Re: [rt-users] RT::Authen::ExternalAuth with AD...

2012-04-21 Thread Glenn Sieb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/20/12 2:52 AM, Joop wrote:
> Glenn Sieb wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>>> Share the solution?
>>
>> In the LDAP definition of RT_SiteConfig, where you set up the
>> user to query as, and such, the LDAP user login wasn't working
>> until we added the @domain.ou bit to the end of it.
>>
>> So if the AD domain is dc=intranet,dc=local, the user had to be
>> user@intranet.local then it started working.
>
> I'm also using AD and I don't have to add the @domain.local to my
> login. I had a look at your RT_SiteConfig but didn't see the
> obvious. Will check later to see what difference there is between
> mine and yours.

Unsure--the one I posted to pastebin was the one that wasn't working.

I'm just happy it's working :) I'm also happy we were able to demo
this to the company on Friday afternoon, and it was a big hit.

Now to figure out Approvals.. :)

Best,
- --Glenn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+S1vMACgkQf5MxTDXTimEI3wCeLaCWQ3b7fAtxyMIthvc0ATk+
ejYAn2TBnBhn6DVS4hibyhfRq1NEbdpI
=AMs6
-----END PGP SIGNATURE-----


Re: [rt-users] RT::Authen::ExternalAuth with AD...

2012-04-20 Thread Joop

Glenn Sieb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 4/19/12 9:23 PM, Jeff Blaine wrote:
>> Share the solution?
>
> In the LDAP definition of RT_SiteConfig, where you set up the user to
> query as, and such, the LDAP user login wasn't working until we added
> the @domain.ou bit to the end of it.
>
> So if the AD domain is dc=intranet,dc=local, the user had to be
> user@intranet.local then it started working.

I'm also using AD and I don't have to add the @domain.local to my login.
I had a look at your RT_SiteConfig but didn't see the obvious. Will
check later to see what difference there is between mine and yours.


Joop




[rt-users] RT::Authen::ExternalAuth with AD...

2012-04-19 Thread Glenn Sieb
Greetings.. :)

I'm at $work, trying to set up AD authentication for RT 4.0.5.

I'm getting the following error:

[Thu Apr 19 18:38:57 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49
(/data/IH-Websites/rt/sbin/../local/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
[Thu Apr 19 18:38:57 2012] [error]: FAILED LOGIN for gsieb from 10.200.4.5
(/data/IH-Websites/rt/sbin/../lib/RT/Interface/Web.pm:665)

We created a user to authenticate to AD for RT to use (RT_AD_USER).

The goal is to be able to log in as USERNAME (as opposed to
USERNAME@intranet.local).

Any help would be greatly appreciated. I have to have this live by EOB
today.. (yay for last minute projects)!

Thanks in advance, everyone. My RT_SiteConfig.pm follows...

Best,
--Glenn


RT_SiteConfig.pm:

Set( $rtname, '$WORK.TLD');
Set( $Organization , '$WORK.TLD');
Set( $UseTransactionBatch , 1);
@EmailInputEncodings = qw(utf-8 big5 us-ascii);
Set( $WebBaseURL, 'https://helpdesk.$WORK.TLD');
Set( $WebDomain, 'helpdesk.$WORK.TLD');
Set( $CompanySpecific , '$WORK');
Set( $DatabaseUser , 'rt_user');
Set( $DatabasePassword , 'rt_user_password');
Set( $NotifyActor , 0);
Set( $WebPath , '');
Set( $WebURL , $WebBaseURL . $WebPath . '/');
Set( $WebImagesURL , $WebPath . '/NoAuth/images/');
Set( $CorrespondAddress , 'help@$WORK.TLD');
Set( $CommentAddress , 'help-comment@$WORK.TLD');
Set( $SendmailPath , '/usr/local/sbin/sendmail');
Set( $Timezone , 'US/Eastern');
Set( $ParseNewMessageForTicketCcs, 1);
Set( $RTAddressRegexp , '^(help|help-comment)+\@$WORK\.TLD$');
Set( $LogToSyslog, 'info');
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set( $ExternalAuthPriority, ['eFS_LDAP']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 0);
Set( $ExternalInfoPriority,  ['eFS_LDAP']);
Set( $ExternalSettings,  {
    'eFS_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'DC01.intranet.local',
        # Bind (service) account RT uses to search AD. Per the follow-up
        # later in this thread, this had to be given as
        # 'RT_AD_USER@intranet.local' before the bind succeeded.
        'user'            => 'RT_AD_USER',
        'pass'            => 'RT_AD_USER_PASS',
        'base'            => 'dc=intranet,dc=local',
        'filter'          => '(objectClass=*)',
        'd_filter'        => '(objectclass=pwdPolicy)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

1;




Re: [rt-users] RT::Authen::ExternalAuth with AD...

2012-04-19 Thread Glenn Sieb
Thanks to jibsheet & Paul in the IRC channel for their help!

Best,
--Glenn




Re: [rt-users] RT::Authen::ExternalAuth with AD...

2012-04-19 Thread Jeff Blaine

Share the solution?

On 4/19/2012 6:46 PM, Glenn Sieb wrote:

Thanks to jibsheet & Paul in the IRC channel for their help!

Best,
--Glenn





Re: [rt-users] RT::Authen::ExternalAuth with AD...

2012-04-19 Thread Glenn Sieb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/19/12 9:23 PM, Jeff Blaine wrote:
> Share the solution?

In the LDAP definition of RT_SiteConfig, where you set up the user to
query as, and such, the LDAP user login wasn't working until we added
the @domain.ou bit to the end of it.

So if the AD domain is dc=intranet,dc=local, the user had to be
user@intranet.local then it started working.

And there was much rejoicing in the office when it did.. :-)

Best,
- --Glenn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+Q0JgACgkQf5MxTDXTimGssQCfbvzngA/izrXfwr9JWO6Yo8Xz
Nv4An3umOoIb/OQ/hIzpvEECAx6j271q
=EEfV
-----END PGP SIGNATURE-----


Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-07 Thread Tollefsen, Lyle
Hi Kevin,

I found a work-around on CPAN. Thanks for the redirect!

Lyle.

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not
> the fix.
>
> As I originally said, the username:password combo would work only if
> not testing for group membership; it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is 'Last, first', the CN would be
> returned as 'Last\, First'. If we renamed the account to 'Last First',
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?

There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or patch.

-kevin

> -----Original Message-----
> From: rt-users-boun...@lists.bestpractical.com
> [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin
> Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
>
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
>> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
>> authenticate against Active Directory. Any new AD account I create can
>> logon to RT, and have corresponding account created in RT, if it is in
>> the necessary security group, but older accounts, mine included, pass
>> the password test, but fail at the group membership test, and fail to
>> logon. The RT account, however, does get created. The log entries look
>> like this...
>
> If you turn on debug logging, you should be able to see the query being run
> and you can run it manually from ldapsearch to see what is going wrong.
>
> -kevin
>
>> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
>> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>> As I said above, older accounts (3 years plus) which are members of the
>> group being tested fail to fully authenticate, while new accounts which
>> are members of the same group, authenticate properly. In fact, if I
>> comment out the group test from RT_SiteConfig.pm, I can logon to RT
>> with my old account.
>>
>> I don't know if this is pertinent, but we upgraded to Exchange 2007 a
>> few months back, and I wonder if the AD schema changes could be
>> affecting things?
>>
>> Lyle.


Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Kevin Falcone
On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> authenticate against Active Directory. Any new AD account I create can
> logon to RT, and have corresponding account created in RT, if it is in
> the necessary security group, but older accounts, mine included, pass
> the password test, but fail at the group membership test, and fail to
> logon. The RT account, however, does get created. The log entries look
> like this...

If you turn on debug logging, you should be able to see the query
being run and you can run it manually from ldapsearch to see what is
going wrong.

-kevin

> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the
> group being tested fail to fully authenticate, while new accounts which
> are members of the same group, authenticate properly. In fact, if I
> comment out the group test from RT_SiteConfig.pm, I can logon to RT
> with my old account.
>
> I don't know if this is pertinent, but we upgraded to Exchange 2007 a
> few months back, and I wonder if the AD schema changes could be
> affecting things?
>
> Lyle.




Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Tollefsen, Lyle
Hi Kevin,

Thanks for the reply. Your suggestions led to finding the problem, but not the
fix.

As I originally said, the username:password combo would work only if not
testing for group membership; it would fail if it did test for membership. An
ldapsearch revealed that the sAMAccountName was fine, but, as the fullname in
our AD is 'Last, first', the CN would be returned as 'Last\, First'. If we
renamed the account to 'Last First', omitting the comma, authentication using
group membership succeeded. The comma is breaking something. Have you seen this
before, and is a fix available?

Thanks.


Lyle Tollefsen
Network Administrator
Innovation Place
114 - 15 Innovation Blvd
Saskatoon, Sk. S7N 2X8

(P) 306-933-7243
(F) 306.933.8200
ltollef...@innovationplace.com
www.innovationplace.com


-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> authenticate against Active Directory. Any new AD account I create can
> logon to RT, and have corresponding account created in RT, if it is in
> the necessary security group, but older accounts, mine included, pass
> the password test, but fail at the group membership test, and fail to
> logon. The RT account, however, does get created. The log entries look
> like this...

If you turn on debug logging, you should be able to see the query being run and
you can run it manually from ldapsearch to see what is going wrong.

-kevin

> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the
> group being tested fail to fully authenticate, while new accounts which
> are members of the same group, authenticate properly. In fact, if I
> comment out the group test from RT_SiteConfig.pm, I can logon to RT
> with my old account.
>
> I don't know if this is pertinent, but we upgraded to Exchange 2007 a
> few months back, and I wonder if the AD schema changes could be
> affecting things?
>
> Lyle.
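Lyle's finding above (an account whose CN contains a comma, returned as 'Last\, First', fails the group-membership test, while the same account renamed without the comma passes) is the symptom you get when a DN string is dropped into an LDAP search filter without filter-level escaping: the backslash that escapes the comma in the DN (RFC 4514) is itself the escape character in filter syntax (RFC 4515), so inside a filter it has to be sent as \5c. The thread never confirms that this is what happens inside RT::Authen::ExternalAuth, so the mechanism is my assumption, not a diagnosis of the plugin. The following is an added example, not code from the thread or from RT; the base DN, group name and group members are constructed, and the in-memory group_matches() stands in for the directory server's equality match (a real server also normalises DNs, which this string comparison does not).

```python
from typing import List

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514: 'Last, First' -> 'Last\\, First'."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: '\\', '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode a filter assertion value the way a server does; a backslash not
    followed by two hex digits is a syntax error, not a literal backslash."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        hexpair = value[i + 1:i + 3]
        if len(hexpair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpair):
            raise ValueError("bad escape at offset %d: %r" % (i, value[i:i + 3]))
        out.append(chr(int(hexpair, 16)))
        i += 3
    return "".join(out)


def user_dn(cn: str, base: str) -> str:
    """Build CN=<escaped cn>,<base> for a constructed user entry."""
    return "CN=%s,%s" % (escape_dn_value(cn), base)


def naive_member_filter(group_cn: str, dn: str) -> str:
    """Interpolates the DN string as-is; the '\\,' inside it is not valid filter syntax."""
    return "(&(objectClass=group)(cn=%s)(member=%s))" % (group_cn, dn)


def member_filter(group_cn: str, dn: str) -> str:
    """Escapes both values for filter syntax, so the DN's '\\,' is sent as '\\5c,'."""
    return "(&(objectClass=group)(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(dn))


def _member_assertion(flt: str) -> str:
    """Pull the still-escaped member assertion value out of a filter built above."""
    start = flt.index("(member=") + len("(member=")
    return flt[start:-2]          # drop the closing "))"


def group_matches(group_members: List[str], flt: str) -> bool:
    """Stand-in for the server's equality match on the DN-valued 'member'
    attribute: decode the assertion value and compare it with each stored DN.
    An assertion value that does not decode matches nothing."""
    try:
        wanted = unescape_filter_value(_member_assertion(flt))
    except ValueError:
        return False
    return any(member == wanted for member in group_members)


if __name__ == "__main__":
    base = "OU=Staff,DC=intranet,DC=local"          # constructed base DN
    comma_dn = user_dn("Tollefsen, Lyle", base)     # CN containing a comma
    plain_dn = user_dn("Tollefsen Lyle", base)      # the "renamed" account
    ad_group2 = [comma_dn, plain_dn]                # constructed group members
    for dn in (comma_dn, plain_dn):
        print(dn)
        print("  naive filter matches:  ", group_matches(ad_group2, naive_member_filter("AD_GROUP2", dn)))
        print("  escaped filter matches:", group_matches(ad_group2, member_filter("AD_GROUP2", dn)))
```

The naive filter passes for the comma-free DN and fails for the comma DN, which is exactly the pattern Lyle observed. The same escape_filter_value() is what any code building a filter from a user-supplied value needs: once `*`, `(` and `)` from the input are hex-escaped, they can no longer change the structure of the filter, which is the standard mitigation for LDAP filter injection.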
 
 


Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Kevin Falcone
On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not
> the fix.
>
> As I originally said, the username:password combo would work only if
> not testing for group membership; it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is 'Last, first', the CN would be
> returned as 'Last\, First'. If we renamed the account to 'Last First',
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?

There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth, but I don't know if I've seen a root cause
or patch.

-kevin

> -----Original Message-----
> From: rt-users-boun...@lists.bestpractical.com
> [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
>
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
>> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
>> authenticate against Active Directory. Any new AD account I create can
>> logon to RT, and have corresponding account created in RT, if it is in
>> the necessary security group, but older accounts, mine included, pass
>> the password test, but fail at the group membership test, and fail to
>> logon. The RT account, however, does get created. The log entries look
>> like this...
>
> If you turn on debug logging, you should be able to see the query being run
> and you can run it manually from ldapsearch to see what is going wrong.
>
> -kevin
>
>> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
>> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>>
>> As I said above, older accounts (3 years plus) which are members of the
>> group being tested fail to fully authenticate, while new accounts which
>> are members of the same group, authenticate properly. In fact, if I
>> comment out the group test from RT_SiteConfig.pm, I can logon to RT
>> with my old account.
>>
>> I don't know if this is pertinent, but we upgraded to Exchange 2007 a
>> few months back, and I wonder if the AD schema changes could be
>> affecting things?
>>
>> Lyle.




[rt-users] RT-Authen-ExternalAuth and AD...

2011-01-05 Thread Tollefsen, Lyle
Hi,

We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate 
against Active Directory. Any new AD account I create can logon to RT, and have 
corresponding account created in RT, if it is in the necessary security group, 
but older accounts, mine included, pass the password test, but fail at the 
group membership test, and fail to logon. The RT account, however, does get 
created. The log entries look like this...

Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name 
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 
(/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

As I said above, older accounts (3 years plus) which are members of the group
being tested fail to fully authenticate, while new accounts which are members
of the same group, authenticate properly. In fact, if I comment out the group
test from RT_SiteConfig.pm, I can logon to RT with my old account.

I don't know if this is pertinent, but we upgraded to Exchange 2007 a few 
months back, and I wonder if the AD schema changes could be affecting things?

Lyle.
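Kevin's advice (debug logging, then re-running the query by hand with ldapsearch) is the right next step, but the lines already quoted in both threads say which stage of the external-auth flow failed. Glenn's critical line comes from _GetBoundLdapObj: RT's own service account could not bind (LDAP resultCode 49, invalidCredentials), so no user password was tested at all, and the fix belongs in the bind account's 'user'/'pass' settings, not in the user's AD account. Lyle's 'AD_GROUP2 AUTH FAILED' line means the password was accepted and the group-membership query is what failed. The 'FAILED LOGIN for ... from ...' line is only the final outcome as the web UI sees it. The following is an added example, not RT's code: a small classifier over those log lines (the sample is this thread's own lines, each joined back onto a single line) that reports the failing stage and, from a defender's point of view, counts failed logins per source address. Attributing a FAILED LOGIN to the nearest preceding backend failure is a heuristic assumption of mine, not something RT guarantees.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# Sample input: the log lines quoted in this thread (RT 4.0.5 and RT 3.8.8
# formats), each joined back onto a single line.
SAMPLE_LOG = """\
[Thu Apr 19 18:38:57 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/data/IH-Websites/rt/sbin/../local/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
[Thu Apr 19 18:38:57 2012] [error]: FAILED LOGIN for gsieb from 10.200.4.5 (/data/IH-Websites/rt/sbin/../lib/RT/Interface/Web.pm:665)
Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
"""

# LDAP resultCode values (RFC 4511) that show up in bind and search failures.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Each stage of the ExternalAuth flow leaves a distinct line; the first
# matching pattern wins, so the order matters.
_PATTERNS = [
    # RT's own bind account was rejected: no user password was tested yet.
    ("service_bind", re.compile(r"_GetBoundLdapObj Can't bind: (?P<result>\w+) (?P<code>\d+)")),
    # Password accepted; the group-membership query for <group> failed for <user>.
    ("group_check", re.compile(r"(?P<group>\S+) AUTH FAILED: (?P<user>\S+)")),
    # Final outcome as seen by the web UI; by itself it does not say why.
    ("web_login", re.compile(r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>[\d.]+)")),
]

# What each stage means, taken from the resolutions reported in this thread.
STAGE_MEANING = {
    "service_bind": "check the configured 'user'/'pass' of the bind account "
                    "(in the 2012 thread the fix was the user@domain form)",
    "group_check": "re-run the group query with ldapsearch; a DN containing "
                   "escaped characters such as 'Last\\, First' is one known trigger",
    "web_login": "symptom only; the preceding backend line carries the cause",
}


def classify(line: str) -> Optional[Dict[str, Any]]:
    """Map one log line to its stage plus the fields the line carries, or None."""
    for stage, rx in _PATTERNS:
        m = rx.search(line)
        if m:
            event: Dict[str, Any] = {"stage": stage}
            event.update(m.groupdict())
            if "code" in event:
                event["code"] = int(event["code"])
                event["code_name"] = LDAP_RESULT_CODES.get(event["code"], "unknown")
            return event
    return None


def triage(log_text: str) -> Dict[str, Any]:
    """Classify every line, count failures per stage and per source IP, and
    attribute each FAILED LOGIN to the nearest preceding backend failure
    (heuristic: RT logs the backend failure just before the login failure)."""
    events: List[Dict[str, Any]] = [e for e in map(classify, log_text.splitlines()) if e]
    root_cause: Dict[str, str] = {}
    pending: Optional[Dict[str, Any]] = None
    for event in events:
        if event["stage"] != "web_login":
            pending = event
            continue
        user = event["user"]
        # A group_check line names its user; a service_bind line does not.
        if pending is not None and pending.get("user") in (None, user):
            root_cause[user] = pending["stage"]
        else:
            root_cause[user] = "unknown"
        pending = None
    return {
        "events": events,
        "counts_by_stage": dict(Counter(e["stage"] for e in events)),
        "failed_logins_by_ip": dict(Counter(e["ip"] for e in events if e["stage"] == "web_login")),
        "root_cause": root_cause,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user, stage in report["root_cause"].items():
        print("%s: %s -> %s" % (user, stage, STAGE_MEANING[stage]))
    print("failed logins by source:", report["failed_logins_by_ip"])
```

Run against the sample, gsieb's failure is attributed to service_bind and my-name's to group_check; a FAILED LOGIN with no preceding backend line is reported as unknown, and the per-IP counter is the place to watch for a source address accumulating failures that no backend line explains.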