
RT_SiteConfig.pm file. This user will be used by the
RT::Authen::ExternalAuth plugin to bind to AD LDAP. Once bound,
RT::Authen::ExternalAuth will be able to search for the user attempting to
log in and use that person's credentials to authenticate into RT.

James

james machado wrote:

this is the part that is probably killing you on your LDAP
authentication piece. Active Directory does not allow anonymous bind
for LDAP authentication.

Not true, you just have to configure it. I use anonymous bind - just
means my own account has to not be a domain admin because anonymous bind
doesn’t seem to return privileged accounts.

Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

-----Original Message-----
From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 10 May 2010 12:54
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT & mysql / LDAP Auth

Julian Grunnell wrote:

Hi - hoping someone can help me, I’m trying to get the
RT::Authen::ExternalAuth plugin to work so I can use LDAP for
authentication. Just using mysql at the moment, so want to keep this
as
well. Running RT 3.8.5 on Centos, I’d like mysql auth first and then
LDAP next. I’ve managed to configure this without any errors and my
mysql authentication still works after a httpd restart. However LDAP
auth never works, I’m not that familiar with LDAP so am hoping if I
provide my config and rt.log below someone might be able to point me
in
the right direction:

Looks like the whole thing is dying during the MySQL check.

  1. Provide the whole config
  2. Are you sure you’re supposed to be using ExternalAuth for MySQL
    auth?
    Are you actually using it to check against an external MySQL source, or
    are you trying to use MySQL to check RT’s own database?

[>]

The whole config is:

# Local settings - overrides RT_Config.pm

Set($WebBaseURL, "https://xxx.xxx.xxx");
Set($rtname, 'xxx');
Set($Organization , "xxx");
Set($MinimumPasswordLength , "8");
Set($OwnerEmail , 'julian@xxx.xxx');
Set($SMTPFrom, 'support@xxx.xxx');
Set($Timezone , 'GB/London');
Set($UsernameFormat, 'concise');
Set($OldestTransactionsFirst, '0');
Set($SenderMustExistInExternalDatabase);
Set($LogToSyslog , 'debug');
Set($UseFriendlyFromLine, 0);
Set($WebDomain, 'xxx.xxx.xxx');
Set($WebDefaultStylesheet, '3.5-default');
Set($WebPort, 443);
Set($MaxInlineBody, 148000);

# Display Webfusion logo / link
Set($WebImagesURL , $WebPath . "/NoAuth/images/"); # need this for below
Set($LogoURL, $WebImagesURL . "xxx-logo.png");
Set($LogoLinkURL, 'http://xxx.xxx.xxx');
Set($LogoImageURL, $WebImagesURL . "xxx.xxx.png");
Set($LogoAltText, "xxx");

# {{{ Logging
Set($LogToSyslog ,'critical');
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/opt/rt3/var/log/rt3');
Set($LogToFileNamed , "rt.log"); #log to rt.log

#Set(@Plugins,(qw(RT::Extension::SLA)));
#Set( %ServiceAgreements,
#    Default => '4h',
#    QueueDefault => {
#        'General' => '4h',
#    },
#    Levels => {
#        '2h' => { StartImmediately => 1, Resolve => { RealMinutes => 60*2 } },
#        '4h' => { StartImmediately => 1, Resolve => { RealMinutes => 60*4 } },
#    },
#);

#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));

# MySQL / LDAP Configuration

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_MySQL',
                                'My_LDAP'
                            ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'My_MySQL',
                                'My_LDAP'
                            ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a
# HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL'      =>  {   ## GENERIC SECTION
                            # The type of service (db/ldap/cookie)
                            'type'              =>  'db',
                            # The server hosting the service
                            'server'            =>  'resolver-db.xxx.com',
                            ## SERVICE-SPECIFIC SECTION
                            # The database name
                            'database'          =>  'rt3',
                            # The database table
                            'table'             =>  'Users',
                            # The user to connect to the database as
                            'user'              =>  'root',
                            # The password to use to connect with
                            'pass'              =>  'xxx',
                            # The port to use to connect with (e.g. 3306)
                            'port'              =>  '3306',
                            # The name of the Perl DBI driver to use (e.g. mysql)
                            'dbi_driver'        =>  'mysql',
                            # The field in the table that holds usernames
                            'u_field'           =>  'Name',
                            # The field in the table that holds passwords
                            'p_field'           =>  'Password',
                            # The Perl package & subroutine used to encrypt passwords
                            # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
                            # function, then you will need Crypt::MySQL::password, but for the
                            # MySQL4+ password function you will need Crypt::MySQL::password41
                            # Alternatively, you could use Digest::MD5::md5_hex or any other
                            # encryption subroutine you can load in your perl installation
                            'p_enc_pkg'         =>  'Crypt::MySQL',
                            'p_enc_sub'         =>  'password41',
                            # If your p_enc_sub takes a salt as a second parameter,
                            # uncomment this line to add your salt
                            #'p_salt'           =>  'SALT',
                            # The field and values in the table that determines if a user should
                            # be disabled. For example, if the field is 'user_status' and the values
                            # are ['0','1','2','disabled'] then the user will be disabled if their
                            # user_status is set to '0','1','2' or the string 'disabled'.
                            # Otherwise, they will be considered enabled.
                            # 'd_field'         =>  'disabled',
                            # 'd_values'        =>  ['0'],
                            ## RT ATTRIBUTE MATCHING SECTION
                            # The list of RT attributes that uniquely identify a user
                            'attr_match_list'   =>  [   'Gecos',
                                                        'Name'
                                                    ],
                            # The mapping of RT attributes on to field names
                            'attr_map'          =>  {   'Name'           => 'username',
                                                        'EmailAddress'   => 'email',
                                                        'ExternalAuthId' => 'username',
                                                        'Gecos'          => 'userID'
                                                    }
                        },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP'       =>  {   ## GENERIC SECTION
                            # The type of service (db/ldap/cookie)
                            'type'              =>  'ldap',
                            # The server hosting the service
                            'server'            =>  '172.17.2.1',
                            ## SERVICE-SPECIFIC SECTION
                            # If you can bind to your LDAP server anonymously you should
                            # remove the user and pass config lines, otherwise specify them here:
                            # The username RT should use to connect to the LDAP server
                            'user'              =>  'ldap-rt',
                            # The password RT should use to connect to the LDAP server
                            'pass'              =>  'xxx',
                            # The LDAP search base
                            'base'              =>  'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',
                            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                            # YOU MUST SPECIFY A filter AND A d_filter!!
                            # The filter to use to match RT-Users
                            'filter'            =>  '(objectClass=User)',
                            # A catch-all example filter: '(objectClass=*)'
                            # The filter that will only match disabled users
                            'd_filter'          =>  '(objectClass=FooBarBaz)',
                            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                            # Should we try to use TLS to encrypt connections?
                            'tls'               =>  0,
                            # SSL Version to provide to Net::SSLeay if using SSL
                            'ssl_version'       =>  3,
                            # What other args should I pass to Net::LDAP->new($host,@args)?
                            'net_ldap_args'     =>  [ version => 3 ],
                            # Does authentication depend on group membership? What group name?
                            'group'             =>  'GROUP_NAME',
                            # What is the attribute for the group object that determines membership?
                            'group_attr'        =>  'GROUP_ATTR',
                            ## RT ATTRIBUTE MATCHING SECTION
                            # The list of RT attributes that uniquely identify a user
                            # This example shows what you can specify... I recommend reducing this
                            # to just the Name and EmailAddress to save encountering problems later.
                            'attr_match_list'   =>  [   'Name',
                                                        'EmailAddress',
                                                        'RealName',
                                                        'WorkPhone',
                                                        'Address2'
                                                    ],
                            # The mapping of RT attributes on to LDAP attributes
                            'attr_map'          =>  {   'Name'           => 'sAMAccountName',
                                                        'EmailAddress'   => 'mail',
                                                        'Organization'   => 'physicalDeliveryOfficeName',
                                                        'RealName'       => 'cn',
                                                        'ExternalAuthId' => 'sAMAccountName',
                                                        'Gecos'          => 'sAMAccountName',
                                                        'WorkPhone'      => 'telephoneNumber',
                                                        'Address1'       => 'streetAddress',
                                                        'City'           => 'l',
                                                        'State'          => 'st',
                                                        'Zip'            => 'postalCode',
                                                        'Country'        => 'co'
                                                    }
                        }
}
);

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

1;

So at present users are just authenticating against RT’s own DB for user
access. What I’d like to do is keep this but also have LDAP. The reason
being users now have multiple usernames / passwords for different
services we run and I want to use LDAP as a way to simplify this - BUT
in order for this to be done I also need to be able to keep the MySQL
access for now and not break RT for all the users.

The RT DB is on a different physical server and the fact that after I
restarted httpd with the config above and could still login with my
usual (mysql) credentials assumed that at least part of it was working -
is this not the case?

Thanks.

Julian Grunnell wrote:

-----Original Message-----
From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 10 May 2010 12:54
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT & mysql / LDAP Auth

So at present users are just authenticating against RT’s own DB for user
access. What I’d like to do is keep this but also have LDAP. The reason
being users now have multiple usernames / passwords for different
services we run and I want to use LDAP as a way to simplify this - BUT
in order for this to be done I also need to be able to keep the MySQL
access for now and not break RT for all the users.

The RT DB is on a different physical server and the fact that after I
restarted httpd with the config above and could still login with my
usual (mysql) credentials assumed that at least part of it was working -
is this not the case?

No, you’ve misunderstood and it has massively complicated your debugging
of the situation.

ExternalAuth only adds to the available authentication mechanisms. It
does not replace RT’s own. The use of ExternalAuth MySQL authentication
is if you want to be able to authenticate against some other MySQL
source such as a custom website database or the database of another
web-application. This is /in addition/ to checking against RT’s own
internal database (whether this is hosted locally or not).

So, authentication happens in this order:

  1. ExternalAuth
  2. RT-Internal

And you can have as many ExternalAuth sources as you wish.

For your setup, what you want is to only specify the LDAP source which
is then checked for a valid user. If there’s no user in LDAP, RT’s
internal DB will be checked.
Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Julian Grunnell
This email is subject to: www.corporate.webfusion.co.uk/disclaimer

-----Original Message-----
From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 13 May 2010 13:56
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT & mysql / LDAP Auth

Julian Grunnell wrote:

-----Original Message-----
From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 10 May 2010 12:54
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT & mysql / LDAP Auth

So at present users are just authenticating against RT’s own DB for
user
access. What I’d like to do is keep this but also have LDAP. The
reason
being users now have multiple usernames / passwords for different
services we run and I want to use LDAP as a way to simplify this -
BUT

in order for this to be done I also need to be able to keep the MySQL
access for now and not break RT for all the users.

The RT DB is on a different physical server and the fact that after I
restarted httpd with the config above and could still login with my
usual (mysql) credentials assumed that at least part of it was working -
is this not the case?

No, you’ve misunderstood and it has massively complicated your
debugging
of the situation.

ExternalAuth only adds to the available authentication mechanisms. It
does not replace RT’s own. The use of ExternalAuth MySQL authentication
is if you want to be able to authenticate against some other MySQL
source such as a custom website database or the database of another
web-application. This is /in addition/ to checking against RT’s own
internal database (whether this is hosted locally or not).

So, authentication happens in this order:

  1. ExternalAuth
  2. RT-Internal

And you can have as many ExternalAuth sources as you wish.

For your setup, what you want is to only specify the LDAP source which
is then checked for a valid user. If there’s no user in LDAP, RT’s
internal DB will be checked.

Kind Regards,

[>]
Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you wanted
to use. So I have removed the MySQL section completely from the config
and tried again with different results. Using my LDAP credentials I
still get “Your username or password is incorrect” BUT RT has created me
as a user, the “Let this user be granted rights” box is unchecked and
I’m NOT a member of any Groups. The logs created when this was done are:

[Fri May 14 08:22:41 2010] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:64)
[Fri May 14 08:22:41 2010] [debug]: Calling UserExists with $username
(jgrunnell) and $service (My_LDAP)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:105)
[Fri May 14 08:22:41 2010] [debug]: UserExists params:
username: jgrunnell , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:274)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search === Base:
ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,
sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:304)
[Fri May 14 08:22:41 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20
with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell,
Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:450)
[Fri May 14 08:22:41 2010] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:458)
[Fri May 14 08:22:41 2010] [debug]: Attempting to use this
canonicalization key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:472)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search === Base:
ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,
sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:195)
[Fri May 14 08:22:41 2010] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: ,
City: , Country: , Disabled: 0, EmailAddress:
Julian.Grunnell@webfusion.com, ExternalAuthId: jgrunnell, Gecos:
jgrunnell, Name: jgrunnell, Organization: Leeds, Privileged: 0,
RealName: Julian Grunnell, State: , WorkPhone: 0208 587 7212, Zip:
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:536)
[Fri May 14 08:22:41 2010] [debug]: About to think about scrips for
transaction #30149954
(/opt/rt3/bin/…/lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [debug]: About to think about scrips for
transaction #30149955
(/opt/rt3/bin/…/lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [info]: Autocreated external user jgrunnell (
8078757 )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:132)
[Fri May 14 08:22:42 2010] [debug]: Loading new user ( jgrunnell ) into
current session
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:138)
[Fri May 14 08:22:42 2010] [debug]: Password validation required for
service - Executing…
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:155)
[Fri May 14 08:22:42 2010] [debug]: Trying external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:16)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search === Base:
ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(&(sAMAccountName=jgrunnell)(objectClass=User)) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:43)
[Fri May 14 08:22:42 2010] [debug]: Found LDAP DN: CN=Julian
Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,
DC=internal,DC=hosteurope,DC=com
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:75)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search === Base:
ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter:
(GROUP_ATTR=CN=Julian
Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,
DC=internal,DC=hosteurope,DC=com) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:100)
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian
Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,
DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h/LDAP.pm:116)
[Fri May 14 08:22:42 2010] [debug]: LDAP password validation result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:334)
[Fri May 14 08:22:42 2010] [debug]: Password Validation Check Result: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut
h.pm:159)
[Fri May 14 08:22:42 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, Password Invalid)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
th/autohandler/Auth:26)
[Fri May 14 08:22:42 2010] [error]: FAILED LOGIN for jgrunnell from
212.103.233.1 (/opt/rt3/share/html/autohandler:268)

So making some progress, but not quite there.

Thanks.

Julian Grunnell wrote:

Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you wanted
to use. So I have removed the MySQL section completely from the config
and tried again with different results. Using my LDAP credentials I
still get “Your username or password is incorrect” BUT RT has created me
as a user, the “Let this user be granted rights” box is unchecked and
I’m NOT a member of any Groups. The logs created when this was done are:

  1. It found you and loaded your information from LDAP just as it should.
  2. ExternalAuth cannot currently add you to any internal RT groups based
    on LDAP information, this must be done in the RT administration panels.
  3. If you want LDAP users to be automatically assigned “Let this user be
    granted rights” then you may do so with this config setting:
    Set($AutoCreate, {Privileged => 1});
    Otherwise it will need setting manually along with group membership.

The only thing that is now failing for you is authentication and the
reason is now obvious:

Your config
#######################################################################
    # Does authentication depend on group membership? What group name?
    'group'         =>  'GROUP_NAME',
    # What is the attribute for the group object that determines membership?
    'group_attr'    =>  'GROUP_ATTR',
#######################################################################

Your log
#######################################################################
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian
Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com)
failed: LDAP_INVALID_DN_SYNTAX 34
#######################################################################

You have told ExternalAuth that all ldap users must be in an ldap group
named GROUP_NAME and that in order to confirm that the users are a
member of that group, the members should be in the GROUP_ATTR attribute
of that group.

If you simply comment out group and group_attr it should work fine. If
in future you wish to restrict access by group, ensure the group name is
specified in full ldap dn form.
Kind Regards,

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
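The two searches visible in the log above, and the placeholder problem Mike points out, as an added example in Python. It is not code from the thread or from the RT::Authen::ExternalAuth plugin: it rebuilds the user-lookup filter and the group-membership filter in the exact shape the plugin logged, escapes the login name the way RFC 4515 requires (the thread does not discuss escaping; that part is this example's own addition, and the plugin's own handling is not shown here), and runs syntax checks over one 'type' => 'ldap' entry of $ExternalSettings so unfilled placeholders such as 'GROUP_NAME' and 'GROUP_ATTR' are caught before RT ever talks to the directory. The check rules, the warning about cleartext binds and the without_group_check() helper are assumptions of the example, not plugin behaviour; THREAD_SERVICE is the My_LDAP entry copied from the config posted in the thread, password redacted as it was there.

```python
import re

# RFC 4515 escapes for values interpolated into a filter. The plugin builds
# "(&(objectClass=User)(sAMAccountName=<login>))" from the submitted login
# name; a name containing "*" or ")(objectClass=*" would otherwise rewrite
# the search. (Escaping here is this example's addition, not plugin code.)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Loose syntax checks, assumed for this example: an attribute descriptor as in
# RFC 4512 (letters, digits, hyphens), a DN of comma-joined attr=value pairs,
# and a filter that is at least wrapped in parentheses. Enough to reject the
# unfilled GROUP_NAME / GROUP_ATTR placeholders from the thread.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
_FILTER_RE = re.compile(r"^\(.+\)$")


def escape_filter_value(value):
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(service, username):
    """The UserExists search from the log: (&<filter>(<Name attribute>=<login>))."""
    name_attr = service["attr_map"]["Name"]
    return "(&%s(%s=%s))" % (service["filter"], name_attr, escape_filter_value(username))


def group_membership_filter(service, user_dn):
    """The membership search from the log: (<group_attr>=<user DN>)."""
    return "(%s=%s)" % (service["group_attr"], escape_filter_value(user_dn))


def check_ldap_service(service):
    """Return (errors, warnings) for one 'type' => 'ldap' entry of $ExternalSettings."""
    errors, warnings = [], []
    for key in ("filter", "d_filter"):
        value = service.get(key, "")
        if not _FILTER_RE.match(value):
            errors.append("%s must be an LDAP filter in parentheses, got %r" % (key, value))
    if not _DN_RE.match(service.get("base", "")):
        errors.append("base is not a DN: %r" % service.get("base"))
    group, group_attr = service.get("group"), service.get("group_attr")
    if group is not None or group_attr is not None:
        if not (group and group_attr):
            errors.append("group and group_attr must be set together or both removed")
        else:
            if not _DN_RE.match(group):
                errors.append("group must be the group's full DN, got %r" % group)
            if not _ATTR_RE.match(group_attr):
                errors.append("group_attr is not an attribute name, got %r" % group_attr)
    if bool(service.get("user")) != bool(service.get("pass")):
        errors.append("user and pass must be given together (remove both for anonymous bind)")
    attr_map = service.get("attr_map", {})
    if "Name" not in attr_map:
        errors.append("attr_map needs a 'Name' entry; it is the attribute searched on login")
    for rt_attr in service.get("attr_match_list", []):
        if rt_attr not in attr_map:
            warnings.append("attr_match_list entry %r has no attr_map mapping" % rt_attr)
    if not service.get("tls"):
        # Simple bind without TLS sends the bind password and every user's
        # password in clear; flagged as a warning, not a config error.
        warnings.append("tls is 0: bind and user passwords cross the network in clear")
    return errors, warnings


def without_group_check(service):
    """Copy of a service with the group restriction removed and the match list
    cut down to Name and EmailAddress, the two changes recommended in the thread."""
    fixed = {k: v for k, v in service.items() if k not in ("group", "group_attr")}
    fixed["attr_match_list"] = ["Name", "EmailAddress"]
    return fixed


# The My_LDAP entry from the config posted in the thread, password redacted.
THREAD_SERVICE = {
    "type": "ldap", "server": "172.17.2.1", "user": "ldap-rt", "pass": "xxx",
    "base": "ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com",
    "filter": "(objectClass=User)", "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0, "group": "GROUP_NAME", "group_attr": "GROUP_ATTR",
    "attr_match_list": ["Name", "EmailAddress", "RealName", "WorkPhone", "Address2"],
    "attr_map": {"Name": "sAMAccountName", "EmailAddress": "mail",
                 "Organization": "physicalDeliveryOfficeName", "RealName": "cn",
                 "ExternalAuthId": "sAMAccountName", "Gecos": "sAMAccountName",
                 "WorkPhone": "telephoneNumber", "Address1": "streetAddress",
                 "City": "l", "State": "st", "Zip": "postalCode", "Country": "co"},
}

if __name__ == "__main__":
    for label, svc in (("as posted", THREAD_SERVICE),
                       ("fixed", without_group_check(THREAD_SERVICE))):
        errors, warnings = check_ldap_service(svc)
        print(label, "errors:", errors, "warnings:", warnings)
    print(user_search_filter(THREAD_SERVICE, "jgrunnell"))
```

Run as a script it reports two errors for the posted entry (group is not a DN, group_attr is not an attribute name) and none once the group keys are removed; the cleartext-bind warning stays in both cases because the posted config has 'tls' => 0. The user filter it prints is byte-for-byte the one in the log, so a mismatch between this output and an rt.log "LDAP Search" line is itself a sign the config RT loaded is not the one being edited.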

-----Original Message-----
From: Mike Peachey [mailto:mike.peachey@jennic.com]
Sent: 14 May 2010 10:33
To: Julian Grunnell; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT & mysql / LDAP Auth

Julian Grunnell wrote:

Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you
wanted
to use. So I have removed the MySQL section completely from the
config

and tried again with different results. Using my LDAP credentials I
still get “Your username or password is incorrect” BUT RT has created
me
as a user, the “Let this user be granted rights” box is unchecked and
I’m NOT a member of any Groups. The logs created when this was done
are:

  1. It found you and loaded your information from LDAP just as it
    should.
  2. ExternalAuth cannot currently add you to any internal RT groups
    based
    on LDAP information, this must be done in the RT administration panels.
  3. If you want LDAP users to be automatically assigned “Let this user
    be
    granted rights” then you may do so with this config setting:
    Set($AutoCreate, {Privileged => 1});
    Otherwise it will need setting manually along with group membership.

The only thing that is now failing for you is authentication and the
reason is now obvious:

Your config
#######################################################################
    # Does authentication depend on group membership? What group name?
    'group'         =>  'GROUP_NAME',
    # What is the attribute for the group object that determines membership?
    'group_attr'    =>  'GROUP_ATTR',
#######################################################################

Your log
#######################################################################
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian
Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com)
failed: LDAP_INVALID_DN_SYNTAX 34
#######################################################################

You have told ExternalAuth that all ldap users must be in an ldap group
named GROUP_NAME and that in order to confirm that the users are a
member of that group, the members should be in the GROUP_ATTR attribute
of that group.

If you simply comment out group and group_attr it should work fine. If
in future you wish to restrict access by group, ensure the group name
is
specified in full ldap dn form.

[>]
Thanks Mike - appreciate your help with this, made the changes you
suggest and it works a treat now. Now to look at the script that can
convert to ldap style logins.

Julian.