[rt-users] RT Extension LDAPImport Using LDAPS?
Scott Pestana
scott.pestana at linguamatics.com
Mon Apr 9 16:50:09 EDT 2012
Kevin,
Thomas's notes helped me get my import working. Users are now
imported into our RT instance. However, we do get a lot of noise:
[Mon Apr 9 19:51:49 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo : Search for
(&(|(objectClass=posixAccount)(objectClass=account))(mail=USEREMAIL at linguamatics.com))
failed: LDAP_NO_SUCH_OBJECT 32
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:232)
[Mon Apr 9 19:51:49 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo : Search for
(&(|(objectClass=posixAccount)(objectClass=account))(uid=USERID))
failed: LDAP_NO_SUCH_OBJECT 32
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:232)
For each user we get the above two "critical" errors, and the below
"info" message (which I don't mind aside from the "Disabled" part):
[Mon Apr 9 19:51:49 2012] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: USEREMAIL at linguamatics.com, ExternalAuthId: USERID, Gecos:
USERFULLNAME, Name: USERID, Privileged: 1, RealName: USERFULLNAME
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
When I inspected the MySQL tables that were created, I found that
all the users appeared to be created as I wanted. I am having trouble
with the Web view at the moment, so I need to verify them through that
view as well.
For reference, here are the settings / bindings from RT_SiteConfig.pm
Set($LDAPHost,'ldaps://OURLDAPS.linguamatics.com');
Set($LDAPUser,'uid=OURBINDUSER,dc=linguamatics,dc=com');
Set($LDAPPassword, 'OURBINDPW');
Set($LDAPBase, 'ou=OURUSERTREE,dc=linguamatics,dc=com');
Set($LDAPFilter, '(|(objectClass=posixAccount)(objectClass=account))');
Set($LDAPMapping, { 'Name' => 'uid',
'EmailAddress' => 'mail',
'RealName' => 'cn',
'ExternalAuthId' => 'uid',
'Gecos' => 'gecos'
}
);
Set($LDAPCreatePrivileged, 1);
#For now we don't need groups, from what I can tell so:
#Set($LDAPGroupName, 'Imported Users');
#The previous line is commented out and we use this line:
Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPUpdateUsers, 0);
Set($LDAPUpdateOnly, 0);
#Set($LDAPGroupBase, '');
#Set($LDAPGroupFilter, '');
#Set($LDAPGroupMapping, { });
Please let me know if anything jumps out at you about why we're
generating so many "critical" messages. Otherwise, I'm more or less
happy with how RT Extension LDAPImport works; inspecting the data sent
into the MySQL database showed me data that looked good.
-Scott
On 4/9/2012 3:10 PM, Kevin Falcone wrote:
> On Mon, Apr 09, 2012 at 02:25:47PM -0400, Scott Pestana wrote:
>> I'm having trouble setting up LDAPImport over LDAPS. The README
>> with the package on CPAN details set up and includes "Hostname or
>> ldap(s):// uri" which suggests to me that secure transmission should
>> work. I have settings in RT_SiteConfig.pm for Security, but I don't
>> see a specific flag for the Extension::LDAPImport package to set
>> that secure communication is requested.
>>
>> I run into the following error trying to run rtldapimport:
>>
>> [root at owlwoman bin]# ./rtldapimport
>> Running test import, no data will be changed
>> Rerun command with --import to perform the import
>> Rerun command with --debug for more information
>> [Mon Apr 9 18:19:15 2012] [error]: LDAP search failed No such
>> object (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:866)
>> LDAP search failed No such object
>> Testing group import
>> [Mon Apr 9 18:19:15 2012] [warning]: Not running a group import,
>> configuration not set (/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:874)
>> Not running a group import, configuration not set
>> Finished test
> Please show your LDAPimport configuration for LDAPHost / LDAPUser and
> a sanitized version of LDAPPassword.
>
> Your port # implies that Net::LDAP didn't think you needed ssl.
>
> -kevin
>
>> Digging into the Perl code being executed by rtldapimport, I
>> found that the LDAP object can't be created because the
>> configuration being used is insecure:
>>
>> DB<9> x $ldap
>> 0 Net::LDAP=HASH(0x5af6f00)
>> 'net_ldap_async' => 0
>> 'net_ldap_debug' => 0
>> 'net_ldap_host' => 'OURLDAPS.linguamatics.com'
>> 'net_ldap_port' => 389
>> 'net_ldap_refcnt' => 1
>> 'net_ldap_resp' => HASH(0x86044f0)
>> empty hash
>> 'net_ldap_scheme' => 'ldap'
>> 'net_ldap_socket' => IO::Socket::INET=GLOB(0x8604718)
>> -> *Symbol::GEN46
>> FileHandle({*Symbol::GEN46}) => fileno(8)
>> 'net_ldap_uri' => 'OURLDAPS.linguamatics.com'
>> 'net_ldap_version' => 3
>>
>> What flags do I need to set for rtldapimport to use secure
>> communication when doing the import? I have set $LDAPUser and
>> $LDAPPassword in the RT_SiteConfig.pm, but they aren't reflected here
>> either (perhaps they are applied later).
--
N. Scott Pestana
IT Infrastructure
Linguamatics
275 Grove Street, Suite 2-400
Newton, MA 02466
Tel: +1-774-571-7135
US Tel: +1-617-674-3256
UK Tel: 011-44-1223-421360
UK Fax: 011-44-1223-421361
Web: www.linguamatics.com
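An added stand-alone diagnostic (not code from the post or from the RT extensions) that reproduces the two things this thread turns on: whether Net::LDAP actually negotiated LDAPS for the configured $LDAPHost (the debugger dump shows scheme 'ldap' and port 389 when the host string lacks an ldaps:// prefix), and what the search RT logs as failing returns against the configured base. The two "critical" lines come from RT::Authen::ExternalAuth, which reads its own base and filter from $ExternalSettings rather than from the LDAPImport settings, and result code 32 on a search is the server reporting that the base DN itself does not exist. The CA bundle path and the command-line uid are assumptions.

```perl
#!/usr/bin/perl
# Stand-alone check of the values RT reads from RT_SiteConfig.pm.
# Placeholders (OURLDAPS..., OURBINDUSER, OURBINDPW, OURUSERTREE) are the
# post's own; /etc/pki/tls/certs/ca-bundle.crt is an assumed CA path.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name ldap_error_text escape_filter_value);

my %cfg = (
    LDAPHost     => 'ldaps://OURLDAPS.linguamatics.com', # without ldaps:// Net::LDAP uses ldap, port 389
    LDAPUser     => 'uid=OURBINDUSER,dc=linguamatics,dc=com',
    LDAPPassword => 'OURBINDPW',
    LDAPBase     => 'ou=OURUSERTREE,dc=linguamatics,dc=com',
    LDAPFilter   => '(|(objectClass=posixAccount)(objectClass=account))',
);
my $test_uid = shift @ARGV // 'USERID';   # a uid from one of the "critical" log lines

# 1. Connect. verify => 'require' makes Net::LDAP reject a server certificate
#    it cannot validate instead of silently accepting it.
my $ldap = Net::LDAP->new(
    $cfg{LDAPHost},
    verify  => 'require',
    cafile  => '/etc/pki/tls/certs/ca-bundle.crt',
    timeout => 10,
) or die "Cannot connect to $cfg{LDAPHost}: $@\n";

# 2. Confirm the transport actually negotiated. The debugger dump in the
#    post showed scheme 'ldap' and port 389 because the host string had no
#    ldaps:// prefix; the bind password would have crossed the wire in clear.
printf "scheme=%s host=%s port=%d\n", $ldap->scheme, $ldap->host, $ldap->port;
die "Refusing to bind: connection is not LDAPS\n" unless $ldap->scheme eq 'ldaps';

# 3. Bind with the service account.
my $bind = $ldap->bind($cfg{LDAPUser}, password => $cfg{LDAPPassword});
die "Bind failed: " . ldap_error_name($bind) . ' ' . $bind->error . "\n" if $bind->code;

# 4. Repeat the search RT logged as failing. Result code 32 (LDAP_NO_SUCH_OBJECT)
#    on a *search* means the base DN itself does not exist on this server, so
#    it points at the configured base rather than at a missing user.
my $filter = "(&$cfg{LDAPFilter}(uid=" . escape_filter_value($test_uid) . '))';
my $res = $ldap->search(base => $cfg{LDAPBase}, scope => 'sub',
                        filter => $filter, attrs => [qw(uid mail cn gecos)]);
if ($res->code) {
    printf "Search for %s failed: %s %d (%s)\n",
        $filter, ldap_error_name($res), $res->code, ldap_error_text($res);
} else {
    printf "Search for %s returned %d entries\n", $filter, $res->count;
    printf "  %s mail=%s\n", $_->dn, $_->get_value('mail') // '' for $res->entries;
}
$ldap->unbind;
```

Run it once with the LDAPImport values and once with the base and filter from $ExternalSettings; a code 32 on the second run but not the first confirms the noise comes from the ExternalAuth configuration.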