Still struggling with trying to get RT externally authenticating with my 2008 Active Directory.
I have been able to accomplish an ldapsearch with the following options successfully:

ldapsearch -x -b "dc=eiuad,dc=eiu,dc=edu" -D "CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu" -h eiuad.eiu.edu -p 389 -W "sAMAccountName=blmurphy"

I would like to use blmurphy as my RT account name. When I execute the above ldapsearch and input the prompted-for password, I get back my account information from the Active Directory. I have the following set in my RT_SiteConfig.pm but continue to get the externalauth "No User" response.

Brian

Set($ExternalSettings, {
    # EIUAD Active Directory
    'EIUAD' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'            => 'ldap',
        # The server hosting the service
        'server'          => 'eiuad.eiu.edu',

        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'            => 'CN=RT Auth,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # The password RT should use to connect to the LDAP server
        'pass'            => 'xxxxxxxxx',
        #
        # The LDAP search base
        'base'            => 'dc=eiuad,dc=eiu,dc=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'          => '(sAMAccountName=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter'        => '(objectclass=Foo)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'             => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'     => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'   => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'           => 'CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu',
        # What is the attribute for the group object that determines membership?
        'group_attr'      => 'memberOf',

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'        => { 'Name' => 'sAMAccountName' }
    }
});

----- Original Message -----
From: "Brian Murphy" <blmur...@eiu.edu>
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 11:59:50 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

I only get the login failed message back from web.pm. The account I am using is already in RT and being used, so is this a problem? I was assuming the ID would exist and just the auth would be done externally.

Brian

----- Original Message -----
From: "Kevin Falcone" <falc...@bestpractical.com>
To: rt-users@lists.bestpractical.com
Sent: Thursday, August 25, 2011 9:46:01 AM
Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl

On Wed, Aug 24, 2011 at 04:42:04PM -0500, Brian Murphy wrote:
> Thanks for the tip on the logging Kevin.
>
> Seeing the following, don't know exactly what to make of it.
>
> [Wed Aug 24 21:38:37 2011] [debug]: Attempting to use external auth service: EIUAD (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Wed Aug 24 21:38:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Wed Aug 24 21:38:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Those are the messages you get when the login page pops up. What do you get after typing your username and password in?
-kevin

> ----- Original Message -----
> From: "Kevin Falcone" <falc...@bestpractical.com>
> To: rt-users@lists.bestpractical.com
> Sent: Wednesday, August 24, 2011 4:18:08 PM
> Subject: Re: [rt-users] rt4 and External Auth to AD 2008 non-ssl
>
> On Wed, Aug 24, 2011 at 01:09:15PM -0500, Brian Murphy wrote:
> > I am trying desperately to get this going and am not seeing that my
> > externalauth is even being called. I am attaching my RT_SiteConfig.pm
> > for review. I am a newbie and don't know much about anything RT as
> > yet. I see very little in my /var/log/messages other than LOGIN failed
> > for xxxxx from web.pm, so I don't really think my externalauth is
> > really in play as of yet. Any assistance in getting this going would
> > be greatly appreciated.
>
> You don't appear to have turned your logging level up, most useful
> logs are at the debug level. LogToScreen is probably the easiest,
> because they'll end up in your apache error log.
>
> -kevin
>
> > # Any configuration directives you include here will override
> > # RT's default configuration file, RT_Config.pm
> > #
> > # To include a directive here, just copy the equivalent statement
> > # from RT_Config.pm and change the value. We've included a single
> > # sample value below.
> > #
> > # This file is actually a perl module, so you can include valid
> > # perl code, as well.
> > #
> > # The converse is also true, if this file isn't valid perl, you're
> > # going to run into trouble. To check your SiteConfig file, use
> > # this command:
> > #
> > # perl -c /path/to/your/etc/RT_SiteConfig.pm
> > #
> > # You must restart your webserver after making changes to this file.
> >
> >
> > # You must install Plugins on your own, this is only an example
> > # of the correct syntax to use when activating them.
> > # There should only be one @Plugins declaration in your config file.
> > #Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail RT::Extension::ActivityReports)));
> > #Set(@Plugins,(qw(RT::Extension::ActivityReports)));
> > Set(@Plugins,(qw(RT::Extension::ActivityReports RT::Authen::ExternalAuth)));
> >
> > Set( $CorrespondAddress, '' );
> > Set( $rtname, 'EIU ITS Campus Technology' );
> > Set( $DatabaseRequireSSL, '' );
> > Set( $WebPort, '8080' );
> >
> > Set( $DatabaseType, 'mysql' );
> >
> > Set( $SendmailPath, '/usr/sbin/sendmail' );
> > Set( $WebDomain, 'localhost' );
> >
> > Set( $CommentAddress, '' );
> > Set($Timezone, "US/Central");
> > Set($UnsafeEmailCommands, 1);
> > Set($ParseNewMessageForTicketCcs, 1);
> > Set($NotifyActor, 1);
> >
> > Set( $OwnerEmail, '' );
> > Set( $DatabaseUser, 'rt_user' );
> > Set( $DatabasePort, '' );
> > Set( $DatabasePassword, 'RT_pass1-' );
> > Set( $DatabaseAdmin, 'root' );
> > Set( $DatabaseAdminPassword, 'Mtfbwu+1' );
> > Set( $DatabaseHost, 'localhost' );
> > Set( $DatabaseName, 'rt4' );
> > Set( $Organization, 'ITS' );
> > 1;
> > # The order in which the services defined in ExternalSettings
> > # should be used to authenticate users. User is authenticated
> > # if successfully confirmed by any service - no more services
> > # are checked.
> > Set($ExternalAuthPriority, [ 'EIUAD'
> >                            ]
> > );
> >
> > # The order in which the services defined in ExternalSettings
> > # should be used to get information about users. This includes
> > # RealName, Tel numbers etc, but also whether or not the user
> > # should be considered disabled.
> > #
> > # Once user info is found, no more services are checked.
> > #
> > # You CANNOT use a SSO cookie for authentication.
> > Set($ExternalInfoPriority, [ 'EIUAD'
> >                            ]
> > );
> >
> > # If this is set to true, then the relevant packages will
> > # be loaded to use SSL/TLS connections.
> > # At the moment, this just means "use Net::SSLeay;"
> > Set($ExternalServiceUsesSSLorTLS, 0);
> >
> > # If this is set to 1, then users should be autocreated by RT
> > # as internal users if they fail to authenticate from an
> > # external service.
> > Set($AutoCreateNonExternalUsers, 0);
> >
> > # These are the full settings for each external service as a HashOfHashes
> > # Note that you may have as many external services as you wish. They will
> > # be checked in the order specified in the Priority directives above.
> > # e.g.
> > # Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
> > #
> > Set($ExternalSettings, {
> >     # EIUAD Active Directory
> >     'EIUAD' => {
> >         ## GENERIC SECTION
> >         # The type of service (db/ldap/cookie)
> >         'type'            => 'ldap',
> >         # The server hosting the service
> >         'server'          => 'xxxxx.xxx.edu',
> >
> >         ## SERVICE-SPECIFIC SECTION
> >         # If you can bind to your LDAP server anonymously you should
> >         # remove the user and pass config lines, otherwise specify them here:
> >         #
> >         # The username RT should use to connect to the LDAP server
> >         'user'            => 'rtauth',
> >         # The password RT should use to connect to the LDAP server
> >         'pass'            => 'xxxxxxx',
> >         #
> >         # The LDAP search base
> >         'base'            => 'dc=xxxxx,dc=xxx,dc=edu',
> >         #
> >         # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
> >         # YOU **MUST** SPECIFY A filter AND A d_filter!!
> >         #
> >         # The filter to use to match RT-Users
> >         'filter'          => '(objectclass=person)',
> >         # A catch-all example filter: '(objectClass=*)'
> >         #
> >         # The filter that will only match disabled users
> >         'd_filter'        => '(objectclass=Foo)',
> >         # A catch-none example d_filter: '(objectClass=FooBarBaz)'
> >         #
> >         # Should we try to use TLS to encrypt connections?
> >         'tls'             => 0,
> >         # SSL Version to provide to Net::SSLeay *if* using SSL
> >         'ssl_version'     => 3,
> >         # What other args should I pass to Net::LDAP->new($host,@args)?
> >         'net_ldap_args'   => [ version => 3 ],
> >         # Does authentication depend on group membership? What group name?
> >         'group'           => 'rt_access',
> >         # What is the attribute for the group object that determines membership?
> >         'group_attr'      => 'memberOf',
> >
> >         ## RT ATTRIBUTE MATCHING SECTION
> >         # The list of RT attributes that uniquely identify a user
> >         # This example shows what you *can* specify. I recommend reducing this
> >         # to just the Name and EmailAddress to save encountering problems later.
> >         'attr_match_list' => [ 'Name'
> >                              ],
> >         # The mapping of RT attributes on to LDAP attributes
> >         'attr_map'        => { 'Name' => 'sAMAccountName'
> >                              }
> >     }
> > }
> > );
> >
> > 1;
>
> --------
> RT Training Sessions (http://bestpractical.com/services/training.html)
> * Chicago, IL, USA - September 26 & 27, 2011
> * San Francisco, CA, USA - October 18 & 19, 2011
> * Washington DC, USA - October 31 & November 1, 2011
> * Melbourne VIC, Australia - November 28 & 29, 2011
> * Barcelona, Spain - November 28 & 29, 2011
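The ExternalSettings block in this thread names the three things an LDAP login lookup needs: a search base, a user filter that gets ANDed with the typed login name, and a group-membership test driven by 'group' and 'group_attr'. The following is an added example (Python, not code from RT or from RT::Authen::ExternalAuth) that models those lookups against a few constructed AD-like entries so the configuration can be reasoned about without a directory. Everything in it is an assumption of mine: the exact filter shape the plugin builds, the DIRECTORY entries, and the names lookup_user, in_group and authenticate; the real login additionally binds with the user's own password, which is not modelled. It shows why the login name is RFC 4515-escaped before it enters the filter (a name like `*)(sAMAccountName=*` must not widen the search), and that memberOf is an attribute of the user object while member is the attribute on the group object, so the configured group_attr has to be one that exists on the object being searched.

```python
"""Model of the LDAP lookups an RT external-auth backend performs, run against
constructed AD-like entries. Added example; not RT or RT::Authen::ExternalAuth code."""
import re

# Constructed stand-ins for AD objects: DN keys lower-cased, attribute names
# lower-cased, every value a list, as an LDAP client would see them.
DIRECTORY = {
    "cn=blmurphy,ou=staff,dc=eiuad,dc=eiu,dc=edu": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["blmurphy"],
        "memberof": ["CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu"],
    },
    "cn=svc_backup,ou=service,dc=eiuad,dc=eiu,dc=edu": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["svc_backup"],
        "memberof": [],
    },
    "cn=rt_access,ou=sensitive,dc=eiuad,dc=eiu,dc=edu": {
        "objectclass": ["top", "group"],
        "member": ["CN=blmurphy,OU=Staff,DC=eiuad,DC=eiu,DC=edu"],
    },
}

# Settings in the shape of the thread's ExternalSettings block (assumed values).
EIUAD = {
    "base": "dc=eiuad,dc=eiu,dc=edu",
    "filter": "(sAMAccountName=*)",
    "group": "CN=RT_Access,OU=Sensitive,DC=eiuad,DC=eiu,DC=edu",
    "group_attr": "memberOf",
    "attr_map": {"Name": "sAMAccountName"},
}

_HEX = re.compile(r"\\([0-9a-fA-F]{2})")

def escape_filter_value(value):
    """RFC 4515 escaping: a typed login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def check_filter_syntax(flt):
    """The config comment's rule: one parenthesised, balanced expression."""
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be encased in parentheses: %r" % flt)
    depth = 0
    for c in flt:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses: %r" % flt)
    if depth:
        raise ValueError("unbalanced parentheses: %r" % flt)

def login_filter(name_attr, login, base_filter):
    """AND the login match with the configured 'filter' (assumed plugin shape)."""
    check_filter_syntax(base_filter)
    return "(&(%s=%s)%s)" % (name_attr, escape_filter_value(login), base_filter)

def _parse(flt, pos):
    """Recursive descent over the RFC 4515 subset used here: (&..) (|..) (!..)
    (attr=value) (attr=*). Returns (node, position after the node)."""
    pos += 1  # skip "("
    op = flt[pos]
    if op in "&|!":
        pos, children = pos + 1, []
        while flt[pos] == "(":
            node, pos = _parse(flt, pos)
            children.append(node)
        return (op, children), pos + 1  # skip ")"
    end = flt.index(")", pos)
    attr, _, value = flt[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":
        return bool(values)  # presence test
    wanted = _HEX.sub(lambda m: chr(int(m.group(1), 16)), node[2]).lower()
    return any(v.lower() == wanted for v in values)  # AD strings compare case-insensitively

def search(base, flt):
    """DNs under `base` (subtree) whose entry satisfies `flt`."""
    check_filter_syntax(flt)
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing text in filter: %r" % flt)
    return sorted(dn for dn, e in DIRECTORY.items()
                  if dn.endswith(base.lower()) and _matches(node, e))

def lookup_user(login, settings):
    """Step 1 of a login: exactly one entry must match the typed name."""
    flt = login_filter(settings["attr_map"]["Name"], login, settings["filter"])
    hits = search(settings["base"], flt)
    return hits[0] if len(hits) == 1 else None

def in_group(user_dn, settings):
    """Step 2: memberOf is carried by the user entry, member by the group entry,
    so the configured group_attr decides which object has to be consulted."""
    attr, group_dn = settings["group_attr"].lower(), settings["group"].lower()
    if attr == "memberof":
        return group_dn in (v.lower() for v in DIRECTORY[user_dn].get("memberof", []))
    group = DIRECTORY.get(group_dn, {})
    return user_dn in (v.lower() for v in group.get(attr, []))

def authenticate(login, settings):
    """Outcome of the lookups; the real login then binds with the user's password."""
    user_dn = lookup_user(login, settings)
    if user_dn is None:
        return "no user"
    if settings.get("group") and not in_group(user_dn, settings):
        return "not in group"
    return "ok"

if __name__ == "__main__":
    for name in ("blmurphy", "svc_backup", "nobody", "*)(sAMAccountName=*"):
        print("%-22s -> %s" % (name, authenticate(name, EIUAD)))
    print(login_filter("sAMAccountName", "*)(x=*", "(objectclass=person)"))
```

Running it prints `ok` for blmurphy, `not in group` for the service account that is in no group, and `no user` both for an unknown name and for the filter-shaped login, whose metacharacters arrive in the search as `\2a\29\28` and match nothing. Switching `group_attr` to `member` makes in_group consult the group entry instead of the user entry, which is the check to make when a group-restricted login fails even though the bind account and filter are known to work.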