[rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth
Bill Teeple
teeps at 3leafsystems.com
Thu May 29 17:33:29 EDT 2008
OK,
I have just finished splunking about 4 months of back articles/e-mails
on LDAP Authentication within RT and have run up against some sort of
error that I might just be misinterpreting.
DEBUG Logging is enabled.
I am using the ExternAuth using LDAP to Windows 2003 SP2 based Active
Directory controllers.
(also - note - I put rt3 within the /var volume not the /opt volume)
Running on CentOS 5.1 32 bit - fully patched.
Here is a part of my log:
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as
you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying
External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth
service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search === Base:
ou=Corporate,dc=3leafnetworks,dc=corp == Filter:
(&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn
(/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP
Search,OU=Corporate,DC=3leafnetworks,DC=corp
(/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External
Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled:
0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0
(/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
Here is my RT_SiteConfig.pm:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm
Set( $rtname, '3leafnetworks.com');
Set($SendmailPath , "/usr/sbin/sendmail");
Set($SendmailArguments , "-oi -t");
Set($AuthMethods, ['LDAP','internal']);
Set($LogToFileNamed, "/var/log/rt3/rt.log");
Set($LogToFile, 'debug');
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
#Set($AutoCreateNonExternalUsers, 1);
# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalAuthPriority,['My_LDAP']);
#
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'          => 'ldap',
        'auth'          => 1,
        'info'          => 1,
        'server'        => 'zeus.3leafnetworks.com',
        # single-quoted, so '\\' is one literal backslash: 3LEAF\ldapsearch
        'user'          => '3LEAF\\ldapsearch',
        'pass'          => 'ldapsearch',
        'base'          => 'ou=Corporate,dc=3leafnetworks,dc=corp',
        'filter'        => '(objectclass=Person)',
        # AD bitwise-AND matching rule on userAccountControl; bit 2 = ACCOUNTDISABLE
        'd_filter'      => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'           => 0,
        'net_ldap_args' => [ version => 3 ],
        #'group'        => 'GROUP_NAME',
        #'group_attr'   => 'GROUP_ATTR',
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
}
);
1;
When I uncomment the:
#Set($AutoCreateNonExternalUsers, 1);
line, my attempted user gets AUTO-CREATED in the system, but no
attributes are pulled over.
As you can see by the log file above, when a user (in log above, example
user is called ldapsearch) who is not within RT attempts to log on,
settings are pulled just fine - it even says it has authenticated
properly, but then the last line:
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
Shows me that the account is attempting to be created, but the "( )" is
missing an ID of some?
This coupled with the error further UP the log:
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as
you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
leads me to believe that I might be missing like ONE setting that would
allow this to all JIVE the way it should.
--
***********************************************************************
* Bill Teeple * *
* Manager of I.T. Department * 3255-1 Scott Blvd *
* 3Leaf Systems * Suite 200 *
* * Santa Clara, CA 95054 *
* http://www.3leafsystems.com * main (408) 572-5900 *
* * fax (408) 727-2008 *
* AIM: t33ps * *
* Yahoo: t33ps * direct (408) 572-5128 *
***********************************************************************
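Two pieces of the config in this post are worth seeing in isolation: the search filter RT logged for the login name, (&(sAMAccountName=...)(objectclass=Person)), and the d_filter, which uses the Active Directory bitwise-AND matching rule to test the ACCOUNTDISABLE bit of userAccountControl. The Python below is an added example, not code from this post, from RT, or from RT::Authen::ExternalAuth. It builds the filter with RFC 4515 escaping of the login name (so a name containing '*', '(' or ')' cannot change the filter's meaning), applies the d_filter bit test, and maps a subset of the post's attr_map onto RT fields, reporting which fields come back empty, which is what the empty EmailAddress in the log looks like. The directory entries are constructed; the DNs, names and numbers are not real accounts.

```python
"""Filter construction, disabled-account test and attr_map lookup, modelled
on the ExternalAuth LDAP settings in the rt-users post.

Added example; not code from the post, RT or RT::Authen::ExternalAuth.
"""

# Bit tested by the post's d_filter (userAccountControl:1.2.840.113556.1.4.803:=2).
# 1.2.840.113556.1.4.803 is AD's LDAP_MATCHING_RULE_BIT_AND; 0x2 is ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002

# Subset of the attr_map from the post's RT_SiteConfig.pm (RT field -> AD attribute).
ATTR_MAP = {
    "Name": "sAMAccountName",
    "EmailAddress": "mail",
    "RealName": "cn",
    "Gecos": "sAMAccountName",
    "WorkPhone": "telephoneNumber",
}

# Constructed sample directory entries (hypothetical domain, not real accounts).
SAMPLE_ENTRIES = [
    {"dn": "CN=LDAP Search,OU=Corporate,DC=example,DC=corp",
     "objectclass": ["top", "person", "user"],
     "sAMAccountName": "ldapsearch",
     "cn": "LDAP Search",
     # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; no mail, no phone
     "userAccountControl": "66048"},
    {"dn": "CN=Jane Doe,OU=Corporate,DC=example,DC=corp",
     "objectclass": ["top", "person", "user"],
     "sAMAccountName": "jdoe",
     "cn": "Jane Doe",
     "mail": "jdoe@example.com",
     "telephoneNumber": "+1 555 0100",
     # 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE
     "userAccountControl": "514"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, 2.4).

    Each of \\ * ( ) and NUL becomes a backslash followed by two hex digits, so
    the caller's login name is always an assertion value and never filter syntax.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(name: str, base_filter: str = "(objectclass=Person)") -> str:
    """Build the filter RT logged for the login attempt, with the name escaped."""
    return "(&(%s=%s)%s)" % (ATTR_MAP["Name"], escape_filter_value(name), base_filter)


def is_disabled(entry: dict) -> bool:
    """Apply the d_filter semantics: bitwise AND of userAccountControl with 2."""
    uac = int(entry.get("userAccountControl", "0"))
    return bool(uac & UF_ACCOUNTDISABLE)


def canonicalize(entry: dict) -> tuple:
    """Map AD attributes onto RT fields via ATTR_MAP.

    Returns (fields, missing): fields has every RT key, '' where the entry lacks
    the attribute; missing lists the RT fields that came back empty.
    """
    fields = {rt_key: entry.get(ad_attr, "") for rt_key, ad_attr in ATTR_MAP.items()}
    missing = sorted(k for k, v in fields.items() if v == "")
    return fields, missing


def lookup(name: str, entries=SAMPLE_ENTRIES) -> dict:
    """Mimic the auth/info path for one login over the constructed entries.

    The sAMAccountName comparison stands in for the server-side evaluation of
    the filter string that build_user_filter returns.
    """
    result = {"filter": build_user_filter(name), "dn": None,
              "disabled": False, "fields": {}, "missing": []}
    for entry in entries:
        if entry.get("sAMAccountName") == name and "person" in entry["objectclass"]:
            result["dn"] = entry["dn"]
            result["disabled"] = is_disabled(entry)
            result["fields"], result["missing"] = canonicalize(entry)
            break
    return result


if __name__ == "__main__":
    for login in ("ldapsearch", "jdoe", "a*)(x=y"):
        r = lookup(login)
        print(login, "->", r["filter"], r["dn"], "disabled" if r["disabled"] else "",
              "missing:", r["missing"])
```

Running it shows the ldapsearch entry authenticating with EmailAddress and WorkPhone empty, the jdoe entry rejected by the disabled-bit test, and the odd login name turned into a harmless assertion value. Separately from the mapping itself, note that the log line "Attempting to get user info using this external service:" carries an empty service name: in RT::Authen::ExternalAuth the info lookup is ordered by its own list, $ExternalInfoPriority in the module's sample config, distinct from the $ExternalAuthPriority set above, so that is the first setting to check when authentication succeeds but no attributes arrive.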