[rt-users] LDAPImport bug with RT-Authen-ExternalAuth
Shawn Plummer
plummer at geneseo.edu
Thu Jul 28 13:32:40 EDT 2011
Here are the RT_SiteConfig entries for LDAPImport and ExternalAuth:
# For the Ldapimport extension
Set($LDAPHost, 'server.geneseo.edu');
Set($LDAPUser, 'cn=username,cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPPassword, 'password');
Set($LDAPBase, 'cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPFilter, '(objectClass=*)');
Set($LDAPMapping, {
    Name         => 'sAMAccountName',
    EmailAddress => 'mail',
    RealName     => 'displayName',
    WorkPhone    => 'telephoneNumber',
    Organization => 'department',
    Address1     => 'street'
});
Set($LDAPGroupName, 'Imported Users');
Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPUpdateOnly, 0);

Set($ExternalAuthPriority, ['Geneseo_AD']);
Set($ExternalInfoPriority, ['Geneseo_AD']);
Set($ExternalServiceUsesSSLorTLS, 0);
# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'Geneseo_AD' => {
        ## GENERIC SECTION
        'type'   => 'ldap',
        'server' => 'server.geneseo.edu',
        # The username RT should use to connect to the LDAP server
        'user'   => 'cn=username,cn=users,dc=w2k,dc=geneseo,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'password',
        #
        # The LDAP search base
        'base'   => 'cn=Users,DC=w2k,DC=geneseo,DC=edu',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'   => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'         => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host, @args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',

        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'sAMAccountName',
                               'mail'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'department',
                        'RealName'       => 'displayName',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
});
On Jul 27, 2011, at 8:06 PM, Kevin Falcone wrote:
> On Wed, Jul 27, 2011 at 07:48:11PM -0400, Shawn M Plummer wrote:
>> On Jul 27, 2011, at 5:40 PM, Kevin Falcone wrote:
>>
>>> You've left off a number of useful debugging messages from
>>> CanonicalizeUserInfo which came right before this. Without those,
>>> it's hard to tell what's going on
>>>
>>
>> I set $LogToSyslog to debug in RT_Config and tried again. Is this what you were referring to? Or do I need to turn something on to get better messages from CanonicalizeUserInfo?
>
> I'd expect to see the output of
> $RT::Logger->debug( (caller(0))[3],
> "called by",
> caller,
> "with:",
> join(", ", map {sprintf("%s: %s", $_, $args->{$_})}
> sort(keys(%$args))));
>
> and a reference to every Info service queried
>
> You may want to post your RT-Authen-ExternalAuth config and version
>
> -kevin
>
>
>> Here is everything I got from tailing /var/log/httpd/* and /var/log/message while I attempted to login with the new AD user I created today.
>>
>> Jul 27 19:44:28 rtdevel RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>> Jul 27 19:44:28 rtdevel RT: Couldn't create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
>>
>> ==> /var/log/httpd/rt4devel_error_log <==
>> [Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
>> [Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: Couldn't create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
>> [Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: FAILED LOGIN for rttestuser f, referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
>>
>> ==> /var/log/messages <==
>> Jul 27 19:44:28 rtdevel RT: FAILED LOGIN for rttestuser from 137.238.60.9 (/opt/rt4devel/sbin/../lib/RT/Interface/Web.pm:655)
>>
>> ==> /var/log/httpd/rt4devel_error_log <==
>> [Wed Jul 27 19:44:31 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: rom 137.238.60.9 (/opt/rt4devel/sbin/../lib/RT/Interface/Web.pm:655), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
>>
>> ==> /var/log/httpd/rt4devel_access_log <==
>> 137.238.60.9 - - [27/Jul/2011:19:44:27 -0400] "POST /NoAuth/Login.html HTTP/1.1" 200 4534 "https://rtdevel.geneseo.edu/NoAuth/Login.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"
>>
>>
>>
>>
>> ~~~~~~~~~~~~~
>> Shawn Plummer
>> Systems Manager
>> CIT SUNY Geneseo
>> "The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh." -Lord Byron
>>
>>
>> --------
>> 2011 Training: http://bestpractical.com/services/training.html
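Editor's added example, not code from RT, from RT-Authen-ExternalAuth, or from anyone in this thread. It models, offline, the step the log lines above come from: how an ExternalSettings LDAP block turns the login data (Name, EmailAddress, Gecos) into a directory lookup, and what CanonicalizeUserInfo hands back when no lookup filter can be built. The lookup logic is an approximation of the plugin's documented behaviour (attr_match_list entries are tried in order; attr_map maps RT attribute names to LDAP attribute names); the `GENESEO_AD` dictionary is a copy of the posted block without credentials, and the `DIRECTORY` entry for rttestuser is made up. The `lint_service` checks (match-list keys, cleartext bind, SSLv3, catch-all filter) are general things to verify before blaming the plugin; they are not a claim about the cause of this particular failure.

```python
"""
Offline model of how an RT-Authen-ExternalAuth LDAP service block turns a
login into a directory lookup.  Constructed example; it is not code from
RT or the plugin, and the directory entries below are made up.
"""
import copy

# Copy of the posted Geneseo_AD block, minus credentials (constructed).
GENESEO_AD = {
    "type": "ldap",
    "server": "server.geneseo.edu",
    "base": "cn=Users,DC=w2k,DC=geneseo,DC=edu",
    "filter": "(objectClass=*)",
    "d_filter": "(objectClass=FooBarBaz)",
    "tls": 0,
    "ssl_version": 3,
    # As posted: LDAP attribute names, although the plugin's own comment
    # says this list holds RT attribute names (Name, EmailAddress, ...).
    "attr_match_list": ["sAMAccountName", "mail"],
    "attr_map": {
        "Name": "sAMAccountName",
        "EmailAddress": "mail",
        "Organization": "department",
        "RealName": "displayName",
        "ExternalAuthId": "sAMAccountName",
        "Gecos": "sAMAccountName",
        "WorkPhone": "telephoneNumber",
    },
}

# A made-up AD entry for the test account named in the log (constructed).
DIRECTORY = [
    {
        "sAMAccountName": "rttestuser",
        "mail": "rttestuser@geneseo.edu",
        "displayName": "RT Test User",
        "department": "CIT",
        "objectClass": ["top", "person", "user"],
    },
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(service, rt_attr, rt_args):
    """Filter for one attr_match_list entry, or None when that entry is
    unusable: the RT attribute has no value in the login data, or it is
    not a key of attr_map (so there is no LDAP attribute to search on)."""
    ldap_attr = service["attr_map"].get(rt_attr)
    value = rt_args.get(rt_attr)
    if not ldap_attr or not value:
        return None
    return "(&%s(%s=%s))" % (service["filter"], ldap_attr, ldap_escape(value))


def canonicalize(service, rt_args, directory):
    """Approximation of CanonicalizeUserInfo: try each match attribute in
    order, take the single entry found, and fill RT fields from attr_map.
    When no usable filter exists the login data comes back unchanged,
    which is what the posted log shows (EmailAddress stays empty)."""
    result = dict(rt_args)
    for rt_attr in service["attr_match_list"]:
        if build_lookup_filter(service, rt_attr, rt_args) is None:
            continue
        ldap_attr = service["attr_map"][rt_attr]
        hits = [e for e in directory if e.get(ldap_attr) == rt_args[rt_attr]]
        if len(hits) != 1:
            continue  # no match, or more than one: treat as not found
        for rt_name, ldap_name in service["attr_map"].items():
            if ldap_name in hits[0]:
                result[rt_name] = hits[0][ldap_name]
        break
    return result


def lint_service(service):
    """Checks a practitioner would run on the block before blaming the plugin."""
    findings = []
    bad = [a for a in service["attr_match_list"] if a not in service["attr_map"]]
    if bad:
        findings.append("attr_match_list entries %s are not RT attributes "
                        "(attr_map keys); no lookup filter can be built" % bad)
    if not service.get("tls"):
        findings.append("tls=0: the simple bind sends the service "
                        "account password in cleartext")
    if service.get("ssl_version") == 3:
        findings.append("ssl_version=3 selects SSLv3")
    if service["filter"] == "(objectClass=*)":
        findings.append("filter (objectClass=*) matches every object under "
                        "the base, not only user accounts")
    return findings


def with_fixed_match_list(service):
    """Same block with attr_match_list reduced to Name and EmailAddress,
    as the comment in the posted config recommends."""
    fixed = copy.deepcopy(service)
    fixed["attr_match_list"] = ["Name", "EmailAddress"]
    return fixed


if __name__ == "__main__":
    login = {"Name": "rttestuser", "EmailAddress": "", "Gecos": "rttestuser"}
    print(canonicalize(GENESEO_AD, login, DIRECTORY))
    print(canonicalize(with_fixed_match_list(GENESEO_AD), login, DIRECTORY))
    for line in lint_service(GENESEO_AD):
        print("-", line)
```

Run as a script it prints the login data unchanged for the block as posted, the same login filled in from the made-up directory entry once attr_match_list holds RT attribute names, and the lint findings. Whether the real directory returns a `mail` value for rttestuser is something only an ldapsearch with the same bind DN, base and filter against server.geneseo.edu can answer.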