Hello,

I have a working mod_authnz_ldap configuration for Apache 2.4 (on a virtualhost 
on the same server) but I cannot seem to convert the configuration to a valid 
RT::Authen::ExternalAuth::LDAP configuration.  At one point I could see in 
var/log/rt.log that it was at least checking the nested groups for membership, 
but the filter didn't look quite right.  I have since changed that 
configuration and it now seems to stall for a minute and then fail.  It gets my 
real name from the AD service but then cannot match the sub/nested group filter, 
I think?

The apache configuration that works is:
    <Location /adirectoryname>
        LogLevel debug
        AuthName "Password protected. Enter your AD username and password."
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.server.hostname/OU=iweb,DC=corp,DC=iweb,DC=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPBindDN "ldapbinduserstring"
        AuthLDAPBindPassword ldapbindpass
        Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com
    </Location>


So far I've got this in RT_SiteConfig.pm for RT:
...snipped...
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => 'corp.iweb.com',
        'user' => 'ldapbinduserstring',
        'pass' => 'ldapbindpass',
        'base' => 'OU=iweb,DC=corp,DC=iweb,DC=com',
        'filter' => '(objectClass=*)',
        'd_filter' => 'UserAccountControl:1.2.840.113556.1.4.803:=2',
        'group' => 'RTIR_WEB_SC_ACCESS',
        'group_scope' => 'sub',
        'group_attr' => 'memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS',
        'group_attr_value' => 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com',
        'tls' => 0,
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
        },
    },
} );
...snipped...
Plugin('RT::IR', 'RT::Authen::ExternalAuth');

The log entries with the above configuration are:
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Calling UserExists with $username (lstewart) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: UserExists params: username: lstewart , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: LDAP Search ===  Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(objectClass=*)(sAMAccountName=lstewart)) == Attrs: sAMAccountName,physicalDeliveryOfficeName,mail,cn,sAMAccountName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
[28280] [Thu Jul 14 19:12:14 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
[28280] [Thu Jul 14 19:14:14 2016] [debug]: LDAP Search ===  Base: OU=iweb,DC=corp,DC=iweb,DC=com == Filter: (&(sAMAccountName=lstewart)(objectClass=*)) == Attrs: dn,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
[28280] [Thu Jul 14 19:14:14 2016] [debug]: Found LDAP DN: CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Attribute 'OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com' has no value; falling back to 'CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com' (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:249)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP Search ===  Base: RTIR_WEB_SC_ACCESS == Scope: sub == Filter: (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[28280] [Thu Jul 14 19:14:15 2016] [critical]: Search for (memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS=CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: LDAP password validation result: 0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Password Validation Check Result:  0 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
[28280] [Thu Jul 14 19:14:15 2016] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[28280] [Thu Jul 14 19:14:15 2016] [error]: FAILED LOGIN for lstewart from xx.xx.xx.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)


--
Landon Stewart
Lead Analyst - Abuse and Security Management
INTERNAP ®
lstew...@internap.com • www.internap.com
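Added example (mine, not from the original post or from RT's own code): it rebuilds the group-membership search that RT logged above from the ExternalSettings keys, exactly as the log shows them being combined, and checks whether the resulting search base parses as a DN, which on its own is enough to produce LDAP_INVALID_DN_SYNTAX. The DN-shaped settings at the end are an assumption added for contrast, not a tested fix.

```python
# Added example, not code from the post or from RT::Authen::ExternalAuth.
# Reconstructs the group search the posted log shows RT issuing:
#   base   = 'group', scope = 'group_scope',
#   filter = "(<group_attr>=<value of group_attr_value on the user entry,
#             falling back to the user's DN>)"
import re


def build_group_search(settings, user_entry, user_dn):
    """Assemble (base, scope, filter) the way the posted log shows."""
    value = user_entry.get(settings.get("group_attr_value", "dn"))
    if value is None:
        value = user_dn  # same "has no value; falling back to" step as the log
    return {
        "base": settings["group"],
        "scope": settings.get("group_scope", "sub"),
        "filter": "(%s=%s)" % (settings["group_attr"], value),
    }


# Minimal RFC 4514 shape check: every comma-separated RDN must be attr=value.
# Good enough for these DNs; it does not handle escaped commas.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def looks_like_dn(s):
    return all(_RDN.match(rdn.strip()) for rdn in s.split(","))


# Group-related keys copied from the posted RT_SiteConfig.pm.
POSTED = {
    "group": "RTIR_WEB_SC_ACCESS",
    "group_scope": "sub",
    "group_attr": "memberOf:1.2.840.113556.1.4.1941:=CN=RTIR_WEB_SC_ACCESS",
    "group_attr_value": "OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com",
}
# Constructed user entry; the DN is the one the log reports as found.
USER_DN = "CN=Landon Stewart,OU=Utilisateurs,OU=iWeb,DC=corp,DC=iweb,DC=com"
USER_ENTRY = {"sAMAccountName": "lstewart", "cn": "Landon Stewart"}

# Hypothetical settings where 'group' is a DN and 'group_attr' names the
# group's member attribute; shown only to contrast a base that parses as a DN.
DN_SHAPED = {
    "group": "CN=RTIR_WEB_SC_ACCESS,OU=Groupes,OU=iWeb,DC=corp,DC=iweb,DC=com",
    "group_scope": "base",
    "group_attr": "member",
    "group_attr_value": "dn",
}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("dn-shaped", DN_SHAPED)):
        s = build_group_search(cfg, USER_ENTRY, USER_DN)
        print(name, s, "base is a DN:", looks_like_dn(s["base"]))
```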
