It requests only the "dn" attribute because the user is not internal.
Once the user is created, it will request the other attributes.
I have seen our LDAP administrator and for him all is OK. Accounts are
well bound with LDAP.
It seems like after binding the account it requests another validation which
failed.
I'm sorry to take your precious time and thank you once more.
Yes,
But even if it's a new user, the user is created but I still have LOGIN
FAILED.
Below is the log with a new user:
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:201)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(uid=20005528)(objectClass=privperson)) == Attrs: dn (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:234)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Found LDAP DN: uid=20005528,ou=people,ou=GO-LM,o=corp.mycorp.com (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:268)
[4110] [Tue Dec 6 10:22:44 2016] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): 20005528 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:350)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP password validation result: 1 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:558)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Password Validation Check Result: 1 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:383)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[4110] [Tue Dec 6 10:22:44 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
[4109] [Tue Dec 6 10:22:50 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:286)
[4109] [Tue Dec 6 10:22:50 2016] [debug]: Calling UserExists with $username (20005528) and $service (My_LDAP) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:327)
2016-12-06 11:12 GMT+01:00 Martin Wheldon <martin.wheldon@greenhills-it.co.uk>:
Hi Claude,
Seems you already have a user in the RT database with the same email
address, but different user name.
[3605] [Tue Dec 6 07:58:02 2016] [error]: Couldn't create user 20006583: Email address in use
Best Regards
Martin
On 2016-12-06 08:05, Claude EDUMA wrote:
Hi Martin,
Thank you for your response.
File permissions for my CA.cert are "rw-r--r--".
Below is rt.log:
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:286)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Calling UserExists with $username (20006583) and $service (My_LDAP) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:327)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: UserExists params: username: 20006583 , service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:488)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:518)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User /opt/rt4/sbin/…/lib/RT/User.pm 699 with: Disabled: , EmailAddress: , Gecos: 20006583, Name: 20006583, Privileged: 1 (/opt/rt4/sbin/…/lib/RT/User.pm:735)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt4/sbin/…/lib/RT/User.pm:743)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to use this canonicalization key: Name (/opt/rt4/sbin/…/lib/RT/User.pm:752)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:406)
[3605] [Tue Dec 6 07:58:02 2016] [info]: RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: , Disabled: , EmailAddress: claude.eduma@ext.mycorp.com, Gecos: 20006583, Name: 20006583, Privileged: 1, RealName: CLAUDE EDUMA (/opt/rt4/sbin/…/lib/RT/User.pm:812)
[3605] [Tue Dec 6 07:58:02 2016] [error]: Couldn't create user 20006583: Email address in use (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:353)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[3605] [Tue Dec 6 07:58:02 2016] [error]: FAILED LOGIN for 20006583 from 10.1.179.71 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
Thank you one more time.
Regards.
2016-12-05 23:35 GMT+01:00 Martin Wheldon <martin.wheldon@greenhills-it.co.uk>:
Hi Claude,
Your English is much better than my French.
I've cc'd the RT users list as they may have additional suggestions.
The short answer is no, I don't believe your problem is caused by TLS
bugs.
You seem to be mixing up the new RT 4.4 LDAP configuration syntax
with the older RT::Authen::ExternalAuth syntax.
If you are using RT 4.4.x then you don't need the following, because
it is the old style syntax:
Set($LDAPBase, 'MYLDAPSERVER');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name         => 'uid',
    EmailAddress => 'mail',
    RealName     => 'cn'
});
The following option should also be removed when using RT 4.4.x:
'ssl_version' => 3,
Is RT able to read your CAcert file? Please could you check the file
permissions.
Do you see any errors in the logs?
Best Regards
Martin
On 2016-12-05 13:22, claudeduma@gmail.com wrote:
Hi Martin,
I am trying to configure LDAP authentication but it doesn't work.
I'm sure all my config is correct (see below). I tried with
ldapsearch and all is OK. I looked at my LDAP server's logs and I
bind users correctly. Do you think it's a TLS bug?
(Sorry for my English, I'm French.)
Thank you.
Set($LDAPBase, 'MYLDAPSERVER');
Set($LDAPFilter, '(&(objectClass=person))');
Set($LDAPMapping, {
    Name         => 'uid',
    EmailAddress => 'mail',
    RealName     => 'cn'
});
# Use the below LDAP source for both authentication, as well as user
# information
Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalServiceUsesSSLorTLS, 1);
# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 0);
# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldaps://MYLDAPSERVER',
        'user'   => 'MYUSER',
        'pass'   => 'MYPASS',
        'base'   => 'MYBASE',
        'filter' => '(objectClass=privperson)',
        'tls'    => { verify => "require", cafile => "/etc/CA.crt" },
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'Gecos'        => 'uid',
            'Country'      => 'co',
        }
    },
}
);
1;
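Added here as an illustration, not code from this thread or from RT itself: a small Python triage script over rt.log records in the format quoted above. It groups records by the RT worker PID and explains each FAILED LOGIN, separating the "Email address in use" autocreate conflict from the "No User" outcome that follows a successful LDAP bind. The sample records are constructed from the excerpts in this thread, with the truncated "…" in the source paths kept as it appears there.

```python
import re
from collections import defaultdict

# One RT log record: "[pid] [timestamp] [level]: message (source file:line)".
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
    r"(?P<msg>.*?)(?: \((?P<src>/[^()]+:\d+)\))?$"
)

# Constructed sample: the wrapped excerpts from this thread re-joined, one record per line.
SAMPLE_LOG = """\
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:201)
[4110] [Tue Dec 6 10:22:44 2016] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): 20005528 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:350)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[4110] [Tue Dec 6 10:22:44 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
[3605] [Tue Dec 6 07:58:02 2016] [error]: Couldn't create user 20006583: Email address in use (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:353)
[3605] [Tue Dec 6 07:58:02 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[3605] [Tue Dec 6 07:58:02 2016] [error]: FAILED LOGIN for 20006583 from 10.1.179.71 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
""".splitlines()

def parse_records(lines):
    """Yield one dict per line that matches the RT record format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose_failed_logins(lines):
    """Group messages by worker PID and explain each FAILED LOGIN in that worker."""
    by_pid = defaultdict(list)
    for rec in parse_records(lines):
        by_pid[rec["pid"]].append(rec["msg"])
    findings = []
    for pid, msgs in by_pid.items():
        failed = next((m for m in msgs if m.startswith("FAILED LOGIN for ")), None)
        if failed is None:
            continue
        user, _, ip = failed[len("FAILED LOGIN for "):].partition(" from ")
        ldap_ok = any("External Auth OK" in m for m in msgs)
        create_err = next((m for m in msgs if m.startswith("Couldn't create user")), None)
        if create_err:
            cause = "autocreate failed: " + create_err.split(": ", 1)[1]
        elif ldap_ok:
            cause = "LDAP password accepted but RT answered 'No User'"
        else:
            cause = "external authentication did not succeed"
        findings.append({"pid": pid, "user": user, "ip": ip,
                         "ldap_ok": ldap_ok, "cause": cause})
    return findings
```

Run it against a real rt.log by passing the file's lines to diagnose_failed_logins; records that do not match the RT format are ignored.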