[rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses

Gerald Vogt vogt at spamcop.net
Sat Jan 18 08:27:13 EST 2014


Hi!

We use the ExternalAuth module to authenticate users against an LDAP
directory. Some users have multiple e-mail addresses, i.e. multiple
values for the LDAP mail attribute (e.g. gv2 at example.com and
vogt at example.com).

Users can send e-mails to the RT server from the e-mail address which
made it into the RT MySQL database without problems (let's say
vogt at example.com works).

However, if they send from a different e-mail address (i.e.
gv2 at example.com) it fails with error "Could not load a valid user".

The documentation mentions it should work if the user has e-mail addresses
from different attributes. But it doesn't say anything about multiple
values for the same attribute.

Browsing through the source code, it looks to me as if RT first only
checks against its internal database to find out whether a user with the
sender address already exists, then tries to create a new user for the
address, only to find that the user name matching this e-mail address in
LDAP already exists in the internal database.

Is this not possible or am I missing something here?

Thanks!

Logs show this:

Jan 17 13:57:56 rt4 RT: [5002] The RTAddressRegexp option is not set in
the config. Not setting this option results in additional SQL queries to
check whether each address belongs to RT or not. It is especially
important to set this option if RT recieves emails on addresses that are
not in the database or config. (/usr/local/rt4/sbin/../lib/RT/Config.pm:485)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii
(/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii
(/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Converting 'ascii' to 'utf-8' for
text/plain - test (/usr/local/rt4/sbin/../lib/RT/I18N.pm:295)
Jan 17 13:57:57 rt4 RT: [5007] Going to create user with address
'gv2 at example.com'
(/usr/local/rt4/sbin/../lib/RT/Interface/Email/Auth/MailFrom.pm:100)
Jan 17 13:57:57 rt4 RT: [5007]
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by
RT::Authen::ExternalAuth
/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
702 with: Comments: Autocreated on ticket submission, Disabled: ,
EmailAddress: gv2 at example.com, Name: gv2 at example.com, Password: ,
Privileged: , RealName:
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:599)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to get user info using this
external service: LDAP
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization
key: Name
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search ===  Base:
ou=people,o=ldap,o=root == Filter:
(&(objectclass=*)(uid=gv2 at example.com)) == Attrs:
l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization
key: EmailAddress
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search ===  Base:
ou=people,o=ldap,o=root == Filter:
(&(objectclass=*)(mail=gv2 at example.com)) == Attrs:
l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: ,
City: , Comments: Autocreated on ticket submission, Country: , Disabled:
, EmailAddress: vogt at example.com, ExternalAuthId: vogt, Gecos: Gerald
Vogt, Name: vogt, Organization: , Password: , Privileged: , RealName:
Gerald Vogt, State: , WorkPhone: , Zip:
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value $Username in
concatenation (.) or string at
/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm line 849.
Jan 17 13:57:57 rt4 RT: [5007] create new user. username = ,
emailaddress = gv2 at example.com
(/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:849)
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value in
concatenation (.) or string at
/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm line 859.
Jan 17 13:57:57 rt4 RT: [5007] loadbyemail got
(/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:859)
Jan 17 13:57:57 rt4 RT: [5007] User could not be created: User creation
failed in mailgateway: Name in use
Jan 17 13:57:57 rt4 RT: [5007] Couldn't load user
'gv2 at example.com'.giving up
Jan 17 13:57:57 rt4 RT: [5007] User could not be loaded: User
'gv2 at example.com' could not be loaded in the mail gateway
Jan 17 13:57:57 rt4 RT: [5007] Could not load a valid user: RT could not
load a valid user, and RT's configuration does not allow
for the creation of a new user for this email (gv2 at example.com).

You might need to grant 'Everyone' the right 'CreateTicket' for the
queue Firewall.
Jan 17 13:57:57 rt4 RT: [5007] Could not load a valid user: RT could not
load a valid user, and RT's configuration does not allow
for the creation of a new user for your email.
Jan 17 13:57:57 rt4 RT: [5007] Could not record email: Could not load a
valid user

LDAP configuration is this:

Plugin( "RT::Authen::ExternalAuth" );

Set($ExternalAuthPriority,  [ 'LDAP' ]);
Set($ExternalInfoPriority,  [ 'LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 1);
Set($AutoCreateNonExternalUsers,    0);
Set($ExternalSettings, {
    'LDAP'       =>  {
        'type'                      =>  'ldap',
        'server'                    =>  [ 'ldaps://dsp1.example.com',
'ldaps://dsp2.example.com' ],
        'user'                      =>  'cn=agent, ou=Special Users,
dc=adm',
        'pass'                    =>  'password',
        'base'                      =>  'ou=people,o=ldap,o=root',
        'filter'                    =>  '(objectclass=*)',
#        'd_filter'                  =>  '(FILTER_STRING)',
#        'group'                     =>  'GROUP_NAME',
#        'group_attr'                =>  'GROUP_ATTR',
        'tls'                       =>  1,
        'ssl_version'               =>  3,
        'net_ldap_args'             => [    version =>  3   ],
#        'group_scope'               =>  'base',
#        'group_attr_value'          =>  'GROUP_ATTR_VALUE',
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name' => 'uid',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'gecos',
            'ExternalAuthId' => 'uid',
            'Gecos' => 'gecos',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
} );

Gerald
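The following is an added example, not code from RT or from the post above: a small Python model of the lookup sequence the log shows (LoadByEmail against the Users table, then autocreation with LDAP-canonicalized info, which fails with "Name in use"). The RT Users table and the LDAP directory are in-memory stand-ins with constructed sample data; the attribute names come from the posted attr_map and attr_match_list. The assumption that a multi-valued mail attribute collapses to its first value is taken from the log, where the search for mail=gv2 returns EmailAddress: vogt. The audit function at the end lists the LDAP mail values that will hit this path for a given RT user table.

```python
"""Model of the RT 4.2.1 mail-gateway sender lookup described in the post.

Added example, not RT code. RT_USERS and LDAP_DIRECTORY are constructed
stand-ins for the RT Users table and the LDAP directory.
"""

# Constructed sample data (assumption: the existing RT row was created
# with the first 'mail' value, matching the canonicalized EmailAddress
# shown in the log).
RT_USERS = [
    {"Name": "vogt", "EmailAddress": "vogt@example.com"},
]

LDAP_DIRECTORY = [
    {"uid": "vogt", "mail": ["vogt@example.com", "gv2@example.com"],
     "gecos": "Gerald Vogt"},
    {"uid": "alice", "mail": ["alice@example.com"], "gecos": "Alice"},
]

# Subset of the attr_map / attr_match_list from the posted config.
ATTR_MAP = {"Name": "uid", "EmailAddress": "mail", "RealName": "gecos",
            "ExternalAuthId": "uid"}
ATTR_MATCH_LIST = ["Name", "EmailAddress"]


def ldap_search(attr, value):
    """Stand-in for the '(&(objectclass=*)(<attr>=<value>))' search in the log.

    Matches any value of a multi-valued attribute, as a real LDAP server does.
    """
    for entry in LDAP_DIRECTORY:
        values = entry.get(attr)
        if values is None:
            continue
        if value in (values if isinstance(values, list) else [values]):
            return entry
    return None


def canonicalize_user_info(info):
    """Try each key in attr_match_list in order (Name, then EmailAddress).

    Multi-valued attributes collapse to their first value: this is the
    assumption explaining why the log returns EmailAddress vogt@... for a
    search on mail=gv2@....
    """
    for key in ATTR_MATCH_LIST:
        entry = ldap_search(ATTR_MAP[key], info.get(key))
        if entry:
            result = {}
            for rt_field, ldap_attr in ATTR_MAP.items():
                v = entry.get(ldap_attr, "")
                result[rt_field] = v[0] if isinstance(v, list) else v
            return result
    return dict(info)


def load_by_email(address):
    """The first check: does a user with this exact address exist in RT?"""
    for user in RT_USERS:
        if user["EmailAddress"].lower() == address.lower():
            return user
    return None


def create_user(info):
    """Mirrors the 'Name in use' failure: a duplicate Name is rejected."""
    if any(u["Name"] == info["Name"] for u in RT_USERS):
        raise ValueError("User creation failed in mailgateway: Name in use")
    RT_USERS.append({"Name": info["Name"], "EmailAddress": info["EmailAddress"]})
    return RT_USERS[-1]


def resolve_sender(address):
    """The flow in the log: LoadByEmail, then autocreate with canonicalized info.

    Returns (user, None) on success or (None, error_message) on failure.
    """
    user = load_by_email(address)
    if user:
        return user, None
    info = canonicalize_user_info({"Name": address, "EmailAddress": address})
    try:
        return create_user(info), None
    except ValueError as e:
        return None, "Could not load a valid user: %s" % e


def addresses_that_will_fail():
    """Audit: secondary 'mail' values that no RT user row carries.

    Mail from these addresses reaches the autocreate path, and autocreation
    collides with the Name already stored for the first value.
    """
    known = {u["EmailAddress"].lower() for u in RT_USERS}
    return sorted(m for e in LDAP_DIRECTORY for m in e["mail"][1:]
                  if m.lower() not in known)


if __name__ == "__main__":
    print("will fail:", addresses_that_will_fail())
    for addr in ("vogt@example.com", "gv2@example.com"):
        print(addr, "->", resolve_sender(addr))
```

Run stand-alone it prints the audit list and the outcome for both addresses; the second address reproduces the "Name in use" error from the log because the canonicalized Name (uid) already exists while the sender's address was never stored on that row.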


