Re: [rt-users] RT mysql / LDAP Auth

2010-05-18 Thread Julian Grunnell
-Original Message-
From: Mike Peachey [mailto:mike.peac...@jennic.com]
Sent: 14 May 2010 10:33
To: Julian Grunnell; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT  mysql / LDAP Auth

Julian Grunnell wrote:

 Right, thanks - that makes sense now. I misunderstood the use of this
 and thought you had to define ALL the authentication methods you wanted
 to use. So I have removed the MySQL section completely from the config
 and tried again with different results. Using my LDAP credentials I
 still get Your username or password is incorrect BUT RT has created me
 as a user, the Let this user be granted rights box is unchecked and
 I'm NOT a member of any Groups. The logs created when this was done are:

1. It found you and loaded your information from LDAP just as it should.
2. ExternalAuth cannot currently add you to any internal RT groups based
on LDAP information, this must be done in the RT administration panels.
3. If you want LDAP users to be automatically assigned Let this user be
granted rights then you may do so with this config setting:
  Set($AutoCreate, {Privileged => 1});
Otherwise it will need setting manually along with group membership.


The only thing that is now failing for you is authentication and the
reason is now obvious:

Your config
###
# Does authentication depend on group membership? What group name?
'group'  =>  'GROUP_NAME',
# What is the attribute for the group object that determines membership?
'group_attr'  =>  'GROUP_ATTR',
###

Your log
###
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34

###

You have told ExternalAuth that all ldap users must be in an ldap group
named GROUP_NAME and that in order to confirm that the users are a
member of that group, the members should be in the GROUP_ATTR attribute
of that group.

If you simply comment out group and group_attr it should work fine. If
in future you wish to restrict access by group, ensure the group name is
specified in full ldap dn form.
--
[] 
Thanks Mike - appreciate your help with this, made the changes you
suggest and it works a treat now. Now to look at the script that can
convert to ldap style logins.

Julian.


Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


Re: [rt-users] RT mysql / LDAP Auth

2010-05-14 Thread Julian Grunnell
--
Julian Grunnell
This email is subject to: www.corporate.webfusion.co.uk/disclaimer

-Original Message-
From: Mike Peachey [mailto:mike.peac...@jennic.com]
Sent: 13 May 2010 13:56
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT  mysql / LDAP Auth

Julian Grunnell wrote:
 -Original Message-
 From: Mike Peachey [mailto:mike.peac...@jennic.com]
 Sent: 10 May 2010 12:54
 To: Julian Grunnell
 Cc: rt-users@lists.bestpractical.com
 Subject: Re: [rt-users] RT  mysql / LDAP Auth


 So at present users are just authenticating against RT's own DB for user
 access. What I'd like to do is keep this but also have LDAP. The reason
 being users now have multiple usernames / passwords for different
 services we run and I want to use LDAP as a way to simplify this - BUT
 in order for this to be done I also need to be able to keep the MySQL
 access for now and not break RT for all the users.

 The RT DB is on a different physical server and the fact that after I
 restarted httpd with the config above and could still login with my
 usual (mysql) credentials assumed that at least part of it was working -
 is this not the case?

No, you've misunderstood and it has massively complicated your debugging
of the situation.

ExternalAuth *only* adds to the available authentication mechanisms. It
does not replace RT's own. The use of ExternalAuth MySQL authentication
is if you want to be able to authenticate against some other MySQL
source such as a custom website database or the database of another
web-application. This is /in addition/ to checking against RT's own
internal database (whether this is hosted locally or not).

So, authentication happens in this order:

1. ExternalAuth
2. RT-Internal

And you can have as many ExternalAuth sources as you wish.


For your setup, what you want is to only specify the LDAP source which
is then checked for a valid user. If there's no user in LDAP, RT's
internal DB will be checked.
--
Kind Regards,

[] 
Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you wanted
to use. So I have removed the MySQL section completely from the config
and tried again with different results. Using my LDAP credentials I
still get Your username or password is incorrect BUT RT has created me
as a user, the Let this user be granted rights box is unchecked and
I'm NOT a member of any Groups. The logs created when this was done are:

[Fri May 14 08:22:41 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Fri May 14 08:22:41 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Fri May 14 08:22:41 2010] [debug]: UserExists params: username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Fri May 14 08:22:41 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri May 14 08:22:41 2010] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri May 14 08:22:41 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Fri May 14 08:22:41 2010] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: julian.grunn...@webfusion.com, ExternalAuthId: jgrunnell, Gecos: jgrunnell, Name: jgrunnell, Organization: Leeds, Privileged: 0, RealName: Julian Grunnell, State: , WorkPhone: 0208 587 7212, Zip: (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Fri May 14 08:22:41 2010] [debug]: About

Re: [rt-users] RT mysql / LDAP Auth

2010-05-14 Thread Mike Peachey
Julian Grunnell wrote:

 Right, thanks - that makes sense now. I misunderstood the use of this
 and thought you had to define ALL the authentication methods you wanted
 to use. So I have removed the MySQL section completely from the config
 and tried again with different results. Using my LDAP credentials I
 still get Your username or password is incorrect BUT RT has created me
 as a user, the Let this user be granted rights box is unchecked and
 I'm NOT a member of any Groups. The logs created when this was done are:

1. It found you and loaded your information from LDAP just as it should.
2. ExternalAuth cannot currently add you to any internal RT groups based
on LDAP information, this must be done in the RT administration panels.
3. If you want LDAP users to be automatically assigned Let this user be
granted rights then you may do so with this config setting:
  Set($AutoCreate, {Privileged => 1});
Otherwise it will need setting manually along with group membership.


The only thing that is now failing for you is authentication and the
reason is now obvious:

Your config
###
# Does authentication depend on group membership? What group name?
'group'  =>  'GROUP_NAME',
# What is the attribute for the group object that determines membership?
'group_attr'  =>  'GROUP_ATTR',
###

Your log
###
[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34

###

You have told ExternalAuth that all ldap users must be in an ldap group
named GROUP_NAME and that in order to confirm that the users are a
member of that group, the members should be in the GROUP_ATTR attribute
of that group.

If you simply comment out group and group_attr it should work fine. If
in future you wish to restrict access by group, ensure the group name is
specified in full ldap dn form.
-- 
Kind Regards,

__

Mike Peachey, IT Systems Administrator
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__



Re: [rt-users] RT mysql / LDAP Auth

2010-05-13 Thread Mike Peachey
Julian Grunnell wrote:
 -Original Message-
 From: Mike Peachey [mailto:mike.peac...@jennic.com]
 Sent: 10 May 2010 12:54
 To: Julian Grunnell
 Cc: rt-users@lists.bestpractical.com
 Subject: Re: [rt-users] RT  mysql / LDAP Auth

 
 So at present users are just authenticating against RT's own DB for user
 access. What I'd like to do is keep this but also have LDAP. The reason
 being users now have multiple usernames / passwords for different
 services we run and I want to use LDAP as a way to simplify this - BUT
 in order for this to be done I also need to be able to keep the MySQL
 access for now and not break RT for all the users.
 
 The RT DB is on a different physical server and the fact that after I
 restarted httpd with the config above and could still login with my
 usual (mysql) credentials assumed that at least part of it was working -
 is this not the case?

No, you've misunderstood and it has massively complicated your debugging
of the situation.

ExternalAuth *only* adds to the available authentication mechanisms. It
does not replace RT's own. The use of ExternalAuth MySQL authentication
is if you want to be able to authenticate against some other MySQL
source such as a custom website database or the database of another
web-application. This is /in addition/ to checking against RT's own
internal database (whether this is hosted locally or not).

So, authentication happens in this order:

1. ExternalAuth
2. RT-Internal

And you can have as many ExternalAuth sources as you wish.


For your setup, what you want is to only specify the LDAP source which
is then checked for a valid user. If there's no user in LDAP, RT's
internal DB will be checked.
-- 
Kind Regards,



Re: [rt-users] RT mysql / LDAP Auth

2010-05-12 Thread Julian Grunnell
-Original Message-
From: Mike Peachey [mailto:mike.peac...@jennic.com]
Sent: 10 May 2010 12:54
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT  mysql / LDAP Auth

Julian Grunnell wrote:
 Hi - hoping someone can help me, I'm trying to get the
 RT::Authen::ExternalAuth plugin to work so I can use LDAP for
 authentication. Just using mysql at the moment, so want to keep this as
 well. Running RT 3.8.5 on Centos, I'd like mysql auth first and then
 LDAP next. I've managed to configure this without any errors and my
 mysql authentication still works after a httpd restart. However LDAP
 auth never works, I'm not that familiar with LDAP so am hoping if I
 provide my config and rt.log below someone might be able to point me in
 the right direction:

Looks like the whole thing is dying during the MySQL check.

1. Provide the whole config
2. Are you sure you're supposed to be using ExternalAuth for MySQL auth?
Are you actually using it to check against an external MySQL source, or
are you trying to use MySQL to check RT's own database?

[] 

The whole config is:

##
## Local settings - overrides RT_Config.pm
##

Set($WebBaseURL, "https://xxx.xxx.xxx");
Set($rtname, 'xxx');
Set($Organization , "xxx");
Set($MinimumPasswordLength , 8);
Set($OwnerEmail , 'jul...@xxx.xxx');
Set($SMTPFrom, 'supp...@xxx.xxx');
Set($Timezone , 'GB/London');
Set($UsernameFormat, 'concise');
Set($OldestTransactionsFirst, '0');
Set($SenderMustExistInExternalDatabase);
Set($LogToSyslog, 'debug');
Set($UseFriendlyFromLine, 0);
Set($WebDomain, 'xxx.xxx.xxx');
Set($WebDefaultStylesheet, '3.5-default');
Set($WebPort, 443);
Set($MaxInlineBody, 148000);


## Display Webfusion logo / link
##
Set($WebImagesURL , $WebPath . "/NoAuth/images/");  # need this for below
Set($LogoURL, $WebImagesURL . "xxx-logo.png");
Set($LogoLinkURL, 'http://xxx.xxx.xxx');
Set($LogoImageURL, $WebImagesURL . "xxx.xxx.png");
Set($LogoAltText, "xxx");


# {{{ Logging

Set($LogToSyslog,'critical');
Set($LogToScreen, 'error');
Set($LogToFile  , 'debug');
Set($LogDir, '/opt/rt3/var/log/rt3');
Set($LogToFileNamed , "rt.log");   # log to rt.log


#Set(@Plugins,(qw(RT::Extension::SLA)));
#Set( %ServiceAgreements,
#    Default => '4h',
#    QueueDefault => {
#        'General' => '4h',
#    },
#    Levels => {
#        '2h' => {
#            StartImmediately => 1,
#            Resolve => { RealMinutes => 60*2 } },
#        '4h' => {
#            StartImmediately => 1,
#            Resolve => { RealMinutes => 60*4 } },
#    },
#);


#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));


## MySQL / LDAP Configuration
#
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_MySQL',
'My_LDAP'
]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'My_MySQL',
'My_LDAP'
]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means use Net::SSLeay;
Set($ExternalServiceUsesSSLorTLS,0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,  {   # AN EXAMPLE DB SERVICE
                            'My_MySQL'   =>  {  ## GENERIC SECTION
                                                # The type of service (db/ldap/cookie)
                                                'type'      =>  'db',
                                                # The server hosting the service
                                                'server'    =>  'resolver-db.xxx.com',
                                                ## SERVICE-SPECIFIC SECTION
                                                # The database name
                                                'database'  =>  'rt3',
                                                # The database table

Re: [rt-users] RT mysql / LDAP Auth

2010-05-11 Thread Mike Peachey
james machado wrote:
 
 
 this is the part that is probably killing you on your LDAP
 authentication piece.  Active Directory does not allow anonymous bind
 for LDAP authentication. 

Not true, you just have to configure it. I use anonymous bind - just
means my own account has to not be a domain admin because anonymous bind
doesn't seem to return privileged accounts.

-- 
Kind Regards,



Re: [rt-users] RT mysql / LDAP Auth

2010-05-10 Thread Mike Peachey
Julian Grunnell wrote:
 Hi – hoping someone can help me, I’m trying to get the
 RT::Authen::ExternalAuth plugin to work so I can use LDAP for
 authentication. Just using mysql at the moment, so want to keep this as
 well. Running RT 3.8.5 on Centos, I’d like mysql auth first and then
 LDAP next. I’ve managed to configure this without any errors and my
 mysql authentication still works after a httpd restart. However LDAP
 auth never works, I’m not that familiar with LDAP so am hoping if I
 provide my config and rt.log below someone might be able to point me in
 the right direction:

Looks like the whole thing is dying during the MySQL check.

1. Provide the whole config
2. Are you sure you're supposed to be using ExternalAuth for MySQL auth?
Are you actually using it to check against an external MySQL source, or
are you trying to use MySQL to check RT's own database?

-- 
Kind Regards,



Re: [rt-users] RT mysql / LDAP Auth

2010-05-10 Thread james machado
On Sun, May 9, 2010 at 3:12 AM, Julian Grunnell 
julian.grunn...@webfusion.com wrote:


 # The username RT should use to connect to the LDAP server
 'user'  =>  'ldap-rt',

 # The password RT should use to connect to the LDAP server
 'pass'  =>  'x',

 #



this is the part that is probably killing you on your LDAP authentication
piece.  Active Directory does not allow anonymous bind for LDAP
authentication.  You will need to create a non-privileged user in AD to do
the binding and place the user name and password for that user in your
RT_SiteConfig.pm file.  This user will be used by the
RT::Authen::ExternalAuth plugin to bind to AD LDAP.  Once bound
RT::Authen::ExternalAuth will be able to search for the user attempting to
login and use *that* person's credentials to authenticate into RT.


James

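As an added example (not code from the thread or from the ExternalAuth distribution), the RT_SiteConfig.pm fragment below pulls together the points made in this thread: LDAP listed as the only external service so that RT's own database is still checked afterwards (Mike, 13 May), a dedicated unprivileged bind account rather than an anonymous bind (James, 10 May), AutoCreate with Privileged set (Mike, 14 May), and the group restriction written as a full DN so the membership search does not fail with LDAP_INVALID_DN_SYNTAX (Mike, 14 May). The server name, DNs, group name and bind password are placeholders, not values from the thread.

```perl
# Added example, not the poster's config. All names below are placeholders.

# Only LDAP is an external source; RT-Internal is still tried after it,
# so existing MySQL-backed RT accounts keep working unchanged.
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# 0 as in the thread. Set to 1 and add 'tls' => 1 to the service below if
# the directory offers STARTTLS; otherwise the bind password and every
# user's password cross the network in clear text.
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);

# Users auto-created from LDAP get "Let this user be granted rights" ticked
# (group membership still has to be assigned in the RT admin pages).
Set($AutoCreate, { Privileged => 1 });

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',                      # placeholder

        # Dedicated bind account with read-only directory rights. Do not
        # reuse an admin account: this password is stored here in clear
        # text, so keep RT_SiteConfig.pm readable by the RT user only.
        'user'   => 'CN=rt-bind,OU=Service Accounts,DC=example,DC=com',
        'pass'   => 'PLACEHOLDER-BIND-PASSWORD',

        'base'   => 'OU=Users,DC=example,DC=com',            # placeholder
        'filter' => '(objectClass=user)',
        # Accounts with the AD ACCOUNTDISABLE bit set are treated as
        # disabled in RT (bitwise-AND matching rule OID, value 2).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # Group restriction. 'group' MUST be the group's full DN: the
        # module searches under this DN for an entry whose group_attr
        # holds the user's DN, so a bare name such as 'GROUP_NAME' is
        # rejected by the server with LDAP_INVALID_DN_SYNTAX (34).
        # Comment both keys out to allow every user matching 'filter'.
        'group'      => 'CN=RT-Users,OU=Groups,DC=example,DC=com',
        'group_attr' => 'member',

        # Which RT fields are used to find the user, and how LDAP
        # attributes map onto RT user fields.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'Organization'   => 'physicalDeliveryOfficeName',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
});
```

After changing the group keys, the quickest check is the rt.log line shown in the thread: a successful membership test logs a search under the group DN rather than a critical "failed: LDAP_INVALID_DN_SYNTAX 34".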