[rt-users] LDAP authentication fails in RT 3.6.1

Mon, 13 Nov 2006 18:49:05 -0800

Hello,

I've been trying to setup LDAP integration in RT 3.6.1, however I am unable to get authentication to work properly.  Authentication against the LDAP directory succeeds (the code is able to bind with the supplied credentials), however the $UserObj->Id variable remains undefined, and the rest of the code fails.  I spent the weekend poking around in the code, I've attached some logs below to help explain what I have found.

Note, I've removed some details from the logs for privacy/security:
$MyUID is my ldap UID
$MyDN is my ldap DN
$MyEMAIL is my Email
$MyINFO is all of the LDAP info


The first key line in the logs seems to be: [Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
Which occurs at this line of code in the LDAP Auth callback: my ($val, $msg) = $UserObj->SetName($user);
What this means, I do not know.  I'm not familiar enough with RT's structure to debug that line.

The next key log is: [Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
So the code is able to bind with the credentials I supplied.  Our ldap server logs also indicate successful binding as my user

The next key log: [Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
Which occurs at this line in the LDAP Auth callback: $RT::Logger->info("Autocreated authenticated user " . $UserObj->Name . " (" . $UserObj->Id . ")\n");
What's interesting about this is that the $UserObj->Id is blank.  This means that no data is loaded into the $session{'CurrentUser'} variable, and remainder of the code fails to execute because it is dependent on $session{'CurrentUser'}->Id to be set


Is this a bug, or is something wrong with my LDAP mapping that cause the $UserObj->Id value to not be set?  Below are the relevant LDAP settings from my RT_SiteConfig.pm (I've left out server settings since I know those are working):

Set($AuthMethods, ['LDAP', 'Internal']);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {'Name' => 'uid',
        'EmailAddress' => 'mail',
        'Organization' => 'o',
        'RealName' => 'cn',
        'ExternalContactInfoId' => 'dn',
        'ExternalAuthId' => 'uid',
        'Gecos' => 'uid',
        'WorkPhone' => 'telephoneNumber',
        'Address1' => 'street',
        'City' => 'l',
        'State' => 'st',
        'Zip' => 'postalCode',
        'Country' => 'co'}
);
Set($LdapRTAttrMatchList, ['ExternalContactInfoId',
        'Name',
        'EmailAddress',
        'RealName']
);
Set($LdapEmailAttrMatchList, ['mail']);
Set($LdapEmailAttrMatchPrefix, ['']);


-Garret

P.S. Logs

[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
[Sat Nov 11 19:34:19 2006] [debug]: Trying LDAP authentication (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:153)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsLDAPPassword Found LDAP DN: $MyDN (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:187)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeUserInfo  called by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: $MyUID, Name: $MyUID, Privileged: 0 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:378)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "MyDN" and filter "uid=$MyUID" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 393 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 402 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeUserInfo returning $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:411)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 194 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 561 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress  $MyEMAIL =>  $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
[Sat Nov 11 19:34:19 2006] [error]: FAILED LOGIN for $MyUID from 10.1.1.254 (/usr/share/rt3/html/autohandler:238)
-- 
Garret W. Huntress
System Administrator / System Developer

Geophysical Laboratory
Carnegie Institution of Washington
5251 Broad Branch Road, NW
Washington, DC 20015
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Reply via email to