[rt-users] Issue With ExternalAuth

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Tue Dec 6 05:12:37 EST 2016


Hi Claude,

Seems you already have a user in the RT database with the same email 
address, but different user name.

> [3605] [Tue Dec  6 07:58:02 2016] [error]: Couldn't create user 
> 20006583: Email address in use

Best Regards

Martin

On 2016-12-06 08:05, Claude EDUMA wrote:
> Hi Martin,
> 
> Thank you for your response.
> 
> File permissions for my CA.cert are "rw-r--r-".
> 
> Below is rt.log:
> 
> ---------------------------
> 
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to use external
> auth service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:286)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Calling UserExists with
> $username (20006583) and $service (My_LDAP)
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:327)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: UserExists params:
> username: 20006583 , service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:488)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: LDAP Search ===  Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]:
> RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
> /opt/rt4/sbin/../lib/RT/User.pm 699 with: Disabled: , EmailAddress: ,
> Gecos: 20006583, Name: 20006583, Privileged: 1
> (/opt/rt4/sbin/../lib/RT/User.pm:735)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to get user info
> using this external service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/User.pm:743)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to use this
> canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: LDAP Search ===  Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
> [3605] [Tue Dec  6 07:58:02 2016] [info]:
> RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: ,
> Disabled: , EmailAddress: claude.eduma at ext.mycorp.com, Gecos:
> 20006583, Name: 20006583, Privileged: 1, RealName: CLAUDE EDUMA
> (/opt/rt4/sbin/../lib/RT/User.pm:812)
> [3605] [Tue Dec  6 07:58:02 2016] [error]: Couldn't create user
> 20006583: Email address in use
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Autohandler called
> ExternalAuth. Response: (0, No User)
> (/opt/rt4/share/html/Elements/DoAuth:58)
> [3605] [Tue Dec  6 07:58:02 2016] [error]: FAILED LOGIN for 20006583
> from 10.1.179.71 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
> 
> ----------------
> 
> Thank you one more time.
> 
> Regards.
> 
> 2016-12-05 23:35 GMT+01:00 Martin Wheldon
> <martin.wheldon at greenhills-it.co.uk>:
> 
>> Hi Claude,
>> 
>> Your english is much better than my french :)
>> I've cc'd the RT users list as they may have additional suggestions.
>> The short answer is no, I don't believe your problem is caused by TLS
>> bugs.
>> 
>> You seem to be mixing up the new RT 4.4 LDAP configuration syntax
>> with the older RT::Authen::ExternalAuth syntax.
>> 
>> If you are using RT 4.4.x then you don't need the following, because
>> it is the old style syntax:
>> 
>>> Set($LDAPBase,'MYLDAPSERVER');
>>> Set($LDAPFilter, '(&(objectClass=person))');
>>> Set($LDAPMapping, {
>>> Name            => 'uid',
>>> EmailAddress    => 'mail',
>>> RealName        => 'cn'
>>> });
>> 
>> The following option should also be removed when using RT 4.4.x:
>> 
>>> 'ssl_version'      => 3,
>> 
>> Is RT able to read your CAcert file? Please could you check the file
>> permissions.
>> Do you see any errors in the logs?
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-12-05 13:22, claudeduma at gmail.com wrote:
>> 
>>> Hi Martin,
>>> 
>>> I am trying to configure LDAP authentication but it doesn't work.
>>> I'm sure all my config is correct (see below). I tried with
>>> ldapsearch and it's all OK. I looked at my LDAP server's logs and I
>>> bind users correctly. Do you think it's a TLS bug?
>>> 
>>> (sorry for my english I'm french)
>>> Thank you.
>>> 
>>> --------------
>>> Set($LDAPBase,'MYLDAPSERVER');
>>> Set($LDAPFilter, '(&(objectClass=person))');
>>> Set($LDAPMapping, {
>>>     Name            => 'uid',
>>>     EmailAddress    => 'mail',
>>>     RealName        => 'cn'
>>> });
>>> 
>>> # Use the below LDAP source for both authentication, as well as user
>>> # information
>>> Set( $ExternalAuthPriority, ["My_LDAP"] );
>>> Set( $ExternalInfoPriority, ["My_LDAP"] );
>>> Set($ExternalServiceUsesSSLorTLS, 1);
>>> 
>>> # Make users created from LDAP Privileged
>>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>> 
>>> # Users should still be autocreated by RT as internal users if they
>>> # fail to exist in an external service; this is so requestors (who
>>> # are not in LDAP) can still be created when they email in.
>>> Set($AutoCreateNonExternalUsers, 0);
>>> 
>>> # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>>> # further details and examples
>>> Set($ExternalSettings, {
>>>     'My_LDAP'       =>  {
>>>         'type'             =>  'ldap',
>>>         'server'           =>  'ldaps://MYLDAPSERVER',
>>>         'user'             =>  'MYUSER',
>>>         'pass'             =>  'MYPASS',
>>>         'base'             =>  'MYBASE',
>>>         'filter'           =>  '(objectClass=privperson)',
>>>         'tls'              => { verify => "require", cafile => "/etc/CA.crt" },
>>>         'ssl_version'      => 3,
>>>         'net_ldap_args'    => [ version => 3, debug => 8 ],
>>>         'attr_match_list'  => [
>>>             'Name',
>>>             'EmailAddress',
>>>         ],
>>> 
>>>         'attr_map' => {
>>>             'Name'         => 'uid',
>>>             'EmailAddress' => 'mail',
>>>             'RealName'     => 'cn',
>>>             'Gecos'        => 'uid',
>>>             'Country'      => 'co',
>>>         }
>>>     },
>>> }
>>> );
>>> 
>>> 1;
>>> 
>>> _____________________________________
>>> Sent from http://requesttracker.8502.n7.nabble.com
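Martin's diagnosis points at an existing row in RT's Users table that already holds claude.eduma@ext.mycorp.com under a Name other than 20006583, so ExternalAuth's attempt to create the LDAP user is refused. The script below is an added example, not part of this thread and not one of RT's own tools; it uses RT's Perl API to show which user owns the address and, only when run with --apply, renames that user to the LDAP uid so the next login loads it instead of trying to create a duplicate. It assumes RT 4.x installed under /opt/rt4 (the path in the log), that it is run as the RT/web user so RT_SiteConfig.pm and the database are readable, and the address and uid taken from the log above; the file name find_email_owner.pl is hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from RT itself): find which RT user
# already owns the e-mail address that ExternalAuth reported as "in use",
# and optionally rename that user to the LDAP uid so the next login loads
# it instead of trying to create a duplicate.
#
# Assumptions: RT 4.x under /opt/rt4 (the path in the log above), run as
# the RT/web user so RT_SiteConfig.pm and the database are readable.
use strict;
use warnings;
use lib '/opt/rt4/lib';
use RT;

RT::LoadConfig();
RT::Init();

my ( $email, $ldap_uid, $flag ) = @ARGV;
die "usage: $0 EMAIL LDAP_UID [--apply]\n" unless $email && $ldap_uid;
my $apply = defined $flag && $flag eq '--apply';

# LoadByEmail canonicalizes the address the same way RT does when it
# creates a user, so this finds the row behind "Email address in use".
my $user = RT::User->new( RT->SystemUser );
$user->LoadByEmail($email);
if ( !$user->id ) {
    print "No RT user owns $email; the failure must come from elsewhere\n";
    exit 0;
}

printf "Existing user: id=%d Name=%s EmailAddress=%s Privileged=%d Disabled=%d\n",
    $user->id, $user->Name, $user->EmailAddress,
    ( $user->Privileged ? 1 : 0 ), $user->Disabled;

if ( $user->Name eq $ldap_uid ) {
    print "Name already equals the LDAP uid; nothing to rename\n";
    exit 0;
}

# Refuse to rename if a different user already carries the LDAP uid as
# its Name. LoadByCol is used rather than Load because RT::User::Load
# treats an all-digit string such as 20006583 as a numeric id, not a Name.
my $other = RT::User->new( RT->SystemUser );
$other->LoadByCol( 'Name', $ldap_uid );
if ( $other->id && $other->id != $user->id ) {
    die sprintf( "User id=%d already has Name '%s'; merge the accounts manually\n",
        $other->id, $ldap_uid );
}

if ( !$apply ) {
    printf "Dry run: rerun with --apply to rename '%s' to '%s'\n",
        $user->Name, $ldap_uid;
    exit 0;
}

# SetName runs RT's own validity and uniqueness checks and returns
# (status, message); a failed rename exits non-zero.
my ( $ok, $msg ) = $user->SetName($ldap_uid);
print "Rename: $msg\n";
exit( $ok ? 0 : 1 );
```

Run it first without --apply, for example `sudo -u www-data perl find_email_owner.pl claude.eduma@ext.mycorp.com 20006583`, and look at who the existing account is before renaming anything: the match is made on the e-mail address alone, so confirm the row really is the same person (typically a requestor auto-created from inbound mail) and not an unrelated account, because after the rename every ticket, watcher role and right attached to that user belongs to whoever authenticates as LDAP uid 20006583. The same rename can be done by hand under Admin, Users in the RT web interface if you prefer not to script it.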


