Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone Sent: Wednesday, April 13, 2011 7:50 AM To: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue? > On Mon, Apr 11, 2011 at 11:22:19AM -0600, Eli Guzman wrote: >> >> I think I see where you are going, maybe the permissions under the: >> >> _/autohandler, >> _/Elements/Header >> >> directories could be incorrect? > > This is unlikely to be a problem, or nothing would run, but you > should check it anyway. > > On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote: >>> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth >>> service: My_LDAP >>> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/Externa >>> lAut h.pm:64) >>> [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test >>> with. NextingHey Thomas (and Kevin) > > You are basically at the point where you need to start enhancing this > debugging line to include more about what was captured from the form > so you can figure out why the username isn't available. > > -kevin Thanks Kevin, adjusting the permissions to the file may have worked as we are now able to authenticate via LDAP (there is no automatic log-on, the users just need to enter their credentials, however it is pulling user information via the module properly). Oddly enough even though the Auth piece is working, when a user within the RTUsers group (via AD) accesses the RT main login page, on the 'rt.log' I still get the same error: [Tue Apr 12 23:37:15 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut h.pm:92) But as I stated, at least now I can actually authenticate, so my question is could this then just be related to a misconfigured RT_SiteConfig.pm file? I did make some changes to the file as well, and this change could have had an effect as well, since previous to the change, authentication was not taking place (besides just adjusting the permissions of the files). Here is my RT_SiteConfig (for the Auth plug-in) as well, perhaps something listed in this file is incorrect: http://pastebin.com/zEF44vHr I'll go ahead and enhance the debug line a bit more, and once I have that information I will post it. Thanks, Eli
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
On Mon, Apr 11, 2011 at 11:22:19AM -0600, Eli Guzman wrote: > > I think I see where you are going, maybe the permissions under the: > > _/autohandler, > _/Elements/Header > > directories could be incorrect? This is unlikely to be a problem, or nothing would run, but you should check it anyway. On Mon, Apr 11, 2011 at 09:59:54AM -0400, Kevin Falcone wrote: > > [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth > > service: > > My_LDAP > > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut > > h.pm:64) > > [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. > > Nexting You are basically at the point where you need to start enhancing this debugging line to include more about what was captured from the form so you can figure out why the username isn't available. -kevin pgpqBJgtVjhWx.pgp Description: PGP signature
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Thomas Sibley Sent: Monday, April 11, 2011 11:06 AM To: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT::Authen::ExternalAuth,Possible Configuration Issue? > On 04/11/2011 12:43 PM, Eli Guzman wrote: >> On the pastebin you may also notice that there is a message when >> httpd services are initializing stating that "RT's GnuPG libraries >> couldn't successfully read your configured GnuPG home directory" >> and thereupon Disables PGP support for RT. Could this have something >> to do with the RT::Authen::ExternalAuth error? > > Nope, this is completely unrelated to ExternalAuth. > >> If there is anything else I can try please let me know. > > Please send the output of: ls -lR > /opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ > > Thomas Hey Thomas, Here it is: http://pastebin.com/raw.php?i=U3a8gde4 I think I see where you are going, maybe the permissions under the: _/autohandler, _/Elements/Header directories could be incorrect? Thanks, Eli
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
On 04/11/2011 12:43 PM, Eli Guzman wrote: > On the pastebin you may also notice that there is a message when httpd > services are initializing > stating that "RT's GnuPG libraries couldn't successfully read your > configured GnuPG home directory" > and thereupon Disables PGP support for RT. Could this have something to > do with the > RT::Authen::ExternalAuth error? Nope, this is completely unrelated to ExternalAuth. > If there is anything else I can try please let me know. Please send the output of: ls -lR /opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ Thomas
