Issues configuring RT::Authen::ExternalAuth

I have followed a recent thread in the list to set up LDAP authentication using
RT::Authen::ExternalAuth and it is kind of working, but the user doesn't
actually get to use the system. The system just leaves the user at the login
page and nothing happens. Is it that I'm using a bad disabled account filter
or something?

As an additional observation, I logged in as root after trying this out and
even though the logs say the account was created I could not find the user.

Here is the log I get when I try to log in as carlos.velez99:

[Sat Apr 19 22:19:45 2008] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/share/request-tracker3.6/lib/RT/Record.pm:1466)
[Sat Apr 19 22:19:45 2008] [debug]: RT::User::IsExternalPassword Trying External authentication (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:52)
[Sat Apr 19 22:19:45 2008] [debug]: Attempting to use external auth service: My_LDAP (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:63)
[Sat Apr 19 22:19:45 2008] [debug]: LDAP Search === Base: ou=people,dc=upr,dc=edu == Filter: (&(uid=carlos.velez99)(objectclass=*)) == Attrs: dn (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:185)
[Sat Apr 19 22:19:45 2008] [debug]: Found LDAP DN: uid=carlos.velez99,ou=people,dc=upr,dc=edu (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:217)
[Sat Apr 19 22:19:45 2008] [info]: RT::User::IsExternalPassword External Auth OK ( My_LDAP ): carlos.velez99 (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:281)
[Sat Apr 19 22:19:45 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:360)
[Sat Apr 19 22:19:45 2008] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /usr/share/request-tracker3.6/lib/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: carlos.velez99, Name: carlos.velez99, Privileged: 0 (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:400)
[Sat Apr 19 22:19:45 2008] [debug]: Attempting to get user info using this external service: My_LDAP (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:408)
[Sat Apr 19 22:19:45 2008] [debug]: Attempting to use this canonicalization key: Name (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:417)
[Sat Apr 19 22:19:45 2008] [debug]: LDAP Search === Base: ou=people,dc=upr,dc=edu == Filter: (&(objectclass=*)(uid=carlos.velez99)) == Attrs: ,displayName,eduPersonPrincipalName,uid,uid,eduPersonOrgDN,uid (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:538)
[Sat Apr 19 22:19:45 2008] [info]: RT::User::LookupExternalUserInfo : Returning: Address1: , City: , Country: , EmailAddress: carlos.velez99@upr.edu, ExternalAuthId: carlos.velez99, Gecos: carlos.velez99, Name: carlos.velez99, Organization: cn=Mayaguez,ou=people,dc=upr,dc=edu, RealName: Carlos J. Velez-Rivera, State: , WorkPhone: , Zip: (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:703)
[Sat Apr 19 22:19:45 2008] [info]: RT::User::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: carlos.velez99@upr.edu, ExternalAuthId: carlos.velez99, Gecos: carlos.velez99, Name: carlos.velez99, Organization: cn=Mayaguez,ou=people,dc=upr,dc=edu, Privileged: 0, RealName: Carlos J. Velez-Rivera, State: , WorkPhone: , Zip: (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:444)
[Sat Apr 19 22:19:46 2008] [info]: Autocreated authenticated user carlos.velez99 ( ) (/usr/share/request-tracker3.6/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Carlos J. Velez-Rivera

Manager
CK Computing Corporation
cvelez@ckcomputingpr.com
Voice: (787)464-1182
Fax: 866-910-4798


Your attr_map seems a little broken, although that shouldn’t affect user
creation. The cause of the problem seems related to this line:

[Sat Apr 19 22:19:46 2008] [info]: Autocreated authenticated user
carlos.velez99 ( )

The empty parentheses at the end of this line are supposed to contain the
principal ID for the newly created user, which means that user creation
didn't succeed.

It’s not clear what would cause that.

Perhaps if you provided your RT_SiteConfig.pm we might be better able to
work out what’s going on…

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Hello Mike,

Thanks for your answer. Sorry for the delay in getting back to you. I had to take care of a fire... Here is the RT_SiteConfig.pm file. I thought it could be related to a bad filter...

Thanks in advance for any pointers you might have!
Carlos

RT_SiteConfig.pm

# These are the bits you absolutely must edit.
#
# To find out how, please read
# /usr/share/doc/request-tracker3.6/INSTALL.Debian

# THE BASICS:

Set($rtname, 'Universidad de Puerto Rico - GAE');
Set($Organization, 'upr.edu');

Set($CorrespondAddress , 'someone@upr.edu');
Set($CommentAddress , 'someone@upr.edu');

Set($Timezone , 'Venezuela/Caracas'); # obviously choose what suits you

# THE DATABASE:

# Added by carlos 20070629
Set($DatabaseHost, 'localhost');
Set($DatabaseRTHost, 'localhost');

Set($DatabaseType, 'Pg'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'dbuser');
Set($DatabasePassword , 'dbuserpwd');
Set($DatabaseName , 'dbname');

# THE WEBSERVER:

Set($WebPath , "/rt");
Set($WebBaseURL , "http://localhost");

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority, [ 'My_LDAP' ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);

Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # Should the service be used for authentication?
        'auth'   => 1,
        # Should the service be used for information?
        'info'   => 1,
        # The server hosting the service
        'server' => 'upridldap.upr.edu',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'admindn',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'adminpwd',
        # The LDAP search base
        'base'   => 'ou=people,dc=upr,dc=edu',
        # The filter to use to match RT-Users
        'filter' => '(objectclass=*)',
        # The filter that will only match disabled users
        'd_filter' => '(eduPersonAffiliation=alumn)',
        # Should we try to use TLS to encrypt connections?
        'tls'    => 0,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group'  => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Name' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'uid',
            'EmailAddress'   => 'eduPersonPrincipalName',
            'Organization'   => 'eduPersonOrgDN',
            'RealName'       => 'displayName',
            'ExternalAuthId' => 'uid',
            'Gecos'          => 'uid',
            'WorkPhone'      => '',
            'Address1'       => '',
            'City'           => '',
            'State'          => '',
            'Zip'            => '',
            'Country'        => ''
        }
    }
}
);

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'debug');
Set($LogToFile , 'debug');
Set($LogDir, '/var/log/request-tracker3.6');
Set($LogToFileNamed , "rt.log"); # log to rt.log
Set($LogStackTraces , 0);

Set($LogoURL , $WebImagesURL . "bplogo.gif");

1;

On Monday 21 April 2008 04:46:56 Mike Peachey wrote:


Your attr_map seems a little broken, although that shouldn’t affect user
creation. The cause of the problem seems related to this line:

[Sat Apr 19 22:19:46 2008] [info]: Autocreated authenticated user
carlos.velez99 ( )

The empty parentheses at the end of this line are supposed to contain the
principal ID for the newly created user, which means that user creation
didn't succeed.

It’s not clear what would cause that.

Perhaps if you provided your RT_SiteConfig.pm we might be better able to
work out what’s going on…

Carlos J. Velez-Rivera


Since you're not using LDAP groups to determine access, remove the group
and group_attr lines from ExternalSettings, then run it again and
provide the debug log for what happens.

Kind Regards,

Mike Peachey, IT
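The lint below is an added example, not RT's or Mike's code: it models the 'My_LDAP' hash from the posted RT_SiteConfig.pm as a Python dict, flags the two points raised in the thread (empty group/group_attr lines, attr_map entries mapped to '') and rebuilds the user-info search filter and attribute list in the shape the debug log prints them. How ExternalAuth assembles that search is inferred from the log lines, not taken from the module's source, and attribute order will differ from the log because Perl hashes are unordered.

```python
# Added example: lint one RT::Authen::ExternalAuth service definition and
# rebuild the "LDAP Search === ... Filter: ... Attrs: ..." the debug log
# shows. The search construction is inferred from the log, not from RT.

# Constructed copy of the 'My_LDAP' service posted in the thread; the
# credential values are the same placeholders the posted config used.
MY_LDAP = {
    "type": "ldap", "auth": 1, "info": 1,
    "server": "upridldap.upr.edu",
    "user": "admindn", "pass": "adminpwd",
    "base": "ou=people,dc=upr,dc=edu",
    "filter": "(objectclass=*)",
    "d_filter": "(eduPersonAffiliation=alumn)",
    "tls": 0, "group": "", "group_attr": "",
    "attr_match_list": ["Name"],
    "attr_map": {
        "Name": "uid", "EmailAddress": "eduPersonPrincipalName",
        "Organization": "eduPersonOrgDN", "RealName": "displayName",
        "ExternalAuthId": "uid", "Gecos": "uid",
        "WorkPhone": "", "Address1": "", "City": "",
        "State": "", "Zip": "", "Country": "",
    },
}


def lint_service(svc):
    """Return the problems the thread raises for one service definition."""
    problems = []
    # Empty group settings should be removed rather than left as ''.
    for key in ("group", "group_attr"):
        if svc.get(key) == "":
            problems.append(f"'{key}' is an empty string; remove the line")
    # An attr_map value of '' becomes an empty attribute name in the
    # search: that is the stray comma in "Attrs: ,displayName,..." above.
    empty = sorted(k for k, v in svc.get("attr_map", {}).items() if v == "")
    if empty:
        problems.append("attr_map entries mapped to '': " + ", ".join(empty))
    if not svc.get("attr_match_list"):
        problems.append("attr_match_list is empty")
    return problems


def info_search(svc, name):
    """(filter, attrs) for the user-info lookup keyed on attr_match_list[0]."""
    key_attr = svc["attr_map"][svc["attr_match_list"][0]]
    filt = f"(&{svc['filter']}({key_attr}={name}))"
    attrs = ",".join(svc["attr_map"].values())  # '' values leave gaps
    return filt, attrs


def cleaned(svc):
    """Copy of svc with empty group lines and empty attr_map values dropped."""
    out = {k: v for k, v in svc.items()
           if not (k in ("group", "group_attr") and v == "")}
    out["attr_map"] = {k: v for k, v in svc["attr_map"].items() if v}
    return out
```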


Made the change, cleaned up the Mason files and restarted Apache just in case. It appears as though the same thing is happening. Here's the log. I also tried taking out the d_filter parameter in a separate try and there was no change.

[Thu Apr 24 12:46:39 2008] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/share/request-tracker3.6/lib/RT/Record.pm:1466)
[Thu Apr 24 12:46:39 2008] [debug]: RT::User::IsExternalPassword Trying External authentication (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:52)
[Thu Apr 24 12:46:39 2008] [debug]: Attempting to use external auth service: My_LDAP (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:63)
[Thu Apr 24 12:46:40 2008] [debug]: LDAP Search === Base: ou=people,dc=upr,dc=edu == Filter: (&(uid=carlos.velez99)(objectclass=*)) == Attrs: dn (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:185)
[Thu Apr 24 12:46:40 2008] [debug]: Found LDAP DN: uid=carlos.velez99,ou=people,dc=upr,dc=edu (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:217)
[Thu Apr 24 12:46:40 2008] [info]: RT::User::IsExternalPassword External Auth OK ( My_LDAP ): carlos.velez99 (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:281)
[Thu Apr 24 12:46:40 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:360)
[Thu Apr 24 12:46:40 2008] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /usr/share/request-tracker3.6/lib/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: carlos.velez99, Name: carlos.velez99, Privileged: 0 (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:400)
[Thu Apr 24 12:46:40 2008] [debug]: Attempting to get user info using this external service: My_LDAP (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:408)
[Thu Apr 24 12:46:40 2008] [debug]: Attempting to use this canonicalization key: Name (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:417)
[Thu Apr 24 12:46:40 2008] [debug]: LDAP Search === Base: ou=people,dc=upr,dc=edu == Filter: (&(objectclass=*)(uid=carlos.velez99)) == Attrs: ,displayName,eduPersonPrincipalName,uid,uid,eduPersonOrgDN,uid (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:538)
[Thu Apr 24 12:46:40 2008] [info]: RT::User::LookupExternalUserInfo : Returning: Address1: , City: , Country: , EmailAddress: carlos.velez99@upr.edu, ExternalAuthId: carlos.velez99, Gecos: carlos.velez99, Name: carlos.velez99, Organization: cn=Mayaguez,ou=people,dc=upr,dc=edu, RealName: Carlos J. Velez-Rivera, State: , WorkPhone: , Zip: (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:703)
[Thu Apr 24 12:46:40 2008] [info]: RT::User::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: carlos.velez99@upr.edu, ExternalAuthId: carlos.velez99, Gecos: carlos.velez99, Name: carlos.velez99, Organization: cn=Mayaguez,ou=people,dc=upr,dc=edu, Privileged: 0, RealName: Carlos J. Velez-Rivera, State: , WorkPhone: , Zip: (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:444)
[Thu Apr 24 12:46:41 2008] [info]: Autocreated authenticated user carlos.velez99 ( ) (/usr/share/request-tracker3.6/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Carlos J. Velez-Rivera


Hello: Do you have any pointers as to what in the Perl code I should look into in order to debug this issue? Where does the module look for the user name of the new account? Is it ExternalAuthId? Do you have any suspects you recommend I check?

I am trying to avoid having to create a separate webapp to handle self service… We have about 100,000 accounts for students in the University.

Thanks much!
Carlos J. Velez-Rivera
