sure

'filter' => '(&(ObjectCategory=User))',
'd_filter' => '(userAccountControl=514)',

[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:39:08 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:39:08 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

> Can you remove the d_filter you have? It's different than what I have
> 'd_filter' => '(userAccountControl=514)',
>
> Jason Ledford
> Systems Analyst
> The Biltmore Company
> One North Pack Square
> Asheville, NC 28801
> (828) 225-6127
> ________________________________________
> From: rt-users-boun...@lists.bestpractical.com
> [rt-users-boun...@lists.bestpractical.com] On Behalf Of Val Polyakov
> [...@polyakov.me]
> Sent: Monday, September 27, 2010 1:19 PM
> To: John Alberts
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] ldap externalauth problem
>
> ldapsearch works, I can find myself using:
>
> ldapsearch -LLL -x -H ldap://ADserver:389 -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>
>
> I also turned on debug logging for externalauth, and here's what I see in
> the log.
> the password I'm providing is correct, it seems to be able to find
> my account, but then I get an auth failure.. why ? :/
>
>
> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
> [Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Mon Sep 27 17:11:18 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (&(&(ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
> [Mon Sep 27 17:11:18 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
> [Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter: (&(sAMAccountName=polyva)(&(ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
> [Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
> [Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> [Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
> [Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
> [Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
>
>> Val,
>> Have you verified that ldapsearch works for you on this box?
>>
>> I used something like this to test:
>>
>> ldapsearch -LLL -x -H ldap://<ldap server>:389 -b 'DC=corp,DC=something,DC=com' -D 'ldapu...@corp.something.com' -w '<ldapuser password>' '(&(ObjectClass=Person)(cn=<username to search for>))'
>>
>> I had to request from our Windows AD guys to allow the ldapuser to be able
>> to read all user information. I also had to have them open the firewall
>> to our server, because by default, they only allow certain servers to
>> query the AD servers.
>>
>> John
>>
>>
>> On 09/27/2010 10:14 AM, Val Polyakov wrote:
>>
>> Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate AD.
>>
>> I followed this guide here:
>> http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>
>> I also checked that apache has access to over here (RT-Authen-ExternalAuth
>> dir was chgrp -R'ed and chmod -R 770'ed):
>>
>> [r...@rt plugins]# pwd
>> /opt/rt3/local/plugins
>> [r...@rt plugins]# ls -ltr
>> total 4
>> drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
>> [r...@rt plugins]# ps awwwux |grep httpd
>> root      2313  0.1  4.1 348008 83360 ?        Ss   10:32   0:02 /usr/sbin/httpd
>> apache    2317  0.0  4.1 350272 82612 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2318  0.0  4.1 350272 82616 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2319  0.0  4.0 348204 82216 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2320  0.0  4.1 350272 82684 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2321  0.0  4.1 350928 83388 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2322  0.0  4.1 350272 82616 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2323  0.0  4.1 350272 82616 ?        S    10:32   0:00 /usr/sbin/httpd
>> apache    2324  0.0  4.1 350668 83172 ?        S    10:32   0:00 /usr/sbin/httpd
>> root      3537  0.0  0.0  61148   708 pts/0    R+   11:06   0:00 grep httpd
>> [r...@rt plugins]#
>>
>> When I set this up and tried to login with my AD account for the first
>> time, here's what I saw in /var/log/httpd/error_log :
>>
>>
>> [r...@rt autohandler]# tail -f /var/log/httpd/error_log
>> [Mon Sep 27 14:32:29 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 101 Truman Avenue, City: Yonkers, Country: United States, Disabled: 0, EmailAddress: vpolya...@consumer.org, ExternalAuthId: POLYVA, Gecos: POLYVA, Name: POLYVA, Organization: 1-8D, Privileged: 0, RealName: Polyakov, Valeriy, State: NY, WorkPhone: (914) 378-2577, Zip: 10703 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>> [Mon Sep 27 14:32:29 2010] [info]: Autocreated external user POLYVA ( 36 ) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:132)
>> [Mon Sep 27 14:32:29 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>>
>> ....
>>
>> And ever since then when I try to login I only see this:
>>
>> [Mon Sep 27 14:52:31 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>> [Mon Sep 27 14:52:31 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>>
>> my /opt/rt3/etc/RT_SiteConfig.pm and
>> /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc are attached
>>
>>
>> Any suggestions?
>>
>>
>> RT Training in Washington DC, USA on Oct 25 & 26 2010
>> Last one this year -- Learn how to get the most out of RT!
>>
>> --
>> John Alberts
>> Hosted Services
>> Exlibris USA
>> john.albe...@exlibrisgroup.com
>> cell: 1-508-878-2197
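
Added example, not part of the thread and not the plugin's own code: in the debug log of the top message the DN is logged as CN=Polyakov\, Valeriy,... while the member filter logged right after it carries no backslash. The Python script below pairs those two entries from a constructed, shortened copy of the log and prints the value as RFC 4515 would escape it inside a filter (backslash written as \5c). The function names are hypothetical, and the thread does not establish that this difference is the cause of the failure.

```python
import re

# Constructed sample: the two debug entries from the thread's log, reduced to
# timestamp, level and message (the trailing source-file paths are dropped).
SAMPLE_LOG = r"""
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn
"""

# DN runs to the " (/path...)" suffix of a full log line, or to end of line.
DN_RE = re.compile(r"Found LDAP DN: (?P<dn>.+?)(?: \(/|$)")
# Only simple (attr=value) filters match; compound (&...) filters are skipped.
FILTER_RE = re.compile(r"== Filter: \((?P<attr>\w+)=(?P<value>.*)\) == Attrs:")


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter per RFC 4515."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def check_dn_filters(log_text):
    """Pair each 'Found LDAP DN' entry with the next simple filter and compare."""
    findings, dn = [], None
    for line in log_text.splitlines():
        found = DN_RE.search(line)
        if found:
            dn = found.group("dn")
            continue
        flt = FILTER_RE.search(line)
        if flt and dn is not None:
            expected = escape_filter_value(dn)
            findings.append({
                "attr": flt.group("attr"),
                "logged": flt.group("value"),
                "expected": expected,
                "matches": flt.group("value") == expected,
            })
            dn = None  # each DN is checked against one filter only
    return findings


if __name__ == "__main__":
    for item in check_dn_filters(SAMPLE_LOG):
        print(item["attr"], "matches" if item["matches"] else "differs")
        print("  logged:  ", item["logged"])
        print("  expected:", item["expected"])
```

Run against the real error_log, the same function works on full entries because the DN pattern stops at the trailing source-file path.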