ldap auth for request-tracker3.6 on debian etch

The debian request-tracker3.6 package puts things in different places than request tracker expects.

If you haven’t yet run ‘zless /usr/share/doc/request-tracker3.6/NOTES.Debian.gz’ do so now!

At first, after following the steps outlined on the bestpractical RT wiki for the LDAP Overlay, I was befuddled by not seeing any LDAP traffic at all. Looking in /var/log/syslog, I noticed an LDAP request when I logged into the local root account, but none when I tried to log in as an LDAP user. It turns out RT doesn't bother trying LDAP auth if the account doesn't already exist locally, so you need to use LdapAutocreateAuthCallback. But where do you put it on Debian etch?

/usr/share/request-tracker3.6/html/Callbacks/LDAP/autohandler/Auth

Auth is the filename, and you may need to create those folders.

logs for a local user:

syslog:Jan 23 09:11:12 hostname RT: Trying LDAP authentication
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: root (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED

failing logs for an ldap ONLY user:

Jan 23 09:27:12 hostname RT: FAILED LOGIN for btmsldapuser from 10.0.0.60 (/usr/share/request-tracker3.6/html/autohandler:238)
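The two log patterns above are the whole diagnostic, so here is an added example (mine, not from the post or from RT) that automates it: a small Python script that reads RT syslog lines and, for every FAILED LOGIN, reports whether RT actually consulted LDAP first. The sample lines are constructed from the ones quoted above; the "alice" entries and the five-second pairing window are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt modelled on the lines quoted in the post.
# root and btmsldapuser come from the post; "alice" is an added, made-up case
# of a user who exists locally but typed the wrong LDAP password.
SAMPLE_LOG = """\
Jan 23 09:11:12 hostname RT: Trying LDAP authentication
Jan 23 09:11:12 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: root (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
Jan 23 09:11:12 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED
Jan 23 09:27:12 hostname RT: FAILED LOGIN for btmsldapuser from 10.0.0.60 (/usr/share/request-tracker3.6/html/autohandler:238)
Jan 23 09:30:01 hostname RT: Trying LDAP authentication
Jan 23 09:30:01 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: alice (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
Jan 23 09:30:01 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED
Jan 23 09:30:02 hostname RT: FAILED LOGIN for alice from 10.0.0.61 (/usr/share/request-tracker3.6/html/autohandler:238)
"""

# An optional "syslog:" prefix is tolerated because grep -H output looks like that.
LINE_RE = re.compile(r'^(?:syslog:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ RT: (?P<msg>.*)$')
LDAP_FAIL_RE = re.compile(r'IsLDAPPassword AUTH FAILED: (?P<user>\S+)')
LOGIN_FAIL_RE = re.compile(r'FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)')

REASONS = {
    'ldap-rejected': 'LDAP was consulted and rejected the credentials',
    'no-ldap-attempt': 'RT never tried LDAP: the account probably does not exist locally, '
                       'so the autocreate callback (html/Callbacks/LDAP/autohandler/Auth) is missing',
}

def _ts(s):
    # syslog timestamps carry no year; good enough for comparing lines from one day
    return datetime.strptime(' '.join(s.split()), '%b %d %H:%M:%S')

def classify_failed_logins(log_text, window_seconds=5):
    """Return [(user, ip, reason)] for every FAILED LOGIN line, pairing it with the
    most recent LDAP attempt logged for the same user within window_seconds."""
    last_ldap_attempt = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = _ts(m.group('ts')), m.group('msg')
        f = LDAP_FAIL_RE.search(msg)
        if f:
            last_ldap_attempt[f.group('user')] = ts
            continue
        f = LOGIN_FAIL_RE.search(msg)
        if f:
            user, seen = f.group('user'), last_ldap_attempt.get(f.group('user'))
            recent = seen is not None and 0 <= (ts - seen).total_seconds() <= window_seconds
            results.append((user, f.group('ip'), 'ldap-rejected' if recent else 'no-ldap-attempt'))
    return results

if __name__ == '__main__':
    for user, ip, reason in classify_failed_logins(SAMPLE_LOG):
        print(f'{user} from {ip}: {reason} ({REASONS[reason]})')
```

Feed it `grep ' RT: ' /var/log/syslog` on the RT host; a stream of "no-ldap-attempt" results for real directory users means the callback is not being picked up from the path described above.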

My configs follow:

# RT_SiteConfig.pm
#
# These are the bits you absolutely *must* edit.
#
# To find out how, please read
# /usr/share/doc/request-tracker3.6/NOTES.Debian

# THE BASICS:

Set($rtname, 'host.domain.com');
Set($Organization, 'domain.com');

Set($CorrespondAddress , 'rt@domain.com');
Set($CommentAddress , 'rt-comment@domain.com');

Set($Timezone , 'US/Pacific'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'rtpassword');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , "");
Set($WebBaseURL , "http://host.domain.com");

# Authentication

### What auth methods do you like and in what order?

Set($AuthMethods, ['LDAP', 'Internal']);
#Set($AuthMethods, ['LDAP']);
### LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
#
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

### Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

### Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
#
### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
### IT TO MATCH YOUR LDAP SCHEMA! See http://wiki.bestpractical.com/view/LdapAttrMap
### to learn how to set this variable properly for either LDAP or Windows
### Active Directory.
Set($LdapAttrMap, {
    'Name' => 'sAMAccountName',
    'EmailAddress' => 'mail',
    'Organization' => 'physicalDeliveryOfficeName',
    'RealName' => 'cn',
    'ExternalContactInfoId' => 'dn',
    'ExternalAuthId' => 'sAMAccountName',
    'Gecos' => 'sAMAccountName',
    'HomePhone' => 'homePhone',
    'WorkPhone' => 'telephoneNumber',
    'MobilePhone' => 'mobile',
    'PagerPhone' => 'pager',
    'Address1' => 'streetAddress',
    'Address2' => 'postOfficeBox',
    'City' => 'l',
    'State' => 'st',
    'Zip' => 'postalCode',
    'Country' => 'co',
    'FreeformContactInfo' => 'info'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
    'EmailAddress', 'RealName',
    'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
    'mailAlternateAddress']
);
# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes of smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'ldap.domain.com');
Set($LdapBase, 'dc=domain,dc=com');
Set($LdapFilter, '(objectclass=*)');
#Set($LdapFilter, '(objectclass=posixAccount)');
# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
#
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#
Set($LdapUser, 'binddn');
Set($LdapPass, 'bindpassword');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###

### Authentication settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');
# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);

1;

and my apache2 config:

NameVirtualHost *

<VirtualHost *>
    ServerName rt.domain.com
    ServerAlias rt
    ServerAdmin admin@domain.com
    AddDefaultCharset UTF-8

    PerlModule Apache2::RequestRec Apache2::compat
    PerlModule Apache::DBI
    PerlRequire /usr/share/request-tracker3.6/libexec/webmux.pl
    PerlSetVar MasonArgsMethod CGI

    DocumentRoot /usr/share/request-tracker3.6/html
    SetHandler perl-script
    PerlHandler RT::Mason

    RedirectMatch permanent (.*)/$ http://rt.domain.com$1/index.html

    ErrorLog /var/log/apache2/rt.error.log
    LogLevel warn
    CustomLog /var/log/apache2/rt.access.log combined
    ServerSignature On
</VirtualHost>
