[rt-users] SOLVED: LDAP authentication fails in RT 3.6.1

Garret Huntress ghuntress at ciw.edu
Fri Nov 24 20:36:20 EST 2006


I figured this one out after some more experimentation.  In the event
that there is a user in the local database with the same e-mail
address as the user logging in, and the account for the LDAP user
needs to be created, creation fails, although no exception is logged
indicating that *this* is the case.  For example:

Local:
Username: testuser at domain.com
Email: testuser at domain.com
(Created prior to ldap integration through the e-mail gateway or when  
added as a watcher to a ticket)

LDAP:
Username: testuser
Email: testuser at domain.com

When testuser attempts to log in, LDAP auth is successful, the
account creation fails, and testuser is denied the ability to log in
to RT.

An error about the fact that there was an e-mail address conflict  
during account creation would be most helpful.

-Garret

On Nov 13, 2006, at 9:21 PM, Garret Huntress wrote:

> Hello,
>
> I've been trying to set up LDAP integration in RT 3.6.1, however I
> am unable to get authentication to work properly.  Authentication
> against the LDAP directory succeeds (the code is able to bind with
> the supplied credentials), however the $UserObj->Id variable
> remains undefined, and the rest of the code fails.  I spent the
> weekend poking around in the code, and I've attached some logs below to
> help explain what I have found.
>
> Note, I've removed some details from the logs for privacy/security:
> $MyUID is my ldap UID
> $MyDN is my ldap DN
> $MyEMAIL is my Email
> $MyINFO is all of the LDAP info
>
>
> The first key line in the logs seems to be:
> [Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
> Which occurs at this line of code in the LDAP Auth callback:
> my ($val, $msg) = $UserObj->SetName($user);
> What this means, I do not know.  I'm not familiar enough with RT's
> structure to debug that line.
>
> The next key log is:
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
> So the code is able to bind with the credentials I supplied.  Our
> LDAP server logs also indicate successful binding as my user.
>
> The next key log:
> [Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
> Which occurs at this line in the LDAP Auth callback:
> $RT::Logger->info("Autocreated authenticated user " . $UserObj->Name . " (" . $UserObj->Id . ")\n");
> What's interesting about this is that the $UserObj->Id is blank.
> This means that no data is loaded into the $session{'CurrentUser'}
> variable, and the remainder of the code fails to execute because it
> depends on $session{'CurrentUser'}->Id being set.
>
>
> Is this a bug, or is something wrong with my LDAP mapping that
> causes the $UserObj->Id value to not be set?  Below are the relevant
> LDAP settings from my RT_SiteConfig.pm (I've left out server
> settings since I know those are working):
>
> Set($AuthMethods, ['LDAP', 'Internal']);
> Set($LdapExternalAuth, 1);
> Set($LdapExternalInfo, 1);
> Set($LdapAutoCreateNonLdapUsers, 1);
> Set($LdapAttrMap, {'Name' => 'uid',
>         'EmailAddress' => 'mail',
>         'Organization' => 'o',
>         'RealName' => 'cn',
>         'ExternalContactInfoId' => 'dn',
>         'ExternalAuthId' => 'uid',
>         'Gecos' => 'uid',
>         'WorkPhone' => 'telephoneNumber',
>         'Address1' => 'street',
>         'City' => 'l',
>         'State' => 'st',
>         'Zip' => 'postalCode',
>         'Country' => 'co'}
> );
> Set($LdapRTAttrMatchList, ['ExternalContactInfoId',
>         'Name',
>         'EmailAddress',
>         'RealName']
> );
> Set($LdapEmailAttrMatchList, ['mail']);
> Set($LdapEmailAttrMatchPrefix, ['']);
>
>
> -Garret
>
> P.S. Logs
>
> [Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
> [Sat Nov 11 19:34:19 2006] [debug]: Trying LDAP authentication (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:153)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsLDAPPassword Found LDAP DN: $MyDN (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:187)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: $MyUID, Name: $MyUID, Privileged: 0 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:378)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "MyDN" and filter "uid=$MyUID" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 393 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 402 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
> [Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeUserInfo returning $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:411)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 194 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
> [Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 561 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
> [Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
> [Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
> [Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
> [Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
> [Sat Nov 11 19:34:19 2006] [error]: FAILED LOGIN for $MyUID from 10.1.1.254 (/usr/share/rt3/html/autohandler:238)
> -- 
> Garret W. Huntress
> System Administrator / System Developer
>
> Geophysical Laboratory
> Carnegie Institution of Washington
> 5251 Broad Branch Road, NW
> Washington, DC 20015

-- 
Garret W. Huntress
System Administrator / System Developer

Geophysical Laboratory
Carnegie Institution of Washington
5251 Broad Branch Road, NW
Washington, DC 20015

Email: ghuntress at ciw.edu
Phone: (202)-478-8973
AIM: Garret Huntress
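The collision Garret describes (a local RT user already holding the LDAP user's e-mail address under a different Name, so autocreation fails silently) can be caught before LDAP autocreation is switched on. The script below is an added example, not code from the thread or from RT: it assumes you have exported the local RT users (Name, EmailAddress) and the LDAP entries (uid, mail) into lists of dicts, uses the same Name => uid and EmailAddress => mail mapping as the $LdapAttrMap in the quoted config, and runs on constructed sample data mirroring the testuser case.

```python
"""Pre-flight audit for RT LDAP autocreation collisions (added example).

Assumes local RT users and LDAP entries were exported beforehand;
the sample records below are constructed for a hypothetical domain.
"""
from typing import Dict, List

# Constructed sample data: the first local user mirrors the thread's case
# (Name equal to the e-mail address, created via the mail gateway).
LOCAL_RT_USERS = [
    {"Name": "testuser@domain.com", "EmailAddress": "testuser@domain.com"},
    {"Name": "alice", "EmailAddress": "alice@domain.com"},
    {"Name": "gateway-only", "EmailAddress": ""},
]
LDAP_ENTRIES = [
    {"uid": "testuser", "mail": "testuser@domain.com"},  # collides
    {"uid": "alice", "mail": "alice@domain.com"},        # same Name: loads fine
    {"uid": "bob", "mail": "Bob@Domain.com"},            # no local record
]
# Subset of the thread's $LdapAttrMap: the two fields RT keeps unique.
ATTR_MAP = {"Name": "uid", "EmailAddress": "mail"}


def norm_email(addr: str) -> str:
    """Case-insensitive comparison is an assumption made here so that the
    audit errs on the side of reporting a conflict."""
    return addr.strip().lower()


def find_collisions(local: List[Dict[str, str]], ldap: List[Dict[str, str]],
                    attr_map: Dict[str, str] = ATTR_MAP) -> List[Dict[str, str]]:
    """Return LDAP entries whose autocreation would clash with a local user.

    A clash is an LDAP mail that matches a local EmailAddress while the
    LDAP uid differs from that local Name: RT would try to create a new
    user with an e-mail address that is already taken, which is the
    failure described in the thread.
    """
    by_email = {norm_email(u["EmailAddress"]): u
                for u in local if u.get("EmailAddress")}
    name_attr, mail_attr = attr_map["Name"], attr_map["EmailAddress"]
    problems = []
    for entry in ldap:
        mail = entry.get(mail_attr, "")
        local_user = by_email.get(norm_email(mail)) if mail else None
        if local_user and local_user["Name"] != entry[name_attr]:
            problems.append({"ldap_uid": entry[name_attr],
                             "local_name": local_user["Name"],
                             "email": mail})
    return problems


if __name__ == "__main__":
    for p in find_collisions(LOCAL_RT_USERS, LDAP_ENTRIES):
        print(f"CONFLICT: LDAP uid {p['ldap_uid']!r} vs local user "
              f"{p['local_name']!r} on {p['email']}")
```

Whether to merge or rename the conflicting local account is an administrative decision the thread does not address; the script only surfaces the records that would fail to autocreate.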



