[rt-users] "RT::Authen::ExternalAuth".
Question on "RT::Authen::ExternalAuth".

I've set the ExternalAuth and it worked. Is there a way to have both auth External and still be able to log in with the internal DB?

regards,
Ghis
Re: [rt-users] "RT::Authen::ExternalAuth".
Hi

That's the concern that I had about one month ago, but I totally solved it and I'll be glad to help you solve it sooner than I could :)

Yes, you can have both of them at the same time by adding the following line in your RT_SiteConfig.pm:

    Set($AuthMethods, ['LDAP', 'Internal']);

I'll be happy if you let me know the result.

Good luck

-----Original Message-----
From: "ggamache" <ghislaingama...@hotmail.com>
Sent: 15/01/2016 17:28
To: "rt-users@lists.bestpractical.com" <rt-users@lists.bestpractical.com>
Subject: [rt-users] "RT::Authen::ExternalAuth".

Question on "RT::Authen::ExternalAuth".

I've set the ExternalAuth and it worked. Is there a way to have both auth External and still be able to log in with the internal DB?

regards,
Ghis
Re: [rt-users] "RT::Authen::ExternalAuth".
thank you for your help

I tried

    Set($AuthMethods, ['LDAP', 'My_MySQL']);

but it seems I had to add a new part in the ExternalSettings

    Set($ExternalSettings, { 'My_LDAP' 'My_MySQL...'

If I add Internal, do I still have to do this part, or does it somehow find it automatically?

regards,
Ghislain

Date: Fri, 15 Jan 2016 08:38:47 -0700
From: ml-node+s8502n6119...@n7.nabble.com
To: ghislaingama...@hotmail.com
Subject: Re: "RT::Authen::ExternalAuth".

> Hi
>
> That's the concern that I had about one month ago, but I totally solved it and I'll be glad to help you solve it sooner than I could :)
>
> Yes, you can have both of them at the same time by adding the following line in your RT_SiteConfig.pm:
>
>     Set($AuthMethods, ['LDAP', 'Internal']);
>
> I'll be happy if you let me know the result.
>
> Good luck
[rt-users] RT-Authen-ExternalAuth 0.24 regression with binary content
This is a note that RT-Authen-ExternalAuth version 0.24, released October 9th, has a known bug which adds an extra newline at the beginning of all content returned from RT. This is especially problematic for binary content, such as charts, attachments, upload custom fields, and custom user logos. Note that it only affects content upon transfer -- there is no corruption to the data stored in RT.

Version 0.25, released yesterday, addresses this bug. If you are running version 0.24, we do suggest upgrading.

 - Alex
[rt-users] RT::Authen::ExternalAuth + mod_ssl = core dump
I can get RT up and running just fine using LDAP with RT::Authen::ExternalAuth. But as soon as I shut down the server and install mod_ssl, apache won't restart, segfaults.

Similarly, I can install mod_ssl just fine but as soon as I install RT::Authen::ExternalAuth and add the known-working LDAP server config to RT_SiteConfig.pm, same problem.

I'll be honest that I haven't debugged an apache crash for years. Since I am not even sending the SSL virtual host to RT (the DocumentRoot for the SSL host is the default apache /var/www/html) I am not sure what could be conflicting.

I am happy to provide logs but the RT and apache error logs don't seem to have anything relevant.
Re: [rt-users] RT::Authen::ExternalAuth + mod_ssl = core dump
On Thu, 2014-03-27 at 16:01 -0500, Dewhirst, Rob wrote:
> I can get RT up and running just fine using LDAP with RT::Authen::ExternalAuth. But as soon as I shut down the server and install mod_ssl, apache won't restart, segfaults.

What version of RT and Apache? I presume you're running with a mod_perl deployment?

 - Alex
Re: [rt-users] RT::Authen::ExternalAuth + mod_ssl = core dump
RT 4.0.19 (because of RTIR)
mod_perl
RHEL 6.5 x64

    Server version: Apache/2.2.15 (Unix)
    Server built:   Aug 2 2013 08:02:15
    Server's Module Magic Number: 20051115:25
    Server loaded:  APR 1.3.9, APR-Util 1.3.9
    Compiled using: APR 1.3.9, APR-Util 1.3.9
    Architecture:   64-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with
     -D APACHE_MPM_DIR=server/mpm/prefork
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT=/etc/httpd
     -D SUEXEC_BIN=/usr/sbin/suexec
     -D DEFAULT_PIDLOG=run/httpd.pid
     -D DEFAULT_SCOREBOARD=logs/apache_runtime_status
     -D DEFAULT_LOCKFILE=logs/accept.lock
     -D DEFAULT_ERRORLOG=logs/error_log
     -D AP_TYPES_CONFIG_FILE=conf/mime.types
     -D SERVER_CONFIG_FILE=conf/httpd.conf

On Thu, Mar 27, 2014 at 4:30 PM, Alex Vandiver ale...@bestpractical.com wrote:
> On Thu, 2014-03-27 at 16:01 -0500, Dewhirst, Rob wrote:
> > I can get RT up and running just fine using LDAP with RT::Authen::ExternalAuth. But as soon as I shut down the server and install mod_ssl, apache won't restart, segfaults.
>
> What version of RT and Apache? I presume you're running with a mod_perl deployment?
>
>  - Alex
Re: [rt-users] RT::Authen::ExternalAuth + mod_ssl = core dump
On Thu, 2014-03-27 at 16:42 -0500, Dewhirst, Rob wrote:
> RT 4.0.19 (because of RTIR)
> mod_perl

Interesting; we've seen another report of this previously, but I've been unable to replicate it. It's presumably caused by a disagreement of mod_ssl with the SSL libraries that perl uses for LDAPS support -- and since mod_perl is in use, those two exist in the same process, and their disagreements lead to coredumps. We addressed a similar problem with mod_ssl and TLS connections to Postgres early in the 4.0 series.

The simple work-around is to switch from mod_perl to one of the fastcgi deployment strategies, which separates the mod_ssl OpenSSL stack from perl's LDAPS OpenSSL stack, allowing them to play well together.

However, I'd love to have a simple replication strategy to help track this down and fix it. How stock an RT install is this? I presume you're running with the standard Apache and mod_perl installs from RPMs? Can you provide your RT::Authen::ExternalAuth configuration?

 - Alex
Re: [rt-users] RT::Authen::ExternalAuth + mod_ssl = core dump
This is just about as basic an RT install as you can get. Everything was installed by CPAN and RPMs. I can give you instructions or if you have a place I can put a 1-2GB file I could probably just build a CentOS VM that exhibits the problem.

On Thu, Mar 27, 2014 at 4:53 PM, Alex Vandiver ale...@bestpractical.com wrote:
> On Thu, 2014-03-27 at 16:42 -0500, Dewhirst, Rob wrote:
> > RT 4.0.19 (because of RTIR)
> > mod_perl
>
> Interesting; we've seen another report of this previously, but I've been unable to replicate it. It's presumably caused by a disagreement of mod_ssl with the SSL libraries that perl uses for LDAPS support -- and since mod_perl is in use, those two exist in the same process, and their disagreements lead to coredumps. We addressed a similar problem with mod_ssl and TLS connections to Postgres early in the 4.0 series.
>
> The simple work-around is to switch from mod_perl to one of the fastcgi deployment strategies, which separates the mod_ssl OpenSSL stack from perl's LDAPS OpenSSL stack, allowing them to play well together.
>
> However, I'd love to have a simple replication strategy to help track this down and fix it. How stock an RT install is this? I presume you're running with the standard Apache and mod_perl installs from RPMs? Can you provide your RT::Authen::ExternalAuth configuration?
>
>  - Alex
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
thanks, I should have clarified that LDAP over TLS on 389 is not an option for us. We can only do LDAPS over 636.

On Tue, Mar 4, 2014 at 11:32 AM, k...@rice.edu k...@rice.edu wrote:
> TLS would still be over port 389 if it was being used.
>
> Regards,
> Ken
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
On Wed, Mar 05, 2014 at 10:08:53AM -0600, Dewhirst, Rob wrote:
> thanks, I should have clarified that LDAP over TLS on 389 is not an option for us. We can only do LDAPS over 636.

If you want to do LDAPS to the LDAPS port and not STARTTLS on the standard port, you probably want

    server => 'ldaps://my.server'

Net::LDAP's default LDAPS port is 636 so you don't need to specify it.

It's possible you'll need to turn off tls if Net::LDAP::start_tls breaks you. It's also possible you might need some extra things in net_ldap_args, refer to the Net::LDAP documentation for that.

-kevin

> On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
> > I am successfully authenticating via LDAP (cleartext) over TCP 389 using RT::Authen::ExternalAuth
> >
> > However, once I change:
> >
> >     Set($ExternalServiceUsesSSLorTLS,1);
> >
> > and in the ExternalSettings for My_LDAP:
> >
> >     'tls' => 1,
> >     'ssl_version' => 3,
> >
> > It still authenticates (successfully) over TCP 389.
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
It's always a judgement call what to post and what to leave out. I can't post the full settings, strictly speaking.

    'server' => 'ldaps://server',

seems to have fixed it. Thanks all.

On Wed, Mar 5, 2014 at 10:22 AM, Gerald Vogt v...@spamcop.net wrote:
> It's always much easier to help if you post the full settings instead of some parts.
>
> Did you use ldaps in the server definition or did you add ldaps or the different port number in net_ldap_args?
>
> -Gerald
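An added example (not from the thread and not RT::Authen::ExternalAuth code) that reports which transport each LDAP entry in an `$ExternalSettings`-style hash asks for, covering the three cases this thread keeps confusing. It assumes the extension hands `server` to Net::LDAP and calls start_tls when `tls` is true; the service names and host names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed settings in the shape of $ExternalSettings; hosts are placeholders.
my %settings = (
    'A_cleartext' => { type => 'ldap', server => 'ldap.example.com',         tls => 0 },
    'B_starttls'  => { type => 'ldap', server => 'ldap.example.com',         tls => 1 },
    'C_ldaps'     => { type => 'ldap', server => 'ldaps://ldap.example.com', tls => 0 },
    'D_ldaps_tls' => { type => 'ldap', server => 'ldaps://ldap.example.com', tls => 1 },
);

# Classify one service entry. Returns (label, port, note).
sub classify_transport {
    my ($svc) = @_;
    my $server = defined $svc->{server} ? $svc->{server} : '';
    my $tls    = $svc->{tls} ? 1 : 0;

    # Accept "host", "host:port" or "scheme://host[:port]".
    my ($scheme, $host, $port) =
        $server =~ m{^(?:([a-z]+)://)?([^:/\s]+)(?::(\d+))?/?$}i;
    return ('UNPARSED', undef, "cannot parse server '$server'")
        unless defined $host;

    $scheme = lc($scheme // 'ldap');

    if ($scheme eq 'ldaps') {
        # TLS is negotiated before any LDAP traffic; default port is 636.
        $port //= 636;
        return ('LDAPS', $port,
            $tls ? 'tls is also set, so STARTTLS would be requested on an '
                 . 'already encrypted connection; the thread suggests turning tls off'
                 : 'encrypted from the first byte');
    }

    if ($scheme eq 'ldap') {
        # STARTTLS upgrades the normal LDAP port, so cleartext and
        # STARTTLS both show up as TCP 389 on the wire.
        $port //= 389;
        return $tls
            ? ('STARTTLS', $port,
               'same port as cleartext; the port number alone does not show encryption')
            : ('CLEARTEXT', $port,
               'service account and user passwords cross the network unencrypted');
    }

    return ('OTHER', $port, "scheme '$scheme' is not covered by this check");
}

for my $name (sort keys %settings) {
    my $svc = $settings{$name};
    next unless ($svc->{type} // '') eq 'ldap';    # only LDAP services are checked
    my ($kind, $port, $note) = classify_transport($svc);
    printf "%-12s %-9s port %-4s %s\n", $name, $kind, $port // '-', $note;
}
```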
[rt-users] RT::Authen::ExternalAuth LDAPS
I am successfully authenticating via LDAP (cleartext) over TCP 389 using RT::Authen::ExternalAuth

However, once I change:

    Set($ExternalServiceUsesSSLorTLS,1);

and in the ExternalSettings for My_LDAP:

    'tls' => 1,
    'ssl_version' => 3,

It still authenticates (successfully) over TCP 389.

I noticed someone else had a similar problem but was lacking Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP without Net::SSLeay)

    [root@rtir-test ~]# cpan -i Net::SSLeay
    CPAN: Storable loaded ok (v2.20)
    Reading '/root/.cpan/Metadata'
      Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
    CPAN: Module::CoreList loaded ok (v2.18)
    Net::SSLeay is up to date (1.58).
    [root@rtir-test ~]#

I have debug logging enabled in RT, but it doesn't seem to tell me anything useful since nothing is failing.

RT-Authen-ExternalAuth-0.17
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
TLS would still be over port 389 if it was being used.

Regards,
Ken

On Tue, Mar 04, 2014 at 11:29:48AM -0600, Dewhirst, Rob wrote:
> I am successfully authenticating via LDAP (cleartext) over TCP 389 using RT::Authen::ExternalAuth
>
> However, once I change:
>
>     Set($ExternalServiceUsesSSLorTLS,1);
>
> and in the ExternalSettings for My_LDAP:
>
>     'tls' => 1,
>     'ssl_version' => 3,
>
> It still authenticates (successfully) over TCP 389.
>
> I noticed someone else had a similar problem but was lacking Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP without Net::SSLeay)
>
>     [root@rtir-test ~]# cpan -i Net::SSLeay
>     CPAN: Storable loaded ok (v2.20)
>     Reading '/root/.cpan/Metadata'
>       Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
>     CPAN: Module::CoreList loaded ok (v2.18)
>     Net::SSLeay is up to date (1.58).
>     [root@rtir-test ~]#
>
> I have debug logging enabled in RT, but it doesn't seem to tell me anything useful since nothing is failing.
>
> RT-Authen-ExternalAuth-0.17
Re: [rt-users] RT::Authen::ExternalAuth LDAPS
Is the CA certificate which signed your LDAP server's certs on your RT host? It would need to be installed in /etc/ssl/certs or /etc/pki/trust/anchors and hashed to be trusted.

--
Later,
Darin

On Tue, Mar 4, 2014 at 12:29 PM, Dewhirst, Rob robdewhi...@gmail.com wrote:
> I am successfully authenticating via LDAP (cleartext) over TCP 389 using RT::Authen::ExternalAuth
>
> However, once I change:
>
>     Set($ExternalServiceUsesSSLorTLS,1);
>
> and in the ExternalSettings for My_LDAP:
>
>     'tls' => 1,
>     'ssl_version' => 3,
>
> It still authenticates (successfully) over TCP 389.
>
> I noticed someone else had a similar problem but was lacking Net::SSLeay. Not my case here (I don't see how you can use Net::LDAP without Net::SSLeay)
>
>     [root@rtir-test ~]# cpan -i Net::SSLeay
>     CPAN: Storable loaded ok (v2.20)
>     Reading '/root/.cpan/Metadata'
>       Database was generated on Mon, 03 Mar 2014 20:17:02 GMT
>     CPAN: Module::CoreList loaded ok (v2.18)
>     Net::SSLeay is up to date (1.58).
>     [root@rtir-test ~]#
>
> I have debug logging enabled in RT, but it doesn't seem to tell me anything useful since nothing is failing.
>
> RT-Authen-ExternalAuth-0.17
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hi,

After many searches, it works for some of my users and doesn't work for some others.

Is it possible that parameter $RTAddressRegexp interferes with RT::Authen::ExternalAuth ?

On Active directory side no error, only successes logs.

Do you know about any other debug options I could use ?

Thanks

On Wed, Aug 21, 2013 at 12:33 PM, Maximilien Drouet mdro...@randco.fr wrote:
> Hi Nathan,
>
> After many searches with your help and our AD Administrator we found that the account was not authorized. I was given another one and now, command line binds and authenticates well but no chance with RT.

--
Regards
Maximilien
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hi

> Is it possible that parameter $RTAddressRegexp interferes with RT::Authen::ExternalAuth ?

I doubt it.

> On Active directory side no error, only successes logs.

Are you saying that a user attempts to log in, you see successful LDAP bind on the LDAP server, and RT login fails? If so, please send us the relevant debug-level RT log excerpt. Also the LDAP server log excerpt if possible.

> Do you know about any other debug options I could use ?

I did notice that, after upgrading to RT 4.0.17 and ExternalAuth 0.12, I get much more detailed debug-level log messages for ExternalAuth.

Hope this helps.
Nathan
[rt-users] RT::Authen::ExternalAuth SSO config.. tips please..
Hi All,

I'm moving from RT3.6 -> RT4.0.17 and have decided to try going with RT::Authen::ExternalAuth instead of an OverRide I wrote previously.

My system sets a cookie for all visitors, which is just a session ID (no other information in the cookie - for security .. this is then linked to the actual user information using Apache::Session to do the dirty work)

Inside the cookie retrieved information there is the Username, Email addresses (multiple possible), Real Name, RT ID (single at the moment, but will be multiple in the near future) and a load of other information (address etc.) Currently when someone logs in to the main site and updates their preferences it updates the preferences in the RT user database.

Inside the retrieved information there is an 'auth' parameter which contains the current state of the login and its timeout.

My thought is for any un-authenticated user to be re-directed to my main login page, get the new authenticated cookie, and be re-directed back to the RT system. The RT system will then load the user information from the DB retrieved by the cookie ID.. and allow access in that method.

Is this possible with RT::Authen::ExternalAuth ? If so is it possible for it to update the timeout as necessary (so the login doesn't idle out)? If all of the above... any Docs/Examples on it? (I have modules that can do this as well - but need to know what calls what and what is expected in the return)

Glancing at the code, it suggests that it is not possible without extensive work... can anyone confirm or deny?

Thanks,

--
Michelle Sullivan
http://www.mhix.org/
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hi Nathan,

After many searches with your help and our AD Administrator we found that the account was not authorized. I was given another one and now, command line binds and authenticates well but no chance with RT.

Here is the command line

    ldapsearch -LLL -H ldap://myserver.mydomain.local -x -D 'mydomain\ldapuser' -W -b ou=FR,dc=mydomain,dc=local uid=mysuer

and the output.

    dn: CN=Firstname Lastname,OU=z - y - x,OU=city,OU=Users Clients,OU=mydomain,OU=FR,DC=mydomain,DC=local v
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Firstname Lastname
    sn: Lastname
    c: FR
    l: city
    title: myTitle
    postalCode: Zipcode
    physicalDeliveryOfficeName: z - y - x
    telephoneNumber: myTelephonenumber
    givenName: FirstName
    distinguishedName: CN=Firstname Lastname,OU=z - y - x,OU=city,OU=Users Clients,OU=mydomain,OU=FR,
     DC=mydomain,DC=local
    instanceType: 4
    whenCreated: 20100701014148.0Z
    whenChanged: 20130821001737.0Z
    displayName: Firstname Lastname
    uSNCreated: 73679
    memberOf: CN=LL.microsoftproject,OU=SDG Groups,DC=mydomain,DC=local
    memberOf: CN=LL.Crystal.Reports.XI,OU=SDG Groups,DC=mydomain,DC=local
    memberOf: CN=LL.IE8,OU=SDG Groups,DC=mydomain,DC=local
    memberOf: CN=LL.itop,OU=Groups,OU=mydomain,OU=FR,DC=mydomain,DC=local
    memberOf: CN=LL.msvisio2003,OU=SDG Groups,DC=mydomain,DC=local
    memberOf: CN=LL.ClickToCall,OU=SDG Groups,DC=mydomain,DC=local
    memberOf: CN=mydomain.LL.dsi,OU=Groups,OU=mydomain,OU=FR,DC=mydomain,DC=local
    uSNChanged: 10019507
    co: FRANCE
    department: z - y - x
    streetAddress: myaddress
    name: Firstname Lastname
    objectGUID:: l8cI/GO3KEOyA0E8neccKA==
    userAccountControl: 544
    badPwdCount: 0
    codePage: 0
    countryCode: 250
    badPasswordTime: 130215493735596806
    lastLogoff: 0
    lastLogon: 130214762950697235
    pwdLastSet: 130214610102266437
    primaryGroupID: 513
    objectSid:: AQUAAAUVEQz3vwuoUpdtKTGZJPEAAA==
    accountExpires: 1302513840
    logonCount: 197
    sAMAccountName: mysuer
    sAMAccountType: 805306368
    userPrincipalName: mymail
    lockoutTime: 0
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=local
    dSCorePropagationData: 20130524093118.0Z
    dSCorePropagationData: 20130523093743.0Z
    dSCorePropagationData: 1601010101.0Z
    lastLogonTimestamp: 130214610103032919
    uid: mysuer
    mail: mymail

I'm quite confused with the RT configuration file and its options, even looking at the documentation I'm a little bit lost, maybe the problem is there.

Here is the RT_Config extract

    # External Authentication Configuration
    Set($ExternalAuthPriority, [ 'My_LDAP' ]);
    Set($ExternalInfoPriority, [ 'My_LDAP' ]);
    Set($ExternalSettings, {
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP' => {
            'type'             => 'ldap',
            'server'           => 'myserver.mydomain.local',
            'user'             => 'ldapaccount',
            'pass'             => 'ldapaccountpassword',
            'base'             => 'ou=FR,dc=mydomain,dc=local',
            'filter'           => '(&(ObjectCategory=User)(ObjectClass=Person))',
            'd_filter'         => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'group'            => 'OU=Users Clients,OU=MYDOMAIN,OU=FR,DC=mydomain,DC=local',
            'group_attr'       => 'member',
            'tls'              => 0,
            'ssl_version'      => 3,
            'net_ldap_args'    => [ version => 3 ],
            'group_scope'      => 'base',
            'group_attr_value' => '*',
            'attr_match_list'  => ['Name'],
            'attr_map'         => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'Organization'   => 'physicalDeliveryOfficeName',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
                'WorkPhone'      => 'telephoneNumber',
                'Address1'       => 'streetAddress',
                'City'           => 'l',
                'State'          => 'st',
                'Zip'            => 'postalCode',
                'Country'        => 'co'
            },
        },
    } );

Any other Idea ?

--
Regards
Maximilien
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hi

You are right, I'm using RT::Authen::ExternalAuth.

It binds because I receive all additional fields and even creates the user with those.

The problem is really focused on authentication step and I can't understand why :(
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
> It binds because I receive all additional fields and even creates the user with those.

Yes, it binds, but anonymously. All the information fields are first retrieved that way. Only then does the authentication phase start, when it attempts to bind as the user with the password that the user enters in the login window.

> The problem is really focused on authentication step and I can't understand why :(

Yes, so the question is (once again): can you bind *as the user* and *with the user's password* from the command line?
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hello,

To be more specific, when I remove the user, at next login RT creates again the user with the right values (i.e. Name, ZIP code, etc.) but fails at authentication step.

Here are the debug logs for that specific scenario.

    [Wed Jul 31 09:54:41 2013] [debug]: Loading new user ( myUser ) into current session (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:287)
    [Wed Jul 31 09:54:41 2013] [debug]: Password validation required for service - Executing... (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:304)
    [Wed Jul 31 09:54:41 2013] [debug]: Trying external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)

Regards

On Tue, Jul 30, 2013 at 3:23 PM, Maximilien Drouet mdro...@randco.fr wrote:
> Hi,
>
> Unfortunately same problem with this filter :(
>
> Regarding the address I tried many times, even fresh install :( Same problem.
>
> --
> Regards,
> Maximilien

--
Maximilien
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
> To be more specific, when I remove the user, at next login RT creates again the user with the right values (i.e. Name, ZIP code, etc.) but fails at authentication step.

IIRC you are using RT::Authen::ExternalAuth, right? That extension authenticates by attempting to bind to the LDAP server with the credentials entered by the user. But before it tries to bind, it first looks up the user in LDAP anonymously. This is consistent with what you are seeing.

Here's what I see in my log when a known user attempts to login and fails:

    Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
    Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

And this is the log when an unknown (to RT) user attempts to login and fails:

    Jul 29 13:06:44 myserv RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: myuser, Name: myuser, Privileged: (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:665)
    Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)
    Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
    Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

Note that it first creates the user in RT. Only then does it attempt to bind.

Now, in my case the bind fails because the user's credentials are wrong. But this is not the only possible failure modality. There are any number of reasons why bind might be failing.

Can you bind to the LDAP server using the 'ldapsearch' command? If you can get bind to work that way, first, that would be a start. In my case, the successful ldapsearch command looked something like this:

    ldapsearch -LLL -H ldaps://login.example.com -x \
        -D cn=myuser,ou=users,dc=example,dc=com -W \
        -b ou=users,dc=example,dc=com uid=myuser

(Note that you have to know myuser's password -- and enter it correctly -- for this to work.)

Hope this helps.
Nathan
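The two log excerpts in the message above, run through a small triage script that groups events per user and flags accounts that were autocreated and then failed their first bind. This is an added example, not code from the thread or from RT; it assumes the syslog line shapes quoted above, and the regexes and report wording are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log lines as quoted in the message above (RT logging to syslog).
my @lines = (
    q{Jul 29 13:06:44 myserv RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: myuser, Name: myuser, Privileged: (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:665)},
    q{Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)},
    q{Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)},
    q{Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)},
    q{Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)},
    q{Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)},
);

# Walk the lines in order and build one record per user name.
sub triage {
    my @in = @_;
    my %user;
    for my $line (@in) {
        if ($line =~ /RT: Autocreated external user (\S+) \(\s*(\d+)\s*\)/) {
            # The lookup phase created an RT account; no password checked yet.
            $user{$1}{pending_create} = $2;
        }
        elsif ($line =~ /RT: (\S+) AUTH FAILED (\S+) \(can't bind: (\w+)\s+(\d+)\s*\)/) {
            my ($service, $name, $err, $code) = ($1, $2, $3, $4);
            my $u = $user{$name} ||= {};
            $u->{bind_errors}{"$service: $err ($code)"}++;
            # First bind after autocreation failed: the account exists in RT
            # although nobody has proven knowledge of the password.
            if (defined $u->{pending_create}) {
                $u->{created_without_auth} = delete $u->{pending_create};
            }
        }
        elsif ($line =~ /RT: FAILED LOGIN for (\S+) from (\S+)/) {
            $user{$1}{failed_from}{$2}++;
        }
    }
    return \%user;
}

my $seen = triage(@lines);
for my $name (sort keys %$seen) {
    my $u = $seen->{$name};
    my $fails = 0;
    $fails += $_ for values %{ $u->{failed_from} || {} };
    print "$name: $fails failed login(s)\n";
    print "  RT user id $u->{created_without_auth} was autocreated, then the first bind failed\n"
        if defined $u->{created_without_auth};
    print "  $_ x$u->{bind_errors}{$_}\n"
        for sort keys %{ $u->{bind_errors} || {} };
    print "  from $_ x$u->{failed_from}{$_}\n"
        for sort keys %{ $u->{failed_from} || {} };
}
```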
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating through AD
Hi,

Unfortunately same problem with this filter :(

Regarding the address I tried many times, even fresh install :( Same problem.

On Mon, Jul 29, 2013 at 3:37 PM, Nathan Cutler presnyprek...@gmail.com wrote:
> > Any other idea ?
>
> Yes. As Kevin indicated, I would start with your 'attr_match_list'. On your testing/development RT instance, try running it with just:
>
>     'attr_match_list' => [ 'Name' ],
>
> and see if the user can log in. Tell us what happens.
>
> Also, judging from the "Couldn't create user myuser : Email address in use" error I would guess some other user has that email address. Try searching for users with that email address in RT and tell us what you find.
>
> Good luck.
> Nathan

--
Regards,
Maximilien DROUET
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
Hi,

Yes the user is found and data retrieved correctly (i.e. address, zip, etc.). Any other idea ?

On Tue, Jul 23, 2013 at 11:19 AM, Maximilien Drouet mdro...@randco.fr wrote:
> Hi,
>
> Let me try, I never used ldapsearch before so I need to check the syntax.
>
> On Tue, Jul 23, 2013 at 11:04 AM, Craig Ringer cr...@2ndquadrant.com wrote:
> > On 07/04/2013 11:00 PM, Maximilien Drouet wrote:
> > > (((ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser ))
> >
> > If you execute this LDAP search directly against your directory with the same base dn as given in the logs, does it find the user?
> >
> > --
> > Craig Ringer http://www.2ndQuadrant.com/

--
Regards,
Maximilien DROUET
[rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
> Any other idea ?

Yes. As Kevin indicated, I would start with your 'attr_match_list'. On your testing/development RT instance, try running it with just:

    'attr_match_list' => [ 'Name' ],

and see if the user can log in. Tell us what happens.

Also, judging from the "Couldn't create user myuser : Email address in use" error I would guess some other user has that email address. Try searching for users with that email address in RT and tell us what you find.

Good luck.
Nathan
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
Hello,

Anyone with an idea ? I've tried many times without any success. Thanks for your help.

On Fri, Jul 5, 2013 at 4:18 PM, Maximilien Drouet mdro...@randco.fr wrote:
> Hi,
>
> Both AD & RT have a user matching email & Username.
> Regarding RealName, yes I read about it but in my case, real names are NEVER the same they use Kevin FALCONE, KEVIN A FALCONE, KEVIN B FALCONE, and so on. But yes you're right about what's documented.
>
> On Fri, Jul 5, 2013 at 4:14 PM, Kevin Falcone falc...@bestpractical.com wrote:
> > On Thu, Jul 04, 2013 at 05:00:23PM +0200, Maximilien Drouet wrote:
> > > As you can see in the log output I successfully find the user BUT I have an error "Couldn't create user myuser" which I don't understand because YES user exists but I just want to authenticate not recreate a user.
> >
> > Does the user exist with a matching Email Address AND username? Or is the username different.
> >
> > Also, as documented, you probably shouldn't be using RealName here:
> >
> > >     'attr_match_list' => [
> > >         'Name',
> > >         'EmailAddress',
> > >         'RealName',
> > >     ],
> >
> > It means you can't have two users named Kevin Falcone in your RT.
> >
> > -kevin
>
> --
> Max

--
Regards,
Maximilien DROUET
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
Hi,

Let me try, I never used ldapsearch before so I need to check the syntax.

On Tue, Jul 23, 2013 at 11:04 AM, Craig Ringer cr...@2ndquadrant.com wrote:
> On 07/04/2013 11:00 PM, Maximilien Drouet wrote:
> > (((ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser ))
>
> If you execute this LDAP search directly against your directory with the same base dn as given in the logs, does it find the user?
>
> --
> Craig Ringer http://www.2ndQuadrant.com/

--
Regards,
Maximilien DROUET
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
On Thu, Jul 04, 2013 at 05:00:23PM +0200, Maximilien Drouet wrote:
> As you can see in the log output I successfully find the user BUT I have an error "Couldn't create user myuser" which I don't understand because YES user exists but I just want to authenticate not recreate a user.

Does the user exist with a matching Email Address AND username? Or is the username different.

Also, as documented, you probably shouldn't be using RealName here:

>     'attr_match_list' => [
>         'Name',
>         'EmailAddress',
>         'RealName',
>     ],

It means you can't have two users named Kevin Falcone in your RT.

-kevin
Re: [rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
Hi,

Both AD & RT have a user matching email & Username.
Regarding RealName, yes I read about it but in my case, real names are NEVER the same they use Kevin FALCONE, KEVIN A FALCONE, KEVIN B FALCONE, and so on. But yes you're right about what's documented.

On Fri, Jul 5, 2013 at 4:14 PM, Kevin Falcone falc...@bestpractical.com wrote:
> On Thu, Jul 04, 2013 at 05:00:23PM +0200, Maximilien Drouet wrote:
> > As you can see in the log output I successfully find the user BUT I have an error "Couldn't create user myuser" which I don't understand because YES user exists but I just want to authenticate not recreate a user.
>
> Does the user exist with a matching Email Address AND username? Or is the username different.
>
> Also, as documented, you probably shouldn't be using RealName here:
>
> >     'attr_match_list' => [
> >         'Name',
> >         'EmailAddress',
> >         'RealName',
> >     ],
>
> It means you can't have two users named Kevin Falcone in your RT.
>
> -kevin

--
Max
[rt-users] (RT::Authen::ExternalAuth) email exists problem authenticating trough AD
Hello,

I'm using version 4.0.13 of RT. I'm trying to authenticate via an AD.

As you can see in the log output I successfully find the user BUT I have an error "Couldn't create user myuser" which I don't understand because YES user exists but I just want to authenticate not recreate a user.

Any Idea ? You can find below either logs or configuration.

Debug Logs Output

    [Thu Jul 4 09:59:08 2013] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:186)
    [Thu Jul 4 09:59:08 2013] [debug]: Calling UserExists with $username (myuser ) and $service (My_LDAP) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:227)
    [Thu Jul 4 09:59:08 2013] [debug]: UserExists params: username: 791286 , service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
    [Thu Jul 4 09:59:08 2013] [debug]: LDAP Search === Base: dc=mydomain,dc=local == Filter: (((ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
    [Thu Jul 4 09:59:08 2013] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 675 with: Disabled: , EmailAddress: , Gecos: myuser , Name: myuser , Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:572)
    [Thu Jul 4 09:59:08 2013] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:580)
    [Thu Jul 4 09:59:08 2013] [debug]: Attempting to use this canonicalization key: Name (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:594)
    [Thu Jul 4 09:59:08 2013] [debug]: LDAP Search === Base: dc=mydomain,dc=local == Filter: (((ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser )) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
    [Thu Jul 4 09:59:08 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: Paris, Country: France, Disabled: , EmailAddress: myaddr...@mydomain.com, ExternalAuthId: myuser , Gecos: myuser , Name: myuser , Organization: , Privileged: , RealName: John DOE, State: , WorkPhone: myTel, Zip: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:658)
    [Thu Jul 4 09:59:08 2013] [error]: Couldn't create user myuser : Email address in use (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:251)
    [Thu Jul 4 09:59:08 2013] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:16)
    [Thu Jul 4 09:59:08 2013] [error]: FAILED LOGIN for myuser from XX.xxx.XXX.xx (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:753)

End Debug Logs Output

Configuration

    # External Authentication Configuration
    Set($ExternalAuthPriority, [ 'My_LDAP']);
    Set($ExternalInfoPriority, [ 'My_LDAP']);

    Set($ExternalSettings, {
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP' => {
            'type' => 'ldap',
            'server' => 'myserver',
            'user' => 'myuser',
            'pass' => 'password',
            'base' => 'dc=domain,dc=local',
            'filter' => '((ObjectCategory=User)(ObjectClass=Person))',
            'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'group' => 'OU=Users Clients,OU=MyPrincipalOU,OU=FR,DC=mydomain,DC=local',
            'group_attr' => 'member',
            'tls' => 0,
            'ssl_version' => 3,
            'net_ldap_args' => [ version => 3 ],
            'group_scope' => 'base',
            'group_attr_value' => '*',
            'attr_match_list' => [
                'Name',
                'EmailAddress',
                'RealName',
            ],
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'Organization' => 'physicalDeliveryOfficeName',
                'RealName' => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos' => 'sAMAccountName',
                'WorkPhone' => 'telephoneNumber',
                'Address1' =>
Re: [rt-users] RT::Authen::ExternalAuth extension loading issue
On Thu, 2013-05-09 at 11:51 +1200, Chris Foster wrote:
> Error while loading /opt/rt4/sbin/rt-server: Attempt to reload RT/Authen/ExternalAuth.pm aborted. \nCompilation failed in require at /opt/rt4/sbin…/lib/RT.pm line 730.

Please show the complete error. There should be an error message above that. I suspect that you don't have all of the dependencies for RT::Authen::ExternalAuth installed.

- Alex

-- RT Training in Seattle, June 19-20: http://bestpractical.com/training
Re: [rt-users] RT::Authen::ExternalAuth extension loading issue
Hi Alex,

Thanks for your response.

I have further looked and yes there does appear to be a couple more of lines of errors before this line, they are:

    [warning]: Subroutine handle_startup_error redefined at /opt/rt4/sbin rt-server line 240. (/opt/rt4/sbin/rt-server:240)
    [warning]: Subroutine handle_bind_error redefined at /opt/rt4/sbin/rt-server line 252. (/opt/rt4/sbin/rt-server:252)

Hope this helps. Looking forward in being pointed in the right direction to resolve this issue.

Regards,
Chris.

-----Original Message-----
From: Alex Vandiver [mailto:ale...@bestpractical.com]
Sent: Friday, 10 May 2013 7:27 a.m.
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth extension loading issue

On Thu, 2013-05-09 at 11:51 +1200, Chris Foster wrote:
> Error while loading /opt/rt4/sbin/rt-server: Attempt to reload RT/Authen/ExternalAuth.pm aborted. \nCompilation failed in require at /opt/rt4/sbin…/lib/RT.pm line 730.

Please show the complete error. There should be an error message above that. I suspect that you don't have all of the dependencies for RT::Authen::ExternalAuth installed.

- Alex
Re: [rt-users] RT::Authen::ExternalAuth extension loading issue
On Thu, May 9, 2013 at 10:44 PM, Chris Foster chris.fos...@bartercard.co.nz wrote:
> Hi Alex,
>
> Thanks for your response.
>
> I have further looked and yes there does appear to be a couple more of lines of errors before this line, they are:
>
>     [warning]: Subroutine handle_startup_error redefined at /opt/rt4/sbin rt-server line 240. (/opt/rt4/sbin/rt-server:240)
>     [warning]: Subroutine handle_bind_error redefined at /opt/rt4/sbin/rt-server line 252. (/opt/rt4/sbin/rt-server:252)
>
> Hope this helps. Looking forward in being pointed in the right direction to resolve this issue.

    $ cd /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib
    $ perl -MRT::Authen::ExternalAuth -e 1
    $

(should have no output if all dependency is working)

--
Asif Iqbal
[rt-users] RT::Authen::ExternalAuth extension loading issue
Hi,

I am new to RT and I am trying to get RT::Authen::ExternalAuth extension working, I have it all installed and configuration to query our Active Directory server all set, but when going into RT I get HTTP 500 Internal Server Error.

I have therefore checked the error log and it has the following message:

    Error while loading /opt/rt4/sbin/rt-server: Attempt to reload RT/Authen/ExternalAuth.pm aborted. \nCompilation failed in require at /opt/rt4/sbin.../lib/RT.pm line 730.

I have done a lot of googling searching the archives of this list but it has not turned up anything.

This is for a brand new instance of RT, if the plugin is commented out in RT_SiteConfig.pm, RT works fine, so it is affecting just this extension. Using the latest downloadable versions as of this week.

If someone could point in the right direction that would be great.

Regards,
Chris.
[rt-users] RT-Authen-ExternalAuth.
Hi,

I would like to have some information about the different possibilities of RT with this extension RT-Authen-ExternalAuth.

In fact, we work with RT 3.8.8 and I would like to export some information about tickets to another DB (Linux, Mysql...). Some people of my company have to clock their work (TimeWorked) every day, there is an application to load their time worked, I would like to do that with RT from the "What I did today" HTML page. When they click on "Record all updates", they update all their tickets and I would like to load these timeworks on the other DB.

I wrote the Perl code that I wanted to insert in the MyDay.html. In fact, the beginning of the function is:

    use warnings;
    use strict;
    use Time::Local;
    use base qw(RT::CustomFieldValues);
    use DBI;                    # Load the DBI module
    use vars qw/ $VERSION /;    # Script version
    $VERSION = '1.0';

    # Database connection parameters
    my $bd          = 'pointage';
    my $serveur     = 'sqlxxx';
    my $identifiant = 'xxx';
    my $motdepasse  = '';

    # Connect to the MySQL database
    my $dbh = DBI->connect( "dbi:x:dbname=$bd;host=$serveur;", $identifiant, $motdepasse )
        or die "Connexion impossible à la base de données $bd !";

    # Insert the data. The values are bound through ? placeholders and passed
    # to execute(), not interpolated into the SQL text.
    # $owner, %args, $worked, $user and the date parts are set in the rest of
    # MyDay.html, which is not shown here.
    my $requete_sql_pointage = <<"SQL";
    INSERT INTO pointage ( matricule, sect, type-pointage, ordre, temps_passe, date_pointage, nom )
    VALUES ( ?, ?, ?, ?, ?, ?, ? )
    SQL

    my $sth_pointage = $dbh->prepare($requete_sql_pointage) or die $dbh->errstr;
    $sth_pointage->execute( $owner, 'S760044', '2', $args{"Ordre Byo"}, $worked, "$day/$mon/$yr $hr:$min:$sec", $user )
        or die "Echec Requête $requete_sql_pointage : $DBI::errstr";

    # Disconnect from the database
    $dbh->disconnect();

Can you tell me how I can do that? And would the extension RT-Authen-ExternalAuth work in my case? I have this extension in my RT for another function and it works.

Thank you for your help.

Best regards,
Julien CAUNAN

Final RT training for 2012 in Atlanta, GA - October 23 & 24 http://bestpractical.com/training We're hiring! http://bestpractical.com/jobs
[rt-users] RT-Authen-ExternalAuth - how to confirm that ssl ldap bind is used?
I have been using rt4 for some time now in plain protocols (site is on http, fetchmail is plain pop3, external auth is done from ldap without ssl).

Now, I am increasing security by switching to encrypted protocols. Switching apache to https was easy thing to do, and I spent a few hours with fetchmail and certificates but it also works now.

RT::Extension::LDAPimport just worked when switching ldaphost to ldaps:

    Set($LDAPHost,'ldaps://ldap.company.tld');

Also, after setting

    Set($ExternalAuthPriority,['My_LDAP']);
    Set($ExternalInfoPriority,['My_LDAP']);
    Set($ExternalServiceUsesSSLorTLS,1);
    Set($ExternalSettings,{
        'My_LDAP' => {
            ...
            'tls' => 1,
            'ssl_version' => 3,
            ...
        }
    }
    ...

I can still authenticate. I can not believe this can be so simple :) Is there a way to check that ssl is really used?

Thank you in advance,
Marko Cupać
Re: [rt-users] RT-Authen-ExternalAuth - how to confirm that ssl ldap bind is used?
On Tue, Oct 16, 2012 at 6:46 AM, Marko Cupać marko.cu...@gmail.com wrote:
> I have been using rt4 for some time now in plain protocols (site is on http, fetchmail is plain pop3, external auth is done from ldap without ssl).
>
> Now, I am increasing security by switching to encrypted protocols. Switching apache to https was easy thing to do, and I spent a few hours with fetchmail and certificates but it also works now.
>
> RT::Extension::LDAPimport just worked when switching ldaphost to ldaps:
>
>     Set($LDAPHost,'ldaps://ldap.company.tld');
>
> Also, after setting
>
>     Set($ExternalAuthPriority,['My_LDAP']);
>     Set($ExternalInfoPriority,['My_LDAP']);
>     Set($ExternalServiceUsesSSLorTLS,1);
>     Set($ExternalSettings,{
>         'My_LDAP' => {
>             ...
>             'tls' => 1,
>             'ssl_version' => 3,
>             ...
>         }
>     }
>     ...
>
> I can still authenticate. I can not believe this can be so simple :) Is there a way to check that ssl is really used?

Check your ldap servers logs or run wireshark/tcpdump from the RT server and inspect the traffic.
Re: [rt-users] RT-Authen-ExternalAuth - how to confirm that ssl ldap bind is used?
You know, I looked into the same thing. What I found was that it was *not* so easy to use RT-Authen-ExternalAuth -- that is, if your LDAP server is secure enough.

My LDAP server requires a certificate to build an SSL or STARTTLS connection, as part of our baseline security. RT-Authen-ExternalAuth, by default, does not support a method to pass the path to a certificate, and the reqcert setting, to the underlying perl-Net-LDAP library (even though this library supports all that stuff).

I had to apply this patch to RT-Authen-ExternalAuth:

http://old.nabble.com/attachment/23889671/0/RT-Authen-ExternalAuth-19912-start_tls-options.patch

Patch applies perfectly. Afterwards, I did something like this in my config (note the tls_args segment):

    Set($ExternalSettings, {
        'LDAP' => {
            'type' => 'ldap',
            'auth' => 1,
            'info' => 1,
            'server' => 'ldap.example.com',
            'base' => 'dc=example,dc=com',
            'filter' => '(objectClass=posixAccount)',
            'tls' => 1,
            # What other args should I pass to Net::LDAP->new($host,@args)?
            'net_ldap_args' => [
                version => 3,
                port => 389,
                debug => 8,
            ],
            # Special argument for start_tls (see perldoc Net::LDAP for details)
            'tls_args' => [
                'verify' => 'require',
                'cafile' => '/etc/openldap/cacerts/example_ca.pem',
            ],
            # This MUST be a full DN
            'group' => 'cn=admins,ou=PosixGroups,dc=example,dc=com',
            'group_attr' => 'memberUid',
            'group_attr_value' => 'uid',
            'attr_match_list' => [
                'Name',
                'EmailAddress',
                'RealName',
                'Gecos',
            ],
            'attr_map' => {
                'Name' => 'uid',
                'EmailAddress' => 'mail',
                'RealName' => 'cn',
                'Gecos' => 'cn',
            } # end NAME
        }, # end LDAP
    }, # end $ExternalSettings
    ); # end Set

(Server is OpenLDAP 2.4.x using rfc2307 style posixAccount and posixGroup objectclasses)

--
Jonathan Mills
Systems Administrator
Renaissance Computing Institute
UNC-Chapel Hill

On 10/16/2012 08:19 AM, Darin Perusich wrote:
> On Tue, Oct 16, 2012 at 6:46 AM, Marko Cupać marko.cu...@gmail.com wrote:
> > I have been using rt4 for some time now in plain protocols (site is on http, fetchmail is plain pop3, external auth is done from ldap without ssl).
> >
> > Now, I am increasing security by switching to encrypted protocols. Switching apache to https was easy thing to do, and I spent a few hours with fetchmail and certificates but it also works now.
> >
> > RT::Extension::LDAPimport just worked when switching ldaphost to ldaps:
> >
> >     Set($LDAPHost,'ldaps://ldap.company.tld');
> >
> > Also, after setting
> >
> >     Set($ExternalAuthPriority,['My_LDAP']);
> >     Set($ExternalInfoPriority,['My_LDAP']);
> >     Set($ExternalServiceUsesSSLorTLS,1);
> >     Set($ExternalSettings,{
> >         'My_LDAP' => {
> >             ...
> >             'tls' => 1,
> >             'ssl_version' => 3,
> >             ...
> >         }
> >     }
> >     ...
> >
> > I can still authenticate. I can not believe this can be so simple :) Is there a way to check that ssl is really used?
>
> Check your ldap servers logs or run wireshark/tcpdump from the RT server and inspect the traffic.
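The packet-capture check suggested in this thread, as an added example (not from the original posts or from RT): it labels the first client payload of a connection to the LDAP port as a TLS handshake (ldaps://), an LDAP StartTLS request, or LDAP sent without TLS, including a simple bind that carries the password in the clear. The function names, verdict labels and sample byte strings are constructed for illustration; only the password length is reported, never its value.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)


def read_tlv(buf, pos=0):
    """Decode one BER TLV starting at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def classify_first_payload(payload):
    """Label the first client-to-server payload seen on a connection to an LDAP server."""
    # TLS record header: content type 0x16 (handshake), major version 0x03 -> implicit TLS.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"verdict": "tls_handshake"}
    try:
        tag, msg, _ = read_tlv(payload)                 # LDAPMessage ::= SEQUENCE
        if tag != 0x30:
            return {"verdict": "unknown"}
        id_tag, _, pos = read_tlv(msg)                  # messageID INTEGER
        if id_tag != 0x02:
            return {"verdict": "unknown"}
        op_tag, op, _ = read_tlv(msg, pos)              # protocolOp
        if op_tag == 0x77:                              # ExtendedRequest [APPLICATION 23]
            name_tag, name, _ = read_tlv(op)            # requestName [0]
            if name_tag == 0x80 and name == STARTTLS_OID:
                return {"verdict": "starttls_request"}
            return {"verdict": "ldap_without_tls", "op_tag": hex(op_tag)}
        if op_tag == 0x60:                              # BindRequest [APPLICATION 0]
            _, _, p = read_tlv(op)                      # version
            _, dn, p = read_tlv(op, p)                  # bind DN
            auth_tag, cred, _ = read_tlv(op, p)         # authentication choice
            if auth_tag == 0x80:                        # simple [0]: password sent as-is
                verdict = "cleartext_simple_bind" if cred else "cleartext_anonymous_bind"
                return {"verdict": verdict,
                        "dn": dn.decode("utf-8", "replace"),
                        "password_bytes": len(cred)}
            return {"verdict": "sasl_bind_no_tls"}
        return {"verdict": "ldap_without_tls", "op_tag": hex(op_tag)}
    except ValueError:
        return {"verdict": "unknown"}


# --- Constructed sample payloads (not captured traffic) ---
def tlv(tag, value):
    """Encode a TLV with a short-form length; the samples below stay under 128 bytes."""
    return bytes([tag, len(value)]) + value


def ldap_message(op):
    return tlv(0x30, tlv(0x02, b"\x01") + op)


SAMPLES = {
    "starttls": ldap_message(tlv(0x77, tlv(0x80, STARTTLS_OID))),
    "simple_bind": ldap_message(tlv(0x60,
        tlv(0x02, b"\x03")
        + tlv(0x04, b"cn=myuser,ou=users,dc=example,dc=com")
        + tlv(0x80, b"not-a-real-password"))),
    "anonymous_bind": ldap_message(tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))),
    "ldaps": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",   # start of a TLS handshake record
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_first_payload(data))
```

Feed it the first client-to-server TCP payload of each connection exported from a tcpdump or Wireshark capture taken on the RT server. A `starttls_request` still has to be followed by a TLS handshake on the same connection before any bind appears.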
Re: [rt-users] RT::Authen::ExternalAuth with AD...
On 4/20/12 2:52 AM, Joop wrote:
> Glenn Sieb wrote:
> > On 4/19/12 9:23 PM, Jeff Blaine wrote:
> > > Share the solution?
> >
> > In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local then it started working.
>
> I'm also using AD and I don't have to add the @domain.local to my login. I had a look at your RT_SiteConfig but didn't see the obvious. Will check later to see what difference there is between my and yours.

Unsure--the one I posted to pastebin was the one that wasn't working. I'm just happy it's working :) I'm also happy we were able to demo this to the company on Friday afternoon, and it was a big hit.

Now to figure out Approvals.. :)

Best,
--Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Glenn Sieb wrote:
> On 4/19/12 9:23 PM, Jeff Blaine wrote:
> > Share the solution?
>
> In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local then it started working.

I'm also using AD and I don't have to add the @domain.local to my login. I had a look at your RT_SiteConfig but didn't see the obvious. Will check later to see what difference there is between my and yours.

Joop
[rt-users] RT::Authen::ExternalAuth with AD...
Greetings.. :)

I'm at $work, trying to set up AD authentication for RT 4.0.5. I'm getting the following error:

    [Thu Apr 19 18:38:57 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/data/IH-Websites/rt/sbin/../local/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
    [Thu Apr 19 18:38:57 2012] [error]: FAILED LOGIN for gsieb from 10.200.4.5 (/data/IH-Websites/rt/sbin/../lib/RT/Interface/Web.pm:665)

We created a user to authenticate to AD for RT to use (RT_AD_USER). The goal is to be able to log in as USERNAME (as opposed to USERNAME@intranet.local).

Any help would be greatly appreciated. I have to have this live by EOB today.. (yay for last minute projects)!

Thanks in advance, everyone. My RT_SiteConfig.pm follows...

Best,
--Glenn

RT_SiteConfig.pm:

    Set( $rtname, '$WORK.TLD');
    Set( $Organization , '$WORK.TLD');
    Set( $UseTransactionBatch , 1);
    @EmailInputEncodings = qw(utf-8 big5 us-ascii);
    Set( $WebBaseURL, 'https://helpdesk.$WORK.TLD');
    Set( $WebDomain, 'helpdesk.$WORK.TLD');
    Set( $CompanySpecific , '$WORK');
    Set( $DatabaseUser , 'rt_user');
    Set( $DatabasePassword , 'rt_user_password');
    Set( $NotifyActor , 0);
    Set( $WebPath , "");
    Set( $WebURL , $WebBaseURL . $WebPath . "/");
    Set( $WebImagesURL , $WebPath . "/NoAuth/images/");
    Set( $CorrespondAddress , 'help@$WORK.TLD');
    Set( $CommentAddress , 'help-comment@$WORK.TLD');
    Set( $SendmailPath , "/usr/local/sbin/sendmail");
    Set( $Timezone , 'US/Eastern');
    Set( $ParseNewMessageForTicketCcs, 1);
    Set( $RTAddressRegexp , '^(help|help-comment)+\@$WORK\.TLD$');
    Set( $LogToSyslog, "info");
    Set( @Plugins, qw(RT::Authen::ExternalAuth) );
    Set( $ExternalAuthPriority, ['eFS_LDAP']);
    Set( $ExternalServiceUsesSSLorTLS, 0);
    Set( $AutoCreateNonExternalUsers, 0);
    Set( $ExternalInfoPriority, ['eFS_LDAP']);
    Set( $ExternalSettings, {
        'eFS_LDAP' => {
            'type' => 'ldap',
            'server' => 'DC01.intranet.local',
            'user' => 'RT_AD_USER',
            'pass' => 'RT_AD_USER_PASS',
            'base' => 'dc=intranet,dc=local',
            'filter' => '(objectClass=*)',
            'd_filter' => '(objectclass=pwdPolicy)',
            'tls' => 0,
            'ssl_version' => 3,
            'net_ldap_args' => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos' => 'sAMAccountName',
            }
        },
    });
    1;
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Thanks to jibsheet & Paul in the IRC channel for their help!

Best,
--Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Share the solution?

On 4/19/2012 6:46 PM, Glenn Sieb wrote:
> Thanks to jibsheet & Paul in the IRC channel for their help!
>
> Best,
> --Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
On 4/19/12 9:23 PM, Jeff Blaine wrote:
> Share the solution?

In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local then it started working.

And there was much rejoicing in the office when it did.. :-)

Best,
--Glenn
Re: [rt-users] RT-Authen-ExternalAuth usage questions
I hate to be that guy (top posting, reposting.. how many more taboos can I break!) However, I'm hoping a Monday-morning post will get better attention than a Thursday evening one. Anyone have ideas on the below? Thanks!

On 3/22/12 4:10 PM, Steve Huston wrote:
> I'm in the process of setting up a new RT instance which is going to be used differently than the one I've been running for many years now. Previously I only cared about the web interface for administrators, but now it's desired to have web access for all users.
>
> We use a CAS-enabled virtualhost (so RT uses the REMOTE_USER variable with external authentication). This means a user logging in will have a username such as 'huston'. However if they send an email, it would be 'hus...@princeton.edu', so there's the possibility of having two users created.
>
> OK, I need something that populates fields from LDAP. I found a few ways to do this, but it looks like the not outdated method is the aforementioned extension. I've downloaded it and am looking through things, but I have some questions for people more intimately in tune with the code:
>
> 1) Can I run this extension and continue to use the Apache-based authentication, relying on ExternalAuth just for the LDAP glue?
>
> 2) Did I see right that any time a user logs in, this extension will poll LDAP to see if their information matches what's in the RT user database and updates accordingly?
>
> 3) Will the extension care if a user doesn't exist? We may have people sending in emails that do not have an account in the LDAP server, and this should be allowed - we will want an account autocreated just as it is currently.
>
> 4) Will the extension poll LDAP on an incoming email, properly creating the user account if it doesn't exist with the right UID returned from the lookup? Or does this only work when logging in through the web interface?
>
> 5) If a user is created as a watcher - say someone in the web interface adds an email address as a CC to a ticket - will ExternalAuth be hooked to look up that user's information in LDAP and populate the uid & realname fields?
>
> Thanks!

--
Steve Huston - W2SRH - Unix Sysadmin, Astrophysical Sci CSES/PICSciE
Princeton University
[rt-users] RT-Authen-ExternalAuth usage questions
I'm in the process of setting up a new RT instance which is going to be used differently than the one I've been running for many years now. Previously I only cared about the web interface for administrators, but now it's desired to have web access for all users. We use a CAS-enabled virtualhost (so RT uses the REMOTE_USER variable with external authentication). This means a user logging in will have a username such as 'huston'. However if they send an email, it would be 'hus...@princeton.edu', so there's the possibility of having two users created.

OK, I need something that populates fields from LDAP. I found a few ways to do this, but it looks like the not outdated method is the aforementioned extension. I've downloaded it and am looking through things, but I have some questions for people more intimately in tune with the code:

1) Can I run this extension and continue to use the Apache-based authentication, relying on ExternalAuth just for the LDAP glue?

2) Did I see right that any time a user logs in, this extension will poll LDAP to see if their information matches what's in the RT user database and updates accordingly?

3) Will the extension care if a user doesn't exist? We may have people sending in emails that do not have an account in the LDAP server, and this should be allowed - we will want an account autocreated just as it is currently.

4) Will the extension poll LDAP on an incoming email, properly creating the user account if it doesn't exist with the right UID returned from the lookup? Or does this only work when logging in through the web interface?

5) If a user is created as a watcher - say someone in the web interface adds an email address as a CC to a ticket - will ExternalAuth be hooked to look up that user's information in LDAP and populate the uid realname fields?

Thanks!
--
Steve Huston - W2SRH - Unix Sysadmin, Astrophysical Sci CSES/PICSciE
  Princeton University  |ICBM Address: 40.346525 -74.651285
  206 Peyton Hall       |On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
  (267) 793-0852        | headlong into mystery. -Rush, 'Cygnus X-1'
Re: [rt-users] RT-Authen-ExternalAuth plugin causes 'Can't locate Apache.pm in @INC' issue
Thanks Bart. User interface is not affected. Only Php/Perl code execution. On Feb 1, 2012, at 11:32 PM, Bart b...@pleh.infomailto:b...@pleh.info wrote: Are you only getting the errors when executing the custom PHP/Perl code? Or does this also affect RT's user interface/functionality? -- Bart Op 2 februari 2012 02:33 schreef Srikumar Nair srikum...@fb.commailto:srikum...@fb.com het volgende: We have a RT 4.0.4 installation running on Apache. We have some front end PHP code that calls Perl scripts which use Perl RT APIs for RT interactions. Recently we installed the RT-Authen-ExternalAuth plugin (version 0.09) to RT. This creates the the following error when ever the php tries to invoke the perl scripts. But if I remove the plugin from the RT_SiteConfig.pm file everything works fine again. Has anyone see this issue? Can't locate Apache.pm in @INC (@INC contains: /opt/rt4/local/lib /opt/rt4/local/plugins/RT-Site-Facebook-TicketPageMenu/lib /opt/rt4/local/plugins/RT-Site-Facebook-SetQueue/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib /opt/rt4/local/plugins/RT-Extension-ArticleTemplates/lib /opt/rt4/lib /opt/rt4/share/html/fb/perl /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/lib/perl5/5.8.8/CGI/Cookie.pm line 38, DATA line 558. Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, DATA line 558. BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, DATA line 558. Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, DATA line 558. 
BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, DATA line 558. Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, DATA line 558. BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, DATA line 558. Thanks a bunch. RT Training Sessions (http://bestpractical.com/services/training.html) * Boston — March 5 6, 2012
[rt-users] RT-Authen-ExternalAuth plugin causes 'Can't locate Apache.pm in @INC' issue
We have a RT 4.0.4 installation running on Apache. We have some front end PHP code that calls Perl scripts which use Perl RT APIs for RT interactions. Recently we installed the RT-Authen-ExternalAuth plugin (version 0.09) to RT. This creates the following error whenever the php tries to invoke the perl scripts. But if I remove the plugin from the RT_SiteConfig.pm file everything works fine again. Has anyone seen this issue?

Can't locate Apache.pm in @INC (@INC contains: /opt/rt4/local/lib /opt/rt4/local/plugins/RT-Site-Facebook-TicketPageMenu/lib /opt/rt4/local/plugins/RT-Site-Facebook-SetQueue/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib /opt/rt4/local/plugins/RT-Extension-ArticleTemplates/lib /opt/rt4/lib /opt/rt4/share/html/fb/perl /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/lib/perl5/5.8.8/CGI/Cookie.pm line 38, <DATA> line 558.
Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, <DATA> line 558.
BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, <DATA> line 558.
Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, <DATA> line 558.
BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, <DATA> line 558.
Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, <DATA> line 558.
BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, <DATA> line 558.

Thanks a bunch.
Re: [rt-users] RT-Authen-ExternalAuth plugin causes 'Can't locate Apache.pm in @INC' issue
Are you only getting the errors when executing the custom PHP/Perl code? Or does this also affect RT's user interface/functionality? -- Bart Op 2 februari 2012 02:33 schreef Srikumar Nair srikum...@fb.com het volgende: We have a RT 4.0.4 installation running on Apache. We have some front end PHP code that calls Perl scripts which use Perl RT APIs for RT interactions. Recently we installed the RT-Authen-ExternalAuth plugin (version 0.09) to RT. This creates the the following error when ever the php tries to invoke the perl scripts. But if I remove the plugin from the RT_SiteConfig.pm file everything works fine again. Has anyone see this issue? Can't locate Apache.pm in @INC (@INC contains: /opt/rt4/local/lib /opt/rt4/local/plugins/RT-Site-Facebook-TicketPageMenu/lib /opt/rt4/local/plugins/RT-Site-Facebook-SetQueue/lib /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib /opt/rt4/local/plugins/RT-Extension-ArticleTemplates/lib /opt/rt4/lib /opt/rt4/share/html/fb/perl /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/lib/perl5/5.8.8/CGI/Cookie.pm line 38, DATA line 558. Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, DATA line 558. BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI/Cookie.pm line 3, DATA line 558. Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, DATA line 558. BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 4, DATA line 558. 
Compilation failed in require at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, DATA line 558. BEGIN failed--compilation aborted at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 27, DATA line 558. Thanks a bunch.
Re: [rt-users] RT::Authen::ExternalAuth cannot find LDAP users if they haven't logged in at least once.
Hi, Not sure if that's possible with ExternalAuth, it automatically creates a user during login but doesn't sync the LDAP. (at least, like you I can't find an option for it) You'll probably need to run something separate from ExternalAuth to import those users, this plugin might help with that: - http://search.cpan.org/~falcone/RT-Extension-LDAPImport-0.31/lib/RT/Extension/LDAPImport.pm -- Bart Op 30 januari 2012 02:16 schreef Camron W. Fox cw...@us.fujitsu.com het volgende: Alle, So we've installed RT::Authen::ExternalAuth, but when we try to search for users to create groups and such, if the user hasn't logged in to RT at least once, they cannot be found. Here is the LDAP excerpt from RT_SiteConfig.PM: Set(@Plugins, (qw(RT::Authen::ExternalAuth))); Set($ExternalAuthPriority, [ 'My_LDAP' ] ); Set($ExternalInfoPriority, [ 'My_LDAP' ] ); Set($ExternalAuthPriority,['My_LDAP']); Set($ExternalSettings, { Set($ExternalSettings, { 'My_LDAP' = { 'type' = 'ldap', 'server'= 'admin.subaru.nao.ac.jp', 'user' = 'cn=Manager,dc=subaru,dc=nao,dc=ac,dc=jp', 'pass' = 'X', 'base' = 'ou=people,dc=subaru,dc=nao,dc=ac,dc=jp', 'filter'= '(objectClass=person)', 'd_filter' = '(employeeType=locked)', 'tls' = 0, 'ssl_version' = 3, 'net_ldap_args' = [version = 3 ], # 'group' = 'GROUP_NAME', # 'group_attr' = 'GROUP_ATTR', 'attr_match_list' = [ 'Name', 'EmailAddress' ], 'attr_map' = { 'Name' = 'uid', 'EmailAddress' = 'mail', # 'Organization' = 'physicalDeliveryOfficeName', 'RealName' = 'cn', 'ExternalAuthId'= 'uid', 'Gecos' = 'gecos' # 'WorkPhone' = 'telephoneNumber', # 'Address1' = 'streetAddress', # 'City' = 'l', # 'State' = 'st', # 'Zip' = 'postalCode', # 'Country' = 'co' } } ); We've obviously missed something here, but we've spent the last couple days searching the docs/wiki/web and playing with RT_SiteConfig.pm but with no luck. Best Regards, Camron -- Camron W. Fox Hilo Office High Performance Computing Group Fujitsu Management Services of America, Inc. 
E-mail: cw...@us.fujitsu.com
Re: [rt-users] RT::Authen::ExternalAuth cannot find LDAP users if they haven't logged in at least once.
I have the ldap import plugin running and it does import new users and update existing information based on the options you set in config. You must set up a cron job for this. Thanks, Jim Lesinski On Jan 30, 2012, at 11:24 AM, Bart b...@pleh.info wrote: Hi, Not sure if that's possible with ExternalAuth, it automatically creates a user during login but doesn't sync the LDAP. (at least, like you I can't find an option for it) You'll probably need to run something separate from ExternalAuth to import those users, this plugin might help with that: http://search.cpan.org/~falcone/RT-Extension-LDAPImport-0.31/lib/RT/Extension/LDAPImport.pm -- Bart Op 30 januari 2012 02:16 schreef Camron W. Fox cw...@us.fujitsu.com het volgende: Alle, So we've installed RT::Authen::ExternalAuth, but when we try to search for users to create groups and such, if the user hasn't logged in to RT at least once, they cannot be found. Here is the LDAP excerpt from RT_SiteConfig.PM: Set(@Plugins, (qw(RT::Authen::ExternalAuth))); Set($ExternalAuthPriority, [ 'My_LDAP' ] ); Set($ExternalInfoPriority, [ 'My_LDAP' ] ); Set($ExternalAuthPriority,['My_LDAP']); Set($ExternalSettings, { Set($ExternalSettings, { 'My_LDAP' = { 'type' = 'ldap', 'server'= 'admin.subaru.nao.ac.jp', 'user' = 'cn=Manager,dc=subaru,dc=nao,dc=ac,dc=jp', 'pass' = 'X', 'base' = 'ou=people,dc=subaru,dc=nao,dc=ac,dc=jp', 'filter'= '(objectClass=person)', 'd_filter' = '(employeeType=locked)', 'tls' = 0, 'ssl_version' = 3, 'net_ldap_args' = [version = 3 ], # 'group' = 'GROUP_NAME', # 'group_attr' = 'GROUP_ATTR', 'attr_match_list' = [ 'Name', 'EmailAddress' ], 'attr_map' = { 'Name' = 'uid', 'EmailAddress' = 'mail', # 'Organization' = 'physicalDeliveryOfficeName', 'RealName' = 'cn', 'ExternalAuthId'= 'uid', 'Gecos' = 'gecos' # 'WorkPhone' = 'telephoneNumber', # 'Address1' = 'streetAddress', # 'City' = 'l', # 'State' = 'st', # 'Zip' = 'postalCode', # 'Country' = 'co' } } ); We've obviously missed something here, but we've spent the last 
couple days searching the docs/wiki/web and playing with RT_SiteConfig.pm but with no luck. Best Regards, Camron -- Camron W. Fox Hilo Office High Performance Computing Group Fujitsu Management Services of America, Inc. E-mail: cw...@us.fujitsu.com
[rt-users] RT::Authen::ExternalAuth cannot find LDAP users if they haven't logged in at least once.
Alle,

So we've installed RT::Authen::ExternalAuth, but when we try to search for users to create groups and such, if the user hasn't logged in to RT at least once, they cannot be found. Here is the LDAP excerpt from RT_SiteConfig.PM:

Set(@Plugins, (qw(RT::Authen::ExternalAuth)));
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'admin.subaru.nao.ac.jp',
        'user'            => 'cn=Manager,dc=subaru,dc=nao,dc=ac,dc=jp',
        'pass'            => 'X',
        'base'            => 'ou=people,dc=subaru,dc=nao,dc=ac,dc=jp',
        'filter'          => '(objectClass=person)',
        'd_filter'        => '(employeeType=locked)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        # 'group'         => 'GROUP_NAME',
        # 'group_attr'    => 'GROUP_ATTR',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            # 'Organization' => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'uid',
            'Gecos'          => 'gecos'
            # 'WorkPhone'    => 'telephoneNumber',
            # 'Address1'     => 'streetAddress',
            # 'City'         => 'l',
            # 'State'        => 'st',
            # 'Zip'          => 'postalCode',
            # 'Country'      => 'co'
        }
    }
} );

We've obviously missed something here, but we've spent the last couple days searching the docs/wiki/web and playing with RT_SiteConfig.pm but with no luck.

Best Regards,
Camron

--
Camron W. Fox
Hilo Office
High Performance Computing Group
Fujitsu Management Services of America, Inc.
E-mail: cw...@us.fujitsu.com
Re: [rt-users] RT-Authen-ExternalAuth-0.09 a bit too eager?
Thank you Kevin, I got rid of those parameters and everything is now fine. Best regards, Iulian
[rt-users] RT-Authen-ExternalAuth-0.09 a bit too eager?
Hello,

I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice a strange behaviour of RT-Authen-ExternalAuth-0.09. The authentication works fine, however, the login page gets redirected straight away here:

http://rt.address.com/NoAuth/Login.html?next=xx&results=xxx

With the error message: You are not an authorized user.

That is, this is what I see instead of the normal login page. This is what the log says:

[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)

Is this to be expected? Or am I missing something? Because in the old version there was no redirection and no error messages.

I dug a little bit and found a fix, but it seems a bit heavy handed (if not plain wrong). It involves modifying .../html/Callbacks/ExternalAuth/autohandler/Session from this:

<%init>
$m->comp('/Elements/DoAuth',%ARGS);
..

to this:

<%init>
if($ARGS{'user'} || $m->request_comp->path ne '/index.html'){
    $m->comp('/Elements/DoAuth',%ARGS);
}

That is, try to authenticate me only if I provided a username or if I am trying to access something else than the login page(well..).

Here's the relevant part of RT_SiteConfig:

Set($WebExternalAuth , '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalAuto , '1');
Set($ExternalAuthPriority, [ 'AD' ]);
Set($ExternalInfoPriority, [ 'AD' ]);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'AD' => {
        'type' => 'ldap',
        ...
    }
});

And httpd.conf:

<VirtualHost *:80>
    ServerName xxx
    KeepAlive On
    AddDefaultCharset UTF-8
    LogLevel debug
    LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\" %{X-Forwarded-For}i" combined
    ErrorLog /opt/rt/var/log/error_log
    CustomLog /opt/rt/var/log/access_log common env=!dontlog
    Alias /NoAuth/images/ /opt/rt/share/html/NoAuth/images/
    ScriptAlias / /opt/rt/sbin/rt-server.fcgi/
    DocumentRoot /opt/rt/share/html
    <Location />
        Order allow,deny
        Allow from all
        Options +ExecCGI
        AddHandler fastcgi-script fcgi
    </Location>
    <Location /NoAuth/images>
        SetHandler default-handler
    </Location>
</VirtualHost>

Thanks,
Iulian
Re: [rt-users] RT-Authen-ExternalAuth-0.09 a bit too eager?
On Thu, Dec 15, 2011 at 06:18:04AM -0800, Iulian Dragan wrote:
> Hello,
>
> I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice a strange behaviour of RT-Authen-ExternalAuth-0.09. The authentication works fine, however, the login page gets redirected straight away here:
>
> http://rt.address.com/NoAuth/Login.html?next=xx&results=xxx
>
> With the error message: You are not an authorized user.
>
> That is, this is what I see instead of the normal login page. This is what the log says:
>
> [Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
> [Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
> [Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
>
> Is this to be expected? Or am I missing something? Because in the old version there was no redirection and no error messages.

RT4 redirects on login attempt (to the login form) and those are the debug messages you get with RT-Authen-ExternalAuth.

> Set($WebExternalAuth , '1');
> Set($WebFallbackToInternalAuth , '1');
> Set($WebExternalAuto , '1');

I'm not sure why you have those set since you aren't doing any Apache authentication. The message you quote only comes about if you have WebExternalAuth turned on and either have WebExternalOnly set or have WebExternalFallbackToInternalAuth set and have a session that's invalid. Try turning off the options you're not using

-kevin

> Set($ExternalAuthPriority, [ 'AD' ]);
> Set($ExternalInfoPriority, [ 'AD' ]);
> Set($AutoCreateNonExternalUsers,1);
> Set($ExternalSettings, {
>     'AD' => {
>         'type' => 'ldap',
>         ...
>     }
> });
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
On Thu, Nov 17, 2011 at 1:49 PM, Adrian Stel <adisa...@gmail.com> wrote:
> Hi Ruslan,
>
> If I understand well:
>
> 1) apply patch - easy to do (just add line to /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm)
>
> 2) Here I have some question because I'm not sure how set 'p_enc_pkg' and 'p_enc_sub'

These are not required when p_check is set. p_check is a code inlined right into config that does whole job of checking password user entered against the hash.

> I need add this check to RT_SiteConfig.pm: ??

Yes.

> p_check => sub {
>     my ($hash, $pass) = @_;
>     use Authen::Passphrase;
>     return Authen::Passphrase->from_crypt($hash || '*')->match($pass);
> },
>
> then RT_SiteConfig.pm looks like:
>
> # The Perl package subroutine used to encrypt passwords
> # e.g. if the passwords are stored using the MySQL v3.23 PASSWORD
> # function, then you will need Crypt::MySQL::password, but for the
> # MySQL4+ password function you will need Crypt::MySQL::password41
> # Alternatively, you could use Digest::MD5::md5_hex or any other
> # encryption subroutine you can load in your perl installation
> 'p_enc_pkg' => 'Authen::Passphrase', (???)
> 'p_enc_sub' => '$P$', ()
> p_check => sub {
>     my ($hash, $pass) = @_;
>     use Authen::Passphrase;
>     return Authen::Passphrase->from_crypt($hash || '*')->match($pass);
> },
> #'p_enc_pkg' => 'Crypt::MySQL',
> #'p_enc_sub' => 'password41',
> # If your p_enc_sub takes a salt as a second parameter,
> # uncomment this line to add your salt
> #'p_salt' => 'SALT',
>
> If I mix/miss something please correct me.

Leave p_check and options that control how to find user in the DB, drop p_salt and p_enc_* options.

> Best Regards
> Adrian

--
Best regards, Ruslan.

RT Training Sessions (http://bestpractical.com/services/training.html) * Barcelona, Spain November 28 29, 2011
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi Ruslan, I comment in RT_SiteConfig.pm: #p_enc_pkg = #p_enc_sub = and put: p_check = sub { my ($hash, $pass) = @_; use Authen::Passphrase; return Authen::Passphrase-from_crypt($hash || '*')-match($pass); }, In log I can see: p_check for My_MySQL failed: unrecognised crypt scheme $H$ at /opt/rt4/etc/RT_SiteConfig.pm line 154 This is the line: 154 return Authen::Passphrase-from_crypt($hash || '*')-match($pass); I'm not sure if I put this p_check i right place, or I miss some '' ? Normal we have: ''p_enc_pkg' = 'Authen::Passphrase',' Should I live this p_check like this: 151 p_check = sub { 152 my ($hash, $pass) = @_; 153 use Authen::Passphrase; 154 return Authen::Passphrase-from_crypt($hash || '*')-match($pass); 155 }, 156 I can send you whole Set($ExternalSettings,) if it will help find issues. Best Adrian 2011/11/17 Ruslan Zakirov r...@bestpractical.com: On Thu, Nov 17, 2011 at 1:49 PM, Adrian Stel adisa...@gmail.com wrote: Hi Ruslan, If I understand well: 1) apply patch - easy to do (just add line to /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm) 2) Here I have some question because I'm not sure how set 'p_enc_pkg' and 'p_enc_sub' These are not required when p_check is set. p_check is a code inlined right into config that does whole job of checking password user entered against the hash. I need add this check to RT_SiteConfig.pm: ?? Yes. p_check = sub { my ($hash, $pass) = @_; use Authen::Passphrase; return Authen::Passphrase-from_crypt($hash || '*')-match($pass); }, then RT_SiteConfig.pm looks like: # The Perl package subroutine used to encrypt passwords # e.g. if the passwords are stored using the MySQL v3.23 PASSWORD # function, then you will need Crypt::MySQL::password, but for the # MySQL4+ password function you will need Crypt::MySQL::password41 # Alternatively, you could use Digest::MD5::md5_hex or any other # encryption subroutine you can load in your perl installation 'p_enc_pkg' = 'Authen::Passphrase', (???) 
'p_enc_sub' = '$P$', () p_check = sub { my ($hash, $pass) = @_; use Authen::Passphrase; return Authen::Passphrase-from_crypt($hash || '*')-match($pass); }, #'p_enc_pkg' = 'Crypt::MySQL', #'p_enc_sub' = 'password41', # If your p_enc_sub takes a salt as a second parameter, # uncomment this line to add your salt #'p_salt' = 'SALT', If i mix/miss something please correct me. Leave p_check and options that control how to find user in the DB, drop p_salt and p_enc_* options. Best Regards Adrian -- Best regards, Ruslan. -- Pozdrawiam Adrian Stelmaszyk RT Training Sessions (http://bestpractical.com/services/training.html) * Barcelona, Spain November 28 29, 2011
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
On Thu, Nov 17, 2011 at 3:30 PM, Adrian Stel <adisa...@gmail.com> wrote:
> Hi Ruslan,

[snip]

> In log I can see:
> p_check for My_MySQL failed: unrecognised crypt scheme $H$ at /opt/rt4/etc/RT_SiteConfig.pm line 154

Looks like it works.

> This is the line:
> 154 return Authen::Passphrase->from_crypt($hash || '*')->match($pass);
>
> I'm not sure if I put this p_check in right place, or I miss some '' ?

Everything in its right place. However, according to http://www.openwall.com/phpass/ smart people in phpBB3 team changed $P$ to $H$ without changing meaning, so you need to oversmart them. Put the following line right before line 154 (return Authen...):

$hash =~ s/^\$H\$/\$P\$/;

That will replace $H$ in the beginning with $P$ and Authen::Passphrase should find proper module.

--
Best regards, Ruslan.
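A fail-closed version of the p_check callback discussed in this thread, written as an added example (it is not code from any poster or from RT-Authen-ExternalAuth). The salt, passphrase and sample hashes are constructed for the demonstration, and using the callback in RT assumes the p_check patch to DBI.pm mentioned earlier in the thread is applied.

```perl
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::PHPass;

# Added example: a p_check callback for phpBB3 password hashes.
# Arguments follow the thread: ($stored_hash, $entered_password).
my $p_check = sub {
    my ($hash, $pass) = @_;

    # Fail closed on missing input instead of testing against a dummy hash.
    return 0 unless defined $hash && length $hash;
    return 0 unless defined $pass && length $pass;

    # phpBB3 stores phpass portable hashes under "$H$"; Authen::Passphrase
    # only knows the scheme as "$P$". The dollars in the replacement are
    # escaped so Perl does not interpolate a variable named $P.
    (my $crypt = $hash) =~ s/^\$H\$/\$P\$/;

    # from_crypt() dies on a scheme it does not recognise. Catch that and
    # report a failed login instead of letting the exception propagate.
    my $ok = eval { Authen::Passphrase->from_crypt($crypt)->match($pass) };
    return $ok ? 1 : 0;
};

# Constructed test data: salt and passphrase are made up for this example.
# The salt and cost travel inside the stored string, which is why a plain
# p_enc_sub hash function with one fixed salt cannot verify these hashes.
my $as_p = Authen::Passphrase::PHPass->new(
    cost       => 10,
    salt       => 'NaClNaCl',
    passphrase => 'correct horse',
)->as_crypt;
(my $as_h = $as_p) =~ s/^\$P\$/\$H\$/;    # the form phpBB3 would store

my @cases = (
    [ 'phpBB3 $H$ hash, right password', $as_h,          'correct horse' ],
    [ 'plain $P$ hash, right password',  $as_p,          'correct horse' ],
    [ 'phpBB3 $H$ hash, wrong password', $as_h,          'battery staple' ],
    [ 'unknown scheme',                  '$X$notahash',  'correct horse' ],
    [ 'empty stored hash',               '',             'correct horse' ],
);

for my $case (@cases) {
    my ($label, $hash, $pass) = @$case;
    printf "%-34s => %s\n", $label, $p_check->($hash, $pass) ? 'accept' : 'reject';
}
```

In RT_SiteConfig.pm the same anonymous sub would be the value of the p_check key in the DBI service block, with the p_salt and p_enc_* options dropped as advised above.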
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi, DBI.pm this is the place with p_enc_sub: sub GetAuth { my ($service, $username, $password) = @_; my $config = $RT::ExternalSettings-{$service}; $RT::Logger-debug( Trying external auth service:,$service); my $db_table= $config-{'table'}; my $db_u_field = $config-{'u_field'}; my $db_p_field = $config-{'p_field'}; my $db_p_enc_pkg= $config-{'p_enc_pkg'}; my $db_p_enc_sub= $config-{'p_enc_sub'}; my $db_p_salt = $config-{'p_salt'}; Place where the password is submitted to that method as a string parameter. In my opinion could be here: # Get the user's password from the database query result my $pass_from_db = $results_hashref-{$username}-{$db_p_field}; # This is the encryption package subroutine passed in by the config file $RT::Logger-debug( Encryption Package:, $db_p_enc_pkg); $RT::Logger-debug( Encryption Subroutine:, $db_p_enc_sub); # Use config info to auto-load the perl package needed for password encryption # I know it uses a string eval - but I don't think there's a better way to do this # Jump to next external authentication service on failure eval require $db_p_enc_pkg or $RT::Logger-error(AUTH FAILED, Couldn't Load Password Encryption Package. Error: $@) return 0; my $encrypt = $db_p_enc_pkg-can($db_p_enc_sub); if (defined($encrypt)) { # If the package given can perform the subroutine given, then use it to compare the # password given with the password pulled from the database. # Jump to the next external authentication service if they don't match if(defined($db_p_salt)) { $RT::Logger-debug(Using salt:,$db_p_salt); if(${encrypt}-($password,$db_p_salt) ne $pass_from_db){ $RT::Logger-info( $service, AUTH FAILED, $username, Password Incorrect); return 0; } } else { if(${encrypt}-($password) ne $pass_from_db){ $RT::Logger-info( $service, AUTH FAILED, $username, Password Incorrect); return 0; } } } else { # If the encryption package can't perform the request subroutine, # dump an error and jump to the next external authentication service. 
$RT::Logger-error($service, AUTH FAILED, The encryption package you gave me (, $db_p_enc_pkg, ) does not support the encryption method you specified (, $db_p_enc_sub, )); return 0; } But i'm not shure where exactly. And how I can convert string to hash. I'm not familiar with perl ;/ Best Adrian 2011/11/15 Zordrak zord...@tpa.me.uk: Adrian Stel wrote: Hi, Can't use string (user password) as a HASH ref while strict refs in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm line 278. Problem is with type of user password. Still need to know where I should search. Search for the text p_enc_sub. There's only one place it should be defined and it will be very close to where the password is submitted to that method as a string parameter. -- Zordrak zord...@tpa.me.uk -- Pozdrawiam Adrian Stelmaszyk RT Training Sessions (http://bestpractical.com/services/training.html) * Barcelona, Spain November 28 29, 2011
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi, I get some info from PHPass but I don't know how use it ;/ any suggestion from your site ?

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => 'cost',

The comment above, the example below, and a bit of googling all show that p_enc_pkg and p_enc_sub are together meant to name a hash function. Your password string will be passed through the function, and the resulting hash value is then managed by RT. The clearest example:

    #'p_enc_pkg' => 'Crypt::MySQL',
    #'p_enc_sub' => 'password41',

Crypt::MySQL::password41() is a function to which you pass a password string and it returns a hash. For example, password41(hunter2) returns *58815970BE77B3720276F63DB198B1FA42E5CC02.

Authen::Passphrase::PHPass::cost is not a hashing function. It's not meant to be called as a standalone function at all. It's the implementation of the ->cost method on the Authen::Passphrase::PHPass class, and so expects to be passed an A:P:PHPass object, not a string. A:P:PHPass doesn't actually expose the hash function on its own, so you can't use it this way.

In fact, the PHPass hash algorithm *can't* be properly used by RT, because it takes a salt input, and apparently RT can't perform salting. (There's a p_salt parameter, which appears to be a *fixed* salt, defeating the purpose.)

You could write a wrapper function around A:P:PHPass that creates a recogniser for a supplied password and then just extracts the hash. The wrapper would have to fix the cost parameter and the salt. It looks like this:

    use Authen::Passphrase::PHPass ();
    sub phpass_10_($) {
        return Authen::Passphrase::PHPass->new(
            cost => 10, passphrase => $_[0], salt => ,
        )->hash_base64;
    }

phpass_10_(hunter2) returns LvYU3dRamxKB1.lRa4ow1/. *This* is a hash function and could be used by RT via p_enc_pkg and p_enc_sub.

It's a bit of an abstraction inversion to use A:P:PHPass just for its hash function. If A:P:PHPass were wrapping some other module that just provides the hash then I'd point you at the other module. Most A:P modules do this, such as A:P:MySQL323 wrapping Crypt::MySQL. But A:P:PHPass implements the hash itself. Also, if there were a module exposing the PHPass algorithm on its own, you'd still have to write a wrapper, because of the cost parameter that RT has no idea how to handle.

2011/11/16 Adrian Stel adisa...@gmail.com:

Hi, DBI.pm this is the place with p_enc_sub:

    sub GetAuth {
        my ($service, $username, $password) = @_;
        my $config = $RT::ExternalSettings->{$service};
        $RT::Logger->debug( "Trying external auth service:",$service);
        my $db_table = $config->{'table'};
        my $db_u_field = $config->{'u_field'};
        my $db_p_field = $config->{'p_field'};
        my $db_p_enc_pkg = $config->{'p_enc_pkg'};
        my $db_p_enc_sub = $config->{'p_enc_sub'};
        my $db_p_salt = $config->{'p_salt'};

Place where the password is submitted to that method as a string parameter. In my opinion could be here:

    # Get the user's password from the database query result
    my $pass_from_db = $results_hashref->{$username}->{$db_p_field};

    # This is the encryption package subroutine passed in by the config file
    $RT::Logger->debug( "Encryption Package:", $db_p_enc_pkg);
    $RT::Logger->debug( "Encryption Subroutine:", $db_p_enc_sub);

    # Use config info to auto-load the perl package needed for password encryption
    # I know it uses a string eval - but I don't think there's a better way to do this
    # Jump to next external authentication service on failure
    eval "require $db_p_enc_pkg" or $RT::Logger->error("AUTH FAILED, Couldn't Load Password Encryption Package. Error: $@") && return 0;

    my $encrypt = $db_p_enc_pkg->can($db_p_enc_sub);
    if (defined($encrypt)) {
        # If the package given can perform the subroutine given, then use it to compare the
        # password given with the password pulled from the database.
        # Jump to the next external authentication service if they don't match
        if(defined($db_p_salt)) {
            $RT::Logger->debug("Using salt:",$db_p_salt);
            if(${encrypt}->($password,$db_p_salt) ne $pass_from_db){
                $RT::Logger->info( $service, "AUTH FAILED", $username, "Password Incorrect");
                return 0;
            }
        } else {
            if(${encrypt}->($password) ne $pass_from_db){
                $RT::Logger->info( $service, "AUTH FAILED", $username, "Password Incorrect");
                return 0;
            }
        }
    } else {
        # If the encryption
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hello,

I didn't read full thread, but long time ago I talked with zordrak about how password checking is wrong and not flexible. The current set of options is not suitable for many cases. I've cooked a patch [1]. The following config with patched extension can check any format supported by Authen::Passphrase framework:

    ...
    p_check => sub {
        my ($hash, $pass) = @_;
        use Authen::Passphrase;
        return Authen::Passphrase->from_crypt($hash || '*')->match($pass);
    },
    ...

Above covers HASH schemes described in [2]. If stored hash doesn't have $schema$ prefix then code needs a little bit of change.

However, I didn't test the patch.

[1] https://github.com/bestpractical/rt-authen-externalauth/commit/22ba2bfa8d59a00354712e63daaa5d622e39cf4d
[2] http://search.cpan.org/~zefram/Authen-Passphrase-0.007/lib/Authen/Passphrase.pm#CONSTRUCTORS
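The point made in the two messages above, as an added example that is not code from the thread or from RT-Authen-ExternalAuth: a salted phpass hash cannot be checked by hashing the password with one fixed function and comparing strings, because the salt and cost have to be read back out of each stored hash. It implements the phpass portable ($P$ / $H$) scheme with the core Digest::MD5 module only; the helper names, user names and salts are constructed for illustration, and passwords are assumed to be byte strings.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Alphabet phpass uses for the cost character, the salt and the digest.
my $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

# phpass's own base64 variant: bytes are packed little-endian, three at a
# time, and emitted six bits per character, lowest bits first.
sub encode64 {
    my ($input) = @_;
    my @b   = unpack 'C*', $input;
    my $n   = scalar @b;
    my $out = '';
    for (my $i = 0; $i < $n; $i += 3) {
        my $v = $b[$i];
        $v |= $b[$i + 1] << 8  if $i + 1 < $n;
        $v |= $b[$i + 2] << 16 if $i + 2 < $n;
        my $chars = $i + 2 < $n ? 4 : $i + 1 < $n ? 3 : 2;
        $out .= substr($ITOA64, ($v >> (6 * $_)) & 0x3f, 1) for 0 .. $chars - 1;
    }
    return $out;
}

# Hash $password using the cost and salt carried in $setting, which is either
# a full stored hash or just its first 12 characters ("$P$" + cost + salt).
# Returns undef when $setting is not a well-formed portable hash.
sub phpass_hash {
    my ($password, $setting) = @_;
    my ($id, $cost_ch, $salt) =
        $setting =~ /\A(\$[PH]\$)([.\/0-9A-Za-z])([.\/0-9A-Za-z]{8})/
        or return;
    my $log2 = index($ITOA64, $cost_ch);
    return if $log2 < 7 || $log2 > 30;
    my $hash = md5($salt . $password);
    $hash = md5($hash . $password) for 1 .. (1 << $log2);
    return $id . $cost_ch . $salt . encode64($hash);
}

# Salt-aware check with the same argument order as the p_check callback
# quoted above: (stored hash, candidate password). The comparison walks the
# whole string instead of stopping at the first differing character.
sub phpass_check {
    my ($stored, $password) = @_;
    my $computed = phpass_hash($password, $stored // '');
    return 0 unless defined $computed && length($computed) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample rows: same password, cost 2**10 (cost character '8'),
# two different per-user salts, as a phpBB3-style table would hold them.
my %users = (
    alice => phpass_hash('hunter2', '$P$8' . 'saltAAAA'),
    bob   => phpass_hash('hunter2', '$P$8' . 'saltBBBB'),
);

# p_enc_sub-style function: password in, hash out, salt fixed in advance.
my $fixed = sub { phpass_hash($_[0], '$P$8saltAAAA') };

for my $u (sort keys %users) {
    printf "%-5s stored=%s\n", $u, $users{$u};
    printf "      fixed-salt string compare: %s\n",
        $fixed->('hunter2') eq $users{$u} ? 'match' : 'MISMATCH';
    printf "      salt-aware check:          %s\n",
        phpass_check($users{$u}, 'hunter2') ? 'ok' : 'fail';
    printf "      wrong password:            %s\n",
        phpass_check($users{$u}, 'hunter3') ? 'ok' : 'fail';
}
```

Only the row whose salt happens to equal the fixed one passes the string compare, while the salt-aware check accepts the right password for both rows and rejects the wrong one.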
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi,

any idea where I should look, file name ? function ?

Best
Adrian

2011/11/14 Zordrak zord...@tpa.me.uk:

Adrian Stel wrote:

Hi, thanks :) phpass has many method I use hash_base64, RTSiteConfig.pm:

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => 'hash_base64',

and when i put user/pass I get:

RT Site: http://150.254.148.60/NoAuth/Login.html

    Can't use string ("*") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm line 278.

But when I reload page I will be login to RT. Any idea why we get this error.

My guess would be that PHPass.pm expects the password to be sent to it as a hashref instead of a string. IF this is the case then you will need to modify the code in ExternalAuth so that when the subroutine is called, the string is first converted into a hashref and then sent as a parameter.

--
Zordrak zord...@tpa.me.uk

RT Training Sessions (http://bestpractical.com/services/training.html)
* Barcelona, Spain, November 28 & 29, 2011
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi,

    Can't use string ("user password") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm line 278.

Problem is with type of user password. Still need to know where I should search.

Best
Adrian

--
Regards,
Adrian Stelmaszyk
[rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi,

I'm trying to configure ExternalAuth on my RT4.0.2. External database use Portable PHP password hashing framework (phpbb3): http://www.openwall.com/phpass/

There is perl module for this, Authen::Passphrase::PHPass (Perl module reimplements the support for portable hashes introduced in phpass, but in Perl).

My question is how I should configure RT_siteConfig.pm:

    'p_enc_pkg' => '?'
    'p_enc_sub' => '?'

When I use:

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => '',

I get:

    My_MySQL AUTH FAILED The encryption package you gave me ( Authen::Passphrase::PHPass ) does not support the encryption method you specified ( ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:99)

Any idea why ?

--
Best
Adrian Stelmaszyk
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
Hi,

thanks :) phpass has many method I use hash_base64, RTSiteConfig.pm:

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => 'hash_base64',

and when i put user/pass I get:

RT Site: http://150.254.148.60/NoAuth/Login.html

    Can't use string ("*") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm line 278.

But when I reload page I will be login to RT. Any idea why we get this error.

I test 2 more method hash and cost in both case we get the same error. I'm not sure if I chose right method. Or there is issues in RTSiteConfig.pm

Best
Adrian

2011/11/14 Zordrak zord...@tpa.me.uk:

Adrian Stel wrote:

Hi, When I use:

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => '',

I get:

    My_MySQL AUTH FAILED The encryption package you gave me ( Authen::Passphrase::PHPass ) does not support the encryption method you specified ( ) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:99)

Any idea why ?

Very simple, you haven't specified a method (subroutine) for the encryption; only the package.

Take MySQL's password function as an example. To use it you would specify the p_enc_pkg as Crypt::MySQL which will include that perl module, but that module provides many different methods. Normally you'd expect to use password41 as the p_enc_sub.

If it were MD5:

    p_enc_pkg: Digest::MD5
    p_enc_sub: md5_hex

--
Zordrak zord...@tpa.me.uk

--
Regards,
Adrian Stelmaszyk
Re: [rt-users] RT::Authen::ExternalAuth with PHPass (phpbb3);
On Mon, Nov 14, 2011 at 03:10:46PM +0100, Adrian Stel wrote:

Hi, thanks :) phpass has many method I use hash_base64, RTSiteConfig.pm:

    'p_enc_pkg' => 'Authen::Passphrase::PHPass',
    'p_enc_sub' => 'hash_base64',

and when i put user/pass I get:

RT Site: http://150.254.148.60/NoAuth/Login.html

    Can't use string ("*") as a HASH ref while "strict refs" in use at /usr/local/share/perl/5.10.1/Authen/Passphrase/PHPass.pm line 278.

Sounds like the Authen::Passphrase::PHPass module doesn't like the way that RT-Authen-ExternalAuth is invoking it. Unfortunately, you'll need to add some debugging to figure out where it goes wrong unless someone on the list has experience with the configuration you want to use.

-kevin
Re: [rt-users] RT::Authen::ExternalAuth and SSO via Apache authentication for RT4
On 07/17/2011 07:27 PM, James Zuelow wrote:

In testing I noticed that the debug log was complaining about there not being a user to authenticate. Since I still had Apache performing NTLM authentication, I knew there was user information available via REMOTE_USER. Modifying RT::Authen::ExternalAuth's ExternalAuth.pm to take that information from Apache turned out to be a three line edit. (1)

The reason RT::Authen::ExternalAuth doesn't do this is because RT itself has the ability to authenticate using the information in REMOTE_USER. Look at the WebExternal settings in etc/RT_Config.pm. It'll be much more maintainable to use RT's built-in support rather than a hacked up extension you have to patch every time you upgrade.

Cheers,
Thomas

2011 Training: http://bestpractical.com/services/training.html
Re: [rt-users] RT::Authen::ExternalAuth and SSO via Apache authentication for RT4
On 07/18/2011 12:27 PM, James Zuelow wrote:

I did look at the WebExternal settings in RT. Using them, RT does do authentication and log the user in. But at least in my experience over the last week it does not synchronize data from AD. Admittedly, I am doing this as a side project in addition to my regular job, so I may have missed the sync data with AD tag for WebExternal.

With RT-Extension-LDAPImport, you can load users into RT from LDAP and put it in cron to keep it current. ExternalAuth _should_ support info only mode which syncs the user details on first user create, but that's currently TODO.

Thomas
[rt-users] RT::Authen::ExternalAuth and SSO via Apache authentication for RT4
Google tells me there are people interested in this question that aren't finding a solution, so hopefully this is useful to some of them.

I've been evaluating RT for the past week or so, looking at it as an alternative to our current ticket system. One of my requirements is Active Directory integration for our users and helpdesk staff allowing for passwordless login/account creation with a web browser and correct user information for RT users created via e-mail.

This is easy to accomplish for RT3 with the various overlays on the wiki, combined with NTLM authentication for Apache. But I didn't want to start a new deployment on RT3 now that RT4 is out. (And I like the layout better anyway.) Rewriting the overlays for RT4 looks like too much work.

The simplest AD method for RT4 is using RT::Authen::ExternalAuth version 0.9's LDAP lookup. That works well, but it presents a problem in that users have to enter their username/password to see their self service page.

In testing I noticed that the debug log was complaining about there not being a user to authenticate. Since I still had Apache performing NTLM authentication, I knew there was user information available via REMOTE_USER. Modifying RT::Authen::ExternalAuth's ExternalAuth.pm to take that information from Apache turned out to be a three line edit. (1)

I am somewhat familiar with Perl, although I am not a Perl guru. I didn't audit anything to see if there were any issues. Right now I am happy because It Works For Me and there are no obvious failures. I did not sanitize the REMOTE_USER input because I trust winbind not to put something crazy in there.

I do wonder about the two lines in my log (2) discussing a failure to enable the user, followed by a successful enabling of the user. Is this normal for RT::Authen::ExternalAuth, or did I break something?

James Zuelow
Systems Operations Manager
City and Borough of Juneau MIS
(907) 586-0236

===
(1) (probably get munged by word wrap)

RT::Authen::ExternalAuth version 0.9
Modified: ExternalAuth.pm around line 85

    ### CBJ BELOW
    #if(defined($username)) {
    #$RT::Logger->debug("Pass not going to be checked, attempting SSO");
    #$pass_bypass = 1;
    if ( defined $ENV{'REMOTE_USER'} ) {
    $username = $ENV{'REMOTE_USER'};
    $RT::Logger->debug("Apache returned REMOTE_USER $username, attempting SSO");
    $pass_bypass = 1;
    ### CBJ ABOVE
    } else {

==
(2)

8- snip -8
[Sun Jul 17 22:07:54 2011] [warning]: Couldn't enable user 41 (/usr/share/request-tracker4/lib/RT/User.pm:1066)
[Sun Jul 17 22:07:54 2011] [info]: User marked as ENABLED ( James_Zuelow ) per External Service (, )
-8- snip -8-
Re: [rt-users] RT::Authen::ExternalAuth?
So RT 3.8.10 is working swimmingly well except for one possible post upgrade snag - two users (out of 100+) reported that after RT was restarted they were logged in as someone else. Any ideas?

On Tue, 2011-06-14 at 15:17 -0400, Kevin Falcone wrote:

On Tue, Jun 14, 2011 at 02:50:24PM -0400, Joshua Knarr wrote:

Kevin - We gave up on RT 4. RTFM is not the answer. The problem is threefold:

Oh, now that I reread your original thread I see. You didn't run any database upgrades between 3.4.5 and 4.0.0 other than those described in UPGRADING.mysql. That's going to cause you problems on 3.8.10 also.

-kevin

--
Joshua Knarr
Systems Engineer
GSI Commerce, Inc.
http://www.gsicommerce.com
E-Mail: kna...@gsicommerce.com
Office: 610-491-7110
Mobile: 484-636-7371
[rt-users] RT::Authen::ExternalAuth?
Hello mailing list,

Kevin - We gave up on RT 4. RTFM is not the answer. The problem is threefold:

1) DBI is too new to upgrade the old style DB. People running fedora or rawhide are going to start yelling at some point when they go to upgrade if they're upgrading from an old enough version.

2) FCGI changed from being statically linked to a module that this causes...

3) ...the new mason's handling of UTF to break the old DB.

That being said - I made it to 3.8.10 which tells me something goes very wrong between 3.8.10 and 4.0.0.

The docs for External Auth talk about .08 being current. For 3.8.10, the docs talk about .08_02. CPAN says .09 is out but the docs on the wiki don't discuss it. Which one do I use for a 3.8.10 RT?

--
Joshua Knarr
Systems Engineer
GSI Commerce, Inc.
http://www.gsicommerce.com
E-Mail: kna...@gsicommerce.com
Office: 610-491-7110
Mobile: 484-636-7371
Re: [rt-users] RT::Authen::ExternalAuth?
On Tue, Jun 14, 2011 at 02:50:24PM -0400, Joshua Knarr wrote:

1) DBI is too new to upgrade the old style DB. People running fedora or rawhide are going to start yelling at some point when they go to upgrade if they're upgrading from an old enough version.

I'm afraid I don't understand this statement. You may need to provide an error or log snippet that demonstrates the problem.

2) FCGI changed from being statically linked to a module that this causes...

I'm afraid I don't understand this statement. You may need to provide an error or log snippet that demonstrates the problem.

3) ...the new mason's handling of UTF to break the old DB.

I'm afraid I don't understand this statement. You may need to provide an error or log snippet that demonstrates the problem.

That being said - I made it to 3.8.10 which tells me something goes very wrong between 3.8.10 and 4.0.0. The docs for External Auth talk about .08 being current. For 3.8.10, the docs talk about .08_02. CPAN says .09 is out but the docs on the wiki don't discuss it. Which one do I use for a 3.8.10 RT?

Use 0.09

I write the README for RT-Authen-ExternalAuth, I do not maintain the wiki pages for it. My opinion will always be in the README.

-kevin
Re: [rt-users] RT::Authen::ExternalAuth?
On Tue, Jun 14, 2011 at 02:50:24PM -0400, Joshua Knarr wrote:

Kevin - We gave up on RT 4. RTFM is not the answer. The problem is threefold:

Oh, now that I reread your original thread I see. You didn't run any database upgrades between 3.4.5 and 4.0.0 other than those described in UPGRADING.mysql. That's going to cause you problems on 3.8.10 also.

-kevin
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for Authentification ?
Solved with a help from a colleague. Here's the solution:

    Set($ExternalSettings, {
        'My_LDAP' => {
            ## GENERIC SECTION
            'type'            => 'ldap',
            'server'          => 'xxx.xxx.local',
            'user'            => 'CN=User,OU=Benutzer,OU=xxx,DC=xxx,DC=xx',  # That was the crucial point
            'pass'            => 'pass',
            'base'            => 'OU=xxx,OU=xxx,DC=xxx,DC=local',
            'filter'          => '(memberOf=CN=RT,OU=Gruppen,OU=xxx,DC=xxx,DC=xxx)',  # and the filter is modified
            'd_filter'        => '(userAccountControl=514)',
            'tls'             => 1,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', ],
            'attr_map'        => {
                'Name'           => 'sAMAccountName',
                'RealName'       => 'cn',
                'EmailAddress'   => 'mail',
                'Organization'   => 'physicalDeliveryOfficeName',
                'ExternalAuthId' => 'sAMAccountName',
                'WorkPhone'      => 'telephoneNumber',
                'Address1'       => 'streetAddress',
                'City'           => 'l',
                'Zip'            => 'postalCode',
            }
        }
    });

best regards
john s.

--
View this message in context: http://old.nabble.com/RT-Authen-ExternalAuth-0.08-which-packages-i-need-for-Authentification---tp31342791p31635938.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
@Mike Johnson20

My gut feeling is your Base DN is wrong.

Not really, right direction but still wrong :) But joking aside, I have done it with a help from a colleague. It was a hard piece of work with many trial and error parts.

here is my solution:

    Set($ExternalSettings, {
        'My_LDAP' => {
            ## GENERIC SECTION
            'type'            => 'ldap',
            'server'          => 'xxx.xxx.local',
            'user'            => 'CN=User,OU=Benutzer,OU=xxx,DC=xxx,DC=xx',  # That was the crucial point
            'pass'            => 'pass',
            'base'            => 'OU=xxx,OU=xxx,DC=xxx,DC=local',
            'filter'          => '(memberOf=CN=RT,OU=Gruppen,OU=xxx,DC=xxx,DC=xxx)',  # and the filter is modified
            'd_filter'        => '(userAccountControl=514)',
            'tls'             => 1,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress', ],
            'attr_map'        => {
                'Name'           => 'sAMAccountName',
                'RealName'       => 'cn',
                'EmailAddress'   => 'mail',
                'Organization'   => 'physicalDeliveryOfficeName',
                'ExternalAuthId' => 'sAMAccountName',
                'WorkPhone'      => 'telephoneNumber',
                'Address1'       => 'streetAddress',
                'City'           => 'l',
                'Zip'            => 'postalCode',
            }
        }
    });

many thanks to all guys which are trying to help me

ps: could anyone clean up this thread from double entries

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
I agree with Raphael on this one.

The error you are seeing is basically saying it cannot find the user based on the searching parameters you used.

A useful troubleshooting tool for this would be an LDAP Browser (I used Softerra's). The browser allows you to test your Base DN.

My gut feeling is your Base DN is wrong.

Good luck!
Mike.

2011/4/26 Raphaël MOUNEYRES raphael.mouney...@sagemcom.com

Hello,

the LDAP answer is clear : User not found

in your config you search in this Base: ou=User,dc=xxx,dc=xxx,dc=local

are you sure the xxx.xxx.local domain exist in your AD configuration ? or did you change company values to hide from the list ?

it looks like you don't have the good parameters between RT and your AD config so you can match and find the USER

Raphaël

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Turn your RT debug logging on and check that log to see what it's doing.

Hello mike

the rt.log says the following:

    username: USER , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
    [Tue Apr 26 06:58:11 2011] [debug]: LDAP Search === Base: ou=User,dc=xxx,dc=xxx,dc=local == Filter: (&(ObjectClass=*)(sAMAccountName=User)) == Attrs: cn,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
    [Tue Apr 26 06:58:11 2011] [debug]: User Check Failed :: ( My_LDAP ) USER User not found (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)

So sth goes awry

Any further hints, clues or advices would be helpfully

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Is it clear what i want?

No? okay i try to describe a little bit more exactly as far as possible from myself

okay my ldapsearch command which runs perfectly is:

    sudo ldapsearch -h xxx.xxx.local -D "xxx\User" -w password -b 'dc=xxx, dc=local' -s sub sAMAccountName=USER

So here are my RT Config Parameter again:

    Set($ExternalSettings, {
        'My_LDAP' => {
            ## GENERIC SECTION
            'type' => 'ldap',
            'server' => '192.168.123.45',
            'user' => 'USER',
            'pass' => 'password',
            'base' => 'ou=companyou,ou=User,dc=xxx,dc=xxx,dc=local',
            'filter' => '(ObjectClass=*)',
            'd_filter' => '(userAccountControl=514)'
            # 'tls' => 0,
            # 'ssl_version' => 3,
            'net_ldap_args' => [ version => 3 ],
            # 'group' => 'Benutzer',
            # 'group_attr' => 'GROUP_ATTR',
            'attr_match_list' => [ 'Name',
                                   #'EmailAddress',
                                 ],
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'RealName' => 'cn',
                'EmailAddress' => 'mail',
                'Organization' => 'physicalDeliveryOfficeName',
                'RealName' => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos' => 'sAMAccountName',
                'WorkPhone' => 'telephoneNumber',
                'Address1' => 'streetAddress',
                'City' => 'l',
                'State' => 'st',
                'Zip' => 'postalCode',
                'Country' => 'co'
            }
        }

I'll try to find out, which parameter doesn't match with the ldap one ... cause if i try to authorize on rt with an ad user my AD gives the following message out:

    xxx.xxx.xxx.xxx:2799 NTDS NoneTCP4 32 NonDSE Can't find object 0.0 0

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
hello,

i would say that as you have commented out the EmailAddress in the attribute match list, you need to remove the , (comma) after the Name attribute

I think i remember having some error similar ; the last parameter must NOT have the comma, at the end of the line

so your config would look like :

    'attr_match_list' => [ 'Name'
                           #'EmailAddress',
                         ],

Raphaël

Raphaël MOUNEYRES
Test Resources Engineer
Avenue Paul Gellos
64990 Mouguerre
Phone: +33 (0)5 59 58 41 51
Email: raphael.mouney...@sagemcom.com
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hello Raphael,

No, nothing has changed at all... still the same error. Sth. goes really wrong... I have to track the issue in order to determine the issue, but I don't know how. Any idea or a clue? Here is the tcpdump log:

    13:27:25.872995 IP ubunturt3.52185 > xxx.xxx.local.ldap: Flags [.], ack 1, win 5840, length 0
    13:27:25.875403 IP ubunturt3.52185 > xxx.xxx.local.ldap: Flags [P.], seq 1:33, ack 1, win 5840, length 32
    13:27:25.875739 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [.], ack 33, win 64240, length 0
    13:27:25.877367 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [P.], seq 1:23, ack 33, win 64240, length 22
    13:27:25.877460 IP ubunturt3.52185 > xxx.xxx.local.ldap: Flags [.], ack 23, win 5840, length 0
    13:27:25.889275 IP ubunturt3.52185 > xxx.xxx.local.ldap: Flags [P.], seq 33:282, ack 23, win 5840, length 249
    13:27:25.889595 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [.], ack 282, win 64240, length 0
    13:27:25.890369 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [P.], seq 23:165, ack 282, win 64240, length 142
    13:27:25.895897 IP ubunturt3.52185 > xxx.xxx.local.ldap: Flags [F.], seq 282, ack 165, win 6432, length 0
    13:27:25.897013 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [.], ack 283, win 64239, length 0
    13:27:25.897328 IP xxx.xxx.local.ldap > ubunturt3.52185: Flags [R.], seq 165, ack 283, win 64239, length 0

Maybe it could help.

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Reading your previous messages, your RT log shows:

    ...:: ( My_LDAP ) RT-USER User not found

That means your LDAP server is sending a response that RT-USER does not exist in its database. Then you mention that this runs successfully:

    sudo ldapsearch -h xxx.xxx.local -D xxx\User -w password -b 'dc=xxx, dc=local' -s sub sAMAccountName=USER

That means USER exists in the database. So are you using the good login on the RT screen?
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
One thing that stands out in your config is your d_filter. I read on the RT wiki somewhere that for d_filter on an AD you needed to put what I have below:

    'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

Read these 2 Microsoft support KB articles to learn more on why:

http://support.microsoft.com/kb/305144
http://support.microsoft.com/kb/269181

Also, you have tls, ssl_version, group and group_attr commented out. Someone else can correct me, but I believe you need to define those in your settings.

Best I can do with my limited knowledge. Good luck!

Mike.

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
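Added example, not part of the original thread: the two d_filter forms discussed above behave differently on accounts that carry flags besides ACCOUNTDISABLE. This Perl sketch evaluates both filters against constructed userAccountControl values; the account names and values are made up, and the flag values and matching-rule OIDs are the ones documented in the two KB articles.

```perl
#!/usr/bin/perl
# Added example: compares the exact-match and bitwise d_filter forms.
# Entries below are constructed sample data, not taken from the thread.
use strict;
use warnings;

# Active Directory matching-rule OIDs for bitwise comparison (KB 269181).
my %RULE = (
    '1.2.840.113556.1.4.803' => 'and',   # all bits of the operand are set
    '1.2.840.113556.1.4.804' => 'or',    # at least one bit of the operand is set
);

# Parse a single-clause numeric filter: (attr=value) or (attr:OID:=value).
sub parse_clause {
    my ($filter) = @_;
    if ($filter =~ /^\((\w+):([\d.]+):=(\d+)\)$/) {
        my ($attr, $oid, $value) = ($1, $2, $3);
        my $op = $RULE{$oid} or die "unsupported matching rule $oid\n";
        return { attr => $attr, op => $op, value => 0 + $value };
    }
    if ($filter =~ /^\((\w+)=(\d+)\)$/) {
        return { attr => $1, op => 'eq', value => 0 + $2 };
    }
    die "not a single-clause numeric filter: $filter\n";
}

# Decide whether one directory entry satisfies the parsed clause.
sub entry_matches {
    my ($clause, $entry) = @_;
    my $have = $entry->{ $clause->{attr} };
    return 0 unless defined $have;
    $have = 0 + $have;                       # force numeric bitwise operations
    my ($op, $want) = @{$clause}{qw(op value)};
    my $hit;
    if    ($op eq 'and') { $hit = (($have & $want) == $want) }
    elsif ($op eq 'or')  { $hit = (($have & $want) != 0) }
    else                 { $hit = ($have == $want) }
    return $hit ? 1 : 0;
}

# userAccountControl flags (KB 305144): 2 = ACCOUNTDISABLE,
# 32 = PASSWD_NOTREQD, 512 = NORMAL_ACCOUNT, 65536 = DONT_EXPIRE_PASSWORD.
my @entries = (
    { sAMAccountName => 'alice', userAccountControl => 512   },  # enabled
    { sAMAccountName => 'bob',   userAccountControl => 514   },  # disabled
    { sAMAccountName => 'carol', userAccountControl => 66050 },  # disabled, password never expires
    { sAMAccountName => 'dave',  userAccountControl => 546   },  # disabled, password not required
);

# Names of the sample accounts a given d_filter would report as disabled.
sub disabled_by {
    my ($filter) = @_;
    my $clause = parse_clause($filter);
    return map  { $_->{sAMAccountName} }
           grep { entry_matches($clause, $_) } @entries;
}

for my $filter ('(userAccountControl=514)',
                '(userAccountControl:1.2.840.113556.1.4.803:=2)') {
    printf "%-50s => %s\n", $filter, join(', ', disabled_by($filter));
}
```

With this sample data the exact-match filter selects only bob, while the bit-AND filter selects bob, carol and dave, so a d_filter of 514 leaves some disabled accounts unflagged.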
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
@Raphael

> so are you using the good login on RT screen ?

What do you mean with a good login?

@Mike

Hello Mike, I have read the 2 articles and modified my config in such way... but the same error occurs. But I have found sth. on my AD; I'll try to copy the info which should be necessary:

    xxx.xxx.xxx.xxx:2206 NTDS None TCP 4 32 NonDSE Can't find Objekt 0.0 0 0.0
    xxx.xxx.xxx.xxx:2200 NTDS None TCP 4 32 NonDSE Can't find Objekt 0.0 0 0.0

That's one of it...

    xxx.xxx.xxx.xxx:2200 NTDS None TCP 1 0 NonDSE Sucess 0.0 1 0.0
    xxx.xxx.xxx.xxx.2206 NTDS None TCP 1 0 NonDSE Sucess 0.0 1 0.0

This is the same log, but it comes a little bit later. I wonder why success. And now it gets really strange. That's the search log:

    Client Instanz Objektname Filtername Reply/s Response Time (ms) CPU%
    Internal NTDS [](displayName=RT-USER) 0 0 0 0
    Internal NTDS [] (displayName=RT-USER)0 0 00

I don't understand; it looks like it can't resolve the object name.

best regards
john.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Turn your RT debug logging on and check that log to see what it's doing. I believe the debug log shows you the actual LDAP call it's doing... then you can verify what is failing based on that.

Good luck!

Mike.

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Greetings Luis,

okay, I have trimmed my config a little bit and now it looks like this:

    Set($ExternalAuthPriority, [ ' My_LDAP' ]);
    Set($ExternalInfoPriority, ['My_LDAP']);
    #Set($ExternalServiceUsesSSLorTLS, 0 );
    Set($AutoCreateNonExternalUsers,0);
    Set($ExternalSettings, {'My_LDAP' => {
        ## GENERIC SECTION
        'type' => 'ldap',
        'server' => 'ipserver',
        'user' => 'USER',
        'pass' => 'pass',
        'base' => 'ou=OU Unit,dc=sb,dc=local',
        'filter' => '(ObjectClass=*)',
        'd_filter' => '(userAccountControl=514)'
        # 'tls'=> 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'group' => 'Benutzer',
        'group_attr' => 'GROUP_ATTR',
        'attr_match_list' => ['Name',
                              'EmailAddress',
                             ],
        'attr_map' => { 'Name' => 'sAMAccountName',
                      }
        }
    }
    );

And now I have also posted the apache logfile, because this comments the steps from which lines I had to comment out so that apache will start... So that's the basic one without any outlines... and this one doesn't work:

http://pastebin.com/PHpDsi7S

And now the config which lets apache start:

    #RT Authenth#
    Set($ExternalAuthPriority, [ ' My_LDAP' ]);
    Set($ExternalInfoPriority, ['My_LDAP']);
    #Set($ExternalServiceUsesSSLorTLS, 0 );
    Set($AutoCreateNonExternalUsers,0);
    Set($ExternalSettings, {'My_LDAP' => {
        ## GENERIC SECTION
        'type' => 'ldap',
        'server' => '192.168.10.40',
        'user' => 'RT-USER',
        'pass' => 'sl-pg33011',
        'base' => 'ou=SBAOU Unit,dc=sbah,dc=local',
        'filter' => '(ObjectClass=*)',
        'd_filter' => '(userAccountControl=514)'
        # 'tls'=> 0,
        # 'ssl_version' => 3,
        # 'net_ldap_args' => [version => 3 ],
        # 'group' => 'Benutzer',
        # 'group_attr' => 'GROUP_ATTR',
        # 'attr_match_list' => ['Name',
        # 'EmailAddress',
        # ],
        # 'attr_map' => { 'Name' => 'sAMAccountName',
        #'EmailAddress' => 'mail',
        # 'Organization' => 'physicalDeliveryOfficeName',
        # 'RealName' => 'cn',
        # 'ExternalAuthId' => 'sAMAccountName',
        # 'Gecos' => 'sAMAccountName',
        # 'WorkPhone' => 'telephoneNumber',
        # 'Address1' => 'streetAddress',
        # 'City' => 'l',
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Addition: I have made a trace log over port 389 with tcpdump. The result: no request is going out if I try to authorize on RT, so I think the plugin doesn't work anymore...

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hi John,

It looks like you missed a comma after

    'd_filter' => '(userAccountControl=514)'

In addition, please check your settings here:

    'attr_map' => { 'Name' => 'sAMAccountName',...

Nothing else to match? If so, just to be sure, please delete the comma after 'sAMAccountName'.

Finally, I would recommend that you comment out

    'ssl_version' => 3,

After you get this configuration to work, then you can play with the SSL configuration.

Good luck,
Best,
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
You also have a space before My_LDAP here, which does not match the service defined later:

    Set($ExternalAuthPriority, [ ' My_LDAP' ]);
    ...
    Set($ExternalSettings, {'My_LDAP' => {
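Added example, not code from RT or from the plugin: a stand-alone Perl check for the kind of mismatch pointed out above, where a name in a priority list is not an exact key of ExternalSettings. The function name, the sample values and the rule that every attr_match_list entry needs an attr_map entry are assumptions made for this sketch; the filter requirements are the ones stated in the sample configuration's comments.

```perl
#!/usr/bin/perl
# Added example: consistency checks for ExternalAuth-style settings.
# check_external_auth() is a hypothetical helper; sample values are constructed.
use strict;
use warnings;

sub check_external_auth {
    my (%cfg) = @_;
    my $settings = $cfg{ExternalSettings} || {};
    my @problems;

    # Hash keys are strings, so ' My_LDAP' and 'My_LDAP' are different services.
    for my $list (qw(ExternalAuthPriority ExternalInfoPriority)) {
        for my $name (@{ $cfg{$list} || [] }) {
            next if exists $settings->{$name};
            (my $trimmed = $name) =~ s/^\s+|\s+$//g;
            my $hint = exists $settings->{$trimmed}
                ? " (differs from '${trimmed}' only by whitespace)"
                : '';
            push @problems, "${list}: no service named '${name}'${hint}";
        }
    }

    for my $name (sort keys %$settings) {
        my $svc = $settings->{$name};
        next unless ($svc->{type} || '') eq 'ldap';

        # Both filters must be present and enclosed in parentheses.
        for my $key (qw(filter d_filter)) {
            my $f = $svc->{$key};
            if (!defined $f) {
                push @problems, "${name}: '${key}' is not set";
            }
            elsif ($f !~ /^\(.*\)$/) {
                push @problems, "${name}: '${key}' is not enclosed in parentheses";
            }
        }

        # Assumption: an attribute used for matching must be mapped to an
        # LDAP attribute in attr_map, otherwise no search term can be built.
        my $map = $svc->{attr_map} || {};
        for my $attr (@{ $svc->{attr_match_list} || [] }) {
            push @problems,
                "${name}: attr_match_list entry '${attr}' has no attr_map entry"
                unless exists $map->{$attr};
        }
    }
    return @problems;
}

# Constructed input shaped like the trimmed configuration in this thread.
my @problems = check_external_auth(
    ExternalAuthPriority => [ ' My_LDAP' ],    # leading space inside the string
    ExternalInfoPriority => [ 'My_LDAP' ],
    ExternalSettings     => {
        'My_LDAP' => {
            'type'            => 'ldap',
            'server'          => 'ldap.example.test',
            'base'            => 'ou=people,dc=example,dc=test',
            'filter'          => '(objectClass=*)',
            'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map'        => { 'Name' => 'sAMAccountName' },
        },
    },
);

print "$_\n" for @problems;
print "no problems found\n" unless @problems;
```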
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Greetings Raphael,

I have changed this... and nothing happens. Here is an outline from my apache logfile:

    [Mon Apr 18 15:33:33 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
    [Mon Apr 18 15:33:33 2011] [debug]: Calling UserExists with $username (RT-USER) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
    [Mon Apr 18 15:33:33 2011] [debug]: UserExists params: username: RT-USER , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
    [Mon Apr 18 15:33:33 2011] [debug]: LDAP Search === Base: ou=SBAOU Unit,dc=srv41,dc=sbah,dc=local == Filter: ((ObjectClass=*)(sAMAccountName=RT-USER)) == Attrs: cn,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
    [Mon Apr 18 15:33:33 2011] [debug]: User Check Failed :: ( My_LDAP ) RT-USER User not found (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
    [Mon Apr 18 15:33:33 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)
    [Mon Apr 18 15:33:33 2011] [error]: FAILED LOGIN for RT-USER from 192.168.112.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
    [Mon Apr 18 15:33:33 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
    [Mon Apr 18 15:33:33 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
    [Mon Apr 18 15:33:33 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)
    [Mon Apr 18 15:33:34 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
    [Mon Apr 18 15:33:34 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
    [Mon Apr 18 15:33:34 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/

So as far as I can see it finds the user... but the user check fails, and I don't know what that means exactly.

PS: I thought Perl doesn't pay much attention to spaces.

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Greetings Luis,

Despite your piece of good advice, my syntax is correct too, because I only used the # sign to comment out the lines which get apache2 into trouble. If I try to run normally, the same issue appears. And according to the Readme you can also write:

    'attr_match_list' => ['Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],

The only important thing is to set the brackets correctly, and this will be noticed if you try to restart apache. So that's not the problem. Any other clue or idea?

best regards
john s.
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hi John,

you have a syntax error somewhere, and it's pretty close to where you set EmailAddress. Your error is:

    Couldn't load RT config file RT_SiteConfig.pm:\n\nsyntax error at /opt/rt3/etc/RT_SiteConfig.pm line 146, near 'EmailAddress'\nCompilation failed in require at /opt/rt3/bin/../lib/RT/Config.pm line 562.\nCompilation failed in require at (eval 2) line 1.\n

Try to make a configuration file without all the comments you have within the Authen:External008.. conf (delete all the #). You might be missing something.

Best Regards,
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hello Luis,

First of all, many thanks for your help. I have set my LDAP configuration in the way which you have described, but there are still some error messages coming in the apache2 log file.

Cutout of apache.log:

    Couldn't load RT config file RT_SiteConfig.pm:\n\nsyntax error at /opt/rt3/etc/RT_SiteConfig.pm line 146, near 'EmailAddress'\nCompilation failed in require at /opt/rt3/bin/../lib/RT/Config.pm line 562.\nCompilation failed in require at (eval 2) line 1.\n

Similar errors come if I try to activate the following command lines:

    'tls'=> 0,
    ssl_version' => 3,
    'net_ldap_args' => [version => 3 ],
    'group' => 'User',
    'group' => 'GROUP_NAME',
    'attr_match_list' => ['Name',
    # 'EmailAddress',
    ],
    # 'attr_map' => { 'Name' => 'sAMAccountName',
    #'EmailAddress' => 'mail',
    # 'Organization' =>
    # 'Organization' => 'physicalDeliveryOfficeName',
    # 'RealName' => 'cn',
    # 'ExternalAuthId' => 'sAMAccountName',
    # 'Gecos' => 'sAMAccountName',
    # 'WorkPhone' => 'telephoneNumber',
    # 'Address1' => 'streetAddress',
    # 'City' => 'l',
    # 'State' => 'st',
    # 'Zip' => 'postalCode',
    # 'Country' => 'co'
    }
    }
    );

So I had to comment out some command lines in order to determine what's going wrong, and then the apache server runs fine. Here is my new config:

    #RT Authenth#
    Set($ExternalAuthPriority, [ ' My_LDAP' ]);
    Set($ExternalInfoPriority, ['My_LDAP']);
    Set($ExternalServiceUsesSSLorTLS, 0 );
    Set($AutoCreateNonExternalUsers,0);
    Set($ExternalSettings, {'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => '192.168.23.40',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'USER',
        # The password RT should use to connect to the LDAP server
        'pass' => 'password',
        #
        # The LDAP search base
        'base' => 'ou= Unit,dc=s***,dc=local',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(ObjectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl=514)'
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hi John,

apparently your problem is this:

    'attr_match_list' => [ 'Name',
    # 'EmailAddress',
    ],
    # 'attr_map' => { 'Name' => 'sAMAccountName',
    ...

You have to make sure the list is formatted correctly. For example:

    'attr_match_list' => [ 'Name' ]...

You are doing this:

    'attr_match_list' => [ 'Name',

In addition, check attr_map as well. For example:

    'attr_map' => { 'Name' => 'sAMAccountName',
                    'EmailAddress' => 'mail',
                    'RealName' => 'cn',
                    'WorkPhone' => 'telephoneNumber' }

The error you are getting is that the SiteConfig is not correctly formed.

Hope this helps,
Best,

Luis Avendaño
Grupo Latinoamericano ACM
Av. Venezuela Torre America, Piso 1 Ofic 116, Bello Monte. Caracas, Venezuela
Phone: (+58) 212-763.4104 Fax: (+58) 212-763.1847
http://www.acmgrp.com
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for Authentification ?
Someone out there?

best regards
john s.
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
On Mon, Apr 11, 2011 at 11:22:19AM -0600, Eli Guzman wrote:
> I think I see where you are going, maybe the permissions under the:
> _/autohandler, _/Elements/Header directories could be incorrect?

This is unlikely to be a problem, or nothing would run, but you should check it anyway.

> On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote:
> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. Nexting

You are basically at the point where you need to start enhancing this debugging line to include more about what was captured from the form so you can figure out why the username isn't available.

-kevin
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for
Hi John,

Based on the RT_SiteConfig piece you sent, there is a missing variable setting in your configuration. You put this:

    Set($AutoCreateNonExternalUsers, 0);
    'My_LDAP' => {
        ## GENERIC .

It should be like this:

    Set($ExternalSettings, {
        # AN EXAMPLE DB SERVICE
        'My_LDAP' =>

In addition, based on the log you sent, you are also configuring My_SSO and My_MySQL. If you are not using these services to authenticate, please delete them from the RT_SiteConfig file. If you are using them, I would recommend going step by step: first configure the LDAP, then go for the next source.

This is an example of a working conf, using RT 3.8.9 and LDAP = Active Directory:

    #Set($WebExternalAuth, 1);
    #Set($WebExternalAuthContinuous, 1);
    #Set($WebExternalGecos , undef);
    #Set($WebExternalAuto , true);
    #Set($WebFallbackToInternalAuth , undef);
    Set($ExternalAuthPriority, [ 'My_LDAP' ]);
    Set($ExternalInfoPriority, ['My_LDAP']);
    Set($ExternalServiceUsesSSLorTLS,0);
    Set($AutoCreateNonExternalUsers,0);
    Set($ExternalSettings, {
        'My_LDAP' => {
            ## GENERIC SECTION
            'type' => 'ldap',
            'server' => '***.***.***.***',
            'user' => '*\*',
            'pass' => '',
            'base' => 'DC=*,DC=com,DC=ve',
            'filter' => '(objectClass=*)',
            'd_filter' => '(userAccountControl=514)',
            'tls' => 0,
            'net_ldap_args' => [version => 3 ],
            #'group' => 'GROUP_NAME',
            #'group_attr' => 'GROUP_ATTR',
            'attr_match_list' => ['Name',
                                  'EmailAddress'
                                  # 'RealName',
                                  # 'WorkPhone'
                                 ],
            'attr_map' => { 'Name' => 'sAMAccountName',
                            'EmailAddress' => 'mail',
                            'RealName' => 'cn',
                            'WorkPhone' => 'telephoneNumber'
                          }
        }
    } );

    Set( @Plugins, qw( RT::Authen::ExternalAuth ) );

Give it a shot with this, and then get back with the resulting log file and final configuration.

Hope this helps,
Best,
Luis Avendaño
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Wednesday, April 13, 2011 7:50 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?

> On Mon, Apr 11, 2011 at 11:22:19AM -0600, Eli Guzman wrote:
> I think I see where you are going, maybe the permissions under the: _/autohandler, _/Elements/Header directories could be incorrect?
>
> This is unlikely to be a problem, or nothing would run, but you should check it anyway.
>
> On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote:
> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. Nexting

Hey Thomas (and Kevin)

> You are basically at the point where you need to start enhancing this debugging line to include more about what was captured from the form so you can figure out why the username isn't available.
>
> -kevin

Thanks Kevin, adjusting the permissions to the file may have worked as we are now able to authenticate via LDAP (there is no automatic log-on, the users just need to enter their credentials, however it is pulling user information via the module properly).

Oddly enough even though the Auth piece is working, when a user within the RTUsers group (via AD) accesses the RT main login page, on the 'rt.log' I still get the same error:

[Tue Apr 12 23:37:15 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)

But as I stated, at least now I can actually authenticate, so my question is could this then just be related to a misconfigured RT_SiteConfig.pm file?

I did make some changes to the file as well, and this change could have had an effect as well, since previous to the change, authentication was not taking place (besides just adjusting the permissions of the files). Here is my RT_SiteConfig (for the Auth plug-in) as well, perhaps something listed in this file is incorrect: http://pastebin.com/zEF44vHr

I'll go ahead and enhance the debug line a bit more, and once I have that information I will post it.

Thanks,
Eli
Re: [rt-users] RT-Authen-ExternalAuth-0.08 which packages i need for Authentification ?
> You don't say your RT version, or what fails, it is possible you need .08_01 if you're running RT 3.8.9

Hello Kevin

Sorry, I forgot: I am currently using version 3.8.9. So I followed your advice and now the RT-Authen-ExternalAuth-0.08_01 is still running. At first it looks better than before, now I get a response from the rt.log, but there are still some problems. Here is the relevant piece of information from my log file:

Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:14)
[Mon Apr 11 12:13:55 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:13:55 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Apr 11 12:13:55 2011] [debug]: Attempting to use external auth service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:13:55 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Apr 11 12:13:55 2011] [debug]: Attempting to use external auth service: My_SSO_Cookie (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:13:55 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Apr 11 12:13:55 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)
[Mon Apr 11 12:14:06 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:14:06 2011] [debug]: Calling UserExists with $username (RT-USER) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Apr 11 12:14:06 2011] [debug]: Invalid service type for UserExists: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:361)
[Mon Apr 11 12:14:06 2011] [debug]: Attempting to use external auth service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:14:06 2011] [debug]: Calling UserExists with $username (RT-USER) and $service (My_MySQL) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Apr 11 12:14:06 2011] [debug]: Invalid service type for UserExists: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:361)
[Mon Apr 11 12:14:06 2011] [debug]: Attempting to use external auth service: My_SSO_Cookie (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:14:06 2011] [debug]: Calling UserExists with $username (RT-USER) and $service (My_SSO_Cookie) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Apr 11 12:14:06 2011] [debug]: Invalid service type for UserExists: My_SSO_Cookie (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:361)
[Mon Apr 11 12:14:06 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)
[Mon Apr 11 12:14:06 2011] [error]: FAILED LOGIN for RT-USER from 192.168.112.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

Thanks in advance

Best regards,
john s.
-- View this message in context: http://old.nabble.com/RT-Authen-ExternalAuth-0.08-which-packages-i-need-for-Authentification---tp31342791p31369863.html Sent from the Request Tracker - User mailing list archive at Nabble.com.
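A triage sketch for the rt.log excerpt above, added here as an example and not part of the original thread or of RT: it groups the plugin's debug lines into authentication passes and attaches the last pass to each FAILED LOGIN. The sample log is constructed in the thread's format (user `alice` and address `192.0.2.10` are made up), and the reason labels are this example's own.

```python
import re

# "[timestamp] [level]: message (source:line)", as in the rt.log lines quoted in this thread.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*?)(?: \((?P<src>[^()]+:\d+)\))?$")
FAILED = re.compile(r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)")
P = "/opt/rt3/local/plugins/RT-Authen-ExternalAuth"

# Constructed sample: user "alice" and address 192.0.2.10 are made up.
SAMPLE_LOG = f"""\
[Mon Apr 11 12:13:55 2011] [debug]: Attempting to use external auth service: My_LDAP ({P}/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:13:55 2011] [debug]: SSO Failed and no user to test with. Nexting ({P}/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Apr 11 12:13:55 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) ({P}/html/Elements/DoAuth:26)
[Mon Apr 11 12:14:06 2011] [debug]: Attempting to use external auth service: My_LDAP ({P}/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:14:06 2011] [debug]: Calling UserExists with $username (alice) and $service (My_LDAP) ({P}/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Apr 11 12:14:06 2011] [debug]: Invalid service type for UserExists: My_LDAP ({P}/lib/RT/Authen/ExternalAuth.pm:361)
[Mon Apr 11 12:14:06 2011] [debug]: Attempting to use external auth service: My_MySQL ({P}/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Apr 11 12:14:06 2011] [debug]: Invalid service type for UserExists: My_MySQL ({P}/lib/RT/Authen/ExternalAuth.pm:361)
[Mon Apr 11 12:14:06 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) ({P}/html/Elements/DoAuth:26)
[Mon Apr 11 12:14:06 2011] [error]: FAILED LOGIN for alice from 192.0.2.10 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
"""

def triage(log_text):
    """One record per FAILED LOGIN, with the per-service outcome of the auth pass before it."""
    current, this_pass, last_pass, failures = None, {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Attempting to use external auth service: "):
            current = msg.split(": ", 1)[1]
            this_pass.setdefault(current, "tried")
        elif msg.startswith("SSO Failed and no user to test with") and current:
            this_pass[current] = "no-username"           # no username reached the plugin
        elif msg.startswith("Invalid service type for UserExists: "):
            this_pass[msg.split(": ", 1)[1]] = "invalid-service-type"
        elif msg.startswith("Autohandler called ExternalAuth"):
            last_pass, this_pass, current = this_pass, {}, None   # a pass ends here
        elif m["level"] == "error" and (f := FAILED.match(msg)):
            failures.append({"ts": m["ts"], "user": f["user"], "ip": f["ip"], "services": last_pass})
    return failures

def misconfigured(failures):
    """Services that logged 'Invalid service type' in the pass before a failed login."""
    return sorted({s for f in failures for s, why in f["services"].items() if why == "invalid-service-type"})

if __name__ == "__main__":
    for failure in triage(SAMPLE_LOG):
        print(failure["ts"], failure["user"], failure["ip"], failure["services"])
```

The `no-username` pass that happens when the login page is merely displayed is dropped, so only the pass that carried a username is attached to the failed login.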
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
> [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. Nexting

This implies that the username you typed into the login box isn't getting to the plugin. You did clear the mason cache when you updated the module, right?

-kevin