Hoping someone can point me to where I am going wrong. I have been
trolling the wiki, cpan, this list, and Google for the last couple of
days with no luck so far. Probably something apparent that I’m
missing…
I am after the following behavior:
- A user inside our network and on a machine my company controls
will be auto-logged in via SSO (mod_auth_kerb) - Upon successful SSO login, even if it’s a first time login, the
user info in canonicalized from our LDAP dir (Active Directory) - If the user cannot use SSO, the login fails gracefully back to the
form-based login built in to RT. - If the user successfully authenticates via
RT::Authen::ExternalAuth the user info is again canonicalized even if
it’s a first time login. - If an email is received from a requester, the email is looked up
in LDAP to canonicalize the user info as well. - If the email address does NOT exist in the LDAP directory, go
ahead and create an account anyway using the email address as the
username.
No prob, right??
The basics: RT 4.0.2 from source
server: debian 6.0 (Squeeze)
db: PostgreSQL
Apache2
RT running under modperl
What I have working:
If I have WebExternalAuth turned off, my LDAP connection via
RT::Authen::ExternalAuth is working just fine.
- I have it pointed to our Active Directory server (Server 2008 R2
if it matters). - A user in the directory CAN login via the form based login screen
- If they don’t exist, the user is properly created as desired.
- The user info is also pulled via LDAP via CanonicalizeUserInfo() as desired.
All is well.
If I turn ON $WebExternalAuth (I’m using mod_auth_kerb) I get the
following behavior:
- The user IS logged in with SSO as desired provided they already
have an account. - The user info is NOT canonicalized from the LDAP directory as I
would like. --FAIL– - If the user does not exist, they ARE created, but again, the
user info is NOT canonicalized from the directory. --FAIL– - Also, mod_auth_kerb, does NOT fall back to the form-based login.
It tries to use the KrbPasswd method which I have specifically
disabled. --FAIL–
The message I get in the RT log (via syslog) when a user logs in with
SSO seems to indicate that the user variable is not being set and
passed to the RT::Authen::ExternalAuth extension if I read the error
right. The odd thing to me, is that while the error says SSO is
failing, it most definitely is not. The user is successfully
logged in.
----- error from syslog —
Oct 14 16:41:25 rt RT: Attempting to use external auth service: LDAP_DIR1
Oct 14 16:41:25 rt RT: SSO Failed and no user to test with. Nexting
Oct 14 16:41:25 rt RT: Autohandler called ExternalAuth. Response: (0, No User)
---- info from apache error log ---- (all looks well here, I think?)
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1628): [client
172.27.146.144] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1240): [client
172.27.146.144] Acquiring creds for HTTP/rt.sunnysidehospital.org
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1385): [client
172.27.146.144] Verifying client data using KRB5 GSS-API
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1401): [client
172.27.146.144] Client didn’t delegate us their credential
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1420): [client
172.27.146.144] GSS-API token of length 181 bytes will be sent back
[Fri Oct 14 17:33:54 2011] [debug] src/mod_auth_kerb.c(1534): [client
172.27.146.144] kerb_authenticate_a_name_to_local_name andersjp@SCH.AD
→ andersjp
(Full disclosure, I am also receiving this message on apache startup,
but I believe it is completely unrelated…)
Oct 14 17:33:10 rt RT: The RTAddressRegexp option is not set in the
config. Not setting this option results in additional SQL queries to
check whether each address belongs to RT or not. It is especially
important to set this option if RT recieves emails on addresses that
are not in the database or config.
First, is what I want to do truly possible? Second, can anyone help me
see what I have wrong here?
Apache2 config section:
Redirect everything to https
<VirtualHost *:80>
ServerName rt.sunnysidehospital.org
Redirect permanent / https://rt.sunnysidehospital.org/
Optional apache logs for RT
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug
AddDefaultCharset UTF-8
DocumentRoot "/opt/rt4/share/html"
<Location />
SetHandler modperl
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /opt/rt4/sbin/rt-server
Kerberos for Single Signon with AD
AuthType Kerberos
AuthName "Sunnyside Hospital Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbMethodK4Passwd off # when I uncomment this I get an error
(Invalid command ‘KrbMethodK4Passwd’, perhaps misspelled or
defined by a module not included in the server configuration)
KrbAuthRealms SCH.AD
Krb5KeyTab /etc/apache2/krb5.keytab
KrbServiceName HTTP/rt.sunnysidehospital.org
KrbSaveCredentials off
KrbLocalUserMapping on
require valid-user
Order allow,deny
Allow from all
</Location>
<Perl>
use Plack::Handler::Apache2;
Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
</Perl>
Relevant RT_SiteConfig.pm sections:
Set( $WebExternalAuth, 1 );
Set( $WebFallBackToInternalAuth, 1 );
Set( $WebExternalGecos, undef );
Set( $WebExternalAuto, 1 );
Set( $AutoCreate, Privileged => 0 );
Set( @Plugins, qw(
RT::Authen::ExternalAuth
RT::Extension::JSGantt
RT::Extension::MergeUsers
RT::Extension::PriorityAsString
RT::Extension::ReportSpam )
);
Set( $ExternalAuthPriority,[‘LDAP_DIR1’]);
Set( $ExternalInfoPriority,[‘LDAP_DIR1’]);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { # SCH LDAP Settings
‘LDAP_DIR1’ => { ## GENERIC SECTION
'type' => 'ldap',
'server' => 'dir1.sch.ad',
'user' => 'cn=LDAP Auth,ou=SCH Users,dc=sch,dc=ad',
'pass' => '************',
'base' => 'dc=sch,dc=ad',
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU **MUST** SPECIFY A filter AND A d_filter!!
# The filter to use to match RT-Users
'filter' => '(mail=*)(sAMAccountType=805306368)',
# The filter that will only match disabled users
'd_filter' =>
‘(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)’,
'tls' => 0,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3 ],
#'group' => 'GROUP',
#'group_attr' => 'GROUP_ATTR',
'attr_match_list' => [ 'Name',
'EmailAddress'
],
# The mapping of RT attributes on to LDAP attributes
'attr_map' => { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'department',
'RealName' => 'cn',
'ExternalAuthId' => 'sAMAccountName',
'WorkPhone' => 'telephoneNumber',
'MobilePhone' => 'mobile',
'Address1' => 'streetAddress',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co'
}
}
}
);
FYI, I have tested my ldap filters with ldapsearch and run them
exactly as RT puts them together (according to the logs) and can
successfully return info for both my users filter and my disabled
users filter.
Thanks in advance for the help! (And my sincere apologies for the
short novel I had to write here.)
-John Andersen