[rt-users] LDAP authentication fails in RT 3.6.1

Garret Huntress ghuntress at ciw.edu
Mon Nov 13 21:21:38 EST 2006


Hello,

I've been trying to set up LDAP integration in RT 3.6.1, however I am
unable to get authentication to work properly.  Authentication
against the LDAP directory succeeds (the code is able to bind with
the supplied credentials), however the $UserObj->Id variable remains
undefined, and the rest of the code fails.  I spent the weekend
poking around in the code; I've attached some logs below to help
explain what I have found.

Note, I've removed some details from the logs for privacy/security:
$MyUID is my LDAP UID
$MyDN is my LDAP DN
$MyEMAIL is my email
$MyINFO is all of the LDAP info


The first key line in the logs seems to be:
[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
Which occurs at this line of code in the LDAP Auth callback:
my ($val, $msg) = $UserObj->SetName($user);
What this means, I do not know.  I'm not familiar enough with RT's
structure to debug that line.

The next key log is:
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
So the code is able to bind with the credentials I supplied.  Our
LDAP server logs also indicate successful binding as my user.

The next key log:
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
Which occurs at this line in the LDAP Auth callback:
$RT::Logger->info("Autocreated authenticated user " . $UserObj->Name . " (" . $UserObj->Id . ")\n");
What's interesting about this is that the $UserObj->Id is blank.
This means that no data is loaded into the $session{'CurrentUser'}
variable, and the remainder of the code fails to execute because it
is dependent on $session{'CurrentUser'}->Id being set.


Is this a bug, or is something wrong with my LDAP mapping that causes
the $UserObj->Id value to not be set?  Below are the relevant LDAP
settings from my RT_SiteConfig.pm (I've left out server settings
since I know those are working):

Set($AuthMethods, ['LDAP', 'Internal']);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {'Name' => 'uid',
         'EmailAddress' => 'mail',
         'Organization' => 'o',
         'RealName' => 'cn',
         'ExternalContactInfoId' => 'dn',
         'ExternalAuthId' => 'uid',
         'Gecos' => 'uid',
         'WorkPhone' => 'telephoneNumber',
         'Address1' => 'street',
         'City' => 'l',
         'State' => 'st',
         'Zip' => 'postalCode',
         'Country' => 'co'}
);
Set($LdapRTAttrMatchList, ['ExternalContactInfoId',
         'Name',
         'EmailAddress',
         'RealName']
);
Set($LdapEmailAttrMatchList, ['mail']);
Set($LdapEmailAttrMatchPrefix, ['']);


-Garret

P.S. Logs

[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
[Sat Nov 11 19:34:19 2006] [debug]: Trying LDAP authentication (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:153)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsLDAPPassword Found LDAP DN: $MyDN (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:187)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: $MyUID, Name: $MyUID, Privileged: 0 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:378)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "MyDN" and filter "uid=$MyUID" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 393 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 402 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress  $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeUserInfo returning $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:411)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 194 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress  $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 561 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress  $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
[Sat Nov 11 19:34:19 2006] [error]: FAILED LOGIN for $MyUID from 10.1.1.254 (/usr/share/rt3/html/autohandler:238)
-- 
Garret W. Huntress
System Administrator / System Developer

Geophysical Laboratory
Carnegie Institution of Washington
5251 Broad Branch Road, NW
Washington, DC 20015
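
Added example, not part of the original post or of RT: a Python sketch that correlates the entries shown in the log above, flagging any FAILED LOGIN that follows a successful LDAP bind for the same user and noting whether an autocreate entry with an empty Id was logged in between. The sample log is constructed from the post's own entries and redaction placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: key entries from the log in the post, keeping its
# redaction placeholders ($MyUID, $MyDN); the second entry is left wrapped.
SAMPLE_LOG = """\
[Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user
$MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
[Sat Nov 11 19:34:19 2006] [error]: FAILED LOGIN for $MyUID from 10.1.1.254 (/usr/share/rt3/html/autohandler:238)
"""

ENTRY = re.compile(r"^\[([^\]]+)\]\s+\[(\w+)\]:\s+(.*)$")
AUTH_OK = re.compile(r"IsLDAPPassword AUTH OK:\s+(\S+)")
AUTOCREATED = re.compile(r"Autocreated authenticated user\s+(\S+)\s+\((\d*)\)")
FAILED = re.compile(r"FAILED LOGIN for\s+(\S+)\s+from\s+(\S+)")

def unwrap(text):
    """Rejoin mail-wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def find_auth_mismatches(text):
    """Return one finding per FAILED LOGIN that follows a successful LDAP bind."""
    bound, no_id, findings = set(), set(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts, _level, msg = m.groups()
        if (a := AUTH_OK.search(msg)):
            bound.add(a.group(1))
        elif (c := AUTOCREATED.search(msg)) and c.group(2) == "":
            no_id.add(c.group(1))          # user object logged with an empty Id
        elif (f := FAILED.search(msg)) and f.group(1) in bound:
            user, src = f.groups()
            findings.append({"time": ts, "user": user, "source": src,
                             "autocreate_without_id": user in no_id})
            bound.discard(user)            # one finding per bind/failure pair
    return findings

if __name__ == "__main__":
    for finding in find_auth_mismatches(SAMPLE_LOG):
        print(finding)
```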