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone Sent: Monday, April 11, 2011 8:00 AM To: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue? >> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth >> service: My_LDAP >> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalA >> ut h.pm:64) >> [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test >> with. Nexting > > This implies that the username you typed into the login box isn't > getting to the plugin. > > You did clear the mason cache when you updated the module, right? > > -kevin Hey Kevin, No I did not clear the cache at that time, so I made sure to do so now: [root@xx ~]# rm -fr /opt/rt3/var/mason_data/obj [root@xx ~]# rm -rf /opt/rt3/var/mason_data/* And then restarted httpd services, this goes ok, and once again I get the same message: http://pastebin.com/raw.php?i=kme8CUdk All of the "ExternalAuth" messages listed on the pastebin came up as I opened the browser, with our designated test domain user named "jjdoe". On the pastebin you may also notice that there is a message when httpd services are initializing stating that "RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory" and thereupon Disables PGP support for RT. Could this have something to do with the RT::Authen::ExternalAuth error? [Mon Apr 11 16:30:02 2011] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled /opt/rt3/bin/../lib/RT/Config.pm:449) If there is anything else I can try please let me know. Thanks, Eli
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
> [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth > service: > My_LDAP > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut > h.pm:64) > [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. > Nexting This implies that the username you typed into the login box isn't getting to the plugin. You did clear the mason cache when you updated the module, right? -kevin pgpJKgg6zOEHb.pgp Description: PGP signature
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Eli Guzman Sent: Friday, April 08, 2011 10:36 AM To: Thomas Sibley; rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT::Authen::ExternalAuth,Possible Configuration Issue? > Original Message > From: rt-users-boun...@lists.bestpractical.com > [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Thomas > Sibley Sent: Thursday, April 07, 2011 6:33 PM To: > rt-users@lists.bestpractical.com Subject: Re: [rt-users] > RT::Authen::ExternalAuth,Possible Configuration Issue? > >> On 04/07/2011 08:04 PM, Eli Guzman wrote: >>>> == TL/DR == >>>> >>>> Installed RT 3.8.9 on a test RHEL server, and cannot seem to get >>>> RT::Authen::ExternalAuth to properly work, please help! >>> >>> Sorry for the bump to this topic, just needed to see if anyone can >>> still assist with this issue. If this is a problem with the module >>> itself, what would be another possible workaround for getting LDAP >>> connected? >> >> You didn't actually include the log or configuration files that you >> said you did. However I suspect you're running version 0.08 of >> ExternalAuth which is known not to work with RT 3.8.9. You should >> download and install ExternalAuth 0.08_01 from CPAN at the link >> below. >> 0.08_01 is a developer release containing a known fix for the >> problem. >> >> > http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAu > th-0.08_01.tar.gz >> >> Thomas > > Hey Thomas, > > Thanks a lot for the information, I went ahead and queried the cpan > packages and you are correct I am running: > >RT::Authen::ExternalAuth 0.08 > > I will give try at downloading 0.08_01 and see how it goes. I did > include the logs in another email, not sure if that one made the > list. I am including the logs on this email (just in case anyone > wants a quick glance at them), please do let me know if they do not > go through (sometimes our AV server strips off attachments). If they > don't I'll just do a pastebin from the logs I do have. I'll make sure > to update the list with the results. > > Thanks, > Eli I went ahead and updated RT::Authen::ExternalAuth to version 0.8_01, but for some reason I am still getting the same error as before: [Fri Apr 8 23:34:13 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut h.pm:64) [Fri Apr 8 23:34:13 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut h.pm:92) [Fri Apr 8 23:34:13 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:26) So I am not sure what else could be causing the issue, I am guessing that this is a configuration issue at this point (as to where exactly the issue may be, that is the 64,000 dollar question). I'll continue to have a look and see if I can fix the issue, but I think I may have to use an alternate method of connecting to AD (i.e. OpenLDAP Synchronization from our AD server, or a manual overlay). If there is any additional insight on the problem please feel free to reply, as I'd be willing to try other solutions as needed. Thanks, Eli
