Re: [rt-users] RT::Authen::ExternalAuth with AD...
On 4/20/12 2:52 AM, Joop wrote:
> Glenn Sieb wrote:
>> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>>> Share the solution?
>>
>> In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local; then it started working.
>
> I'm also using AD and I don't have to add the @domain.local to my login. I had a look at your RT_SiteConfig but didn't see the obvious. Will check later to see what difference there is between mine and yours.

Unsure--the one I posted to pastebin was the one that wasn't working. I'm just happy it's working :)

I'm also happy we were able to demo this to the company on Friday afternoon, and it was a big hit. Now to figure out Approvals.. :)

Best,
--Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Glenn Sieb wrote:
> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>> Share the solution?
>
> In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local; then it started working.

I'm also using AD and I don't have to add the @domain.local to my login. I had a look at your RT_SiteConfig but didn't see the obvious. Will check later to see what difference there is between mine and yours.

Joop
[rt-users] RT::Authen::ExternalAuth with AD...
Greetings.. :)

I'm at $work, trying to set up AD authentication for RT 4.0.5. I'm getting the following error:

[Thu Apr 19 18:38:57 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/data/IH-Websites/rt/sbin/../local/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
[Thu Apr 19 18:38:57 2012] [error]: FAILED LOGIN for gsieb from 10.200.4.5 (/data/IH-Websites/rt/sbin/../lib/RT/Interface/Web.pm:665)

We created a user to authenticate to AD for RT to use (RT_AD_USER). The goal is to be able to log in as USERNAME (as opposed to USERNAME@intranet.local).

Any help would be greatly appreciated. I have to have this live by EOB today.. (yay for last minute projects)!

Thanks in advance, everyone. My RT_SiteConfig.pm follows...

Best,
--Glenn

RT_SiteConfig.pm:

    Set( $rtname, '$WORK.TLD');
    Set( $Organization , '$WORK.TLD');
    Set( $UseTransactionBatch , 1);
    @EmailInputEncodings = qw(utf-8 big5 us-ascii);
    Set( $WebBaseURL, 'https://helpdesk.$WORK.TLD');
    Set( $WebDomain, 'helpdesk.$WORK.TLD');
    Set( $CompanySpecific , '$WORK');
    Set( $DatabaseUser , 'rt_user');
    Set( $DatabasePassword , 'rt_user_password');
    Set( $NotifyActor , 0);
    Set( $WebPath , '');
    Set( $WebURL , $WebBaseURL . $WebPath . '/');
    Set( $WebImagesURL , $WebPath . '/NoAuth/images/');
    Set( $CorrespondAddress , 'help@$WORK.TLD');
    Set( $CommentAddress , 'help-comment@$WORK.TLD');
    Set( $SendmailPath , '/usr/local/sbin/sendmail');
    Set( $Timezone , 'US/Eastern');
    Set( $ParseNewMessageForTicketCcs, 1);
    Set( $RTAddressRegexp , '^(help|help-comment)+\@$WORK\.TLD$');
    Set( $LogToSyslog, 'info');

    Set( @Plugins, qw(RT::Authen::ExternalAuth) );
    Set( $ExternalAuthPriority, ['eFS_LDAP']);
    Set( $ExternalServiceUsesSSLorTLS, 0);
    Set( $AutoCreateNonExternalUsers, 0);
    Set( $ExternalInfoPriority, ['eFS_LDAP']);
    Set( $ExternalSettings, {
        'eFS_LDAP' => {
            'type'            => 'ldap',
            'server'          => 'DC01.intranet.local',
            # account RT binds as to search AD
            'user'            => 'RT_AD_USER',
            'pass'            => 'RT_AD_USER_PASS',
            'base'            => 'dc=intranet,dc=local',
            'filter'          => '(objectClass=*)',
            # entries matching d_filter are treated as disabled
            'd_filter'        => '(objectclass=pwdPolicy)',
            'tls'             => 0,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map'        => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
            },
        },
    });
    1;
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Thanks to jibsheet Paul in the IRC channel for their help!

Best,
--Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
Share the solution?

On 4/19/2012 6:46 PM, Glenn Sieb wrote:
> Thanks to jibsheet Paul in the IRC channel for their help!
>
> Best,
> --Glenn
Re: [rt-users] RT::Authen::ExternalAuth with AD...
On 4/19/12 9:23 PM, Jeff Blaine wrote:
> Share the solution?

In the LDAP definition of RT_SiteConfig, where you set up the user to query as, and such, the ldap user login wasn't working until we added the @domain.ou bit to the end of it. So if the AD domain is dc=intranet,dc=local, the user had to be user@intranet.local; then it started working.

And there was much rejoicing in the office when it did.. :-)

Best,
--Glenn
Re: [rt-users] RT-Authen-ExternalAuth and AD...
Hi Kevin,

I found a work-around on CPAN. Thanks for the redirect!

Lyle.

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not the fix. As I originally said, the username:password combo would work only if not testing for group membership; it would fail if it did test for membership. An ldapsearch revealed that the sAMAccountName was fine, but, as the full name in our AD is 'Last, First', the CN would be returned as 'Last\, First'. If we renamed the account to 'Last First', omitting the comma, authentication using group membership succeeded. The comma is breaking something. Have you seen this before, and is a fix available?

There may be an open bug about this in rt.cpan.org against RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or patch.

-kevin
Re: [rt-users] RT-Authen-ExternalAuth and AD...
On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active Directory. Any new AD account I create can logon to RT, and have a corresponding account created in RT, if it is in the necessary security group, but older accounts, mine included, pass the password test, but fail at the group membership test, and fail to logon. The RT account, however, does get created. The log entries look like this...

If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.

-kevin

> Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the group being tested fail to fully authenticate, while new accounts which are members of the same group authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can logon to RT with my old account. I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I wonder if the AD schema changes could be affecting things?
>
> Lyle.
Re: [rt-users] RT-Authen-ExternalAuth and AD...
Hi Kevin,

Thanks for the reply. Your suggestions led to finding the problem, but not the fix. As I originally said, the username:password combo would work only if not testing for group membership; it would fail if it did test for membership. An ldapsearch revealed that the sAMAccountName was fine, but, as the full name in our AD is 'Last, First', the CN would be returned as 'Last\, First'. If we renamed the account to 'Last First', omitting the comma, authentication using group membership succeeded. The comma is breaking something. Have you seen this before, and is a fix available?

Thanks.

Lyle Tollefsen
Network Administrator
Innovation Place
114 - 15 Innovation Blvd
Saskatoon, Sk. S7N 2X8
(P) 306-933-7243 (F) 306.933.8200
ltollef...@innovationplace.com
www.innovationplace.com

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active Directory. Any new AD account I create can logon to RT, and have a corresponding account created in RT, if it is in the necessary security group, but older accounts, mine included, pass the password test, but fail at the group membership test, and fail to logon. The RT account, however, does get created. The log entries look like this...

If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.

-kevin

> Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the group being tested fail to fully authenticate, while new accounts which are members of the same group authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can logon to RT with my old account. I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I wonder if the AD schema changes could be affecting things?
>
> Lyle.
Re: [rt-users] RT-Authen-ExternalAuth and AD...
On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not the fix. As I originally said, the username:password combo would work only if not testing for group membership; it would fail if it did test for membership. An ldapsearch revealed that the sAMAccountName was fine, but, as the full name in our AD is 'Last, First', the CN would be returned as 'Last\, First'. If we renamed the account to 'Last First', omitting the comma, authentication using group membership succeeded. The comma is breaking something. Have you seen this before, and is a fix available?

There may be an open bug about this in rt.cpan.org against RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or patch.

-kevin
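The comma symptom Lyle describes is consistent with a DN-escaping mismatch: AD returns the user's DN with the comma escaped as "\," (RFC 4514), and if that DN is interpolated verbatim into a group-membership search filter, the lone backslash is not a valid filter escape (RFC 4515 requires "\" plus two hex digits). The Python below is an added illustration, not code from RT::Authen::ExternalAuth or from this thread; the "(member=...)" filter shape and the OU=Users container are assumptions.

```python
import re

# Constructed sample base: the thread's AD domain with an assumed Users OU.
BASE_DN = "OU=Users,DC=intranet,DC=local"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out            # leading '#' or space must be escaped
    if out.endswith(" "):
        out = out[:-1] + "\\ "      # so must a trailing space
    return out


def user_dn(cn: str) -> str:
    """DN as AD returns it for a user whose CN is the display name, e.g. 'Last, First'."""
    return "CN=%s,%s" % (escape_dn_value(cn), BASE_DN)


def escape_filter_value(value: str) -> str:
    """Escape a value embedded in a search filter (RFC 4515): \\XX hex form."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def naive_group_filter(member_dn: str) -> str:
    """Interpolates the DN as-is, so the DN's own backslash leaks into the filter."""
    return "(&(objectClass=group)(member=%s))" % member_dn


def safe_group_filter(member_dn: str) -> str:
    """Escapes the DN as a filter value before interpolating it."""
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(member_dn)


def filter_is_well_formed(flt: str) -> bool:
    """RFC 4515: every backslash in a filter must be followed by exactly two hex digits."""
    return re.search(r"\\(?![0-9A-Fa-f]{2})", flt) is None


if __name__ == "__main__":
    # 'Last First' works either way; 'Last, First' only with the filter escaping.
    for cn in ("Last First", "Last, First"):
        dn = user_dn(cn)
        for label, flt in (("naive", naive_group_filter(dn)), ("safe", safe_group_filter(dn))):
            print("%-12s %-6s well-formed=%-5s %s" % (cn, label, filter_is_well_formed(flt), flt))
```

Running an ldapsearch by hand with the same filter string, as Kevin suggests, is the quickest way to confirm which form the directory actually accepts.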
[rt-users] RT-Authen-ExternalAuth and AD...
Hi,

We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active Directory. Any new AD account I create can logon to RT, and have a corresponding account created in RT, if it is in the necessary security group, but older accounts, mine included, pass the password test, but fail at the group membership test, and fail to logon. The RT account, however, does get created. The log entries look like this...

Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

As I said above, older accounts (3 years plus) which are members of the group being tested fail to fully authenticate, while new accounts which are members of the same group authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can logon to RT with my old account. I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I wonder if the AD schema changes could be affecting things?

Lyle.