[rt-users] Could not load valid user - ExternalAuth

Mike Johnson mike.johnson at nosm.ca
Tue Jul 2 14:24:27 EDT 2013


Hi all,

I need some help with understanding my setup :D It works for a good
majority of cases, but we want to do something new with AD and it's
breaking, and I think I assumed something about our setup that isn't quite
true... now I'm stuck on figuring out why my user isn't getting loaded.

We used Best Practical to help set up our ExternalAuth so that our LDAP
settings allowed emails from 2 types of email addresses to map to 1 RT account (don't
get me started on why people are potentially emailing from 2 accounts).

We had to ensure our AD had both email addresses listed, and we chose to
put them in the mail and pager attributes respectively. Both emails will
end in @nosm.ca, but they are typically username@nosm.ca and RealName@nosm.ca (i.e.
aliases).

Anyway, our $ExternalSettings below works perfectly for the standard...

However, when we put a non-@nosm.ca email into either mail or pager, we are
getting a "Could not load a valid user" message and I'm not sure why...

Here are my settings (I removed non-essential stuff like connection info and
our OU structure/group names):
Set($ExternalSettings, {
    'NORMEDISA' => {
        'type'          => 'ldap',
        'server'        => 'XXX.XXX.XXX.XXX',
        'user'          => 'XXXXXXXXXX',
        'pass'          => 'XXXXXXXXXX',
        'base'          => 'XXXXXXXXXX',
        'filter'        => '(&(objectCategory=User) (ObjectClass=Person))',
        'd_filter'      => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        'group'         => 'some_group',
        'group_attr'    => 'member',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => ['mail', 'pager'],
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});

The people that aren't getting in are ones that exist in AD but don't have
an RT account. The AD account has either mail or pager, or both, and one of
those attributes has a non-@nosm.ca value.

I'm not sure where it's breaking...

Any thoughts?
Mike.
-- 
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON   P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson at nosm.ca
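An added example, not part of Mike's post or of RT's own ExternalAuth code: it builds the LDAP lookup filter the posted settings imply (the base 'filter' plus mail/pager alternatives for the EmailAddress mapping, with RFC 4515 escaping) and applies the d_filter disabled-account bit to constructed AD entries. How RT actually composes these settings into a search is an assumption here; the entries and addresses are made up.

```python
import re

# Derived from the posted settings (assumption: RT ANDs 'filter' with the attribute match).
BASE_FILTER = "(&(objectCategory=User)(ObjectClass=Person))"
EMAIL_ATTRS = ["mail", "pager"]   # attr_map: EmailAddress => ['mail', 'pager']
ACCOUNTDISABLE = 0x2              # bit tested by d_filter (...:1.2.840.113556.1.4.803:=2)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so an address cannot alter the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def email_lookup_filter(address: str) -> str:
    """Filter that finds a user by address in any of the mapped email attributes."""
    esc = escape_filter_value(address)
    alternatives = "".join(f"({attr}={esc})" for attr in EMAIL_ATTRS)
    return f"(&{BASE_FILTER}(|{alternatives}))"


def is_disabled(entry: dict) -> bool:
    """True when userAccountControl has the ACCOUNTDISABLE bit set (d_filter match)."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def matching_users(address: str, entries: list) -> list:
    """sAMAccountNames the lookup would return, excluding accounts d_filter flags as disabled."""
    addr = address.lower()
    return [e["sAMAccountName"] for e in entries
            if not is_disabled(e)
            and any(e.get(attr, "").lower() == addr for attr in EMAIL_ATTRS)]


# Constructed sample directory entries (not real accounts).
AD_ENTRIES = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@nosm.ca", "pager": "Jane.Doe@nosm.ca",
     "userAccountControl": 512},
    {"sAMAccountName": "rroe", "mail": "rroe@nosm.ca", "pager": "richard@example.org",
     "userAccountControl": 512},
    {"sAMAccountName": "old", "mail": "old@nosm.ca", "userAccountControl": 514},  # 512 + disabled
]

if __name__ == "__main__":
    print(email_lookup_filter("richard@example.org"))
    print(matching_users("richard@example.org", AD_ENTRIES))  # ['rroe']
    print(matching_users("old@nosm.ca", AD_ENTRIES))          # [] (disabled account)
```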