RT4/ExternalAuth/AD issues:

Hello,

I’ve been staring at this for hours now and I’m not getting anywhere.

CentOS 5.9, RT 4.0.10, RT-Authen-ExternalAuth 0.13

RT is installed and I can connect to it from a browser and log in as root; when I try to log in as a domain user it says my password is wrong.

I’ve got logging enabled (best as I can find out how to…), but I can’t see any LDAP messages, just failed logins.

RT_SiteConfig.pm:

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm
#
# You must restart your webserver after making changes to this file.

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Authen::ExternalAuth)));

Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set( $CommentAddress, 'rt-comment@domain.com' );
Set( $CorrespondAddress, 'rt-correspond@domain.com' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'password' );
Set( $DatabasePort, '' );
Set( $DatabaseRequireSSL, '' );
Set( $DatabaseType, 'mysql' );
Set( $DatabaseUser, 'rt_user' );
Set( $Organization, 'domain.com' );
Set( $OwnerEmail, 'it-support@domain.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, '10.x.x.x' );
Set( $WebPort, '80' );
Set( $rtname, 'domain.com' );

#ExtAuth:

Set($ExternalAuthPriority, [ 'My_LDAP' ]);

Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => { ## GENERIC SECTION
            # The type of service (db/ldap/cookie)
            'type'                      =>  'ldap',
            # The server hosting the service
            'server'                    =>  'ad01.domain.local',
            ## SERVICE-SPECIFIC SECTION
            # If you can bind to your LDAP server anonymously you should
            # remove the user and pass config lines, otherwise specify them here:
            # The username RT should use to connect to the LDAP server
            'user'                      =>  'ad-rt-user',
            # The password RT should use to connect to the LDAP server
            'pass'                      =>  'password',
            # The LDAP search base
            'base'                      =>  'ou=OrgUnit,dc=domain,dc=local',

            # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
            # YOU **MUST** SPECIFY A filter AND A d_filter!!
            # The filter to use to match RT-Users
            'filter'                    =>  '(sAMAccountType=805306368)',
            # A catch-all example filter: '(objectClass=*)'
            # The filter that will only match disabled users
            'd_filter'                  =>  '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',
            # A catch-none example d_filter: '(objectClass=FooBarBaz)'
            # Should we try to use TLS to encrypt connections?
            'tls'                       =>  0,
            # SSL Version to provide to Net::SSLeay *if* using SSL
            'ssl_version'               =>  3,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            'net_ldap_args'             => [    version =>  3   ],
            # Does authentication depend on group membership? What group name?
            'group'                     =>  'RTusers',
            # What is the scope of the group search? (base, one, sub)
            # Optional; defaults to 'base', which is good enough for most cases. 'sub' is appropriate when you have nested groups
            'group_scope'               =>  'base',
            # What is the attribute for the group object that determines membership?
            'group_attr'                =>  'member',
            # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
            #'group_attr_value'          =>  'GROUP_ATTR_VALUE',
            ## RT ATTRIBUTE MATCHING SECTION
            # The list of RT attributes that uniquely identify a user
            # This example shows what you *can* specify.. I recommend reducing this
            # to just the Name and EmailAddress to save encountering problems later.
            'attr_match_list' =>    [       'Name',
                                            'EmailAddress',
                                            'RealName'
                                    ],
            # The mapping of RT attributes on to LDAP attributes
            'attr_map' =>   {       'Name' => 'sAMAccountName',
                                    'EmailAddress' => 'mail',
                                    'RealName' => 'cn',
                                    'ExternalAuthId' => 'sAMAccountName',
                                    'Gecos' => 'sAMAccountName'
                            }
            },
    }

);
1;

Can someone please point me in the right direction, whether it’s more detailed documentation on how to configure AD authentication, or hints as to where I may be going wrong?

Many thanks in advance,

Hi,

Try the following:

            # The username RT should use to connect to the LDAP server
            'user'      =>  'ad-rt-user',

set this to be the LDAP DN, i.e. 'cn=ad-rt-user,ou=OrgUnit,dc=domain,dc=local'

            'filter'                    =>  '(sAMAccountType=805306368)',

I've used (objectClass=user) as my filter.

            # The filter that will only match disabled users
            'd_filter'                  =>  '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',

I've used (objectClass=ThisWillNeverMatch)

            'group'                     =>  'RTusers',

cn=RTusers,ou=OrgUnit,dc=domain,dc=local

Shaineel Singh
e: shain.singh@gmail.com
p: +61 422 921 951
w: http://buffet.shainsingh.com

“Too many have dispensed with generosity to practice charity” - Albert Camus
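Added example, not code from the thread, from RT, or from RT::Authen::ExternalAuth: a stand-alone Perl probe that walks the same LDAP steps the extension's ldap service performs (service bind, user search under base with filter, d_filter check, group membership check, then a bind as the user), so the step that actually fails is reported instead of a generic "wrong password" on the RT login page. Server, base, filters and attribute names are the ones from the posted config; the bind user and group are written as full DNs as suggested above. Assumptions that are not in the thread: the domain controller offers StartTLS on port 389, its CA certificate is at /etc/pki/tls/certs/ad-ca.pem, the environment variable names, and a d_filter reduced to the userAccountControl bit test. The encryption step is there because with 'tls' => 0 and $ExternalServiceUsesSSLorTLS set to 0 the service account password and every user's password cross the network to the domain controller in cleartext.

```perl
#!/usr/bin/perl
# ldap-auth-probe.pl: reproduce, outside RT, the LDAP steps that
# RT::Authen::ExternalAuth's ldap service performs, failing loudly at each.
# Added diagnostic for this thread; not code from RT or the extension.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Taken from the posted RT_SiteConfig.pm; bind user and group as full DNs.
my %cfg = (
    server     => 'ad01.domain.local',
    bind_dn    => 'cn=ad-rt-user,ou=OrgUnit,dc=domain,dc=local',
    base       => 'ou=OrgUnit,dc=domain,dc=local',
    filter     => '(sAMAccountType=805306368)',
    # AD bitwise-AND matching rule on userAccountControl; bit 2 = ACCOUNTDISABLE
    d_filter   => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    group_dn   => 'cn=RTusers,ou=OrgUnit,dc=domain,dc=local',
    group_attr => 'member',
    name_attr  => 'sAMAccountName',                 # attr_map 'Name'
    use_tls    => 1,                                # assumption: StartTLS on 389
    cafile     => '/etc/pki/tls/certs/ad-ca.pem',   # assumption: AD CA cert
);

# Passwords come from the environment, not argv, so they stay out of
# shell history and `ps` output.
my $user    = $ARGV[0];
my $bind_pw = $ENV{RT_LDAP_BIND_PW};
my $user_pw = $ENV{RT_LDAP_USER_PW};
die "usage: RT_LDAP_BIND_PW=... RT_LDAP_USER_PW=... $0 <sAMAccountName>\n"
    unless defined $user && defined $bind_pw && defined $user_pw;

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "step 0: cannot connect to $cfg{server}: $@\n";

# Step 0: encrypt before any bind, and verify the DC's certificate so a
# spoofed DC cannot harvest the passwords sent in the steps that follow.
if ($cfg{use_tls}) {
    my $tls = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
    die "step 0: StartTLS failed: " . $tls->error . "\n" if $tls->code;
}

# Step 1: bind as the service account (RT's 'user'/'pass').
my $sb = $ldap->bind($cfg{bind_dn}, password => $bind_pw);
die "step 1: service bind failed (code " . $sb->code . "): " . $sb->error . "\n"
    if $sb->code;

# Step 2: locate the user as (&(filter)(name_attr=login)). The login is
# escaped so input such as "*" or "x)(cn=*" cannot rewrite the filter.
my $login  = escape_filter_value($user);
my $search = $ldap->search(
    base   => $cfg{base},
    scope  => 'sub',
    filter => "(&$cfg{filter}($cfg{name_attr}=$login))",
    attrs  => [ $cfg{name_attr}, 'mail', 'cn' ],
);
die "step 2: search failed: " . $search->error . "\n" if $search->code;
die "step 2: no entry for $user under $cfg{base} (check base/filter)\n"
    if $search->count == 0;
die "step 2: " . $search->count . " entries match $user; the login must be unique\n"
    if $search->count > 1;
my $entry = $search->entry(0);
my $mail  = $entry->get_value('mail');
printf "step 2: found %s (mail=%s)\n", $entry->dn, defined $mail ? $mail : '-';

# Step 3: d_filter: a disabled account must not get in, whatever the password.
my $dis = $ldap->search(base => $entry->dn, scope => 'base', filter => $cfg{d_filter});
die "step 3: $user is disabled in AD (matches d_filter)\n" if !$dis->code && $dis->count;

# Step 4: group check: the group entry's member attribute must list the user's DN.
my $grp = $ldap->search(
    base   => $cfg{group_dn},
    scope  => 'base',
    filter => "($cfg{group_attr}=" . escape_filter_value($entry->dn) . ")",
    attrs  => ['1.1'],   # DN only, no attribute values
);
die "step 4: group lookup failed: " . $grp->error . "\n" if $grp->code;
die "step 4: $user is not a member of $cfg{group_dn}\n" unless $grp->count;

# Step 5: bind as the user with the supplied password: the real credential test.
my $ub = $ldap->bind($entry->dn, password => $user_pw);
die "step 5: user bind failed (code " . $ub->code . "): " . $ub->error . "\n"
    if $ub->code;
print "OK: $user authenticated and is in the RT group\n";
$ldap->unbind;
```

Run it as `RT_LDAP_BIND_PW=... RT_LDAP_USER_PW=... perl ldap-auth-probe.pl jsmith` on the RT host, as the same user the web server runs as. If step 5 succeeds here while RT still rejects the login, the directory side is fine and the problem is in what RT loads from its configuration rather than in AD; if a step fails, its message names the base, filter or DN to fix.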

Hi Shain,

Hasn’t helped I’m afraid, double checked the settings, restarted Apache, tried to login and same errors received on web site and in logs.

Kind regards,

Hi,

Try the following:

            # The username RT should use to connect to the LDAP server
            'user'      =>  'ad-rt-user',

set this to be the LDAP DN, i.e. 'cn=ad-rt-user,ou=OrgUnit,dc=domain,dc=local'

            'filter'                    =>  '(sAMAccountType=805306368)',

I've used (objectClass=user) as my filter.

            # The filter that will only match disabled users
            'd_filter'                  =>  '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',

I've used (objectClass=ThisWillNeverMatch)

            'group'                     =>  'RTusers',

cn=RTusers,ou=OrgUnit,dc=domain,dc=local

Take a tcpdump of the LDAP traffic to see if its binding properly.

Shain Singh
+61 422 921 951

// sent from mobile device

On 17/05/2013, at 10:51 PM, Duncan Carter <duncan.carter@trustonic.com> wrote:

Hi Shain,

Hasn’t helped I’m afraid, double checked the settings, restarted Apache, tried to login and same errors received on web site and in logs.

Kind regards,


# There should only be one @Plugins declaration in your config file.

#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Authen::ExternalAuth)));

Looks like @Plugins commented out?

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
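Added example, not from the thread or from the extension's own documentation: the posted RT_SiteConfig.pm settings with the changes the thread points at applied. The plugin is listed in @Plugins (the posted line was commented out, so RT 4.0.10 never loaded RT::Authen::ExternalAuth and a domain user's login was checked against RT's own, empty, password store), the bind user and group are full DNs as suggested above, and TLS is switched on so the service account password and user passwords are not sent to the domain controller in cleartext. Values are the ones from the posted config; that the domain controller offers StartTLS and that RT's host trusts its CA are assumptions. The posted 'ssl_version' => 3 asks for SSLv3 and is left out here; check the extension's documentation for the values it accepts before setting it. The d_filter is kept as the AD userAccountControl test rather than a catch-none filter, because the extension uses it to decide whether the matching RT user should be disabled.

```perl
# RT_SiteConfig.pm fragment (added example for this thread; not RT's shipped
# config or the extension's). Only the settings the thread discusses are shown.

# Was commented out in the posted file: with no @Plugins entry the extension
# is never loaded and no LDAP traffic is generated at all.
Set(@Plugins, qw(RT::Authen::ExternalAuth));

Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');

Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# Was 0: every bind, including each user's password, went over the wire in the clear.
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'ad01.domain.local',
        # Full bind DN instead of the bare account name (as suggested in the thread).
        'user'     => 'cn=ad-rt-user,ou=OrgUnit,dc=domain,dc=local',
        'pass'     => 'password',
        'base'     => 'ou=OrgUnit,dc=domain,dc=local',
        # Normal user accounts only.
        'filter'   => '(sAMAccountType=805306368)',
        # Accounts with the ACCOUNTDISABLE bit set; the extension uses this to
        # disable the corresponding RT user, so keep it rather than a catch-none.
        'd_filter' => '(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))',
        # Was 0. Assumes the DC offers StartTLS and its CA is trusted on this host.
        'tls'      => 1,
        'net_ldap_args' => [ version => 3 ],
        # Group as a full DN; membership is read from the group's member attribute.
        'group'      => 'cn=RTusers,ou=OrgUnit,dc=domain,dc=local',
        'group_attr' => 'member',
        # Reduced to the two attributes that identify a user, as the stock
        # comment recommends.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

1;
```

Because this file holds the AD bind password (and the database password), keep it readable only by the user the web server runs as, check it with `perl -c /opt/rt4/etc/RT_SiteConfig.pm` after editing (path assumed), and restart Apache so the new @Plugins list is picked up; the debug log in /var/log/rt should then show LDAP activity on the next login attempt instead of only the failed-login line.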