Hello, I have a working mod_authnz_ldap configuration for Apache 2.4 (on a virtualhost on the same server) but I cannot seem to convert the configuration to a valid RT::Authen::ExternalAuth::LDAP configuration. At one point I could see in var/log/rt.log that it was at least checking the nested groups for membership but the filter didn't look quite right. I have since changed that configuration and it seems to stall for a minute and then fail. It gets my real name from the AD service but then cannot match the sub/nested group filter, I think?
The Apache configuration that works is:

    <Location /adirectoryname>
        LogLevel debug
        AuthName "Password protected. Enter your AD username and password."
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPBindDN "ldapbinduserstring"
        AuthLDAPBindPassword ldapbindpass
        Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com
    </Location>

So far I've got this in RT_SiteConfig.pm for RT:

    ...snipped...
    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'             => 'ldap',
            'server'           => 'corp.iweb.com',
            'user'             => 'ldapbinduserstring',
            'pass'             => 'ldapbindpass',
            'base'             => 'OU=iweb,DC=corp,DC=iweb,DC=com',
            'filter'           => '(objectClass=*)',
            'd_filter'         => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
            'group'            => 'RTIR_WEB_SC_ACCESS',
            'group_scope'      => 'sub',
            'group_attr'       => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
            'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
            'tls'              => 0,
            'attr_match_list'  => [ 'Name', 'EmailAddress', ],
            'attr_map'         => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'Organization'   => 'physicalDeliveryOfficeName',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
            },
        },
    } );
    ...snipped...
    Plugin('RT::IR', 'RT::Authen::ExternalAuth');

The log entries with the above configuration are:

    [28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
    [28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
    [28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params: username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
    [28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
    [28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
    [28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
    [28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search === Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
    [28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
    [28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com' (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)
    [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search === Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
    [28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
    [28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
    [28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
    [28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
    [28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)

-- 
Landon Stewart
Lead Analyst - Abuse and Security Management
INTERNAP ®
lstew...@internap.com • www.internap.com
---------
RT 4.4 and RTIR Training Sessions
https://bestpractical.com/training
* Los Angeles - September, 2016
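The log in the post above makes the shape of RT's group check visible: the value named by `group_attr_value` is read from the user's entry (or the DN is used when the attribute is missing or the value is `dn`), and the search sent to the server is simply `(<group_attr>=<that value>)` against base `<group>` with scope `<group_scope>`. The following is an added example, not code from the post or from RT::Authen::ExternalAuth; it re-implements that composition from the logged behaviour so the filter produced by a given set of `group_*` values can be inspected offline, and it runs a few sanity checks that an Active Directory LDAP_MATCHING_RULE_IN_CHAIN (`1.2.840.113556.1.4.1941`) search has to pass. The `CORRECTED` settings (`'group'` set to the full group DN, `'group_attr' => 'member:1.2.840.113556.1.4.1941:'`, `'group_attr_value' => 'dn'`, `'group_scope' => 'base'`) are the values I would try in RT_SiteConfig.pm, given how the filter is assembled; they are an assumption, not taken from the post. The user DN, group DN and entry attributes are constructed from the log lines in the post.

```python
"""Re-create RT::Authen::ExternalAuth's LDAP group-membership search from the
group_* settings and check it for AD nested-group (in-chain) use.

Simplified re-implementation of the behaviour visible in the posted rt.log,
for illustration only; it is not RT's own code.
"""

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (AD)

# Constructed from the DNs that appear in the posted log.
USER_DN = "CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com"
GROUP_DN = "CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com"

# Constructed user entry. It has no attribute literally named after an OU,
# which is why the log shows "has no value; falling back to <dn>".
USER_ENTRY = {"sAMAccountName": ["lstewart"], "cn": ["Landon Stewart"]}

# The group_* keys exactly as they appear in the posted RT_SiteConfig.pm.
POSTED = {
    "group": "RTIR_WEB_SC_ACCESS",
    "group_scope": "sub",
    "group_attr": "memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS",
    "group_attr_value": "OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com",
}

# Assumed corrected values: search the group object itself (scope base) and
# ask AD whether the user's DN is a transitive member of it.
CORRECTED = {
    "group": GROUP_DN,
    "group_scope": "base",
    "group_attr": f"member:{IN_CHAIN}:",
    "group_attr_value": "dn",
}


def group_search(cfg, user_dn, user_entry):
    """Return the base/scope/filter RT would send for this config.

    group_attr_value selects the user-side value: 'dn' means the user's DN,
    anything else is read as an attribute of the user's entry, falling back
    to the DN when the attribute has no value (as the posted log shows).
    """
    selector = cfg["group_attr_value"]
    if selector.lower() == "dn":
        value = user_dn
    else:
        value = (user_entry.get(selector) or [user_dn])[0]
    return {
        "base": cfg["group"],
        "scope": cfg["group_scope"],
        "filter": f"({cfg['group_attr']}={value})",
    }


def check_in_chain_search(search, user_dn):
    """Return a list of problems with an in-chain membership search; [] if OK."""
    problems = []
    # The search base must itself be a DN; a bare group name cannot be parsed
    # as one, which is one way to get invalidDNSyntax (34) back from AD.
    if "=" not in search["base"]:
        problems.append(f"search base is not a DN: {search['base']!r}")
    attr, _, assertion = search["filter"][1:-1].partition("=")
    if IN_CHAIN in attr:
        # RT appends '=' itself, so group_attr must end with the rule's colon.
        if not attr.endswith(":"):
            problems.append("group_attr must end with ':' before RT appends '='")
        # With the group object as the search base, the attribute to walk is
        # member (group -> members); memberOf:<in-chain>:=X expects a *group*
        # DN X and is evaluated on user objects, the opposite direction.
        if attr.lower().startswith("memberof"):
            problems.append("memberOf is the wrong direction for a search based at the group; use member")
        # The assertion value of an in-chain match must be a DN, here the user's.
        if assertion != user_dn:
            problems.append(f"assertion value is not the user's DN: {assertion!r}")
    return problems


def main():
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        search = group_search(cfg, USER_DN, USER_ENTRY)
        print(f"[{label}] base={search['base']} scope={search['scope']}")
        print(f"[{label}] filter={search['filter']}")
        for problem in check_in_chain_search(search, USER_DN) or ["looks well-formed"]:
            print(f"[{label}]   - {problem}")


if __name__ == "__main__":
    main()
```

Running it prints the posted config's filter exactly as the log shows it, `(memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,...)` against base `RTIR_WEB_SC_ACCESS`, and the corrected config's `(member:1.2.840.113556.1.4.1941:=CN=Landon Stewart,...)` against the group DN with scope base. Before touching RT_SiteConfig.pm, the corrected search can be tried with ldapsearch using the bind DN from the Apache configuration: if the group entry comes back, the user is a direct or nested member; an empty result means RT would refuse the login for the same reason.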