User Authentication with Active Directory

Hi Team
I am using “RT 4.4.2” on “CentOS Linux release 7.3.1611”.
I am trying to get user authentication via Windows Active Directory but somehow am not able to succeed.

I also tried installing “RT::Authen::ExternalAuth” but it gives the below error:
Error: Your installed version of RT (4.4.2) is too new; this extension only works with versions older than 4.4.0.

So, ignoring the above error and assuming ExternalAuth is supported by default in this latest version, I followed the settings provided on an internet site. Below is my RT_SiteConfig.pm file for your reference. Let me know in case any more information is needed.

RT_SiteConfig.pm file for reference.

Set( $CommentAddress, 'a@abc.com' );
Set( $CorrespondAddress, 'a@abc.com' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'xxxxxxx' );
Set( $DatabasePort, '' );
Set( $DatabaseType, 'SQLite' );
Set( $DatabaseUser, 'rt_user' );
Set( $Organization, 'tkt-01' );
Set( $OwnerEmail, 'b@abc.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, 'tkt-01' );
Set( $WebPort, '80' );
Set( $rtname, 'tkt-01' );

# LDAP Configurations

# LDAP Authentication

Set( @Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));

# LDAP USER IMPORT

Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPHost, 'activedirectory.abc.com');
Set($LDAPUser, 'activedirectory\LDAPBind');
Set($LDAPPassword, 'xxxxxxxx');

# my base OU for users, yours will probably differ
Set($LDAPBase, 'ou=Users,dc=abc,dc=com');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'cn',
    NickName       => 'givenName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    MobilePhone    => 'mobile',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
});
1;

Don’t ignore the warning: “RT::Authen::ExternalAuth” is now in core.
Remove the plugin line, but leave the configuration.

Hi Jeff

Thanks for the reply. When you say:

  1. "Don’t ignore the warning: “RT::Authen::ExternalAuth” is now in core."
    Do you mean I need to install “RT::Authen::ExternalAuth” anyway?

  2. Remove the plugin line, but leave the configuration.
    Remove the below line:
    Set( @Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));

And keep
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPHost, 'activedirectory.abc.com');
Set($LDAPUser, 'activedirectory\LDAPBind');
Set($LDAPPassword, 'xxxxxxxx');
Set($LDAPBase, 'ou=Users,dc=abc,dc=com');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'cn',
    NickName       => 'givenName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    MobilePhone    => 'mobile',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
});
1;

Is this what you want me to do?

Yes. Both RT::Authen::ExternalAuth and RT::Extension::LDAPImport are now bundled in RT (see lib/RT/Authen/ExternalAuth.pm and lib/RT/LDAPImport.pm).
There are further details in docs/authentication.pod and docs/UPGRADING-4.4.
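For readers following the same upgrade path, here is an added example (not from Jeff's reply or the RT project itself) of what the core ExternalAuth configuration in RT 4.4 looks like, as documented in docs/authentication.pod. The $LDAP* keys shown elsewhere in this thread only drive the rt-ldapimport user import; interactive login against Active Directory is configured through $ExternalSettings. Hostnames, the bind account, the password and the base DN below are placeholders, and the ldaps:// server form assumes the directory exposes LDAP over TLS on 636.

```perl
# Added example of RT 4.4 core ExternalAuth settings for RT_SiteConfig.pm.
# No Plugin()/@Plugins line is needed for RT::Authen::ExternalAuth in 4.4.
# All host, account, password and DN values are placeholders.

# Which external sources to try for login, and for user-info lookup, in order.
Set($ExternalAuthPriority, [ 'My_AD' ]);
Set($ExternalInfoPriority, [ 'My_AD' ]);

Set($ExternalSettings, {
    'My_AD' => {
        'type'   => 'ldap',
        # LDAP over TLS; plain 'activedirectory.example.com' would bind in clear text.
        'server' => 'ldaps://activedirectory.example.com',
        # Service account used for the lookup bind; AD accepts DOMAIN\user,
        # user@domain.example.com (UPN) or a full DN here.
        'user'   => 'EXAMPLEDOM\\ldapbind',
        'pass'   => 'REPLACE_WITH_BIND_PASSWORD',
        'base'   => 'ou=Users,dc=example,dc=com',
        # Only accounts matching this filter may log in.
        'filter' => '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        # Accounts matching d_filter are treated as disabled in RT.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'net_ldap_args' => [ version => 3 ],
        # RT fields that must match the LDAP record for the login to be accepted.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT user field => LDAP attribute, same shape as $LDAPMapping for the importer.
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'Organization'   => 'department',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
});

# Create RT users automatically on first successful external login.
Set($AutoCreateNonExternalUsers, 0);
Set($AutoCreate, { Privileged => 1 });
```

The userAccountControl bit-match filter (OID 1.2.840.113556.1.4.803 with value 2) is the standard AD way to exclude disabled accounts; without it a disabled directory account with a still-valid password would be accepted by the bind. Restart the web server after changing RT_SiteConfig.pm, and keep the file readable only by the RT web user since it carries the bind password.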

Hi Jeff

I installed both the plugins “RT::Authen::ExternalAuth” and “RT::Extension::LDAPImport” and updated RT_SiteConfig.pm as shown below, but now it is giving me “Internal Server Error” on the web page with the below error logs:

[root@tktmum-01 ~]# tail -f /var/log/httpd/error_log
[3491] [Fri Sep 1 14:39:54 2017] [warning]: DBI connect(‘dbname=rt4;host=localhost’,‘rt_user’,…) failed: Access denied for user ‘rt_user’@‘localhost’ (using password: YES) at /usr/local/share/perl5/DBIx/SearchBuilder/Handle.pm line 105. (/usr/share/perl5/vendor_perl/Carp.pm:102)
WARNING: RT couldn’t start up a web server on port 80.
This is often the case if the port is already in use or you’re running /opt/rt4/sbin/rt-server.fcgi
as someone other than your system’s “root” user. You may also specify a
temporary port with: /opt/rt4/sbin/rt-server.fcgi --port
[Fri Sep 01 10:39:55.540236 2017] [fcgid:warn] [pid 3453] (104)Connection reset by peer: [client 1.1.1.143:38805] mod_fcgid: error reading data from FastCGI server
[Fri Sep 01 10:39:55.540363 2017] [core:error] [pid 3453] [client 1.1.1.143:38805] End of script output before headers: rt-server.fcgi
[Fri Sep 01 10:39:55.557517 2017] [authz_core:error] [pid 3455] [client 1.1.1.143:38806] AH01630: client denied by server configuration: /opt/rt4/share/html/favicon.ico

I already granted permissions to rt_user via MySQL.

My RT_SiteConfig.pm file:
#Set( @Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));
Set( $LDAPCreatePrivileged, 1);
Set( $LDAPUpdateUsers, 1);
Set( $LDAPHost, 'mf-ad.vfx.net');
Set( $LDAPUser, 'mf-ad\LDAPBind');
Set( $LDAPPassword, 'fgrejau3');
Set( $LDAPBase, 'ou=Users,dc=vfx,dc=net');
Set( $LDAPFilter, '(&(objectClass=person))');
Set( $LDAPMapping, {
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'cn',
    NickName       => 'givenName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    MobilePhone    => 'mobile',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
});
1;

rt.conf for your reference:
AddDefaultCharset UTF-8
Alias /rt/NoAuth/images /opt/rt4/share/html/NoAuth/images/
ScriptAlias /rt /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
<Location /rt>
    Require all granted
    Options +ExecCGI
    AddHandler fcgid-script fcgi
</Location>

Is there anything still missing in this file?

Hi

I somehow managed to overcome the above-mentioned error, but when I try to import the LDAP database it is giving me the below error now.

/opt/rt4/local/plugins/RT-Extension-LDAPImport/bin/rtldapimport --import > ldapimport.debug 2>&1

less ldapimport.debug
[17164] [Sat Sep 2 06:11:01 2017] [warning]: RT::Extension::LDAPImport has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/lib/RT.pm:754)
[17164] [Sat Sep 2 06:11:01 2017] [warning]: RT::Extension::LDAPImport has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/lib/RT.pm:754)
Starting import
[17164] [Sat Sep 2 06:11:02 2017] [error]: LDAP bind failed 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^@ (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1579)
LDAP bind failed 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^@
[17164] [Sat Sep 2 06:11:02 2017] [error]: fetching an LDAP connection failed (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1579)
fetching an LDAP connection failed
Starting group import
[17164] [Sat Sep 2 06:11:02 2017] [warning]: Not running a group import, configuration not set (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1587)
Not running a group import, configuration not set
Finished import

My RT_SiteConfig.pm looks like this:
Plugin('RT::Authen::ExternalAuth');
Set( @Plugins, qw(RT::Authen::ExternalAuth RT::Extension::LDAPImport));
Set($CommentAddress, 'data@xyz.com' );
Set($CorrespondAddress, 'data@xyz.com' );
Set($DatabaseHost, '1.1.1.116' );
Set($DatabaseName, 'rt4' );
Set($DatabasePassword, 'xxxxxxxx' );
Set($DatabasePort, '' );
Set($DatabaseType, 'mysql' );
Set($DatabaseUser, 'rt_user' );
Set($Organization, 'tkt-01' );
Set($OwnerEmail, 'abc@xyz.com' );
Set($SendmailPath, '/usr/sbin/sendmail' );
Set($WebDomain, 'tkt-1' );
Set($WebPort, '80' );
Set($WebPath, '/rt' );
Set($rtname, 'tkt-01' );
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
#Set($LDAPHost, 'activedirectorydomain.net');
Set($LDAPHost, 'ldaps://activedirectorydomain.net');
Set($LDAPUser, 'activedirectorydomain.net\ldapbind');
Set($LDAPPassword, 'xxxxxxxx');
Set($LDAPBase, 'ou=Users,dc=vfx,dc=net');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'cn',
    NickName       => 'givenName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    MobilePhone    => 'mobile',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
});
1;

Hello Sachin,

It is good to see you’ve made some progress. You should begin troubleshooting from the following line:

AcceptSecurityContext error, data 525, v1772^@ (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1579)
LDAP bind failed 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^@

Check your LDAP credentials, and failing that check your AD security settings.
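To make that check concrete, here is an added example script (not from Jeff's reply or the RT code base) that performs the same simple bind and search that rt-ldapimport performs, using the Net::LDAP module RT already depends on, and decodes the Active Directory "data NNN" sub-code that follows "AcceptSecurityContext error". Those sub-codes are documented Windows logon status values: data 525 means the bind identity was not found, and data 52e means the account exists but the password was rejected, so the line quoted above points at the bind account name rather than at RT. The host, bind identity, password and base DN in the script are placeholders to be replaced with the values from RT_SiteConfig.pm.

```perl
#!/usr/bin/perl
# Added example: reproduce RT's LDAP bind outside RT and explain the AD
# sub-code, so a failed rt-ldapimport run can be traced to the service
# account. Assumes Net::LDAP (an RT dependency) and placeholder settings.
use strict;
use warnings;
use Net::LDAP;

my %cfg = (
    host   => 'ldaps://activedirectory.example.com',   # as $LDAPHost (placeholder)
    user   => 'EXAMPLEDOM\\ldapbind',                  # as $LDAPUser: NetBIOS\user, UPN or DN
    pass   => 'REPLACE_WITH_BIND_PASSWORD',            # as $LDAPPassword (placeholder)
    base   => 'ou=Users,dc=example,dc=com',            # as $LDAPBase (placeholder)
    filter => '(&(objectClass=person))',               # as $LDAPFilter
);

# Well-known AD AcceptSecurityContext sub-codes (hex, as printed in the error).
my %ad_data = (
    '525' => 'user not found: the bind identity does not resolve to an account',
    '52e' => 'invalid credentials: account found, password rejected',
    '530' => 'logon not permitted at this time (logon hours)',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Extract "data NNN" from an AD error string; returns (code, meaning) or ().
sub decode_ad_error {
    my ($text) = @_;
    return () unless $text =~ /AcceptSecurityContext error, data ([0-9a-f]+)/i;
    my $code = lc $1;
    return ($code, $ad_data{$code} // 'unrecognised sub-code');
}

# Bind and search the way the importer does; returns 1 on success, 0 on failure.
sub check_bind {
    my $ldap = Net::LDAP->new($cfg{host}, version => 3)
        or die "cannot connect to $cfg{host}: $@\n";

    my $mesg = $ldap->bind($cfg{user}, password => $cfg{pass});
    if ($mesg->code) {
        my ($code, $why) = decode_ad_error($mesg->error);
        printf "bind failed (LDAP result %d): %s\n", $mesg->code, $mesg->error;
        printf "AD sub-code %s => %s\n", $code, $why if $code;
        $ldap->unbind;
        return 0;
    }

    # A small sizelimit keeps the probe cheap; AD answers code 4 if more exist.
    my $res = $ldap->search(
        base      => $cfg{base},
        filter    => $cfg{filter},
        attrs     => ['sAMAccountName'],
        sizelimit => 5,
    );
    printf "bind ok; search returned %d entries (result code %d)\n",
        $res->count, $res->code;
    $ldap->unbind;
    return 1;
}

# The log line from this thread decodes to "user not found".
my ($code, $why) = decode_ad_error(
    'LDAP bind failed 80090308: LdapErr: DSID-0C0903AA, comment: '
  . 'AcceptSecurityContext error, data 525, v1772');
print "$code: $why\n";

exit(check_bind() ? 0 : 1);
```

Run it as the same Unix user that runs rt-ldapimport so the same trust store and network path are exercised. A "user not found" result is worth comparing against the bind identity format: the earlier configuration in this thread used a NetBIOS-style `DOMAIN\user` value, whereas the latest one prefixes the DNS domain name, and AD resolves `DOMAIN\user` against the NetBIOS domain name, `user@domain` as a UPN, or a full distinguished name. Once the bind succeeds, a zero-entry search points at $LDAPBase or $LDAPFilter rather than at credentials.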