Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?
Hi Malcolm,

The output from rt-ldapimport is normal if no changes are required, as I've just tried it here in my lab and it is working.

Incidentally, LDAPImport doesn't currently support TLS. I've written a patch which you are welcome to have if you would like it. I'm afraid I haven't submitted it to BP yet, but intend to when I get some time.

Best Regards
Martin

On 2016-10-19 14:21, Malcolm Galland wrote:
> Ah, yes. It looks like I had commented it out during testing, and that's what was causing the PeerHost error. Below is the section of SiteConfig dedicated to LDAPImport:
>
>     Set($LDAPHost, 'ggdc1.domain.int');
>     Set($LDAPUser, 'LDAP_ACCOUNT');
>     Set($LDAPPassword, 'LDAP_ACCOUNT_PASS');
>     Set($LDAPBase, 'dc=domain,dc=int');
>     Set($LDAPFilter, '(&(cn = users))');
>     Set($LDAPMapping, {
>         Name         => 'uid',   # required
>         EmailAddress => 'mail',
>         RealName     => 'cn',
>         WorkPhone    => 'telephoneNumber',
>         Organization => 'departmentName',
>     });
>
>     # If you want to sync Groups from LDAP into RT
>     Set($LDAPGroupBase, 'dc=domain,dc=int');
>     Set($LDAPGroupFilter, '(&(cn = Groups))');
>     Set($LDAPGroupMapping, {
>         Name              => 'cn',
>         Member_Attr       => 'member',
>         Member_Attr_Value => 'dn',
>     });
>
> Interesting follow-up question though: when I run rt-ldapimport I don't get any errors, but the output doesn't exactly instill a feeling of success either:
>
>     /opt/rt4/sbin/rt-ldapimport --debug
>     Running test import, no data will be changed
>     Rerun command with --import to perform the import
>     Rerun command with --debug for more information
>     Testing group import
>     Finished test
>
> On Wed, 2016-10-19 at 14:09, Martin Wheldon wrote:
> > Hi Malcolm,
> >
> > You are missing the LDAP import configuration, which is separate from the External auth config. The following will help:
> > https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html
> >
> > Best Regards
> > Martin

-
RT 4.4 and RTIR training sessions, and a new workshop day!
https://bestpractical.com/training
* Boston - October 24-26
* Los Angeles - Q1 2017
Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?
Hi Malcolm,

Are you able to get any results from the LDAP server when you try the same search using ldapsearch from the command line on the Debian box? Something like:

    # -ZZ insists on StartTLS; -W prompts for the bind password instead of
    # taking it on the command line, where the original "-w" was left empty
    ldapsearch -x -ZZ -H ldap://ggdc1.domain.int/ \
        -D LDAP_ACCOUNT -W \
        -b ou=Production,dc=domain,dc=int "(objectClass=inetOrgPerson)"

I'm guessing your LDAP server is MS AD, so you will probably need to configure TLS. The following items come from my configuration:

    Set( $ExternalAuthPriority, ["My_LDAP"] );
    Set( $ExternalInfoPriority, ["My_LDAP"] );
    Set($ExternalAuth, 1);
    Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
    Set($AutoCreateNonExternalUsers, 1);

    # Use TLS
    Set($ExternalServiceUsesSSLorTLS, 1);

    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'   => 'ldap',
            'server' => 'ggdc1.domain.int',
            # Configure TLS settings
            'tls' => {
                'verify' => 'require',
                'cafile' => '/etc/ssl/certs/CACert.pem',   # Path to CA file
            },
            'user'   => 'LDAP_ACCOUNT',
            'pass'   => 'LDAP_ACCOUNT_PASS',
            'base'   => 'ou=Production,dc=domain,dc=int',
            'filter' => '(objectClass=inetOrgPerson)',
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name'         => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'RealName'     => 'cn',
                'WorkPhone'    => 'telephoneNumber',
                'Address1'     => 'streetAddress',
                'City'         => 'l',
                'State'        => 'st',
                'Zip'          => 'postalCode',
                'Country'      => 'co',
            },
        },
    } );

Best Regards
Martin
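Added example, not code from RT, from Best Practical or from anyone in this thread: what the 'tls' => { 'verify' => 'require', 'cafile' => ... } setting recommended above means on the wire, written in Python with only the standard library so the bind can be reproduced outside RT. It opens a TLS connection that refuses any server certificate not chaining to the CA file or not matching the hostname, then sends an LDAP version 3 simple bind (RFC 4511) and decodes the BindResponse. The hostname, bind DN, password and CA path are the thread's placeholders (ggdc1.domain.int, LDAP_ACCOUNT, LDAP_ACCOUNT_PASS, /etc/ssl/certs/CACert.pem), not real values; using LDAPS on port 636 rather than StartTLS on 389 (the ldapsearch -ZZ form) is an assumption made here to keep the code short, the bind exchange is the same either way. The BindResponse bytes used for the offline check are constructed, not captured from a server.

```python
"""LDAPS simple bind with mandatory certificate verification (stdlib only).

Added example, not RT's own code.  Reproduces the equivalent of
RT::Authen::ExternalAuth with tls => { verify => 'require', cafile => ... }:
TLS with CA and hostname verification, then an RFC 4511 simple bind.
All host/DN/password/CA values below are placeholders from the thread.
"""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49     # resultCode for a bad DN or password


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest } for a version-3 simple bind.
    BindRequest is [APPLICATION 0] constructed (0x60); the password is the
    'simple' choice, context tag [0] primitive (0x80).  msg_id is 1..127 so
    it fits a single INTEGER octet."""
    bind = (_tlv(0x02, b"\x03")
            + _tlv(0x04, bind_dn.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def encode_bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """Constructed BindResponse ([APPLICATION 1], 0x61), used only to build
    an offline sample; a real server produces these bytes."""
    resp = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode("utf-8"))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, resp))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(resp, pos)  # matchedDN (empty for binds)
    _, diag, _ = _read_tlv(resp, pos)        # diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def _recv_message(sock) -> bytes:
    """Read exactly one BER TLV (tag, length, value) from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldaps_simple_bind(host, bind_dn, password, cafile, port=636, timeout=10):
    """Bind over LDAPS, refusing a certificate that does not chain to cafile
    or does not match host (RT's verify => 'require').  An
    ssl.SSLCertVerificationError here means the CA file or hostname is
    wrong, which is the failure to rule out before suspecting credentials."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, bind_dn, password))
            return parse_bind_response(_recv_message(tls))


if __name__ == "__main__":
    # Placeholder values from the thread; AD wants a full DN or UPN as bind DN.
    _, code, diag = ldaps_simple_bind("ggdc1.domain.int", "LDAP_ACCOUNT",
                                      "LDAP_ACCOUNT_PASS", "/etc/ssl/certs/CACert.pem")
    print("bind resultCode", code, "(0 success, 49 invalidCredentials):", diag)
```

Run it with the real CA file first: a certificate verification error points at the trust chain, a resultCode of 49 with the handshake succeeding points at the bind DN or password, and only once both pass is it worth looking at RT's filter and attr_map.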
Re: [rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?
Hi Malcolm,

You are missing the LDAP import configuration, which is separate from the External auth config. The following will help:
https://docs.bestpractical.com/rt/4.4.1/RT/LDAPImport.html

Best Regards
Martin
[rt-users] RT 4.4.1 on Debian with RT::Authen::ExternalAuth?
I've set up RT, and am testing it with rt-server. Everything seems to be going smoothly except LDAP with RT::Authen::ExternalAuth. I read the docs and have implemented the suggested changes in /opt/rt4/etc/RT_SiteConfig.pm like so:

    Set( $ExternalAuthPriority, ["My_LDAP"] );
    Set( $ExternalInfoPriority, ["My_LDAP"] );
    Set($ExternalAuth, 1);
    Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
    Set($AutoCreateNonExternalUsers, 1);
    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'   => 'ldap',
            'server' => 'ggdc1.domain.int',
            'user'   => 'LDAP_ACCOUNT',
            'pass'   => 'LDAP_ACCOUNT_PASS',
            'base'   => 'ou=Production,dc=domain,dc=int',
            'filter' => '(objectClass=inetOrgPerson)',
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name'         => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'RealName'     => 'cn',
                'WorkPhone'    => 'telephoneNumber',
                'Address1'     => 'streetAddress',
                'City'         => 'l',
                'State'        => 'st',
                'Zip'          => 'postalCode',
                'Country'      => 'co',
            },
        },
    } );

The issue is when I try to login the users aren't allowed access, and I get the following error from rt-server:

    [error]: FAILED LOGIN for username_redacted from IP_REDACTED (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)

Just for kicks, if I run /opt/rt4/sbin/rt-ldapimport --debug I get:

    [critical]: Expected 'PeerHost' at /usr/local/share/perl/5.20.2/Net/LDAP.pm line 164. (/opt/rt4/sbin/../lib/RT.pm:390)

Any ideas? I read every document I could find, but it's hard to know which non-official ones you can trust since RT has been around so long and ExternalAuth was just added to the core. Also, the official docs are a bit terse.