Error when initializing database with external auth enabled

Hi there,

I may be just missing something but this is failing miserably for me and
I am not sure what the correct way to fix it is:

Running rt 4.4.1 rc1 as of today.

The situation is I have external authentication working fine using both
RT::Authen::ExternalAuth and RT::LDAPImport.

I use puppet to provision the machine.

When I have the external authentication configuration enabled in
RT_SiteConfig.pm the initial database import breaks. I think this is because
when it tries to add the “root” user it attempts to canonicalize the name from
ldap which fails.

Here is an example of the run:

    make initialize-database

    /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database --action init --prompt-for-dba-password
    In order to create or update your RT database, this script needs to connect to your mysql instance on localhost (port '') as root
    Please specify that user's database password below. If the user has no database
    password, just press return.

    Password:
    Working with:
    Type: mysql
    Host: localhost
    Port:
    Name: rt4
    User: rt
    DBA: root
    Now creating a mysql database rt4 for RT.
    Done.
    Now populating database schema.
    Done.
    Now inserting database ACLs.
    Done.
    Now inserting RT core system objects.
    [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/…/lib/RT/User.pm line 787. (/opt/rt_source/sbin/…/lib/RT.pm:390)
    Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/…/lib/RT/User.pm line 787.
    Makefile:386: recipe for target 'initialize-database' failed
    make: *** [initialize-database] Error 2
    root@rt-dev:/opt/rt_source#

I can work around this by having puppet install one version of RT_SiteConfig.pm without
external authentication configured, run the database import and then
replace it with a version with external auth enabled.

This works, I’ve tested it.

It just feels terribly ugly and wrong.

Can anyone suggest what I might be doing wrong here or is this a genuine
issue?

Kind regards
Bart

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
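
The workaround described in this post, as an added example that is not part of the original message or of RT: it derives the bootstrap configuration from the one full RT_SiteConfig.pm instead of keeping two copies, and puts the full file back even when the import fails. It assumes that removing the `$ExternalAuthPriority`, `$ExternalInfoPriority` and `$ExternalSettings` statements is what leaves external authentication unconfigured; the function names, the `--init` switch and the sample config with its placeholder values are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): one-file version of the two-config workaround.

# Constructed sample config, modelled on the settings posted in this thread.
sample_site_config() {
    cat <<'EOF'
use utf8;
#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['EXAMPLE_LDAP'] );
Set( $ExternalInfoPriority, ['EXAMPLE_LDAP'] );
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'EXAMPLE_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.test',
        'pass'   => 'placeholder',
    },
} );
Set($LDAPHost, 'ldap.example.test');
1;
EOF
}

# Print file $1 without the Set() statements for $ExternalAuthPriority,
# $ExternalInfoPriority and $ExternalSettings. Assumes each statement starts
# on its own line and ends at the first line that finishes with ");".
strip_external_auth() {
    awk '
        skipping { if ($0 ~ /\);[ \t]*$/) skipping = 0; next }
        /^[ \t]*Set[ \t]*\([ \t]*\$External(AuthPriority|InfoPriority|Settings)[^A-Za-z_]/ {
            if ($0 !~ /\);[ \t]*$/) skipping = 1
            next
        }
        { print }
    ' "$1"
}

# Run the given command (default: make initialize-database) while config $1
# has external auth stripped, then restore the full config whatever happens.
init_with_bootstrap_config() {
    cfg=$1; shift
    [ "$#" -gt 0 ] || set -- make initialize-database
    # The copy holds the LDAP bind password: mktemp creates it mode 0600.
    full=$(mktemp "$cfg.full.XXXXXX") || return 1
    cat "$cfg" > "$full" || return 1
    # Write in place so RT_SiteConfig.pm keeps its owner and permissions.
    strip_external_auth "$full" > "$cfg" || { cat "$full" > "$cfg"; return 1; }
    status=0
    "$@" || status=$?
    cat "$full" > "$cfg" && rm -f "$full"
    return "$status"
}

# Stand-alone use (hypothetical switch): sh this-script.sh --init /path/to/RT_SiteConfig.pm
if [ "${1:-}" = "--init" ]; then init_with_bootstrap_config "${2:?path to RT_SiteConfig.pm}"; fi
```

Per the reply later in this thread, the fixes going into RT 4.4.1rc2 make this workaround unnecessary.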

Couldn’t this be related to RT::Authen::ExternalAuth migration to RT
core since 4.4 version?

https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html

Peter

RT 4.4 and RTIR Training Sessions https://bestpractical.com/training

  • Los Angeles - September, 2016

Peter,

Not sure, but this is a new install using rt 4.4.

Kind regards
Bart

To clarify the previous question, if you were using
RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have
it pulled in as a Plugin, you need to remove it because it is now in
core. It’s not clear to me if your RT_SiteConfig.pm is from an earlier
RT version. If so, you will need to make some updates due to the RT
version change:

https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html

Hi Jim,

Sorry for not posting the relevant details. It is a totally new install
being built to replace our customized version of rt 3.6 :). Probably
time for an upgrade :).

Here are the configuration details that are to do with authentication.

As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it’s
added from initialdata:

    use utf8;
    #* Authentication

    # configure external authentication

    #Set ($ExternalAuth, 1);
    Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
    Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

    # Make users created from LDAP Privileged

    Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

    # Users should still be autocreated by RT as internal users if they
    # fail to exist in an external service; this is so requestors (who
    # are not in LDAP) can still be created when they email in.

    Set($AutoCreateNonExternalUsers, 1);

    # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
    # further details and examples

    Set($ExternalSettings, {
        'URSYS_LDAP' => {
            'type' => 'ldap',
            'server' => 'xxx',
            'base' => 'cn=users,cn=accounts,dc=xxx',
            'user' => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
            'pass' => 'xxx',
            'filter' => '(&(memberOf=cn=helpdesk-*))',
            'attr_match_list' => [
                'Name',
            ],
            'attr_map' => {
                'Name' => 'uid',
                'EmailAddress' => 'mail',
            },
        },
    } );

    #* Ldapimport Configuration

    Set($LDAPBase,'cn=users,cn=accounts,dc=xxx');
    Set($LDAPHost,'xxx');
    Set($LDAPUser,'uid=system,cn=sysaccounts,cn=etc,dc=xxx');
    Set($LDAPPassword,'xxx');
    Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
    Set($LDAPMapping, {Name => 'uid', # required
                       EmailAddress => 'mail',
                       RealName => 'cn',
                       WorkPhone => 'telephoneNumber',
                       Organization => 'departmentName'});

    # create users as privileged

    Set($LDAPCreatePrivileged, 1);

    # sync Groups from LDAP into RT

    Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
    Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
    Set($LDAPGroupMapping, {Name => 'cn',
                            Description => 'description',
                            Member_Attr => 'member',
                            Member_Attr_Value => 'dn',
                            });

    #* Slack Notifier configuration

    # All parameters with the exclusion of Proxy are directly passed to the WebService::Slack::IncomingWebHook object

Kind regards
Bart

> Hi there,

Hi Bart,

> I may be just missing something but this is failing miserably for me and
> I am not sure what the correct way to fix it is:
>
> Running rt 4.4.1 rc1 as of today.

I’m glad to hear it. :)

> When I have the external authentication configuration enabled in
> RT_SiteConfig.pm the initial database import breaks. I think this is because
> when it tries to add the “root” user it attempts to canonicalize the name from
> ldap which fails.

You’re exactly right. It’s even trying to canonicalize the RT System and Nobody users too.

> I can work around this by having puppet install one version of RT_SiteConfig.pm without
> external authentication configured, run the database import and then
> replace it with a version with external auth enabled.
>
> This works, I’ve tested it.
>
> It just feels terribly ugly and wrong.

Indeed it is, but hey, it works.

> Can anyone suggest what I might be doing wrong here or is this a genuine
> issue?

It’s a genuine issue. I’ve created an Issues ticket on your behalf:

https://issues.bestpractical.com/Ticket/Display.html?id=32009

I’ve also fixed the underlying issue with the following two commits (the first for RT System and Nobody, the latter for the root user):

Avoid trying to canonicalize system users through ExternalAuth · bestpractical/rt@86b45ac · GitHub
Allow SkipCanonicalize for users in initialdata · bestpractical/rt@a32c581 · GitHub

These fixes will be included in RT 4.4.1rc2, but if you want to apply the patches ahead of time, you can get rid of your double SiteConfig hack.

> Kind regards
> Bart

Thank you for testing the RCs!
Shawn

Shawn,

Thanks for the fix.

I’ll rework my configuration once the commit is merged, things in that
department are working ok at the moment and I’m still fighting other
small fires from the transition.

Much appreciate the update and fix though!

Kind regards

Bart

Shawn Moore shawn@bestpractical.com writes:

> I’ve also fixed the underlying issue with the following two commits (the first for RT System and Nobody, the latter for the root user):
>
> Avoid trying to canonicalize system users through ExternalAuth · bestpractical/rt@86b45ac · GitHub
> Allow SkipCanonicalize for users in initialdata · bestpractical/rt@a32c581 · GitHub