Old 03-07-2012, 02:06 AM   #1
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Rep: Reputation: Disabled
Request Tracker installation and Windows AD integration.. any help?


Greetings all,

Got Request Tracker (RT4) installed on Cent OS 5.6 successfully using the online documentation.
Now I want to integrate it with our existing windows 2003 Active Directory domain.
Searched online and got ExternalAuth module. Got it installed and configured. But still somehow no authentication using AD credentials.
Have looked around google and duckduckgo but did not find anything relevant.
Whatever I could find, I tried to use the information but nothing helped.
Any help would be appreciated.
 
Old 03-07-2012, 02:12 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
divide and conquer.

That plugin will presumably be using ldap, so verify that the LDAP queries are happening. For this *I* would use wireshark / tcpdump to grab the network traffic and look at the ldap bind requests etc. Obviously I'd also first look at the log files etc for useful info.
 
Old 03-07-2012, 03:47 AM   #3
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
I am unable to find anything in log files. That is something strange to me. Let me use your other advice of using packet grabber to see if I can find anything. I would have liked to configure log file though.
 
Old 03-07-2012, 04:04 AM   #4
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Okay I enabled file logging and found this in the logs

Code:
[Wed Mar  7 10:03:39 2012] [debug]: Autohandler called ExternalAuth. Response: (0, ExternalAuthPriority not defined, please check your configuration file.) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
Don't get much of it. I have checked the file but it is a read only file and possibly not meant for manually editing.
If anyone can understand what this means.

I am pasting the contents of the said file here for helping others help me

Code:
<%once>
my $loaded_user = 0;
</%once>
<%init>

use RT::Authen::ExternalAuth;

my ($val,$msg);
unless($session{'CurrentUser'} && $session{'CurrentUser'}->Id) {
    ($val,$msg) = RT::Authen::ExternalAuth::DoAuth(\%session,$user,$pass);
    $RT::Logger->debug("Autohandler called ExternalAuth. Response: ($val, $msg)");
}

return;
</%init>

<%ARGS>
$user => undef
$pass => undef
$menu => undef
</%ARGS>
 
Old 03-07-2012, 04:09 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
it doesn't say check that file, it says check your configuration file. That file name is there to identify where the error message came from.
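
An added example, not part of the thread and not the poster's actual configuration: the kind of RT_SiteConfig.pm fragment the "ExternalAuthPriority not defined" message refers to, using the setting names documented for RT::Authen::ExternalAuth. The service name My_LDAP is taken from the log lines in this thread; the server, bind DN, password and base DN are placeholders, and the attribute mappings are assumptions about a typical Active Directory schema.

```perl
# RT_SiteConfig.pm fragment (added example; every value below is a placeholder)
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

# Services to try, in order, for authentication and for user information.
# Leaving the first one unset produces the "ExternalAuthPriority not defined" error.
Set( $ExternalAuthPriority, [ 'My_LDAP' ] );
Set( $ExternalInfoPriority, [ 'My_LDAP' ] );

# Set to 1 when any service below uses SSL or TLS.
Set( $ExternalServiceUsesSSLorTLS, 0 );

# Do not auto-create RT accounts for users the directory does not know.
Set( $AutoCreateNonExternalUsers, 0 );

Set( $ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'dc01.example.com',                          # placeholder
        # Bind account: full DN of a low-privilege, read-only account.
        'user'   => 'CN=rt-bind,OU=Service,DC=example,DC=com',   # placeholder
        'pass'   => 'CHANGE_ME',                                 # placeholder
        'base'   => 'DC=example,DC=com',                         # placeholder

        # Must be a complete, parenthesised LDAP filter.
        'filter'   => '(objectClass=user)',
        # Matches only disabled accounts (AD bitwise-AND rule on bit 2).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        # With tls => 0 the bind password and every user's password cross
        # the network in clear text; use 1 once the DC has a certificate.
        'tls'           => 0,
        'net_ldap_args' => [ version => 3 ],

        # RT fields used to find the user, and their directory attributes.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
} );
```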
 
Old 03-07-2012, 05:15 AM   #6
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Now this is what I find in the logs after doing some more configuration
Code:
[Wed Mar  7 11:15:07 2012] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:492)
[Wed Mar  7 11:15:07 2012] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Mar  7 11:15:07 2012] [error]: FAILED LOGIN for cambaselkar from 10.10.8.94 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:665)
While this says "INVALID CREDENTIALS", I am sure none of the credentials are wrong. The credentials that I am using to bind to the LDAP are correct and are working with Bugzilla on other server while the credentials I am using to login are the one I have used to login to the system I am writing this from.

Interesting... I think ldapsearch should give me some information on this. Only if I knew how to use "ldapsearch" tool.
 
Old 03-07-2012, 05:36 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yeah, ldapsearch and wireshark would be absolutely what I'd use. Grab bugzilla binds and rt binds and compare them
 
Old 03-07-2012, 05:42 AM   #8
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Both the binds are similar. And the credentials too are same. But I got to know from some googling that RT needs complete CN in user name as well while binding. Did the changes. But still the same issue.
This is the error that I am facing now:

Code:
 User Check Failed :: ( My_LDAP ) <username> User not found (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:343)
[Wed Mar  7 11:35:39 2012] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Mar  7 11:35:39 2012] [error]: FAILED LOGIN for <username> from 10.10.8.94 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:665)
 
Old 03-07-2012, 05:43 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
looks like it's searching and not finding the user, as opposed to not being able to bind as that user. just a guess... You may well find more RT specific routes, but generically, you want to see that search actually happen.
 
Old 03-07-2012, 05:53 AM   #10
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Could it be that it's searching for a field name that is not valid? I am mapping uid attribute to sAMAccountName?
 
Old 03-07-2012, 05:56 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
it could be, but going and LOOKING AT THE SEARCH would be a good way to find out. You should be able to use the cn attribute too I think.
 
Old 03-07-2012, 06:25 AM   #12
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Using ldapsearch command really did the trick. Eliminated the issues related to the LDAP search. Now a very different issue. After giving user name and password for LDAP user, a blank page with only one on it:

Code:
Can't call method "as_string" on an undefined value at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 329, line 29.
Can not understand this.
 
Old 03-07-2012, 06:42 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well in that case I'd look at that code, find the value and see if that inspires anything, hopefully on the configuration file side, as it would sound like it's hopefully expecting a config variable to exist but doesn't. Esp as it's calling "as_string" which would often be used to coerce data you don't possibly totally trust into a known format, e.g. a numerical value in the config file might be able to not be put in quote marks to make it a string, making it an integer value instead, which would need messing with.

Last edited by acid_kewpie; 03-07-2012 at 06:44 AM.
 
Old 03-09-2012, 12:52 AM   #14
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
I have searched google and duckduckgo but have not found anything substantial as yet and the error continues to bug me down. For anyone with Perl knowledge, I am pasting the code here for review.
PS: I have not written a single line of it. It is a part of External Auth Package.

Code:
# Check that the user exists in the LDAP service
    $RT::Logger->debug( "LDAP Search === ",  # <== This is line 329, which is shown in the error
                        "Base:",
                        $base,
                        "== Filter:",
                        $filter->as_string,
                        "== Attrs:",
                        join(',',@attrs));

    my $user_found = $ldap->search( base    => $base,
                                    filter  => $filter,
                                    attrs   => \@attrs);

    if($user_found->count < 1) {
        # If 0 or negative integer, no user found or major failure
        $RT::Logger->debug( "User Check Failed :: (",
                            $service,
                            ")",
                            $username,
                            "User not found");
        return 0;
    } elsif ($user_found->count > 1) {
        # If more than one result returned, die because we the username field should be unique!
        $RT::Logger->debug( "User Check Failed :: (",
                            $service,
                            ")",
                            $username,
                            "More than one user with that username!");
        return 0;
    }
 
Old 03-09-2012, 02:42 AM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well I hope you appreciate it is pretty obvious that the "$filter" variable is what's causing the error. Presumably that means there is no search filter provided, although it doesn't seem like it should be essential, and a lack of one should be handled.

10 seconds on google gives me this page: http://requesttracker.wikia.com/wiki...ConfigSettings which gives examples of RT ldap filters to set. Does that $LdapFilter value end up being used in that $filter value? Sounds reasonable. I really hope this is not new to you. I've never touched RT in my life and it all looks pretty self explanatory to me.
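
An added example, not part of the thread and not the plugin's own code: a standalone Perl check of a search filter before it reaches a line like `$filter->as_string`. Net::LDAP::Filter->new returns undef when the string it is given does not parse, which is one way to end up calling `as_string` on an undefined value. The helper build_user_filter, the way it combines the configured filter with the login name, and all sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Filter;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical helper: combine the configured base filter with the login
# name. Returns (filter_object, undef) on success or (undef, reason).
sub build_user_filter {
    my ($base_filter, $name_attr, $username) = @_;

    return (undef, "no 'filter' configured")
        unless defined $base_filter && length $base_filter;
    return (undef, "no attr_map entry for Name")
        unless defined $name_attr && length $name_attr;

    # Escape the user-supplied part so that * ( ) \ are matched literally
    # and cannot change the structure of the search (LDAP filter injection).
    my $string = sprintf '(&%s(%s=%s))',
        $base_filter, $name_attr, escape_filter_value($username);

    # new() returns undef when the string is not a valid filter, so test
    # the result before calling any method on it.
    my $filter = Net::LDAP::Filter->new($string);
    return (undef, "filter does not parse: $string") unless defined $filter;

    return ($filter, undef);
}

# Constructed sample inputs: [ configured filter, name attribute, login ]
my @cases = (
    [ '(objectClass=user)', 'sAMAccountName', 'jdoe' ],
    [ '(objectClass=user',  'sAMAccountName', 'jdoe' ],     # unbalanced parenthesis
    [ undef,                'sAMAccountName', 'jdoe' ],     # filter not set
    [ '(objectClass=user)', 'sAMAccountName', 'j*)(cn=*' ], # metacharacters in login
);

for my $case (@cases) {
    my ($filter, $why) = build_user_filter(@$case);
    print defined $filter
        ? "OK   " . $filter->as_string . "\n"
        : "FAIL $why\n";
}
```

The string printed for a filter that parses can be passed unchanged to ldapsearch, together with the same base DN and bind account, to confirm it returns exactly one entry.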
 
  

