Ldap auth failing

when I attempt to login as ‘root’, the first attempt produces this
message (the second succeeds). I assume the success on the second try
results from a fallback to local auth. Logging in as a known user fails
without any error message. I’m not seeing any authentication attempt on
the ldap server.

error: Can't locate object method "new" via package "Net::LDAP" (perhaps you forgot to load "Net::LDAP"?) at /usr/share/request-tracker3/lib/RT/User_Local.pm line 65.
context:

61: $RT::Logger->info("Using External Authentication\n");
62: use Net::LDAP;
63:
64: my $mesg;
65: my $ldap = Net::LDAP->new($RT::LdapServer, version=>3) or $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect to LDAP'\n"), return 0;
66:
67: # Iseem to have problems is I try and bind with a NULL username by hand
68: # So this now checks to see if we are really going to bind with a
69: # username.

code stack: /usr/share/request-tracker3/lib/RT/User_Local.pm:65
/usr/share/request-tracker3/lib/RT/CurrentUser.pm:273
/usr/share/request-tracker3/html/autohandler:172
raw error

Perhaps Net::LDAP is not loading. What happens when you run:

perl -MNet::LDAP -e 0;

-Todd

On Fri, Dec 31, 2004 at 02:24:36PM -0800, Mark Taylor wrote:

when I attempt to login as ‘root’, the first attempt produces this
message (the second succeeds). I assume the success on the second try
results from a fallback to local auth. Logging in as a known user fails
without any error message. I’m not seeing any authentication attempt on
the ldap server.

error: Can't locate object method "new" via package "Net::LDAP" (perhaps you forgot to load "Net::LDAP"?) at /usr/share/request-tracker3/lib/RT/User_Local.pm line 65.
context:

61: $RT::Logger->info("Using External Authentication\n");
62: use Net::LDAP;
63:
64: my $mesg;
65: my $ldap = Net::LDAP->new($RT::LdapServer, version=>3) or $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect to LDAP'\n"), return 0;
66:
67: # Iseem to have problems is I try and bind with a NULL username by hand
68: # So this now checks to see if we are really going to bind with a
69: # username.

code stack: /usr/share/request-tracker3/lib/RT/User_Local.pm:65
/usr/share/request-tracker3/lib/RT/CurrentUser.pm:273
/usr/share/request-tracker3/html/autohandler:172
raw error



nothing happened with

perl -MNet::LDAP -e 0

prompt returned. However, NET::LDAP is in the $INC path
(/usr/share/perl5/NET/LDAP.pm).
reinstalled perl-ldap with no effect.

this is rt3.0 on Debian, Perl 5

thanks

mt

Todd Chapman wrote:

My ldapsearch works, but ldap auth with RT is failing

cat /etc/ldap/ldap.conf

TLS_REQCERT never # without this ldap bind fails
# TLS: peer cert untrusted or revoked (0x42)
# TLS: can't connect: (unknown error code).

ldapsearch -LLL -W -D "uid=binduser,ou=People,dc=mnet,dc=example,dc=com" -b "ou=People,dc=mnet,dc=example,dc=com" -H ldaps://192.168.1.7:1636 uid="asif" mail
Enter LDAP Password:
dn: uid=asif,ou=People,dc=mnet,dc=example,dc=com
mail: Asif.Iqbal@example.com

but RT fails with this error

[Wed May 25 14:51:39 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:39 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
[Wed May 25 14:51:39 2011] [debug] mod_deflate.c(615): [client 192.162.1.215] Zlib: Compressed 0 to 2 : URL /
[Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
[Wed May 25 14:51:41 2011] [info] [client 192.168.1.215] Request header read timeout
[Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:43 2011] [error] [client 192.168.1.215] Apache2::RequestIO::rflush: (103) Software caused connection abort at /usr/local/share/perl/5.10.1/Plack/Handler/Apache2.pm line 148
[Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 2 : URL /
[Wed May 25 14:51:43 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 0 to 8 : URL /NoAuth/Login.htm
[Wed May 25 14:51:43 2011] [info] [client 192.168.1.215] (32)Broken pipe: core_output_filter: writing data to the network
[Wed May 25 14:51:47 2011] [debug] mod_deflate.c(615): [client 192.168.1.215] Zlib: Compressed 4232 to 1682 : URL /NoAuth/Login.html, referer: http://192.168.1.72/NoAuth/Login.html

and apache2/error.log show this

[Wed May 25 18:51:43 2011] [error]: FAILED LOGIN for asif from 192.168.1.215 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:639)

egrep -v "^[[:space:]]*#|^$" /opt/rt4/etc/RT_SiteConfig.pm

Set( $rtname, 'example.com');
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
1;

egrep -v "^[[:space:]]*#|^$" /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_MySQL',
                             'My_SSO_Cookie'
                           ]
);
Set($ExternalInfoPriority, [ 'My_MySQL',
                             'My_LDAP'
                           ]
);
Set($ExternalServiceUsesSSLorTLS, 1); # <== set this to `1' for TLS. tried with `0' as well and failed
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
    'My_MySQL' => { ## GENERIC SECTION
        'type'            => 'db',
        'server'          => 'server.domain.tld',
        'database'        => 'DB_NAME',
        'table'           => 'USERS_TABLE',
        'user'            => 'DB_USER',
        'pass'            => 'DB_PASS',
        'port'            => 'DB_PORT',
        'dbi_driver'      => 'DBI_DRIVER',
        'u_field'         => 'username',
        'p_field'         => 'password',
        'p_enc_pkg'       => 'Crypt::MySQL',
        'p_enc_sub'       => 'password',
        'd_field'         => 'disabled',
        'd_values'        => ['0'],
        'attr_match_list' => [ 'Gecos',
                               'Name'
                             ],
        'attr_map'        => { 'Name'           => 'username',
                               'EmailAddress'   => 'email',
                               'ExternalAuthId' => 'username',
                               'Gecos'          => 'userID'
                             }
    },
    'My_LDAP' => { ## GENERIC SECTION
        'type'            => 'ldap',
        'server'          => 'ldaps://192.168.1.7:1636',
        'user'            => 'sysldapq',
        'pass'            => 'secret',
        'debug'           => 255,
        'base'            => 'ou=People,dc=mnet,dc=example,dc=com',
        'filter'          => '(objectclass=mnetperson)',
        'd_filter'        => '(objectclass=blah)',
        'tls'             => 1, # <== set this to `1' for tls. failed with `0' as well
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                             ],
        'attr_map'        => { 'Name'           => 'uid',
                               'EmailAddress'   => 'mail',
                               'Organization'   => 'companynumber',
                               'RealName'       => 'cn',
                               'ExternalAuthId' => 'uid',
                               'WorkPhone'      => 'telephoneNumber',
                               'Address1'       => 'street',
                               'City'           => 'l',
                               'State'          => 'st',
                               'Zip'            => 'postalCode',
                               'Country'        => 'nationname'
                             }
    },
    'My_SSO_Cookie' => { # # The type of service (db/ldap/cookie)
        'type'            => 'cookie',
        'name'            => 'loginCookieValue',
        'u_table'         => 'users',
        'u_field'         => 'username',
        'u_match_key'     => 'userID',
        'c_table'         => 'login_cookie',
        'c_field'         => 'loginCookieValue',
        'c_match_key'     => 'loginCookieUserID',
        'db_service_name' => 'My_MySQL'
    }
}
);
1;

I can login as root with local password.

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


I got it working after going through the README few more times and
replacing the user => ‘binduser’ with user => ‘the binddn of the user’

Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
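
The fix reported above (a full bind DN in 'user' instead of a bare account name) can be checked outside RT. This is an added example, not code from the thread or from RT::Authen::ExternalAuth; the two sample hashes are constructed from values posted above, and LDAP_CAFILE is a hypothetical environment variable naming a PEM CA bundle.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_explode_dn);

# Constructed samples: the 'user' value from the posted My_LDAP block, and the
# bind DN from the ldapsearch command that worked.
my %posted = (
    server => 'ldaps://192.168.1.7:1636',
    user   => 'sysldapq',
    pass   => 'secret',
);
my %fixed = (%posted, user => 'uid=binduser,ou=People,dc=mnet,dc=example,dc=com');

# A simple bind identifies the account by DN, so 'user' must parse as one.
sub user_is_dn {
    my ($svc) = @_;
    my $user = $svc->{user};
    return 0 unless defined $user && length $user;
    my $rdns = ldap_explode_dn($user);    # undef when the string is not a DN
    return ($rdns && @$rdns) ? 1 : 0;
}

# Perform the service-account bind with certificate checking switched on.
# Returns 'ok' or a description of the failure.
sub try_bind {
    my ($svc, $cafile) = @_;
    my $ldap = Net::LDAP->new(
        $svc->{server},
        version => 3,
        verify  => 'require',    # reject untrusted server certificates
        cafile  => $cafile,
    ) or return "connect failed: $@";
    my $mesg = $ldap->bind($svc->{user}, password => $svc->{pass});
    my $result = $mesg->code
        ? sprintf('bind failed: %s (%s)', $mesg->error_name, $mesg->error)
        : 'ok';
    $ldap->unbind;
    return $result;
}

for my $svc (\%posted, \%fixed) {
    printf "%-50s %s\n", $svc->{user}, user_is_dn($svc) ? 'is a DN' : 'NOT a DN';
    # The live bind runs only when LDAP_CAFILE is set, so the DN check works offline.
    print '  bind: ', try_bind($svc, $ENV{LDAP_CAFILE}), "\n" if $ENV{LDAP_CAFILE};
}
```

With verify => 'require' the connection fails on an untrusted certificate instead of skipping the check, which is what TLS_REQCERT never does for ldapsearch.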

