>-----Original Message-----
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 10 May 2010 12:54
>To: Julian Grunnell
>Cc: rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>> Hi - hoping someone can help me, I'm trying to get the
>> RT::Authen::ExternalAuth plugin to work so I can use LDAP for
>> authentication. Just using mysql at the moment, so want to keep this as
>> well. Running RT 3.8.5 on Centos, I'd like mysql auth first and then
>> LDAP next. I've managed to configure this without any errors and my
>> mysql authentication still works after a httpd restart. However LDAP
>> auth never works, I'm not that familiar with LDAP so am hoping if I
>> provide my config and rt.log below someone might be able to point me in
>> the right direction:
>
>Looks like the whole thing is dying during the MySQL check.
>
>1. Provide the whole config
>2. Are you sure you're supposed to be using ExternalAuth for MySQL auth?
>Are you actually using it to check against an external MySQL source, or
>are you trying to use MySQL to check RT's own database?
The whole config is:

##
## Local settings - overrides RT_Config.pm
##
Set($WebBaseURL, "https://xxx.xxx.xxx");
Set($rtname, 'xxx');
Set($Organization , "xxx");
Set($MinimumPasswordLength , "8");
Set($OwnerEmail , 'jul...@xxx.xxx');
Set($SMTPFrom, 'supp...@xxx.xxx');
Set($Timezone , 'GB/London');
Set($UsernameFormat, 'concise');
Set($OldestTransactionsFirst, '0');
Set($SenderMustExistInExternalDatabase);
Set($LogToSyslog , 'debug');
Set($UseFriendlyFromLine, 0);
Set($WebDomain, 'xxx.xxx.xxx');
Set($WebDefaultStylesheet, '3.5-default');
Set($WebPort, 443);
Set($MaxInlineBody, 148000);

## Display Webfusion logo / link ##
Set($WebImagesURL , $WebPath . "/NoAuth/images/"); # need this for below
Set($LogoURL, $WebImagesURL . "xxx-logo.png");
Set($LogoLinkURL, 'http://xxx.xxx.xxx');
Set($LogoImageURL, $WebImagesURL . "xxx.xxx.png");
Set($LogoAltText, "xxx");

# {{{ Logging
Set($LogToSyslog ,'critical');
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/opt/rt3/var/log/rt3');
Set($LogToFileNamed , "rt.log"); #log to rt.log

#Set(@Plugins,(qw(RT::Extension::SLA)));
#Set( %ServiceAgreements,
#    Default => '4h',
#    QueueDefault => {
#        'General' => '4h',
#    },
#    Levels => {
#        '2h' => {
#            StartImmediately => 1,
#            Resolve => { RealMinutes => 60*2 } },
#        '4h' => {
#            StartImmediately => 1,
#            Resolve => { RealMinutes => 60*4 } },
#    },
#);
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));

## MySQL / LDAP Configuration
#
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_MySQL', 'My_LDAP' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'My_MySQL', 'My_LDAP' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'db',
        # The server hosting the service
        'server' => 'resolver-db.xxx.com',
        ## SERVICE-SPECIFIC SECTION
        # The database name
        'database' => 'rt3',
        # The database table
        'table' => 'Users',
        # The user to connect to the database as
        'user' => 'root',
        # The password to use to connect with
        'pass' => 'xxx',
        # The port to use to connect with (e.g. 3306)
        'port' => '3306',
        # The name of the Perl DBI driver to use (e.g. mysql)
        'dbi_driver' => 'mysql',
        # The field in the table that holds usernames
        'u_field' => 'Name',
        # The field in the table that holds passwords
        'p_field' => 'Password',
        # The Perl package & subroutine used to encrypt passwords
        # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
        # function, then you will need Crypt::MySQL::password, but for the
        # MySQL4+ password function you will need Crypt::MySQL::password41
        # Alternatively, you could use Digest::MD5::md5_hex or any other
        # encryption subroutine you can load in your perl installation
        'p_enc_pkg' => 'Crypt::MySQL',
        'p_enc_sub' => 'password41',
        # If your p_enc_sub takes a salt as a second parameter,
        # uncomment this line to add your salt
        #'p_salt' => 'SALT',
        #
        # The field and values in the table that determines if a user should
        # be disabled. For example, if the field is 'user_status' and the values
        # are ['0','1','2','disabled'] then the user will be disabled if their
        # user_status is set to '0','1','2' or the string 'disabled'.
        # Otherwise, they will be considered enabled.
        # 'd_field' => 'disabled',
        # 'd_values' => ['0'],
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Gecos', 'Name' ],
        # The mapping of RT attributes on to field names
        'attr_map' => {
            'Name' => 'username',
            'EmailAddress' => 'email',
            'ExternalAuthId' => 'username',
            'Gecos' => 'userID'
        }
    },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => '172.17.2.1',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'ldap-rt',
        # The password RT should use to connect to the LDAP server
        'pass' => 'xxx',
        #
        # The LDAP search base
        'base' => 'ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectClass=User)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        }
    }
});
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
1;

So at present users are just authenticating against RT's own DB for user access. What I'd like to do is keep this but also have LDAP. The reason being users now have multiple usernames / passwords for different services we run and I want to use LDAP as a way to simplify this - BUT in order for this to be done I also need to be able to keep the MySQL access for now and not break RT for all the users.
The RT DB is on a different physical server, and since I could still log in with my usual (mysql) credentials after restarting httpd with the config above, I assumed that at least part of it was working - is this not the case? Thanks.
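An added example, not from this thread and not the plugin's own code, that models the $ExternalAuthPriority rule stated in the config comments: services are tried in the listed order and the first one that confirms the credentials wins. The 'db' backend hashes with the MySQL 4.1+ PASSWORD() scheme that Crypt::MySQL::password41 computes; the user tables and the LDAP stub are constructed sample data, and the service names are those from the config above.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

def mysql_password41(password: str) -> str:
    """MySQL 4.1+ PASSWORD() hash, the scheme Crypt::MySQL::password41 computes:
    '*' followed by the upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed sample data standing in for the two backends (not real accounts).
DB_ROWS = {"alice": mysql_password41("alice-pass")}   # u_field -> p_field
LDAP_ENTRIES = {"bob": "bob-pass"}                     # bind succeeds on match

def db_check(user: str, password: str) -> bool:
    """type => 'db' service: hash the supplied password with p_enc_sub and
    compare it against the stored p_field value in constant time."""
    stored = DB_ROWS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, mysql_password41(password))

def ldap_check(user: str, password: str) -> bool:
    """type => 'ldap' service, stubbed: a real service would search with
    'filter' under 'base' and then bind as the found DN with the password."""
    return LDAP_ENTRIES.get(user) == password

SERVICES: Dict[str, Callable[[str, str], bool]] = {
    "My_MySQL": db_check,
    "My_LDAP": ldap_check,
}

def external_auth(user: str, password: str, priority: List[str],
                  services: Dict[str, Callable[[str, str], bool]]) -> Optional[str]:
    """Walk $ExternalAuthPriority in order; return the name of the first
    service that confirms the credentials, or None if none does. Recording
    the confirming service is what shows which backend a login came from."""
    for name in priority:
        if services[name](user, password):
            return name
    return None

if __name__ == "__main__":
    prio = ["My_MySQL", "My_LDAP"]
    for u, p in (("alice", "alice-pass"), ("bob", "bob-pass"), ("bob", "wrong")):
        print(u, "->", external_auth(u, p, prio, SERVICES))
```

Swapping the order of the priority list does not change which service confirms a user that only one backend knows; it only changes which backend is asked first.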