[rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth
Mike Peachey
mike.peachey at jennic.com
Fri May 30 04:34:10 EDT 2008
Bill Teeple wrote:
> (also - note - I put rt3 within the /var volume not the /opt volume)
Meh, I always stick it in /usr
> Here is a part of my log:
>
>
>
> [Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as
> you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
I'm not sure what the cause of this message is, but it does not get int
the way of user creation, this is one of those messages that has ALWAYS
been there, I've just yet to get around to working out why.
> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
> (/var/rt3/local/lib/RT/User_Vendor.pm:408)
I've never seen this one before, but I'm guessing it's due to a lack of
a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info
are treated as completely seperate services and so you need to define
the services for each.
> [Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
> this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)
Hence this line ^^
> [Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
> returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
> ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
And again ^^
> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
> ldapsearch ( )
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
This one ^^ is the nub of the problem. I have had a number of people
report having this issue, for some reason there just seems to be no user
object created or no principle ID assigned and, because it's only debug
output, it's not clear if anything is being created or not, or if it's
just not reporting right to the debugging code.
If you can help me get to the cause of this issue I would greatly
appreciate it. The problem I have is that, because it's never happened
to me, I do not have access to a copy of RT with the problem so that I
can debug it myself.
> Here is my RT_SiteConfig.pm:
>
> Set($AuthMethods, ['LDAP','internal']);
This setting ^^ is irrelevant. It forms part of Jim Meyer's LDAP
User_Local.pm overlay code which was deprecated by the ExternalAuth
extension. I recommend removing it. Also, since you have this line, make
sure you don't have a $RTHOME/local/lib/RT/User_Local.pm or the same in
the non-local tree, because if you have accidentally combined my code
and Jim Meyer's you could be looking at problems.
> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> Set($ExternalAuthPriority,['My_LDAP']);
Obviously insert ExternalInfoPriority here.
> 'attr_match_list' => [ 'Name',
> 'EmailAddress',
> 'RealName',
> 'WorkPhone',
> 'Address2'
> ],
I think I'll be updating the example config for the next release to
reduce the attr_match_list. I would recommend only using Name and
EmailAddress in your configuration. These should be attributes that
*uniquely* identify a user meaning you can't have more than one with the
same Address or workphone. Name and Email give RT a username and an
e-mail address, each of which should be unique for each and every user.
> When I uncomment the:
>
> #Set($AutoCreateNonExternalUsers, 1);
>
> line, my attempted user gets AUTO-CREATED in the system, but no
> attributes are pulled over.
As per the comments, if you uncomment it, RT will create the user
whether they authenticated (and informaticated :/) correctly or not.
>
> As you can see by the log file above, when a user (in log above, example
> user is called ldapsearch) who is not within RT attempts to log on,
> settings are pulled just fine - it even says it has authenticated
> properly, but then the last line:
>
> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
> ldapsearch ( )
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
>
> Shows me that the account is attempting to be created, but the "( )" is
> missing an ID of some?
Precisely. A few of your own debugging statements may be able to help
you work out why and I would love to know. If I can help I'm always
around, especially in #rt on irc.perl.org. Just say Zordrak three times
and I shall appear. I'm magic like that.
> This coupled with the error further UP the log:
>
> [Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as
> you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
Again, I think this is a red herring and completely unrelated as it is
always there.
> leads me to believe that I might be missing like ONE setting that would
> allow this to all JIVE the way it should.
Well, you're missing ExternalInfoPriority, but I only think that will
fix your boogie-woogie problems, I think your jive-block is elsewhere.
--
Kind Regards,
__________________________________________________
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__________________________________________________
More information about the rt-users
mailing list