RT version 3.8.0 and RT-Authen-ExternalAuth-0.05

Hi,
I have just installed RT 3.8.0 and RT-Authen-ExternalAuth-0.05.

Before I post a more detailed report, I just would like to know if this
is known to work with the new RT.

When I start apache I see this is 'talking' initially to my OpenLDAP,
but when I try to authenticate as an OpenLDAP user I get
"your username and password is incorrect".
I see no activity at this point on my OpenLDAP.

My RT_SiteConfig.pm ldap details look OK (although I do have some
questions about some options).

I simply see in /var/log/messages (I presume that
Set($LogToSyslog, 'debug');
gives the most details):

Jul 25 10:37:06 rt RT: FAILED LOGIN for jbloggs from 149.157.xx.yy (/opt/rt3/share/html/autohandler:265)

I see that RT-Authen-ExternalAuth is installed in:

[root@rt plugins]# pwd
/opt/rt3/local/plugins
[root@rt plugins]# ls
RT-Authen-ExternalAuth

which is a different path [I think] to previous versions of RT.

Regards,
Jason Doran
National University of Ireland, Maynooth


I can say it works with Active Directory. I had to install perl-LDAP
though, on my CentOS5 machine. yum install perl-LDAP

I had just got the plugin working under 3.6.6 when 3.8.0 came out. I
moved my 3.6.6 directory out of the way, did its install, and then ran
the ExternalAuth install.

I noticed the path changed too when I copied over the plugin’s
RT_SiteConfig.pm file and had to fix the require line in my main
RT_SiteConfig.pm.

In case this can help, here's a stripped and manually redacted version
of my RT_SiteConfig.pm in the Plugin's etc/ directory which works in my
Windows 2000 Active Directory environment. (It's included via the main
RT_SiteConfig.pm with a
require "/opt/rt3/local/plugins/RT-AuthenExternalAuth/etc/RT_SiteConfig.pm";
line.)

Set($ExternalAuthPriority, [ 'My_LDAP' ]);

Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'adomaincontroller.example.com',
        # bind DN and password of the read-only lookup account
        'user'   => 'CN=RTLDAPLookupUser,OU=someou,DC=example,DC=com',
        'pass'   => 'passwordofrtlookupuser',
        'base'   => 'DC=example,DC=com',
        'filter' => '(objectClass=Person)',
        # matches AD accounts whose userAccountControl has the
        # ACCOUNTDISABLE bit (2) set, via the bitwise-AND matching rule
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'    => 0,
        'net_ldap_args' => [ version => 3 ],
        'group'      => '',
        'group_attr' => '',
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName',
                               'WorkPhone', 'Address2' ],
        # RT user field => AD attribute
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
});

1;

I also used ldapdisplay to test the ldap query of the Active Directory:

ldapsearch -LLL -x -D "CN=RTLDAPLookupUser,OU=someou,DC=example,DC=com" \
  -w passwordofrtlookupuser -h adomaincontroller.example.com \
  "(&(sAMAccountName=BRIAN)(objectClass=Person))"

BTW, for about an hour I found I was changing the left side of the
password of the RT lookup user in RT_SiteConfig.pm, (The parameter name)
rather than the right side, the value. I don’t know why, I was just
replacing user with the user and pass with the password I guess,
even though I did the correct right-side replacement on everything else.

HTH.

Brian

On Fri, 2008-07-25 at 11:29 +0100, Jason Doran wrote:

Hi,
I have just installed RT 3.8.0 and RT-Authen-ExternalAuth-0.05.

Before I post a more detailed report, I just would like to know if
this
is known to work with the new RT.
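As an added illustration (not code from the plugin, nor from Brian's post), the lookup-then-bind sequence the settings above describe: locate the entry with a search filter of the same shape as the ldapsearch test, apply the d_filter disabled-account check, verify the user's password and fill the RT fields via attr_map. Net::LDAP calls are replaced by lookups in a constructed in-memory directory, and the RFC 4515 escaping of the login name is an assumption not shown in the config.

```python
# Added illustration (not the plugin's own code): the lookup / disabled-check /
# user-bind sequence the config above describes, run against a constructed
# in-memory directory. userAccountControl 512 = enabled, 514 = ACCOUNTDISABLE
# bit (0x2) set, which is what the d_filter's 1.2.840.113556.1.4.803 rule tests.
DIRECTORY = {
    "CN=Brian,OU=someou,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": "BRIAN",
        "mail": "brian@example.com", "cn": "Brian Example",
        "userAccountControl": 512, "password": "b-secret"},
    "CN=Old,OU=someou,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": "OLD",
        "mail": "old@example.com", "cn": "Old Account",
        "userAccountControl": 514, "password": "o-secret"},
}
ACCOUNTDISABLE = 0x2
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def search_filter(login_attr, login, base_filter="(objectClass=Person)"):
    """Same shape as the ldapsearch test above: (&(attr=login)<filter>)."""
    return "(&(%s=%s)%s)" % (login_attr, escape_filter_value(login), base_filter)

def find_entry(login):
    """Lookup-bind step: match sAMAccountName case-insensitively, as LDAP does."""
    for dn, attrs in DIRECTORY.items():
        classes = [c.lower() for c in attrs["objectClass"]]
        if "person" in classes and attrs["sAMAccountName"].lower() == login.lower():
            return dn, attrs
    return None, None

def is_disabled(attrs):
    """What d_filter expresses: (userAccountControl AND 2) is non-zero."""
    return bool(attrs["userAccountControl"] & ACCOUNTDISABLE)

def authenticate(login, password):
    """Return (ok, reason, RT fields filled via attr_map)."""
    dn, attrs = find_entry(login)
    if dn is None:
        return False, "no such user", {}
    if is_disabled(attrs):
        return False, "account disabled", {}
    if attrs["password"] != password:  # stands in for the user's own LDAP bind
        return False, "bad password", {}
    return True, "ok", {rt: attrs[ldap] for rt, ldap in ATTR_MAP.items()}
```

A disabled account fails before the password is ever checked, which is the behaviour the d_filter buys you; without it the lookup would succeed and only the directory's own bind policy would stand in the way.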

Hi Brian,
Thanks for the reply. I have got this working on OpenLDAP. Some comments
for others:

I used: 'user' => 'cn=manager,dc=mydomain,dc=ie'

It is not clear from documentation that this needs to be a full
distinguished name (DN), which I see you use. Above is an example of
the standard openldap admin user, or perhaps better to create a
special user for this in OpenLDAP.

ldapsearch -LLL -x -D "cn=manager,dc=mydomain,dc=ie" -W -h \
  myldap.mydomain.ie "(&(sn=Doran)(objectClass=posixAccount))"

This worked after I installed ‘yum install openldap-clients’. I also
installed perl-LDAP as you suggested, Good for testing.

My final comment. I was assuming that users were automatically created
from the external data source when they tried to log on. So when I
tried user ‘jbloggs’ I got the ‘Your username or password is
incorrect’ error. However, when I simply added a user (just the user
id) from the RT web interface up pops all the mapped attributes in the
add user form, and the authentication is then successful.

I stupidly assumed that external sourced users were automatically
created after authentication from
the external source.

I mis-read:

    If this is set to 1, then users should be autocreated by RT
    as internal users if they fail to authenticate from an
    external service.
    Set($AutoCreateNonExternalUsers, 1);

as something like, AutoCreateExternalUsers. Ah well!

Thanks again,
Jason

I can say it works with Active Directory. I had to install perl-LDAP
though, on my CentOS5 machine. yum install perl-LDAP

I had just got the plugin working under 3.6.6 when 3.8.0 came out. I
moved my 3.6.6 directory out of the way, did its install, and then
ran the ExternalAuth install.

I noticed the path changed too when I copied over the plugin’s
RT_SiteConfig.pm file and had to fix the require line in my main
RT_SiteConfig.pm.

In case this can help, here's a stripped and manually redacted version
of my RT_SiteConfig.pm in the Plugin's etc/ directory which works in
my Windows 2000 Active Directory environment. (It's included via the
main RT_SiteConfig.pm with a
require "/opt/rt3/local/plugins/RT-AuthenExternalAuth/etc/RT_SiteConfig.pm";
line.)

typo for people copying above location (dash missing!)
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm


Jason Doran wrote:

Hi Brian,
Thanks for the reply. I have got this working on OpenLDAP. Some comments
for others:

The primary problem here is that I haven’t yet had enough available time
to even run RT3.8 and so haven’t yet got around to making the necessary
modifications to ExternalAuth to make it properly compatible with 3.8.

I will though, when I can.

BTW… re: using a full DN… what username you try to use depends on your
server and Net::LDAP. RT and ExternalAuth don’t touch it, it just gets
sent straight into Net::LDAP.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

I know Mike Peachey hasn't had any time to look at this, but is there
anyone who's got RT-Authen-ExternalAuth working with RT 3.8.x with LDAP
(Sun Directory Service)?
I wasn't sure if RT-Authen-ExternalAuth is either totally not working
with 3.8.x, or working in some cases?

After an upgrade from 3.6.6 LDAP authentication is not working here, but
if there is no chance of it working I won’t waste my time playing with
the configuration and push back the upgrade to 3.8.x.

Best regards,
Justin

Mike Peachey wrote:

I know Mike Peachy hasn’t had any time to look at this, but is there
anyone who’s got RT-Authen-ExternalAuth working with RT 3.8.x with
LDAP (Sun Directory Service)?
I wasn’t sure if RT-Authen-ExternalAuth is either totally not
working with 3.8.x, or working in some cases?

I’ve found it works as far as LDAP authentication is concerned, but
only if the account already exists within RT; in other words account
autocreation isn’t working.

Tim


Tim Cutts tjrc@sanger.ac.uk writes:

> On 7 Aug 2008, at 10:45 am, justin@brighton.ac.uk wrote:

I know Mike Peachy hasn’t had any time to look at this, but is there
anyone who’s got RT-Authen-ExternalAuth working with RT 3.8.x with
LDAP (Sun Directory Service)?
I wasn’t sure if RT-Authen-ExternalAuth is either totally not
working with 3.8.x, or working in some cases?
I’ve found it works as far as LDAP authentication is concerned, but
only if the account already exists within RT; in other words account
autocreation isn’t working.

Autocreation works if you copy
local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth
to local/html/Callbacks/ExternalAuth/autohandler/Auth and apply the
following patch to User_Vendor.pm:

— local/lib/RT/User_Vendor.pm~ 2008-04-09 10:40:44.000000000 +0200
+++ ./local/lib/RT/User_Vendor.pm 2008-08-04 17:46:32.000000000 +0200
@@ -348,7 +348,7 @@
return (undef);
}

  • if ( $self->PrincipalObj->Disabled ) {
  • if ( $self->PrincipalObj and $self->PrincipalObj->Disabled ) {
    $RT::Logger->info(“Disabled user " . $self->Name .
    " tried to log in” );
    return (undef);
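Review bot: the leading `-` and `+` markers on the two changed lines have been rendered as bullets in this copy, so the hunk will not apply with `patch` as shown; anyone reusing it needs to restore `-` in front of `if ( $self->PrincipalObj->Disabled ) {` and `+` in front of `if ( $self->PrincipalObj and $self->PrincipalObj->Disabled ) {`. On the logic, the added guard means an undefined PrincipalObj now falls through past the disabled check with no log line at all, which is the autocreation path this post is after; a debug-level message in that branch would let an admin tell a user being autocreated apart from a user that silently skipped the disabled test.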

At least I got it to work, and I think those were the only two changes I
made.

Espen Wiborg espen.wiborg@telio.no
All that blue light from Orthanc at night? That was Saruman, trying to
moderate news.admin.palantir-abuse.sightings.
Mike Andrews in the Monastery