-- Julian Grunnell
>-----Original Message-----
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 13 May 2010 13:56
>To: Julian Grunnell
>Cc: rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>>> -----Original Message-----
>>> From: Mike Peachey [mailto:mike.peac...@jennic.com]
>>> Sent: 10 May 2010 12:54
>>> To: Julian Grunnell
>>> Cc: rt-users@lists.bestpractical.com
>>> Subject: Re: [rt-users] RT & mysql / LDAP Auth
>>>
>>
>> So at present users are just authenticating against RT's own DB for user
>> access. What I'd like to do is keep this but also have LDAP. The reason
>> being users now have multiple usernames / passwords for different
>> services we run and I want to use LDAP as a way to simplify this - BUT
>> in order for this to be done I also need to be able to keep the MySQL
>> access for now and not break RT for all the users.
>>
>> The RT DB is on a different physical server and the fact that after I
>> restarted httpd with the config above and could still login with my
>> usual (mysql) credentials assumed that at least part of it was working -
>> is this not the case?
>
>No, you've misunderstood and it has massively complicated your debugging
>of the situation.
>
>ExternalAuth *only* adds to the available authentication mechanisms. It
>does not replace RT's own. The use of ExternalAuth MySQL authentication
>is if you want to be able to authenticate against some other MySQL
>source such as a custom website database or the database of another
>web-application. This is /in addition/ to checking against RT's own
>internal database (whether this is hosted locally or not).
>
>So, authentication happens in this order:
>
>1. ExternalAuth
>2. RT-Internal
>
>And you can have as many ExternalAuth sources as you wish.
>
>
>For your setup, what you want is to only specify the LDAP source which
>is then checked for a valid user. If there's no user in LDAP, RT's
>internal DB will be checked.
>--
>Kind Regards,
>

Right, thanks - that makes sense now. I misunderstood the use of this and thought you had to define ALL the authentication methods you wanted to use.

So I have removed the MySQL section completely from the config and tried again with different results. Using my LDAP credentials I still get "Your username or password is incorrect" BUT RT has created me as a user, the "Let this user be granted rights" box is unchecked and I'm NOT a member of any Groups.

The logs created when this was done are:

[Fri May 14 08:22:41 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Fri May 14 08:22:41 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Fri May 14 08:22:41 2010] [debug]: UserExists params: username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Fri May 14 08:22:41 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri May 14 08:22:41 2010] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri May 14 08:22:41 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Fri May 14 08:22:41 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: julian.grunn...@webfusion.com, ExternalAuthId: jgrunnell, Gecos: jgrunnell, Name: jgrunnell, Organization: Leeds, Privileged: 0, RealName: Julian Grunnell, State: , WorkPhone: 0208 587 7212, Zip: (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Fri May 14 08:22:41 2010] [debug]: About to think about scrips for transaction #30149954 (/opt/rt3/bin/../lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [debug]: About to think about scrips for transaction #30149955 (/opt/rt3/bin/../lib/RT/Transaction_Overlay.pm:163)
[Fri May 14 08:22:42 2010] [info]: Autocreated external user jgrunnell ( 8078757 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
[Fri May 14 08:22:42 2010] [debug]: Loading new user ( jgrunnell ) into current session (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:138)
[Fri May 14 08:22:42 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Fri May 14 08:22:42 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(sAMAccountName=jgrunnell)(objectClass=User)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Fri May 14 08:22:42 2010] [debug]: Found LDAP DN: CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:116)
[Fri May 14 08:22:42 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Fri May 14 08:22:42 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Fri May 14 08:22:42 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Fri May 14 08:22:42 2010] [error]: FAILED LOGIN for jgrunnell from 212.103.233.1 (/opt/rt3/share/html/autohandler:268)

So making some progress, but not quite there.

Thanks.
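
Added example, not part of the original thread and not RT or RT-Authen-ExternalAuth code: a small triage script run over a condensed copy of the log above. It flags LDAP filter attribute names that are not valid RFC 4512 attribute descriptions (an underscore is not permitted) and accounts that were autocreated during a login attempt that was then rejected; the function name and report keys are hypothetical.

```python
import re

# Condensed from the log quoted in the message above (Attrs and file paths shortened).
SAMPLE_LOG = """\
[Fri May 14 08:22:41 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,mail (LDAP.pm:304)
[Fri May 14 08:22:42 2010] [info]: Autocreated external user jgrunnell ( 8078757 ) (ExternalAuth.pm:132)
[Fri May 14 08:22:42 2010] [debug]: LDAP Search === Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) == Attrs: dn (LDAP.pm:100)
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (LDAP.pm:116)
[Fri May 14 08:22:42 2010] [debug]: LDAP password validation result: 0 (ExternalAuth.pm:334)
[Fri May 14 08:22:42 2010] [error]: FAILED LOGIN for jgrunnell from 212.103.233.1 (autohandler:268)
"""

ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\]: (.*)$")
FILTER = re.compile(r"Filter: (\(.*\)) == Attrs:")
ASSERTION = re.compile(r"\(([^()=~<>]+)[~<>]?=")  # attribute name of each filter item
# RFC 4512 attribute description: descriptor or numeric OID, plus optional ;options.
VALID_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$")
SEARCH_FAIL = re.compile(r"failed: (LDAP_\w+) (\d+)")
AUTOCREATE = re.compile(r"Autocreated external user (\S+)")
FAILED_LOGIN = re.compile(r"FAILED LOGIN for (\S+) from (\S+)")

def triage(log_text):
    """Summarise one ExternalAuth login attempt from RT debug log lines."""
    report = {"bad_filter_attrs": [], "search_errors": [],
              "autocreated": [], "failed_logins": []}
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # skip wrapped or foreign lines
        _ts, level, msg = entry.groups()
        if (m := FILTER.search(msg)):
            for attr in ASSERTION.findall(m.group(1)):
                if not VALID_ATTR.match(attr) and attr not in report["bad_filter_attrs"]:
                    report["bad_filter_attrs"].append(attr)
        elif level == "critical" and (m := SEARCH_FAIL.search(msg)):
            report["search_errors"].append(m.group(1))
        elif (m := AUTOCREATE.search(msg)):
            report["autocreated"].append(m.group(1))
        elif (m := FAILED_LOGIN.search(msg)):
            report["failed_logins"].append(m.groups())
    failed = {user for user, _ip in report["failed_logins"]}
    # Accounts that now exist in RT although the same login attempt was rejected.
    report["created_but_rejected"] = sorted(failed & set(report["autocreated"]))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports GROUP_ATTR as the invalid attribute name in the group search and jgrunnell as an account created by a login that was rejected.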