Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-06-03 Thread Carlos J. Velez-Rivera
On Monday 02 June 2008 04:25:17 Mike Peachey wrote:
> Carlos J. Velez-Rivera wrote:
> > Mike,
> >
> > I'm one of those who has the issue you mention.  I'd like to help.  Do
> > you want some more output enabled?  Would you like me to add some code to
> > my instance so you can output anything that might help you fix it?
>
> It's not something that is easily done by remote instruction. What I
> really need is someone who is vaguely familiar with perl and RT to run
> through the code with a few new debugging statements, and make
> adjustments to them where necessary based on the log output to determine
> where the ID is getting lost.

Honestly, I'm not familiar with the RT code, but have done extensive perl 
programming in the past.  I'd like to give it a try, if you are up for it!  Let 
me know if you have any recommended reading before I jump in.

-- 
Carlos J. Velez-Rivera

Manager
CK Computing Corporation
[EMAIL PROTECTED]
Voice: (787)464-1182
Fax: 866-910-4798
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com


Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-06-02 Thread Mike Peachey
Carlos J. Velez-Rivera wrote:
> Mike,
>
> I'm one of those who has the issue you mention.  I'd like to help.  Do
> you want some more output enabled?  Would you like me to add some code to my
> instance so you can output anything that might help you fix it?

It's not something that is easily done by remote instruction. What I 
really need is someone who is vaguely familiar with perl and RT to run 
through the code with a few new debugging statements, and make 
adjustments to them where necessary based on the log output to determine 
where the ID is getting lost.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-05-30 Thread Mike Peachey
Bill Teeple wrote:
> (also - note - I put rt3 within the /var volume not the /opt volume)

Meh, I always stick it in /usr

> Here is a part of my log:
>
> [Thu May 29 19:37:57 2008] [warning]: Transaction-Create couldn't, as
> you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

I'm not sure what the cause of this message is, but it does not get in 
the way of user creation, this is one of those messages that has ALWAYS 
been there, I've just yet to get around to working out why.

> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
> (/var/rt3/local/lib/RT/User_Vendor.pm:408)

I've never seen this one before, but I'm guessing it's due to a lack of 
a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info 
are treated as completely separate services and so you need to define 
the services for each.

> [Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
> this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)

Hence this line ^^

> [Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
> returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
> ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
>
> [Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
> or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

And again ^^

> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
> ldapsearch (  )
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

This one ^^ is the nub of the problem. I have had a number of people 
report having this issue, for some reason there just seems to be no user 
object created or no principal ID assigned and, because it's only debug 
output, it's not clear if anything is being created or not, or if it's 
just not reporting right to the debugging code.

If you can help me get to the cause of this issue I would greatly 
appreciate it. The problem I have is that, because it's never happened 
to me, I do not have access to a copy of RT with the problem so that I 
can debug it myself.

> Here is my RT_SiteConfig.pm:
>
> Set($AuthMethods, ['LDAP','internal']);

This setting ^^ is irrelevant. It forms part of Jim Meyer's LDAP 
User_Local.pm overlay code which was deprecated by the ExternalAuth 
extension. I recommend removing it. Also, since you have this line, make 
sure you don't have a $RTHOME/local/lib/RT/User_Local.pm or the same in 
the non-local tree, because if you have accidentally combined my code 
and Jim Meyer's you could be looking at problems.

> # These are the full settings for each external service as a HashOfHashes
> # Note that you may have as many external services as you wish. They will
> # be checked in the order specified in the Priority directives above.
> # e.g.
> Set($ExternalAuthPriority,['My_LDAP']);

Obviously insert ExternalInfoPriority here.


> 'attr_match_list'   => ['Name',
>  'EmailAddress',
>  'RealName',
>  'WorkPhone',
>  'Address2'
>  ],

I think I'll be updating the example config for the next release to 
reduce the attr_match_list. I would recommend only using Name and 
EmailAddress in your configuration. These should be attributes that 
*uniquely* identify a user meaning you can't have more than one with the 
same Address or workphone. Name and Email give RT a username and an 
e-mail address, each of which should be unique for each and every user.

> When I uncomment the:
>
> #Set($AutoCreateNonExternalUsers,1);
>
> line, my attempted user gets AUTO-CREATED in the system, but no
> attributes are pulled over.

As per the comments, if you uncomment it, RT will create the user 
whether they authenticated (and informaticated :/) correctly or not.

 
> As you can see by the log file above, when a user (in log above, example
> user is called ldapsearch) who is not within RT attempts to log on,
> settings are pulled just fine - it even says it has authenticated
> properly, but then the last line:
>
> [Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
> ldapsearch (  )
> (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
>
> Shows me that the account is attempting to be created, but the ( ) is
> missing an ID of some?

Precisely. A few of your own debugging statements may be able to help 
you work out why and I would love to know. If I can help I'm always 
around, especially in #rt on irc.perl.org. Just say Zordrak three times 
and I shall appear. I'm magic like that.

> This coupled with the error further UP the log:
>
> [Thu May 29 19:37:57 2008] [warning]: Transaction-Create couldn't, as
> you didn't specify an object type and id
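
Added example, not part of the original thread and not code from the ExternalAuth extension: a stand-alone Perl check for the two points raised in the reply above, that auth and info each need their own priority list and that attr_match_list should hold only attributes unique per user. The %config layout and the check_external_auth helper are hypothetical; the sample values are constructed from the configuration posted in this thread, and nothing here loads RT.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample mirroring the posted RT_SiteConfig.pm:
# ExternalAuthPriority is set, ExternalInfoPriority is not.
my %config = (
    ExternalAuthPriority => ['My_LDAP'],
    ExternalInfoPriority => undef,
    ExternalSettings     => {
        My_LDAP => {
            type => 'ldap', auth => 1, info => 1,
            attr_match_list =>
                [qw(Name EmailAddress RealName WorkPhone Address2)],
        },
    },
);

# Hypothetical helper: returns a list of findings, empty if none.
sub check_external_auth {
    my ($cfg) = @_;
    my @findings;
    my $settings = $cfg->{ExternalSettings} || {};

    # Auth and info are separate services; each needs a priority list.
    for my $role (qw(auth info)) {
        my $key  = 'External' . ucfirst($role) . 'Priority';
        my $list = $cfg->{$key};
        unless (ref($list) eq 'ARRAY' && @$list) {
            push @findings, "$key is not set: no service is used for $role";
            next;
        }
        for my $name (@$list) {
            my $svc = $settings->{$name};
            if (!$svc) {
                push @findings, "$key names '$name', not in ExternalSettings";
            } elsif (!$svc->{$role}) {
                push @findings, "'$name' is in $key without '$role' => 1";
            }
        }
    }

    # Per the reply: match only on attributes that are unique per user.
    my %unique = map { $_ => 1 } qw(Name EmailAddress);
    for my $name (sort keys %$settings) {
        my @extra = grep { !$unique{$_} }
                    @{ $settings->{$name}{attr_match_list} || [] };
        push @findings, "'$name' attr_match_list is not unique: @extra"
            if @extra;
    }
    return @findings;
}

print "$_\n" for check_external_auth(\%config);
```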

[rt-users] LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth

2008-05-29 Thread Bill Teeple
OK,

I have just finished splunking about 4 months of back articles/e-mails 
on LDAP Authentication within RT and have run up against some sort of 
error that I might just be misinterpreting.

DEBUG Logging is enabled.

I am using the ExternalAuth using LDAP to Windows 2003 SP2 based Active 
Directory controllers.

(also - note - I put rt3 within the /var volume not the /opt volume)

Running on CentOS 5.1 32 bit - fully patched.





Here is a part of my log:



[Thu May 29 19:37:57 2008] [warning]: Transaction-Create couldn't, as 
you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying 
External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth 
service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search ===  Base: 
ou=Corporate,dc=3leafnetworks,dc=corp == Filter: 
((sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn 
(/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP 
Search,OU=Corporate,DC=3leafnetworks,DC=corp 
(/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External 
Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth 
SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo 
called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled: 
0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 
(/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
(/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using 
this external service:  (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo 
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: 
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join 
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. 
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user 
ldapsearch (  ) 
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)



Here is my RT_SiteConfig.pm:


# Any configuration directives you include  here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, '3leafnetworks.com');
Set($SendmailPath , "/usr/sbin/sendmail");
Set($SendmailArguments , "-oi -t");
Set($AuthMethods, ['LDAP','internal']);
Set($LogToFileNamed, "/var/log/rt3/rt.log");
Set($LogToFile, 'debug');

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
#Set($AutoCreateNonExternalUsers,1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalAuthPriority,['My_LDAP']);
#
Set($ExternalSettings,  {
   'My_LDAP' =>  {
  'type'  =>  'ldap',
  'auth'  =>  1,
  'info'  =>  1,
  'server' =>  'zeus.3leafnetworks.com',
  'user'  =>  '3LEAF\\ldapsearch',
  'pass'  =>  'ldapsearch',
  'base'  => 'ou=Corporate,dc=3leafnetworks,dc=corp',
  'filter' =>  '(objectclass=Person)',
  'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
  'tls' =>  0,
  'net_ldap_args' => [version =>  3   ],
  #'group' =>  'GROUP_NAME',
  #'group_attr' =>  'GROUP_ATTR',


'attr_match_list'   => ['Name',
 'EmailAddress',
 'RealName',
 'WorkPhone',
 'Address2'
 ],
'attr_map'  =>  {   'Name' =>