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Original Message From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Thomas Sibley Sent: Thursday, April 07, 2011 6:33 PM To: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT::Authen::ExternalAuth,Possible Configuration Issue? > On 04/07/2011 08:04 PM, Eli Guzman wrote: >>> == TL/DR == >>> >>> Installed RT 3.8.9 on a test RHEL server, and cannot seem to get >>> RT::Authen::ExternalAuth to properly work, please help! >> >> Sorry for the bump to this topic, just needed to see if anyone can >> still assist with this issue. If this is a problem with the module >> itself, what would be another possible workaround for getting LDAP >> connected? > > You didn't actually include the log or configuration files that you > said you did. However I suspect you're running version 0.08 of > ExternalAuth which is known not to work with RT 3.8.9. You should > download and install ExternalAuth 0.08_01 from CPAN at the link > below. 0.08_01 is a developer release containing a known fix for the > problem. > > http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAu th-0.08_01.tar.gz > > Thomas Hey Thomas, Thanks a lot for the information, I went ahead and queried the cpan packages and you are correct I am running: RT::Authen::ExternalAuth 0.08 I will give try at downloading 0.08_01 and see how it goes. I did include the logs in another email, not sure if that one made the list. I am including the logs on this email (just in case anyone wants a quick glance at them), please do let me know if they do not go through (sometimes our AV server strips off attachments). If they don't I'll just do a pastebin from the logs I do have. I'll make sure to update the list with the results. Thanks, Eli config-and-logs.tar.gz Description: config-and-logs.tar.gz
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
On 04/07/2011 08:04 PM, Eli Guzman wrote: >> == TL/DR == >> >> Installed RT 3.8.9 on a test RHEL server, and cannot seem to get >> RT::Authen::ExternalAuth to properly work, please help! > > Sorry for the bump to this topic, just needed to see if anyone can still > assist with > this issue. If this is a problem with the module itself, what would be > another possible > workaround for getting LDAP connected? You didn't actually include the log or configuration files that you said you did. However I suspect you're running version 0.08 of ExternalAuth which is known not to work with RT 3.8.9. You should download and install ExternalAuth 0.08_01 from CPAN at the link below. 0.08_01 is a developer release containing a known fix for the problem. http://search.cpan.org/CPAN/authors/id/F/FA/FALCONE/RT-Authen-ExternalAuth-0.08_01.tar.gz Thomas
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Eli Guzman wrote: > Greetings all, > > == A Little Background == > > Sorry for the length of this post, TL/DR is at the bottom of this > message. We currently run RT 3.6.6 in a production environment > (running on RHEL 5.3, Tikanga, 2.6.18-128.2.1.el5xen #1 SMP, x86, > running on a Dell PowerEdge R410). We are in the midst of upgrading > to 3.8.9 (as we really liked the new look). The test environment is > running on RHEL 5.6 Tikanga, 2.6.18-229.el5 #1 SMP, x86_64, within an > ESX virtual environment (Dell PowerEdge R710 acting as the VM host). > > We have already compiled the new RT instance successfully (web GUI > runs really well), ported our current production DB to the new > environment (after some issues related to MyISAM incompatibilities > during initial deployment; we have been running RT since release > v2.8), ran any necessary schema updates, and ensured that there > weren't any CPAN related inconsistencies. > > == The Problem == > > Everything as far as the interface seems to be working as it should. > We are currently attempting to integrate the LDAP piece into the > install (LDAP via RT is a bit new to us). I believe that I may be > missing a configuration piece somewhere, as we cannot seem to get > authentication to occur properly between "RT::Authen::ExternalAuth", > and our Active Directory (AD) server. > > I've enabled logging in RT (debug mode), and have attached the actual > "rt.log" file to see if anyone can take a look and see if anything > sticks out. I've also included my main "RT_SiteConfig.pm", as well as > the RT::Authen::External LDAP configuration file > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm), > as the issue could also be a configuration issue with this file. As > far as LDAP authentication, we currently use Active Directory on > Windows 2003 R2. Within AD we have setup an initial OU named > 'services', with an authentication user named 'ldap', and a security > group named 'RTUsers'. > > The actual error is as follows: > > [Tue Apr 5 16:03:18 2011] [debug]: SSO Failed and no user to test > with. > Nexting > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut > h.pm:92) > > I've searched for this error, but I have only found some threads > addressing a similar issue, but with no actual listed solutions. From > what I can tell from these threads the issue seems to stem from > either an Apache, or a FastCGI configuration issue. The thing is > Apache on this server starts without any errors at all, so it seems > to be parsing the configuration files without a problem. I am > attaching any related Apache configuration files as well (two files > actually, /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/rt3.conf). > > At the moment I am a bit stumped, so if anyone here has any > suggestions/information as to the issues mentioned above I'd > certainly appreciate any and all input. > > == TL/DR == > > Installed RT 3.8.9 on a test RHEL server, and cannot seem to get > RT::Authen::ExternalAuth to properly work, please help! > > Best Regards, > Eli Sorry for the bump to this topic, just needed to see if anyone can still assist with this issue. If this is a problem with the module itself, what would be another possible workaround for getting LDAP connected? I've seen quite a few different solutions, so I am just wondering what solutions are more successful in implementing than others (would a manual overlay or perhaps Apache authentication Over OpenLDAP be a better choice?). If anyone has had any success with any of these other methods any input you may have would be very useful specially since we seem to be having an issue getting RT:Authen:ExternalAuth configured correctly. Best Regards, Eli
Re: [rt-users] RT::Authen::ExternalAuth, Possible Configuration Issue?
Apologies, forgot to include configuration and log file attachment. Thanks, Eli -Original Message- From: Eli Guzman Sent: Tuesday, April 05, 2011 11:50 AM To: 'rt-users@lists.bestpractical.com' Subject: RT::Authen::ExternalAuth, Possible Configuration Issue? Greetings all, == A Little Background == Sorry for the length of this post, TL/DR is at the bottom of this message. We currently run RT 3.6.6 in a production environment (running on RHEL 5.3, Tikanga, 2.6.18-128.2.1.el5xen #1 SMP, x86, running on a Dell PowerEdge R410). We are in the midst of upgrading to 3.8.9 (as we really liked the new look). The test environment is running on RHEL 5.6 Tikanga, 2.6.18-229.el5 #1 SMP, x86_64, within an ESX virtual environment (Dell PowerEdge R710 acting as the VM host). We have already compiled the new RT instance successfully (web GUI runs really well), ported our current production DB to the new environment (after some issues related to MyISAM incompatibilities during initial deployment; we have been running RT since release v2.8), ran any necessary schema updates, and ensured that there weren't any CPAN related inconsistencies. == The Problem == Everything as far as the interface seems to be working as it should. We are currently attempting to integrate the LDAP piece into the install (LDAP via RT is a bit new to us). I believe that I may be missing a configuration piece somewhere, as we cannot seem to get authentication to occur properly between "RT::Authen::ExternalAuth", and our Active Directory (AD) server. I've enabled logging in RT (debug mode), and have attached the actual "rt.log" file to see if anyone can take a look and see if anything sticks out. I've also included my main "RT_SiteConfig.pm", as well as the RT::Authen::External LDAP configuration file (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm), as the issue could also be a configuration issue with this file. As far as LDAP authentication, we currently use Active Directory on Windows 2003 R2. Within AD we have setup an initial OU named 'services', with an authentication user named 'ldap', and a security group named 'RTUsers'. The actual error is as follows: [Tue Apr 5 16:03:18 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAut h.pm:92) I've searched for this error, but I have only found some threads addressing a similar issue, but with no actual listed solutions. From what I can tell from these threads the issue seems to stem from either an Apache, or a FastCGI configuration issue. The thing is Apache on this server starts without any errors at all, so it seems to be parsing the configuration files without a problem. I am attaching any related Apache configuration files as well (two files actually, /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/rt3.conf). At the moment I am a bit stumped, so if anyone here has any suggestions/information as to the issues mentioned above I'd certainly appreciate any and all input. == TL/DR == Installed RT 3.8.9 on a test RHEL server, and cannot seem to get RT::Authen::ExternalAuth to properly work, please help! Best Regards, Eli config-and-logs.tar.gz Description: config-and-logs.tar.gz