Rt4 and External Auth to AD 2008 non-ssl

I am trying desperately to get this going and am not seeing that my externalauth is even being called. I am attaching my RT_SiteConfig.pm for review. I am a newbie and don't know much about anything RT as yet. I see very little in my /var/log/messages other than LOGIN failed for xxxxx from web.pm, so I don't really think my externalauth is really in play as of yet. Any assistance in getting this going would be greatly appreciated.

Thanks.

Brian Murphy
Eastern Illinois University

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
#Set(@Plugins,(qw(RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, '' );
Set( $rtname, 'EIU ITS Campus Technology' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );

Set( $DatabaseType, 'mysql' );

Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'localhost' );

Set( $CommentAddress, '' );
Set($Timezone, "US/Central");
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);

Set( $OwnerEmail, '' );
Set( $DatabaseUser, 'rt_user' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'RT_pass1-' );
Set( $DatabaseAdmin, 'root' );
Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $Organization, 'ITS' );
1;

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'EIUAD' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'EIUAD' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#   Set($ExternalAuthPriority, ['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'xxxxx.xxx.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxx',
        # The LDAP search base
        'base' => 'dc=xxxxx,dc=xxx,dc=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'rt_access',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
});

1;
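The posted file with its weak settings corrected in place, added here as an example (mine, not Brian's file and not the plugin's shipped template; the old value is noted in each comment). Hostname, DNs, group DN and passwords are placeholders for your own forest. The posted `ssl_version => 3` is dropped rather than carried over: I have not verified what the plugin does with that numeric value, and pinning SSLv3 is not something to copy. The posted file also carries the MySQL user and admin passwords in clear on a public list; those should be changed, and `$DatabaseAdminPassword` is only read by rt-setup-database, so it has no business in a running server's config.

```perl
# RT_SiteConfig.pm fragment: the EIUAD service with each weak setting
# corrected. Hostname, DNs, group DN and password are placeholders.

# Kevin's suggestion: ExternalAuth logs at debug level, and with
# LogToScreen the lines land in the Apache error log. Turn this back
# down to 'info' once logins work; debug traces carry usernames.
Set($LogToScreen, 'debug');

Set(@Plugins, qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth));

Set($ExternalAuthPriority, [ 'EIUAD' ]);
Set($ExternalInfoPriority, [ 'EIUAD' ]);
Set($ExternalServiceUsesSSLorTLS, 1);   # was 0: loads Net::SSLeay for 'tls' => 1 below
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'EIUAD' => {
        'type'   => 'ldap',
        'server' => 'dc1.eiuad.eiu.edu',                               # placeholder DC
        # was 'rtauth': bind with the account's DN (or user@domain UPN),
        # as the later config in this thread does
        'user'   => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        'pass'   => 'service-account-password-goes-here',
        'base'   => 'DC=eiuad,DC=eiu,DC=edu',
        # was '(objectclass=person)': computer and contact objects are
        # persons too, and James's (objectClass=user) still matches
        # computers. This pair matches real user accounts only.
        'filter'   => '(&(objectCategory=person)(objectClass=user))',
        # was '(objectclass=Foo)', which matches nothing, so RT would never
        # learn that an account is disabled in AD. AD keeps the flag in bit
        # 2 of userAccountControl; 1.2.840.113556.1.4.803 is the bitwise-AND
        # matching rule.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # was 0: a simple bind sends the password in clear, for the service
        # account on every request and for each user at login. STARTTLS on
        # 389 needs the DC certificate to chain to a CA the RT host trusts.
        'tls'      => 1,
        'net_ldap_args' => [ version => 3 ],
        # was 'rt_access' / 'memberOf': the template calls group_attr the
        # attribute "for the group object", so name the group by DN and use
        # the attribute an AD group object carries, 'member'. 'memberOf' is
        # the back-link on the user entry (Andrew's point).
        'group'      => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        'group_attr' => 'member',
        # match on both keys the template recommends, and map them
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'displayName',
        },
    },
});

1;
```

Before switching `tls` on, confirm the RT host can complete STARTTLS against the DC with `ldapsearch -ZZ ...` (the doubled Z makes ldapsearch refuse to continue if TLS fails); a DC certificate that the host cannot validate fails there first, with a clearer error than the plugin gives.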

I am trying desperately to get this going and am not seeing that my
externalauth is even being called. I am attaching my RT_SiteConfig.pm
for review. I am a newbie and don't know much about anything RT as
yet. I see very little in my /var/log/messages other than LOGIN failed
for xxxxx from web.pm, so I don't really think my externalauth is
really in play as of yet. Any assistance in getting this going would
be greatly appreciated.

You don’t appear to have turned your logging level up, most useful
logs are at the debug level. LogToScreen is probably the easiest,
because they’ll end up in your apache error log.

-kevin

Thanks for the tip on the logging, Kevin.

Seeing the following, don't know exactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Brian

RT Training Sessions (http://bestpractical.com/services/training.html)

  • Chicago, IL, USA - September 26 & 27, 2011
  • San Francisco, CA, USA - October 18 & 19, 2011
  • Washington DC, USA - October 31 & November 1, 2011
  • Melbourne VIC, Australia - November 28 & 29, 2011
  • Barcelona, Spain - November 28 & 29, 2011

Thanks for the tip on the logging kevin.

Seeing the following, don't know exactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.

Brian

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.

I would try using ldapsearch from your RT machine against your AD
server and verify that you can do a bind/search against AD without
SSL.

You might also want to change the filter

'filter' => '(objectclass=person)',

to

'filter' => '(objectclass=user)',

james

I only get the login failed message back from web.pm.
The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.

If you get those 3 lines while loading the page, you’re going to get at
least those three lines when typing in your username and password before
getting the LOGIN FAILED.

In reality, it’ll probably look more like (I’m using a sqlite db for
this example, but the code path is the same)

Attempting to use external auth service: mydb
Calling UserExists with $username (bob) and $service (mydb)
Password validation required for service - Executing…
Trying external auth service: mydb
RT::Authen::ExternalAuth::DBI::GetAuth External Auth OK ( mydb ): bob
Authentication successful. Now updating user information and attempting login.
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth
Attempting to get user info using this external service: mydb
Attempting to use this canonicalization key: Name
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning EmailAddress: bob@example.com, ExternalAuthId: bob, Name: bob, RealName:
UPDATED user ( bob ) from External Service
Successful login for bob from 127.0.0.1
Autohandler called ExternalAuth. Response: (1, Successful login)

-kevin
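A triage script for the debug trace Kevin describes, added here as an example of mine (not Kevin's code and not the plugin's): it ranks the ExternalAuth messages in the order the plugin emits them and reports the last stage a request reached, so "page rendered, no credentials yet" and "credentials checked and rejected" are told apart without reading the whole log. The stage messages are the ones posted in this thread. The two samples at the bottom are constructed: Brian's two page-load lines as posted, and Kevin's success trace with made-up timestamps and file:line suffixes so they match the RT log format. The one-line meaning attached to each stage is my reading of it.

```perl
#!/usr/bin/perl
# Triage for RT::Authen::ExternalAuth debug output: report the last stage
# a request reached before the plugin stopped. Pipe the Apache error log
# (with $LogToScreen set to 'debug') into it, or run it with no input to
# see the two constructed samples at the bottom.
use strict;
use warnings;

# Plugin stages in the order they are logged, each with a pattern on the
# message text and what stopping at that stage means.
my @STAGES = (
    [ qr/Attempting to use external auth service: (\S+)/,
      'plugin loaded and a service selected, nothing checked yet' ],
    [ qr/SSO Failed and no user to test with/,
      'no username in the request: the login page rendering, not a failed login' ],
    [ qr/Calling UserExists with \$username \((\S+)\)/,
      'credentials received, RT asked the service whether the user exists' ],
    [ qr/External Auth OK \( \S+ \): (\S+)/,
      'the service accepted the password' ],
    [ qr/Successful login for (\S+)/,
      'user record updated and session created' ],
);

# Split one RT log line, "[date] [level]: message (file:line)", into its
# level and message; the trailing source location is optional.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /^\[[^\]]*\]\s+\[(\w+)\]:\s+(.*?)(?:\s+\(\S+:\d+\))?\s*$/;
    return ( $1, $2 );
}

# Index of the furthest stage any of the lines reached, -1 if the plugin
# never appears (then check @Plugins and $LogToScreen first).
sub furthest_stage {
    my $best = -1;
    for my $line (@_) {
        my ( undef, $msg ) = parse_line($line) or next;
        for my $i ( 0 .. $#STAGES ) {
            $best = $i if $i > $best && $msg =~ $STAGES[$i][0];
        }
    }
    return $best;
}

sub report {
    my ( $label, @lines ) = @_;
    my $i = furthest_stage(@lines);
    my $meaning = $i < 0 ? 'plugin never invoked' : $STAGES[$i][1];
    printf "%-10s stage %d/%d: %s\n", $label, $i + 1, scalar @STAGES, $meaning;
}

if ( -t STDIN ) {
    # Constructed samples (see the lead-in): Brian's page-load lines as
    # posted, and Kevin's success trace dressed up as real RT log lines.
    report( 'page load',
        '[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)',
        '[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)',
    );
    report( 'bob',
        '[Thu Aug 25 10:00:00 2011] [debug]: Attempting to use external auth service: mydb (ExternalAuth.pm:64)',
        '[Thu Aug 25 10:00:00 2011] [debug]: Calling UserExists with $username (bob) and $service (mydb) (ExternalAuth.pm:80)',
        '[Thu Aug 25 10:00:00 2011] [debug]: RT::Authen::ExternalAuth::DBI::GetAuth External Auth OK ( mydb ): bob (DBI.pm:100)',
        '[Thu Aug 25 10:00:00 2011] [debug]: Successful login for bob from 127.0.0.1 (web.pm:1)',
    );
} else {
    report( 'stdin', <STDIN> );
}
```

Run against a real log as `grep -i externalauth /var/log/httpd/error_log | ./rt-auth-triage.pl`. Brian's posted lines come out as stage 2 of 5, which is exactly Kevin's point: nothing past the login page has happened yet, and the lines that matter are the ones written after the form is submitted.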

Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.

I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"

I would like to use blmurphy as my RT account name. When I execute the above ldapsearch and enter the password when prompted, I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian

Set($ExternalSettings, {
# EIUAD Active Directory
‘EIUAD’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
‘server’ => ‘eiuad.eiu.edu’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
‘user’ => ‘CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu’,
# The password RT should use to connect to the LDAP server
‘pass’ => ‘xxxxxxxxx’,
# The LDAP search base
‘base’ => ‘dc=eiuad,dc=eiu,dc=edu’,
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU MUST SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
‘filter’ => ‘(sAMAccountName=)',
# A catch-all example filter: '(objectClass=
)’
# The filter that will only match disabled users
‘d_filter’ => ‘(objectclass=Foo)’,
# A catch-none example d_filter: ‘(objectClass=FooBarBaz)’
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# SSL Version to provide to Net::SSLeay if using SSL
‘ssl_version’ => 3,
# What other args should I pass to Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3 ],
# Does authentication depend on group membership? What group name?
‘group’ => ‘CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu’,
# What is the attribute for the group object that determines membership?
‘group_attr’ => ‘memberOf’,
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you can specify… I recommend reducing this
# to just the Name and EmailAddress to save encountering problems later.
‘attr_match_list’ => [ ‘Name’
],
# The mapping of RT attributes on to LDAP attributes
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’
}
}From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used so is this a problem. I was assuming the id would exist and just the auth would be done externally.

Brian

From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Thanks for the tip on the logging kevin.

Seeing the following, don’t know eactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin

----- Original Message -----
From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I am trying desparately to get this goingnd am not seeing that my
externalauth is even being called. I am attaching my RT_SiteConfig.pm
for review. I am a newbie and don’t know much about anything RT as
yet. I see very little in my /var/log/messages other tham LOGIN failed
for xxxxx from web.pm, so I don’t really think my externalauth is
really in play as of yet. Any assistance in getting this going would
be greatly appreciated.

You don’t appear to have turned your logging level up, most useful
logs are at the debug level. LogToScreen is probably the easiest,
because they’ll end up in your apache error log.

-kevin

Any configuration directives you include here will override

RT’s default configuration file, RT_Config.pm

To include a directive here, just copy the equivalent statement

from RT_Config.pm and change the value. We’ve included a single

sample value below.

This file is actually a perl module, so you can include valid

perl code, as well.

The converse is also true, if this file isn’t valid perl, you’re

going to run into trouble. To check your SiteConfig file, use

this comamnd:

perl -c /path/to/your/etc/RT_SiteConfig.pm

You must restart your webserver after making changes to this file.

You must install Plugins on your own, this is only an example

of the correct syntax to use when activating them.

There should only be one @Plugins declaration in your config file.

#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
#Set(@Plugins,(qw(RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, ‘’ );
Set( $rtname, ‘EIU ITS Campus Technology’ );
Set( $DatabaseRequireSSL, ‘’ );
Set( $WebPort, ‘8080’ );

Set( $DatabaseType, ‘mysql’ );

Set( $SendmailPath, ‘/usr/sbin/sendmail’ );
Set( $WebDomain, ‘localhost’ );

Set( $CommentAddress, ‘’ );
Set($Timezone, “US/Central”);
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);

Set( $OwnerEmail, ‘’ );
Set( $DatabaseUser, ‘rt_user’ );
Set( $DatabasePort, ‘’ );
Set( $DatabasePassword, ‘RT_pass1-’ );
Set( $DatabaseAdmin, ‘root’ );
Set( $DatabaseAdminPassword, ‘Mtfbwu+1’ );
Set( $DatabaseHost, ‘localhost’ );
Set( $DatabaseName, ‘rt4’ );
Set( $Organization, ‘ITS’ );
1;

The order in which the services defined in ExternalSettings

should be used to authenticate users. User is authenticated

if successfully confirmed by any service - no more services

are checked.

Set($ExternalAuthPriority, [ ‘EIUAD’
]
);

The order in which the services defined in ExternalSettings

should be used to get information about users. This includes

RealName, Tel numbers etc, but also whether or not the user

should be considered disabled.

Once user info is found, no more services are checked.

You CANNOT use a SSO cookie for authentication.

Set($ExternalInfoPriority, [ ‘EIUAD’
]
);

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 0);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'xxxxx.xxx.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxx',
        #
        # The LDAP search base
        'base' => 'dc=xxxxx,dc=xxx,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        # NOTE: with 0 the bind password and every user's login password
        # cross the network to the domain controller in clear text.
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'rt_access',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' },
    },
});

1;


RT Training Sessions (http://bestpractical.com/services/training.html)

  • Chicago, IL, USA September 26 & 27, 2011
  • San Francisco, CA, USA October 18 & 19, 2011
  • Washington DC, USA October 31 & November 1, 2011
  • Melbourne VIC, Australia November 28 & 29, 2011
  • Barcelona, Spain November 28 & 29, 2011
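The `filter`, `d_filter` and `attr_map` keys in the service block above are combined with whatever name is typed into the login form to make the user-lookup search; the plugin's debug log prints the result as `(&(objectClass=person)(sAMAccountName=blmurphy))`. The following is an added example, not code from the thread or from RT::Authen::ExternalAuth: it rebuilds that filter in Python with RFC 4515 escaping of the user-supplied name, shows side by side what an unescaped name does to the filter, and adds an Active Directory `d_filter` that actually matches disabled accounts. The `EIUAD` dict is constructed from the posted settings and the `AD_DISABLED_FILTER` constant is mine, not something the page gives.

```python
"""Build the LDAP lookup filters an external-auth service derives from the
login form, escaping the user-supplied name.

Added example, not code from RT::Authen::ExternalAuth. The composite shape
(&<filter>(<attr>=<username>)) is the one the plugin's debug log prints;
the RFC 4515 escaping and the AD disabled-account filter are additions.
"""

# Constructed from the EIUAD settings block in the thread (server and
# credentials omitted; only the keys the filters need).
EIUAD = {
    "filter": "(objectClass=person)",
    "d_filter": "(objectClass=FooBarBaz)",   # catch-none, as posted
    "attr_map": {"Name": "sAMAccountName"},
}

# AD-specific d_filter (assumption: not in the thread). Bit 2 of
# userAccountControl is ACCOUNTDISABLE; the OID is the LDAP_MATCHING_RULE_BIT_AND
# extensible match, so this matches exactly the disabled accounts.
AD_DISABLED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Mapping per character avoids double-escaping the backslash.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_lookup_filter(settings, username):
    """Interpolate the login name verbatim. Shown only for contrast."""
    attr = settings["attr_map"]["Name"]
    return "(&%s(%s=%s))" % (settings["filter"], attr, username)


def user_lookup_filter(settings, username):
    """Filter for the 'does this user exist' search, with the name escaped."""
    attr = settings["attr_map"]["Name"]
    return "(&%s(%s=%s))" % (settings["filter"], attr, escape_filter_value(username))


def disabled_lookup_filter(settings, username):
    """Same composition against d_filter: a hit means the account is disabled."""
    attr = settings["attr_map"]["Name"]
    return "(&%s(%s=%s))" % (settings["d_filter"], attr, escape_filter_value(username))


if __name__ == "__main__":
    print(user_lookup_filter(EIUAD, "blmurphy"))
    # A crafted login name: unescaped it becomes a filter that matches every
    # person; escaped it is just an unlikely sAMAccountName.
    hostile = "*)(objectClass=*"
    print(naive_lookup_filter(EIUAD, hostile))
    print(user_lookup_filter(EIUAD, hostile))
    print(disabled_lookup_filter(dict(EIUAD, d_filter=AD_DISABLED_FILTER), "blmurphy"))
```

The naive builder turns the crafted name into `(&(objectClass=person)(sAMAccountName=*)(objectClass=*))`, a filter every person entry satisfies; whether that is exploitable depends on what the caller does with a multi-entry result, but escaping at the point where the login name enters the filter removes the question entirely.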

Brian,

In my RT_SiteConfig.pm we use group_attr => 'member' rather than
memberOf. Might be worth a shot.

Andrew Wagner
Assistant Network Administrator
aawagner@wisc.edu
265-5710
Room 370B
Wisconsin Center for Education Research (WCER)
www.wcer.wisc.edu

On 8/29/2011 11:32 AM, Brian Murphy wrote:

Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.

I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"

I would like to use blmurphy as my RT account name. When I execute the above ldapsearch and input the prompted-for password I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxxxx',
        #
        # The LDAP search base
        'base' => 'dc=eiuad,dc=eiu,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(sAMAccountName=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' },
    },
});

----- Original Message -----
From: "Brian Murphy"blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used, so is this a problem? I was assuming the id would exist and just the auth would be done externally.

Brian
----- Original Message -----
From: "Kevin Falcone"falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:

Thanks for the tip on the logging kevin.

Seeing the following, don't know exactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin

----- Original Message -----
From: "Kevin Falcone"falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:

I am trying desperately to get this going and am not seeing that my
externalauth is even being called. I am attaching my RT_SiteConfig.pm
for review. I am a newbie and don't know much about anything RT as
yet. I see very little in my /var/log/messages other than LOGIN failed
for xxxxx from web.pm, so I don't really think my externalauth is
really in play as of yet. Any assistance in getting this going would
be greatly appreciated.

You don’t appear to have turned your logging level up, most useful
logs are at the debug level. LogToScreen is probably the easiest,
because they’ll end up in your apache error log.

-kevin

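Andrew's `member` versus `memberOf` point comes down to where Active Directory stores the link: the group object carries the forward link `member` (a list of user DNs) and the user object carries the back link `memberOf` (a list of group DNs), so a test evaluated against the group entry only finds anything under `member`. The following is an added example, not part of the thread or of the plugin: a small Python lint for the EIUAD block that parses its DNs (catching a `.` typed where a `,` belongs, as in `dc=eiu.dc=edu`, which otherwise yields a silent "User not found") and evaluates the group test against a constructed, AD-shaped in-memory directory. The user DN, the directory contents and the assumption that the group test is a base-scope search rooted at `group` are mine, not documented behaviour of the plugin.

```python
"""Lint an RT::Authen::ExternalAuth LDAP service block before restarting
the web server.

Added example, not part of the thread or the plugin. It runs with no
network: it parses the DNs in the settings and evaluates the group test
against a small constructed directory shaped like Active Directory.
"""
import re

# Constructed from the EIUAD block posted on 8/29 (password omitted).
EIUAD = {
    "base": "dc=eiuad,dc=eiu,dc=edu",
    "filter": "(sAMAccountName=*)",
    "d_filter": "(objectclass=Foo)",
    "group": "CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu",
    "group_attr": "memberOf",
    "attr_map": {"Name": "sAMAccountName"},
}

# Hypothetical user DN: the CN is invented, the OU path is the one the
# debug log in the thread shows as a search base.
USER_DN = ("CN=Brian Murphy,OU=ITS Employees,OU=Employee Accounts,"
           "OU=EIU Users,DC=eiuad,DC=eiu,DC=edu")

# Constructed directory: DN -> attributes, keys lower-cased. AD keeps the
# forward link (member) on the group and the back link (memberOf) on the user.
DIRECTORY = {
    EIUAD["group"].lower(): {"objectclass": ["group"], "member": [USER_DN]},
    USER_DN.lower(): {"objectclass": ["person"],
                      "samaccountname": ["blmurphy"],
                      "memberof": [EIUAD["group"]]},
}

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")   # descriptive types only, no OIDs


def parse_dn(dn):
    """Split a DN on unescaped commas into (type, value) pairs.

    A '.' typed where a ',' belongs (dc=eiu.dc=edu) does not split, so one
    RDN ends up holding a second 'type=' pair; that is reported as an error.
    """
    pairs = []
    for rdn in (r.strip() for r in re.split(r"(?<!\\),", dn)):
        if not _RDN.match(rdn):
            raise ValueError("bad RDN %r in %r" % (rdn, dn))
        rtype, value = rdn.split("=", 1)
        if "=" in value.replace("\\=", ""):
            raise ValueError("RDN %r looks like two RDNs run together; "
                             "check the separators in %r" % (rdn, dn))
        pairs.append((rtype.lower(), value))
    return pairs


def dn_error(dn):
    """Return the parse error for a DN as a string, or None if it parses."""
    try:
        parse_dn(dn)
    except ValueError as err:
        return str(err)
    return None


def group_holds_user(directory, group_dn, group_attr, user_dn):
    """Evaluate (group_attr=user_dn) against the group entry alone, i.e. a
    base-scope search rooted at the group DN. Assumption: that the plugin's
    group test works this way is not confirmed by the thread."""
    entry = directory.get(group_dn.lower(), {})
    return user_dn.lower() in [v.lower() for v in entry.get(group_attr.lower(), [])]


def check_settings(cfg, directory, user_dn):
    """Return a list of problems; an empty list means the block looks sane."""
    problems = []
    for key in ("base", "group"):
        err = dn_error(cfg[key]) if cfg.get(key) else None
        if err:
            problems.append("%s: %s" % (key, err))
    for key in ("filter", "d_filter"):
        flt = cfg.get(key, "")
        if not (flt.startswith("(") and flt.endswith(")")):
            problems.append("%s must be a parenthesised LDAP filter, got %r" % (key, flt))
    if cfg.get("group") and not group_holds_user(directory, cfg["group"],
                                                 cfg["group_attr"], user_dn):
        problems.append("group_attr=%r matches nothing on %s; the group object "
                        "lists its members in 'member'" % (cfg["group_attr"], cfg["group"]))
    return problems


if __name__ == "__main__":
    for problem in check_settings(EIUAD, DIRECTORY, USER_DN):
        print("EIUAD:", problem)
```

Run it once per service block before `perl -c` and the Apache restart; a non-empty list is a reason to stop. On the posted block the only finding is the `group_attr` one, and switching it to `member` clears it, which is Andrew's suggestion expressed as a check rather than a guess.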

I have been trying to do a little debugging.

I am using RT version 4.0.0 and it appears the ExternalAuth I am using is version 0.08, is that versioning a match?

Secondly, I went to ExternalAuth.pm and added a debug statement and it appears as though I am not getting any value passed for $given_user or $given_pass to my external authentication, explaining why it appears that I am not even calling my actual ldap active directory and attempting external auth. I continue to receive:

Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be getting any given_user to work with.

Thanks

Brian

I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.

I now receive the following after I upgraded my RT::Auth::External to 0.09.

[debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 14:32:12 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 14:32:12 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 14:32:12 2011] [debug]: User Check Failed :: ( EIUAD ) blmurphy User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

Anyone have any other pointers for trying to debug this thing?

Thanks.

BrianFrom: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:13:51 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I have been trying to do a little debugging.

I am using RT version 4.0.0 and it appears the ExternalAuth I am using is version 0.08, is that versioning a match?

Secondly, I went to ExternalAuth.pm and added a debug statment and it appears as though I am not getting any value passed for $given_user or $given_pass to my external authentication explaining why it appears that I am not even calling my actual ldap active directory and attempting external auth, I continue to receive:

Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:66)
[Tue Aug 30 14:08:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:94)
[Tue Aug 30 14:08:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

as my only debug messages out of external authentication, it appears to not be getting any given_user to work with.

Thanks

Brian

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Monday, August 29, 2011 11:32:47 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.

I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b “dc=eiuad,dc=eiu,dc=edu” -D “CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu” -h eiuad.eiu.edu -p 389 -W “sAMAccountName=blmurphy”

I would like to use the blmurphy as my RT account name. When I execute the above ldapsearch and input the prompted for password I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth nouser response.

Brian

Set($ExternalSettings, {
# EIUAD Active Directory
‘EIUAD’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
‘server’ => ‘eiuad.eiu.edu’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
‘user’ => ‘CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu’,
# The password RT should use to connect to the LDAP server
‘pass’ => ‘xxxxxxxxx’,
# The LDAP search base
‘base’ => ‘dc=eiuad,dc=eiu,dc=edu’,
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU MUST SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
‘filter’ => ‘(sAMAccountName=)',
# A catch-all example filter: '(objectClass=
)’
# The filter that will only match disabled users
‘d_filter’ => ‘(objectclass=Foo)’,
# A catch-none example d_filter: ‘(objectClass=FooBarBaz)’
# Should we try to use TLS to encrypt connections?
‘tls’ => 0,
# SSL Version to provide to Net::SSLeay if using SSL
‘ssl_version’ => 3,
# What other args should I pass to Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3 ],
# Does authentication depend on group membership? What group name?
‘group’ => ‘CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu’,
# What is the attribute for the group object that determines membership?
‘group_attr’ => ‘memberOf’,
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you can specify… I recommend reducing this
# to just the Name and EmailAddress to save encountering problems later.
‘attr_match_list’ => [ ‘Name’
],
# The mapping of RT attributes on to LDAP attributes
‘attr_map’ => { ‘Name’ => ‘sAMAccountName’
}
}

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm.

The account I am using is already in RT and being used so is this a problem. I was assuming the id would exist and just the auth would be done externally.

Brian

From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Thanks for the tip on the logging kevin.

Seeing the following, don’t know eactly what to make of it.

[Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up.
What do you get after typing your username and password in?

-kevin

----- Original Message -----
From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Wednesday, August 24, 2011 4:18:08 PM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I am trying desperately to get this going and am not seeing that my
externalauth is even being called. I am attaching my RT_SiteConfig.pm
for review. I am a newbie and don’t know much about anything RT as
yet. I see very little in my /var/log/messages other than LOGIN failed
for xxxxx from web.pm, so I don’t really think my externalauth is
really in play as of yet. Any assistance in getting this going would
be greatly appreciated.

You don’t appear to have turned your logging level up, most useful
logs are at the debug level. LogToScreen is probably the easiest,
because they’ll end up in your apache error log.

-kevin

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
#Set(@Plugins,(qw(RT::Extension::ActivityReports)));
Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));

Set( $CorrespondAddress, '' );
Set( $rtname, 'EIU ITS Campus Technology' );
Set( $DatabaseRequireSSL, '' );
Set( $WebPort, '8080' );

Set( $DatabaseType, 'mysql' );

Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'localhost' );

Set( $CommentAddress, '' );
Set($Timezone, "US/Central");
Set($UnsafeEmailCommands, 1);
Set($ParseNewMessageForTicketCcs, 1);
Set($NotifyActor, 1);

Set( $OwnerEmail, '' );
Set( $DatabaseUser, 'rt_user' );
Set( $DatabasePort, '' );
Set( $DatabasePassword, 'RT_pass1-' );
Set( $DatabaseAdmin, 'root' );
Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $Organization, 'ITS' );
1;

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'EIUAD' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'EIUAD' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {    ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'xxxxx.xxx.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'rtauth',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxx',
        #
        # The LDAP search base
        'base' => 'dc=xxxxx,dc=xxx,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectclass=person)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'rt_access',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'memberOf',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
}
);

1;


RT Training Sessions (http://bestpractical.com/services/training.html)

  • Chicago, IL, USA: September 26 & 27, 2011
  • San Francisco, CA, USA: October 18 & 19, 2011
  • Washington DC, USA: October 31 & November 1, 2011
  • Melbourne VIC, Australia: November 28 & 29, 2011
  • Barcelona, Spain: November 28 & 29, 2011


I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.
I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter? Does that OU and Filter work from
ldapsearch?

-kevin

A bit confused about that whole filter thing.

If I specify objectClass=person and the sAMAccountName on the same filter it does not work with ldapsearch. If I use either one by itself, I get back my user record from AD.

Brian

From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:41:57 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.
I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter? Does that OU and Filter work from
ldapsearch?

-kevin

I can do the following with ldapsearch; notice the filter:

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=eiuad,dc=eiu,dc=edu> with scope subtree
# filter: (&(sAMAccountName=blmurphy))
# requesting: ALL
#

# Murphy\2C Brian, ITS Employees, Employee Accounts, EIU USERS, eiuad.eiu.edu
dn: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Murphy, Brian
sn: Murphy
title: Associate Director
description: Information Technology Services
physicalDeliveryOfficeName: Technical Support & Operations
telephoneNumber: 581-7618
givenName: Brian
distinguishedName: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu
instanceType: 4
whenCreated: 20011219230613.0Z
whenChanged: 20110829133938.0Z
displayName: Murphy, Brian
uSNCreated: 43124
info: Associate Director - higher limits allowed
memberOf: CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Outlook SSL Change,OU=GPO Scripting Groups,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Hyperic Administrators,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Global Psynch Helpdesk Staff,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Xythos Users,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITS group for Xythos sharing,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=BannerINBJavaUpdater,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITS PLs Prgmrs,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ITSDEPT,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Tech Support,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Systems & Tech Supt,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Server Ops,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ONORDER,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=ILOM Admins,OU=Infrastructure Management,OU=Groups,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Brian Murphys Group,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Others,OU=EISE Project,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Degree Audit Process Team,OU=EISE Project,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=EIU Faculty and Staff for Citrix Access,OU=Citrix,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=DISASTER,OU=ITS Groups,OU=Business Affairs Resource Sharing Groups,OU=EIU RESOURCE SHARING GROUPS,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=SECURITY,OU=Lumpkin Hall Computer Labs,DC=eiuad,DC=eiu,DC=edu
memberOf: CN=Backup Operators,CN=Builtin,DC=eiuad,DC=eiu,DC=edu
uSNChanged: 12145001
department: Information Technology Services
company: Eastern Illinois University
streetAddress:: U3R1ZGVudCBTZXJ2aWNlcyBCdWlsZGluZw0KQjk=
directReports: CN=Bensley, Brett,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu
directReports: CN=Clayton, Allen,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu
directReports: CN=Wilson, Julie,OU=Net Admin OU,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu
name: Murphy, Brian
objectGUID:: RlmmJv+FGEWZvik8YlZYmw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129495066522016517
lastLogoff: 0
lastLogon: 129591191145074682
logonHours:: ////////////////////////////
pwdLastSet: 129470205541973909
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkDCgJUtYtjLperlb6gMAAA==
adminCount: 1
accountExpires: 0
logonCount: 122
sAMAccountName: blmurphy
sAMAccountType: 805306368
userPrincipalName: blmurphy@eiuad.eiu.edu
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=eiuad,DC=eiu,DC=edu
dSCorePropagationData: 20110809183717.0Z
dSCorePropagationData: 20110803191151.0Z
dSCorePropagationData: 20110628195950.0Z
dSCorePropagationData: 20110525205317.0Z
dSCorePropagationData: 16010714223651.0Z
lastLogonTimestamp: 129590987787492303
mail: blmurphy@eiu.edu

# search reference
ref: ldap://DomainDnsZones.eiuad.eiu.edu/DC=DomainDnsZones,DC=eiuad,DC=eiu,DC=edu

# search reference
ref: ldap://ForestDnsZones.eiuad.eiu.edu/DC=ForestDnsZones,DC=eiuad,DC=eiu,DC=edu

# search reference
ref: ldap://eiuad.eiu.edu/CN=Configuration,DC=eiuad,DC=eiu,DC=edu

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:08:56 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

A bit confused about that whole filter thing.

If I specify objectClass=person and the sAMAccountName on the same filter it does not work with ldapsearch. If I use either one by itself, I get back my user record from AD.

Brian

From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:41:57 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.
I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter? Does that OU and Filter work from
ldapsearch?

-kevin

Yet I am getting the following out of the external auth:

[Tue Aug 30 15:29:48 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:29:48 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:29:48 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu.dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:29:48 2011] [debug]: User Check Failed :: ( EIUAD ) blmurphy User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Aug 30 15:29:48 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:08:56 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

A bit confused about that whole filter thing.

If I specify objectClass=person and the sAMAccountName on the same filter it does not work with ldapsearch. If I use either one by itself, I get back my user record from AD.

Brian

From: “Kevin Falcone” falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 9:41:57 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I am making progress in that I am at least now getting some indication that the code is trying to authenticate my user in my active directory.
I now receive the following after I upgraded my RT::Auth::External to 0.09.

Yes, you must use the newest version (0.09) for it to work with RT4

[Tue Aug 30 14:32:12 2011] [debug]: LDAP Search === Base: ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu.dc=edu == Filter: (&(objectClass=person)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

Is that the right OU and Filter? Does that OU and Filter work from
ldapsearch?

-kevin

I’m guessing your base should have a comma b/w “eiu” and “dc” – I.e.,
“dc=eiuad,dc=eiu,dc=edu”.

–D

On 8/30/11 11:34 AM, “Brian Murphy” blmurphy@eiu.edu wrote:

[Tue Aug 30 15:29:48 2011] [debug]: LDAP Search === Base:
dc=eiuad,dc=eiu.dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs:
sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/
LDAP.pm:304)

Well, sh**! Sometimes the simplest are the most difficult. I was way too close to the forest to see the trees on that one. Having a . instead of the , in my base string was causing me to not be able to find the entry. I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password. Here is what I get in the log. Any ideas? I know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

From: “David Chandek-Stark” david.chandek.stark@duke.edu
To: “Brian Murphy” blmurphy@eiu.edu, rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:41:54 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I’m guessing your base should have a comma b/w “eiu” and “dc” – I.e.,
“dc=eiuad,dc=eiu,dc=edu”.

–D

Complaining about validating the password after locating the user entry.

I am now receiving the following out of the external auth:

[Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 16:15:09 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 16:15:09 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(objectClass=*)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 16:15:09 2011] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 16:15:09 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)(objectClass=*)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 16:15:09 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)

Using the following RT_SiteConfig.pm settings:

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {    ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxxxx!',
        # The LDAP search base
        #'base' => 'ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu,dc=edu',
        'base' => 'dc=eiuad,dc=eiu,dc=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
}
);

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:59:08 AM
Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Well, sh**! Sometimes the simplest are the most difficult. I was way too close to the forest to see the trees on that one. Having a . instead of the , in my base string was causing me to not be able to find the entry. I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password. Here is what I get in the log. Any ideas? I know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

From: “David Chandek-Stark” david.chandek.stark@duke.edu
To: “Brian Murphy” blmurphy@eiu.edu, rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:41:54 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I’m guessing your base should have a comma b/w “eiu” and “dc” – i.e.,
“dc=eiuad,dc=eiu,dc=edu”.

–D

I have actually gotten auth to work through my active directory.

I still have to debug my group membership attribute as that is what was tripping me up this last time. Not real sure how to code it.

Seeing this failure:
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)

I removed the group check from the SiteConfig and now I can login using my external active directory credentials. Anyone have an idea what I might be coding or placing wrong on trying to use the group membership?

Thanks for all your input(s).

Brian

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 11:33:53 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Complaining about validating the password after locating the user entry.

I am now receiving the following out of the external auth:

[Tue Aug 30 16:15:09 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 16:15:09 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 16:15:09 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(objectClass=*)(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 16:15:09 2011] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 16:15:09 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)(objectClass=*)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 16:15:09 2011] [debug]: Found LDAP DN: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 16:15:09 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 16:15:09 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 16:15:09 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 16:15:09 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 16:15:09 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)

Using the following RT_SiteConfig.pm settings:

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'eiuad.eiu.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxxxxxxxx!',
        # The LDAP search base
        #'base' => 'ou=its employees,ou=employee accounts,ou=eiu users,dc=eiuad,dc=eiu,dc=edu',
        'base' => 'dc=eiuad,dc=eiu,dc=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName' }
    }
}
);

From: “Brian Murphy” blmurphy@eiu.edu
To: rt-users@lists.bestpractical.com
Sent: Tuesday, August 30, 2011 10:59:08 AM
Subject: Fwd: [rt-users] rt4 and External Auth to AD 2008 non-ssl

Well, sh**! Sometimes the simplest are the most difficult. I was way too close to the forest to see the trees on that one. Having a . instead of the , in my base string was causing me to not be able to find the entry. I have my filter set to () and am using the sAMAccountName and finding the user account, but now it refuses my password. Here is what I get in the log. Any ideas? I know my password and am using it for other accounts.

[Tue Aug 30 15:48:14 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:14 2011] [debug]: Calling UserExists with $username (blmurphy) and $service (EIUAD) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Tue Aug 30 15:48:14 2011] [debug]: UserExists params:
username: blmurphy , service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Tue Aug 30 15:48:14 2011] [debug]: Password validation required for service - Executing… (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Tue Aug 30 15:48:14 2011] [debug]: Trying external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (&(sAMAccountName=blmurphy)) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Tue Aug 30 15:48:14 2011] [debug]: Found LDAP DN: CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP Search === Base: dc=eiuad,dc=eiu,dc=edu == Filter: (member=CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Tue Aug 30 15:48:14 2011] [info]: EIUAD AUTH FAILED: blmurphy (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Tue Aug 30 15:48:14 2011] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Tue Aug 30 15:48:14 2011] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Tue Aug 30 15:48:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Tue Aug 30 15:48:14 2011] [error]: FAILED LOGIN for blmurphy from 139.67.17.30 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)
[Tue Aug 30 15:48:17 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Aug 30 15:48:17 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Aug 30 15:48:17 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

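As an added illustration (not code from RT or the RT-Authen-ExternalAuth plugin), the script below rebuilds, from a stanza shaped like the EIUAD one above, the three search filters that show up in the debug log and lints the two mistakes that cost time in this thread: a base DN written with '.' instead of ',' and filters not wrapped in parentheses. The stanza subset, the RFC 4515 escaping helper and the lint rules are my own constructions; the filter shapes are copied from the logged searches.

```python
"""Rebuild the LDAP search filters RT::Authen::ExternalAuth logs for an
$ExternalSettings LDAP stanza, and lint the settings that bit this thread.
Added example, not plugin code; filter shapes come from the thread's log."""
import re

# RFC 4515 escaping for values placed inside a filter; a DN or login holding
# ( ) * \ would otherwise change the filter's meaning.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def user_exists_filter(svc, username):
    """UserExists lookup (LDAP.pm:304): (&<filter>(<name attr>=<login>))."""
    attr = svc["attr_map"]["Name"]
    return f"(&{svc.get('filter', '')}({attr}={escape_filter_value(username)}))"

def get_auth_filter(svc, username):
    """GetAuth DN lookup (LDAP.pm:43): (&(<name attr>=<login>)<filter>)."""
    attr = svc["attr_map"]["Name"]
    return f"(&({attr}={escape_filter_value(username)}){svc.get('filter', '')})"

def group_filter(svc, user_dn):
    """Membership check (LDAP.pm:100): (<group_attr>=<user DN>) under 'base'.
    The bound account must be able to read the group's member attribute, or
    the search comes back empty and the log shows only AUTH FAILED."""
    return f"({svc['group_attr']}={escape_filter_value(user_dn)})"

# One RDN: attribute=value, with the value free of unescaped ',' and '='.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"

def lint_settings(svc):
    """Return human-readable problems found in one LDAP service stanza."""
    problems = []
    base = svc.get("base", "")
    # 'dc=eiuad.dc=eiu.dc=edu' (the '.' typo from this thread) is not a DN:
    # it parses as a single RDN whose value contains '='.
    if not re.fullmatch(rf"{_RDN}(,{_RDN})*", base):
        problems.append(f"base {base!r} is not a comma-separated DN")
    for key in ("filter", "d_filter"):
        f = svc.get(key)
        if f is None:
            problems.append(f"{key} is missing; the plugin requires both")
        elif f and not (f.startswith("(") and f.endswith(")")):
            problems.append(f"{key} {f!r} must be enclosed in parentheses")
    if "group" in svc and not svc.get("group_attr"):
        problems.append("group is set but group_attr is missing")
    if svc.get("type") == "ldap" and not svc.get("tls"):
        problems.append("tls is 0: the bind password crosses the wire in clear")
    return problems

# Constructed subset of the thread's EIUAD stanza (bind credentials omitted).
EIUAD = {
    "type": "ldap", "base": "dc=eiuad,dc=eiu,dc=edu",
    "filter": "(objectClass=*)", "d_filter": "(objectclass=Foo)", "tls": 0,
    "group": "CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu",
    "group_attr": "member", "attr_map": {"Name": "sAMAccountName"},
}

if __name__ == "__main__":
    dn = ("CN=Murphy, Brian,OU=ITS Employees,OU=Employee Accounts,"
          "OU=EIU USERS,DC=eiuad,DC=eiu,DC=edu")
    for line in (user_exists_filter(EIUAD, "blmurphy"),
                 get_auth_filter(EIUAD, "blmurphy"), group_filter(EIUAD, dn),
                 *lint_settings(EIUAD)):
        print(line)
```

Running it against the EIUAD stanza prints the same three filters the log shows for blmurphy, plus the warning that the service-account password travels unencrypted while 'tls' is 0.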

There is one bug with the group check. If the user who tries to log in has no rights
in LDAP to see the group, then the check fails and the error in the logs is not very
helpful.

Regards, Ruslan. From phone.
