[rt-users] Issue With ExternalAuth

Martin Wheldon martin.wheldon at greenhills-it.co.uk
Tue Dec 6 07:50:22 EST 2016


Hi Claude,

Yes, your problem seems to be a little odd.

I believe that this is the code that is rejecting your authentication 
from
/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm

>    # If we got here and don't have a user loaded we must have failed to
>    # get a full, valid user from an authoritative external source.
>    unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) 
> {
>        $session->{'CurrentUser'} = RT::CurrentUser->new;
>        return (0, "No User");
>    }

Do you have multiple external auth mechanisms configured?
Would you be able to post your full RT configuration, with sensitive 
information obfuscated, obviously?

Best Regards

Martin

On 2016-12-06 11:37, Claude EDUMA wrote:
> Martin,
> 
> It requests only the "dn" attribute because the user is not internal.
> Once the user is created, it will request the other attributes.
> 
> I have seen our LDAP administrator and for him all is OK. Accounts are
> bound correctly with LDAP.
> It seems like after binding the account it requests another validation which
> failed.
> 
> My question is why RT retrieves all attributes from LDAP but still fails
> to grant access to users?
> 
> I'm sorry to take your precious time and thank you once more.
> 
> -------------------------------------------
> 
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: UserExists params:
> username: 20005528 , service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:488)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: LDAP Search ===  Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]:
> RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
> /opt/rt4/sbin/../lib/RT/User.pm 699 with  : Disabled: , EmailAddress:
> , Gecos: 20005528, Name: 20005528, Privileged: 1
> (/opt/rt4/sbin/../lib/RT/User.pm:735)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: Attempting to get user info
> using this external service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/User.pm:743)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: Attempting to use this
> canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: LDAP Search ===  Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
> [4109] [Tue Dec  6 10:22:50 2016] [info]:
> RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: ,
> Disabled: , EmailAddress: jonathan.laigle at ext.mycorpservices.com,
> Gecos: 20005528, Name: 20005528, Privileged: 1, RealName: JONATHAN
> LAIGLE (/opt/rt4/sbin/../lib/RT/User.pm:812)
> [4109] [Tue Dec  6 10:22:50 2016] [error]: Couldn't create user
> 20005528: Email address in use
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
> [4109] [Tue Dec  6 10:22:50 2016] [debug]: Autohandler called
> ExternalAuth. Response: (0, No User)
> (/opt/rt4/share/html/Elements/DoAuth:58)
> [4109] [Tue Dec  6 10:22:50 2016] [error]: FAILED LOGIN for 20005528
> from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
> -------------------------
> 
> Regards
> 
> 2016-12-06 12:04 GMT+01:00 Martin Wheldon
> <martin.wheldon at greenhills-it.co.uk>:
> 
>> Hi Claude,
>> 
>> OK, from your logs you can see a successful lookup from LDAP of the
>> user and a successful validation.
>> So we can rule out issues with communication with the LDAP server
>> and user credentials.
>> 
>> The following line however is an issue as you seem to be only
>> getting/requesting the dn attribute returned. I'm not quite certain
>> which :)
>> 
>> "... == Attrs: dn"
>> 
>>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: LDAP Search ===  Base:
>>> o=corp.mycorp.com == Filter:
>>> (&(uid=20005528)(objectClass=privperson)) == Attrs: dn
>> 
>> This is what I get on my test system:
>> 
>> "... == Attrs:
>> mail,cn,street,telephoneNumber,mobile,st,mail,ukFirmGhITAccOrg,postalCode,l"
>> 
>> The configuration you sent earlier is expecting uid,mail,cn and co:
>> 
>> 'attr_map' => {
>> 'Name'         => 'uid',
>> 'EmailAddress' => 'mail',
>> 'RealName'     => 'cn',
>> 'Gecos'        => 'uid',
>> 'Country'      => 'co',
>> }
> 
>> Is your LDAP search account able to get this information from the
>> LDAP server?
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-12-06 10:25, Claude EDUMA wrote:
> 
>> Yes,
>> 
>> But even if it is a new user, the user is created but I still have LOGIN
>> FAILED.
>> 
>> Below is the log with a new user:
>> 
>> ---------------------------
>> 
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: Trying external auth
>> service: My_LDAP
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:201)
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: LDAP Search ===  Base:
>> o=corp.mycorp.com == Filter:
>> (&(uid=20005528)(objectClass=privperson)) == Attrs: dn
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:234)
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: Found LDAP DN:
>> uid=20005528,ou=people,ou=GO-LM,o=corp.mycorp.com
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:268)
>> [4110] [Tue Dec  6 10:22:44 2016] [info]:
>> RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP
>> ):
>> 20005528 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:350)
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: LDAP password validation
>> result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:558)
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: Password Validation Check
>> Result:  1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:383)
>> [4110] [Tue Dec  6 10:22:44 2016] [debug]: Autohandler called
>> ExternalAuth. Response: (0, No User)
>> (/opt/rt4/share/html/Elements/DoAuth:58)
>> [4110] [Tue Dec  6 10:22:44 2016] [error]: FAILED LOGIN for 20005528
>> from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
>> [4109] [Tue Dec  6 10:22:50 2016] [debug]: Attempting to use external
>> auth service: My_LDAP
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:286)
>> [4109] [Tue Dec  6 10:22:50 2016] [debug]: Calling UserExists with
>> $username (20005528) and $service (My_LDAP)
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:327)
>> 
>> 2016-12-06 11:12 GMT+01:00 Martin Wheldon
>> <martin.wheldon at greenhills-it.co.uk>:
>> 
>> Hi Claude,
>> 
>> Seems you already have a user in the RT database with the same email
>> address, but different user name.
>> 
>> [3605] [Tue Dec  6 07:58:02 2016] [error]: Couldn't create user
>> 20006583: Email address in use
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-12-06 08:05, Claude EDUMA wrote:
>> Hi Martin,
>> 
>> Thank you for your response.
>> 
>> File permissions for my CA.cert are "rw-r--r-".
>> 
>> Below is rt.log:
>> 
>> ---------------------------
>> 
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to use external
>> auth service: My_LDAP
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:286)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Calling UserExists with
>> $username (20006583) and $service (My_LDAP)
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:327)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: UserExists params:
>> username: 20006583 , service: My_LDAP
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:488)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: LDAP Search ===  Base:
>> o=corp.mycorp.com == Filter:
>> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]:
>> RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
>> /opt/rt4/sbin/../lib/RT/User.pm 699 with: Disabled: , EmailAddress: ,
>> Gecos: 20006583, Name: 20006583, Privileged: 1
>> (/opt/rt4/sbin/../lib/RT/User.pm:735)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to get user info
>> using this external service: My_LDAP
>> (/opt/rt4/sbin/../lib/RT/User.pm:743)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Attempting to use this
>> canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: LDAP Search ===  Base:
>> o=corp.mycorp.com == Filter:
>> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
>> [3605] [Tue Dec  6 07:58:02 2016] [info]:
>> RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: ,
>> Disabled: , EmailAddress: claude.eduma at ext.mycorp.com, Gecos:
>> 20006583, Name: 20006583, Privileged: 1, RealName: CLAUDE EDUMA
>> (/opt/rt4/sbin/../lib/RT/User.pm:812)
>> [3605] [Tue Dec  6 07:58:02 2016] [error]: Couldn't create user
>> 20006583: Email address in use
>> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
>> [3605] [Tue Dec  6 07:58:02 2016] [debug]: Autohandler called
>> ExternalAuth. Response: (0, No User)
>> (/opt/rt4/share/html/Elements/DoAuth:58)
>> [3605] [Tue Dec  6 07:58:02 2016] [error]: FAILED LOGIN for 20006583
>> from 10.1.179.71 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
>> 
>> ----------------
>> 
>> Thank you one more time.
>> 
>> Regards.
>> 
>> 2016-12-05 23:35 GMT+01:00 Martin Wheldon
>> <martin.wheldon at greenhills-it.co.uk>:
>> 
>> Hi Claude,
>> 
>> Your english is much better than my french :)
>> I've cc'd the RT users list as they may have additional suggestions.
>> The short answer is no I don't believe your problem is caused by TLS
>> bugs.
>> 
>> You seem to be mixing up the new RT 4.4 LDAP configuration syntax
>> with the older RT::Authen::ExternalAuth syntax.
>> 
>> If you are using RT 4.4.x then you don't need the following, because
>> it is the old style syntax:
>> 
>> Set($LDAPBase,'MYLDAPSERVER');
>> Set($LDAPFilter, '(&(objectClass=person))');
>> Set($LDAPMapping, {
>> Name            => 'uid',
>> EmailAddress    => 'mail',
>> RealName        => 'cn'
>> });
>> 
>> The following option should also be removed when using RT 4.4.x:
>> 
>> 'ssl_version'      => 3,
>> 
>> Is RT able to read your CAcert file? Please could you check the file
>> permissions.
>> Do you see any errors in the logs?
>> 
>> Best Regards
>> 
>> Martin
>> 
>> On 2016-12-05 13:22, claudeduma at gmail.com wrote:
>> 
>> Hi Martin,
>> 
>> I am trying to configure LDAP authentication but it doesn't work.
>> I'm sure all my config is correct (see below). I tried with
>> ldapsearch and it's all OK. I looked at my LDAP server's logs and
>> users bind correctly. Do you think it's a TLS bug?
>> 
>> (sorry for my english I'm french)
>> Thank you.
>> 
>> --------------
>> Set($LDAPBase,'MYLDAPSERVER');
>> Set($LDAPFilter, '(&(objectClass=person))');
>> Set($LDAPMapping, {
>> Name            => 'uid',
>> EmailAddress    => 'mail',
>> RealName        => 'cn'
>> });
>> 
>> # Use the below LDAP source for both authentication, as well as user
>> # information
>> Set( $ExternalAuthPriority, ["My_LDAP"] );
>> Set( $ExternalInfoPriority, ["My_LDAP"] );
>> Set($ExternalServiceUsesSSLorTLS, 1);
>> 
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>> 
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 0);
>> 
>> # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>>     'My_LDAP'       =>  {
>>         'type'             =>  'ldap',
>>         'server'           =>  'ldaps://MYLDAPSERVER',
>>         'user'             =>  'MYUSER',
>>         'pass'             =>  'MYPASS',
>>         'base'             =>  'MYBASE',
>>         'filter'           =>  '(objectClass=privperson)',
>>         'tls'              => { verify => "require", cafile => "/etc/CA.crt" },
>>         'ssl_version'      => 3,
>>         'net_ldap_args'    => [ version => 3, debug => 8 ],
>>         'attr_match_list'  => [
>>             'Name',
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name'         => 'uid',
>>             'EmailAddress' => 'mail',
>>             'RealName'     => 'cn',
>>             'Gecos'        => 'uid',
>>             'Country'      => 'co',
>>         }
>>     },
>> }
>> );
>> 
>> 1;
>> 
>> _____________________________________
>> Sent from http://requesttracker.8502.n7.nabble.com [2] [2] [1]
> 
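Added example for this thread, not code from RT or from anyone on the list: a small Python triage script for rt.log excerpts of the kind posted above. It parses the log line format, groups lines by PID (each login attempt in these excerpts runs under one PID), records which attributes every LDAP search requested, whether the LDAP bind validated the password, the "Couldn't create user" reason and the FAILED LOGIN line, and for an "Email address in use" failure looks up which existing RT user already holds the address. The log lines and the Users table below are constructed for the example (uid 20005528 is paired with the made-up address alice@example.com; the thread's real addresses are not used), and the table is a plain list standing in for RT's database.

```python
"""Triage RT ExternalAuth login failures from rt.log excerpts.

Added example for this thread, not code from RT or from anyone on the list.
Each web request in the posted logs runs under one PID, so grouping by PID
gives one login attempt per group.
"""
import re
from collections import defaultdict

# One rt.log line: "[pid] [timestamp] [level]: message (source file:line)".
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
    r"(?P<msg>.*?)(?: \((?P<src>/[^()]+:\d+)\))?$"
)

# Constructed sample in the same shape as the thread's logs; the person and
# the e-mail address are made up (alice@example.com stands in for the real one).
SAMPLE_LOG = """\
[4110] [Tue Dec  6 10:22:44 2016] [debug]: LDAP Search ===  Base: o=corp.mycorp.com == Filter: (&(uid=20005528)(objectClass=privperson)) == Attrs: dn (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:234)
[4110] [Tue Dec  6 10:22:44 2016] [debug]: LDAP password validation result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:558)
[4110] [Tue Dec  6 10:22:44 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[4110] [Tue Dec  6 10:22:44 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
[4109] [Tue Dec  6 10:22:50 2016] [debug]: LDAP Search ===  Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
[4109] [Tue Dec  6 10:22:50 2016] [debug]: LDAP Search ===  Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
[4109] [Tue Dec  6 10:22:50 2016] [info]: RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: , Disabled: , EmailAddress: alice@example.com, Gecos: 20005528, Name: 20005528, Privileged: 1, RealName: ALICE EXAMPLE (/opt/rt4/sbin/../lib/RT/User.pm:812)
[4109] [Tue Dec  6 10:22:50 2016] [error]: Couldn't create user 20005528: Email address in use (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
[4109] [Tue Dec  6 10:22:50 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
"""

# Constructed stand-in for RT's Users table. The first row is the usual
# culprit: an unprivileged requestor autocreated from an inbound mail, which
# RT typically names after the address itself.
RT_USERS = [
    {"Name": "alice@example.com", "EmailAddress": "alice@example.com", "Privileged": 0},
    {"Name": "root", "EmailAddress": "root@localhost", "Privileged": 1},
]


def parse_rt_log(text):
    """Group (level, message) pairs by PID, keeping log order within a PID."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m["pid"]].append((m["level"], m["msg"]))
    return dict(by_pid)


def summarise_request(msgs):
    """Reduce one login attempt's messages to the facts worth reading first."""
    s = {"attrs": [], "password_ok": None, "email": None, "response": None,
         "create_error": None, "failed_login": None}
    for _level, msg in msgs:
        if m := re.search(r"== Attrs: (\S+)", msg):
            s["attrs"].append(m.group(1).split(","))   # attributes requested per LDAP search
        elif m := re.search(r"LDAP password validation result: (\d)", msg):
            s["password_ok"] = m.group(1) == "1"          # did the bind as the user succeed
        elif m := re.search(r"EmailAddress: ([^\s,]+@[^\s,]+)", msg):
            s["email"] = m.group(1)                       # address RT is about to store
        elif m := re.search(r"Response: \((\d+), (.*)\)$", msg):
            s["response"] = (int(m.group(1)), m.group(2))
        elif m := re.match(r"Couldn't create user (\S+): (.*)", msg):
            s["create_error"] = {"user": m.group(1), "reason": m.group(2)}
        elif m := re.match(r"FAILED LOGIN for (\S+) from (\S+)", msg):
            s["failed_login"] = {"user": m.group(1), "client": m.group(2)}
    return s


def users_holding_email(email, users):
    """RT keeps e-mail addresses unique; return the row(s) already using this one."""
    return [u for u in users if u["EmailAddress"].lower() == email.lower()]


def triage(text, users):
    """Per PID: the summary plus, for an e-mail collision, the existing RT user names."""
    report = {}
    for pid, msgs in parse_rt_log(text).items():
        s = summarise_request(msgs)
        err = s["create_error"]
        if err and err["reason"].startswith("Email address in use") and s["email"]:
            s["conflicts_with"] = [u["Name"] for u in users_holding_email(s["email"], users)]
        report[pid] = s
    return report


if __name__ == "__main__":
    for pid, summary in triage(SAMPLE_LOG, RT_USERS).items():
        print(pid, summary)
```

Read the report the way the thread does: in the 4110 request the only search asks for `dn`, the password validation result is 1 and the response is still `(0, No User)`, so LDAP communication and the user's credentials are not the problem; in the 4109 request the mapped attributes come back and the failure is the e-mail uniqueness check, with `conflicts_with` naming the existing RT record. In practice that record is usually a requestor autocreated from an inbound mail; the usual fix is to rename or merge that RT user so it matches the LDAP uid rather than weakening the uniqueness check. Note that with `EmailAddress` in `attr_match_list`, the `mail` attribute in the directory decides which RT account a login lands on, so that attribute has to be as tightly controlled as the password.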


