[rt-users] Error when initializing database with external auth enabled

Bart Bunting bart.bunting at ursys.com.au
Sun May 29 08:47:40 EDT 2016


Hi Jim,

Sorry for not posting the relevant details.  It is a totally new install
being built to replace our customized version of rt 3.6 :).   Probably
time for an upgrade :).

Here are the configuration details that are to do with authentication.

As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it's
added from initialdata:

use utf8;
#* Authentication
# configure external authentication

#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type'   => 'ldap',
        'server' => 'xxx',
        'base'   => 'cn=users,cn=accounts,dc=xxx',
        'user'   => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
        'pass'   => 'xxx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

#* Ldapimport Configuration

Set($LDAPBase,'cn=users,cn=accounts,dc=xxx');
Set($LDAPHost,'xxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,cn=etc,dc=xxx');
Set($LDAPPassword,'xxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {
    Name         => 'uid', # required
    EmailAddress => 'mail',
    RealName     => 'cn',
    WorkPhone    => 'telephoneNumber',
    Organization => 'departmentName',
});

# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {
    Name              => 'cn',
    Description       => 'description',
    Member_Attr       => 'member',
    Member_Attr_Value => 'dn',
});

#* Slack Notifier configuration
# All parameters with the exclusion of Proxy are directly passed to the WebService::Slack::IncomingWebHook object




Kind regards
Bart

Jim Brandt <jbrandt at bestpractical.com> writes:

> To clarify the previous question, if you were using 
> RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have 
> it pulled in as a Plugin, you need to remove it because it is now in 
> core. It's not clear to me if your RT_SiteConfig.pm is from an earlier 
> RT version. If so, you will need to make some updates due to the RT 
> version change:
>
> https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html
>
> On 5/25/16 10:21 PM, Bart Bunting wrote:
>> Peter,
>>
>> Not sure, but this is a new install using rt 4.4.
>>
>>
>>
>> Kind regards
>> Peter Viskup <skupko.sk at gmail.com> writes:
>>
>>> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
>>> core since 4.4 version?
>>>
>>> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>>>
>>> --
>>> Peter
>>>
>>> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting <bart.bunting at ursys.com.au> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I may be just missing something but this is failing miserably for me and
>>>> I am not sure what the correct way to fix it is:
>>>>
>>>> Running rt 4.4.1 rc1 as of today.
>>>>
>>>> The situation is I have external authentication working fine using both
>>>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>>>
>>>> I use puppet to provision the machine.
>>>>
>>>> When I have the external authentication configuration enabled in
>>>> RT_SiteConfig.pm the
>>>> initial database import breaks.  I think this is because when it tries to
>>>> add the "root" user it attempts to canonicalize the name from ldap which
>>>> fails.
>>>>
>>>> Here is an example of the run:
>>>>
>>>>           make initialize-database
>>>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database --action init --prompt-for-dba-password
>>>> In order to create or update your RT database, this script needs to connect to your  mysql instance on localhost (port '') as root
>>>> Please specify that user's database password below. If the user has no database
>>>> password, just press return.
>>>>
>>>> Password:
>>>> Working with:
>>>> Type:   mysql
>>>> Host:   localhost
>>>> Port:
>>>> Name:   rt4
>>>> User:   rt
>>>> DBA:    root
>>>> Now creating a mysql database rt4 for RT.
>>>> Done.
>>>> Now populating database schema.
>>>> Done.
>>>> Now inserting database ACLs.
>>>> Done.
>>>> Now inserting RT core system objects.
>>>> [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/../lib/RT/User.pm line 787. (/opt/rt_source/sbin/../lib/RT.pm:390)
>>>> Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
>>>> Makefile:386: recipe for target 'initialize-database' failed
>>>> make: *** [initialize-database] Error 2
>>>> root at rt-dev:/opt/rt_source#
>>>>
>>>> I can work around this by having puppet install one version of RT_SiteConfig.pm without
>>>> external authentication configured, run the database import and then
>>>> replace it with a version with external auth enabled.
>>>>
>>>> This works, I've tested it.
>>>>
>>>> It just feels terribly ugly and wrong.
>>>>
>>>> Can anyone suggest what I might be doing wrong here or is this a genuine
>>>> issue?
>>>>
>>>>
>>>> Kind regards
>>>> Bart
>>>> --
>>>>
>>>> Bart Bunting - URSYS
>>>> PH: 02 87452811
>>>> Mbl: 0409560005
>>>> ---------
>>>> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
>>>> * Los Angeles - September, 2016
>> Bart
>>
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
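
The workaround described in the original post (install a config without external auth, run the database import, then put the external-auth config back) written as a shell function that always restores the final config, even when the import fails. This is an added example, not code from the thread or from RT; the function name `rt_init_staged` and the separate bootstrap config file are assumptions.

```shell
#!/bin/sh
# Added example: stage RT_SiteConfig.pm around the one-time database init.
# The function name and all paths are hypothetical; this is not RT tooling.
#
# rt_init_staged SITE_CONFIG BOOTSTRAP_CONFIG INIT_COMMAND [ARGS...]
#   SITE_CONFIG       final config, including the external-auth settings
#   BOOTSTRAP_CONFIG  the same config with the external-auth settings left out
#   INIT_COMMAND      e.g. make -C /opt/rt_source initialize-database
rt_init_staged() {
    site=$1
    bootstrap=$2
    shift 2

    if [ ! -f "$site" ] || [ ! -f "$bootstrap" ]; then
        echo "rt_init_staged: config file missing" >&2
        return 2
    fi

    # Save the final config beside the original. mktemp creates the file
    # 0600 and cp -p then copies the original's mode, so the LDAP bind
    # password is never more readable than it already was.
    saved=$(mktemp "$site.final.XXXXXX") || return 2
    cp -p "$site" "$saved" || { rm -f "$saved"; return 2; }

    # Write into the existing file (no mv) so owner and mode are unchanged.
    status=0
    if cat "$bootstrap" > "$site"; then
        # "|| status=$?" keeps a failing init from aborting under set -e
        # before the final config has been restored.
        "$@" || status=$?
    else
        status=2
    fi

    # Restore the final config whether or not the init succeeded.
    if cat "$saved" > "$site"; then
        rm -f "$saved"
    else
        echo "rt_init_staged: restore failed, final config is in $saved" >&2
        return 3
    fi
    return "$status"
}
```

The database init is a one-time step, so a caller such as Puppet still needs its own guard to keep this from running again on later applies.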


