Hi Jim,
Sorry for not posting the relevant details. It is a totally new install
being built to replace our customized version of rt 3.6 :). Probably
time for an upgrade :).
Here are the configuration details that are to do with authentication.
As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it’s
added from initialdata:
use utf8;
#* Authentication
# configure external authentication
#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);
# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type' => 'ldap',
        'server' => 'xxx',
        'base' => 'cn=users,cn=accounts,dc=xxx',
        'user' => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
        'pass' => 'xxx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name' => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );
#* Ldapimport Configuration
Set($LDAPBase,'cn=users,cn=accounts,dc=xxx');
Set($LDAPHost,'xxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,cn=etc,dc=xxx');
Set($LDAPPassword,'xxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
                   EmailAddress => 'mail',
                   RealName => 'cn',
                   WorkPhone => 'telephoneNumber',
                   Organization => 'departmentName'});
# create users as privileged
Set($LDAPCreatePrivileged, 1);
# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name => 'cn',
                        Description => 'description',
                        Member_Attr => 'member',
                        Member_Attr_Value => 'dn',
                       });
#* Slack Notifier configuration
# All parameters with the exclusion of Proxy are directly passed to the WebService::Slack::IncomingWebHook object
Kind regards
Bart
Jim Brandt jbrandt@bestpractical.com writes:
To clarify the previous question, if you were using
RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have
it pulled in as a Plugin, you need to remove it because it is now in
core. It’s not clear to me if your RT_SiteConfig.pm is from an earlier
RT version. If so, you will need to make some updates due to the RT
version change:
UPGRADING-4.4 - RT 4.4.1 Documentation - Best Practical
Peter,
Not sure, but this is a new install using rt 4.4.
Kind regards
Peter Viskup skupko.sk@gmail.com writes:
Couldn’t this be related to RT::Authen::ExternalAuth migration to RT
core since 4.4 version?
UPGRADING-4.4 - RT 4.4.0 Documentation - Best Practical
--
Peter
Hi there,
I may be just missing something but this is failing miserably for me and
I am not sure what the correct way to fix it is:
Running rt 4.4.1 rc1 as of today.
The situation is I have external authentication working fine using both
RT::Authen::ExternalAuth and RT::LDAPImport.
I use puppet to provision the machine.
When I have the external authentication configuration enabled in
RT_SiteConfig.pm the
initial database import breaks. I think this is because when it tries to
add the “root” user it attempts to canonicalize the name from ldap which
fails.
Here is an example of the run:
make initialize-database
/usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database --action init --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to your mysql instance on localhost (port ‘’) as root
Please specify that user’s database password below. If the user has no database
password, just press return.
Password:
Working with:
Type: mysql
Host: localhost
Port:
Name: rt4
User: rt
DBA: root
Now creating a mysql database rt4 for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs.
Done.
Now inserting RT core system objects.
[15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/…/lib/RT/User.pm line 787. (/opt/rt_source/sbin/…/lib/RT.pm:390)
Undefined subroutine &RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at /opt/rt_source/sbin/…/lib/RT/User.pm line 787.
Makefile:386: recipe for target ‘initialize-database’ failed
make: *** [initialize-database] Error 2
root@rt-dev:/opt/rt_source#
I can work around this by having puppet install one version of RT_SiteConfig.pm without
external authentication configured, run the database import and then
replace it with a version with external auth enabled.
This works, I’ve tested it.
It just feels terribly ugly and wrong.
Can anyone suggest what I might be doing wrong here or is this a genuine
issue?
Kind regards
Bart
Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
- Los Angeles - September, 2016
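The two-phase workaround described in the original post (initialise the database with a site config that has no external authentication, then install the full one), written out as an added shell example; it is not code from the thread or from RT. The function name, the marker file, the 0640 file mode and the check for `$External...` settings are assumptions made for this sketch.

```shell
#!/bin/sh
# Two-phase RT provisioning (added example, not from the thread):
#   1. install a bootstrap RT_SiteConfig.pm without ExternalAuth settings
#   2. run the database initialisation command
#   3. install the full RT_SiteConfig.pm with ExternalAuth enabled
#
# Usage: provision_rt ETC_DIR BOOTSTRAP_CFG FULL_CFG INIT_CMD [ARGS...]
# e.g.   provision_rt /opt/rt4/etc boot.pm full.pm \
#            make -C /opt/rt_source initialize-database
# (/opt/rt4/etc and the .pm file names are assumed; adjust to your layout.)
provision_rt() {
    etc_dir=$1
    bootstrap_cfg=$2
    full_cfg=$3
    shift 3
    site_cfg="$etc_dir/RT_SiteConfig.pm"
    marker="$etc_dir/.db-initialized"   # hypothetical marker, makes reruns safe

    # Refuse a bootstrap config that still has active (uncommented)
    # $ExternalAuth* / $ExternalInfo* / $ExternalSettings lines, since those
    # are what the post identifies as breaking the init step.
    if grep -Eq '^[[:space:]]*Set[[:space:]]*\([[:space:]]*\$External' \
            "$bootstrap_cfg"; then
        echo "bootstrap config still contains ExternalAuth settings" >&2
        return 2
    fi

    if [ ! -e "$marker" ]; then
        # 0640: the site config carries database and LDAP bind passwords.
        install -m 0640 "$bootstrap_cfg" "$site_cfg" || return 1
        if ! "$@"; then
            echo "database init failed; full config not installed" >&2
            return 1
        fi
        : > "$marker"
    fi

    # Database exists (now or from an earlier run): switch to the full config.
    install -m 0640 "$full_cfg" "$site_cfg"
}
```

On a failed init the bootstrap config is left in place and no marker is written, so the next run retries the init instead of enabling external authentication against an empty database.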