[rt-users] RT::Authen::ExternalAuth problem with AD....
I've gotten the extension installed, and have modified my RT_SiteConfig.pm correctly (or as best as I can figure based off the example configuration), however, I cannot log in with my personal AD credentials. The info I'm getting from logging follows:

[Thu Dec 18 01:32:57 2008] [warning]: Transaction-Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1439)
[Thu Dec 18 01:32:57 2008] [error]: Couldn't get principal for not loaded object (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm:1113)

Has anyone else run into this? If so, can you point me in the right direction to getting this fixed? Thanks.

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] RT::Authen::ExternalAuth problem
David Mackintosh wrote:
> On Fri, Sep 19, 2008 at 03:40:51PM -0400, David Mackintosh wrote:
>> So my definitions look like:
>>
>> [...]
>> 'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
>> 'filter' => '(objectclass=Person)',
>> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>> 'group' => 'Request Tracker Users',
>> [...]
>
> Partially working: if I change 'base' to 'dc=abcsystems,dc=com', and comment out the 'group' field, I can log in with my AD credentials.

It's the commenting out the group that will do it, your base was fine so long as it reflects actual OUs in your AD config.

> So now my only authentication problem is how to specify the 'group' parameter.

As before, try specifying the full container id.

> I did notice when poking around that the AD user has no privileges by default except to create a new ticket

Set($AutoCreate,{Privileged => 0}); Autocreated users are unprivileged.
Set($AutoCreate,{Privileged => 1}); Autocreated users are privileged.

> -- and this user doesn't appear in the RT user list such that I can apply privileges to it. Is there a link someone can provide that can show me what privs I need to assign, and where, to get going?

This is simply a misunderstanding. By default, the list of users only shows privileged users because in many RT installations there may be thousands or millions of users who've raised support tickets, but only a few users that are support staff that might need to be played around with.

In the users search page, try specifying this search precisely:

Find users whose username isn't farfegnugen

That should show you all users and then allow you to modify them.

--
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Re: [rt-users] RT::Authen::ExternalAuth problem
On Fri, Sep 19, 2008 at 03:40:51PM -0400, David Mackintosh wrote:
> So my definitions look like:
>
> [...]
> 'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
> 'filter' => '(objectclass=Person)',
> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
> 'group' => 'Request Tracker Users',
> [...]

Partially working: if I change 'base' to 'dc=abcsystems,dc=com', and comment out the 'group' field, I can log in with my AD credentials.

So now my only authentication problem is how to specify the 'group' parameter.

I did notice when poking around that the AD user has no privileges by default except to create a new ticket -- and this user doesn't appear in the RT user list such that I can apply privileges to it. Is there a link someone can provide that can show me what privs I need to assign, and where, to get going?

--
 /\oo/\
/ /()\ \ David Mackintosh | [EMAIL PROTECTED] | http://www.xdroop.com

Re: [rt-users] RT::Authen::ExternalAuth problem
I can see two things worth pointing out here.. but there may be more and so it might be worth providing me/us with your full RT_SiteConfig.pm (sanitised of course).

> Sep 19 15:24:47 rt RT: RT::User::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

This means one of three things:

1. You have specified a user and pass for LDAP in the configuration that is not valid.
2. AD is somehow configured to only allow search by anonymous bind.
3. This *can* be caused by certain versions of Perl Net::LDAP - what version do you have?

> So I'm presuming I have either incorrectly defined my 'base', my 'filter', my 'd_filter', or my 'group'.
>
> [...]
> 'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
> 'filter' => '(objectclass=Person)',
> 'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
> 'group' => 'Request Tracker Users',
> [...]

An LDAP group is a container like anything else, so you will almost certainly need to specify the full container like this:

'group' => 'cn=Request Tracker Users,ou=Groups,ou=ABC,dc=abcsystems,dc=com'

As I said, it would be easier to see with the full config.

--
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

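An added example, not part of the original thread or of RT::Authen::ExternalAuth: a small Python check over the settings posted in the thread. It flags a 'group' value that is not a full DN, as the reply above advises, and goes a little beyond the thread by evaluating the 'd_filter', whose OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule and whose mask 2 is the ACCOUNTDISABLE flag. The function names and the sample directory entries are constructed for illustration.

```python
import re

# Active Directory matching-rule OIDs for extensible-match LDAP filters.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every mask bit set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any mask bit set
BIT_FILTER = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=]+$")

def bit_filter_matches(ldap_filter, entry):
    """Evaluate one (attr:OID:=mask) filter against a dict of attributes."""
    m = BIT_FILTER.match(ldap_filter.strip())
    if not m:
        raise ValueError("not a bitwise extensible-match filter: %r" % ldap_filter)
    attr, oid, mask = m.group(1), m.group(2), int(m.group(3))
    value = int(entry.get(attr, 0))
    if oid == BIT_AND:
        return (value & mask) == mask
    if oid == BIT_OR:
        return (value & mask) != 0
    raise ValueError("unsupported matching rule: %s" % oid)

def looks_like_dn(value):
    """Shape check only: each unescaped-comma-separated part is attr=value."""
    return all(RDN.match(part) for part in re.split(r"(?<!\\),", value))

def review_settings(settings, entries):
    """Return (findings, names of entries that d_filter treats as disabled)."""
    findings = ["%s %r is not a full DN" % (key, settings[key])
                for key in ("base", "group") if not looks_like_dn(settings[key])]
    disabled = sorted(name for name, entry in entries.items()
                      if bit_filter_matches(settings["d_filter"], entry))
    return findings, disabled

# Values as posted in the thread.
SETTINGS = {
    "base": "ou=Users,ou=ABC,dc=abcsystems,dc=com",
    "d_filter": "(userAccountControl:1.2.840.113556.1.4.803:=2)",
    "group": "Request Tracker Users",
}
# Constructed sample entries; 2 (0x0002) is the ACCOUNTDISABLE bit.
ENTRIES = {
    "alice": {"userAccountControl": 512},    # normal account, enabled
    "bob": {"userAccountControl": 514},      # 512 + 2: disabled
    "carol": {"userAccountControl": 66050},  # 65536 + 512 + 2: disabled
}

if __name__ == "__main__":
    print(review_settings(SETTINGS, ENTRIES))
```
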
[rt-users] RT::Authen::ExternalAuth problem
Hi Folks,

I've been passed a working RT 3.6.6 and asked to add the LDAP component so that we can authenticate against an Active Directory server. So I've installed the RT::Authen::ExternalAuth module from CPAN and used my google-fu to get the configuration started, however at this point I'm stymied.

Right now local users authenticate, but AD users do not. When I attempt to authenticate as an AD user, I get these errors:

Sep 19 15:25:59 rt RT: Transaction-Create couldn't, as you didn't specify an object type and id (/opt/rt3/lib/RT/Record.pm:1486)
Sep 19 15:25:59 rt RT: My_LDAP AUTH FAILED: gridwayAdmin User not found or more than one user found (/opt/rt3/local/lib/RT/User_Vendor.pm:208)
Sep 19 15:25:59 rt RT: RT::User::IsExternalPassword External Auth Failed: gridwayAdmin (/opt/rt3/local/lib/RT/User_Vendor.pm:294)
Sep 19 15:25:59 rt RT: RT::User::IsInternalPassword AUTH FAILED (no passwd): gridwayAdmin (/opt/rt3/local/lib/RT/User_Vendor.pm:305)

I know that RT is connecting to the AD because when I change the connecting password, I get the error:

Sep 19 15:24:47 rt RT: RT::User::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/lib/RT/User_Vendor.pm:1056)

So I'm presuming I have either incorrectly defined my 'base', my 'filter', my 'd_filter', or my 'group'.

Here's what I have. I have a domain, abcsystems.com. Inside abcsystems.com I have a folder ABC, and under there a folder Users which is where all the users are. I want to restrict access to users who are members in the group 'Request Tracker Users'.

So my definitions look like:

[...]
'base' => 'ou=Users,ou=ABC,dc=abcsystems,dc=com',
'filter' => '(objectclass=Person)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
'group' => 'Request Tracker Users',
[...]

I'm probably doing something trivially wrong here since I'm not familiar with LDAP or AD in any depth. Can someone point me at a web page that can get me started to figure this out?

Thank you.

--
 /\oo/\
/ /()\ \ David Mackintosh | [EMAIL PROTECTED] | http://www.xdroop.com