LDAP Authentication and User Account Creation 3.6.6. and latest ExternalAuth


#1

OK,

I have just finished splunking about 4 months of back articles/e-mails
on LDAP Authentication within RT and have run up against some sort of
error that I might just be misinterpreting.

DEBUG Logging is enabled.

I am using ExternalAuth using LDAP to Windows 2003 SP2 based Active
Directory controllers.

(also - note - I put rt3 within the /var volume not the /opt volume)

Running on CentOS 5.1 32 bit - fully patched.

Here is a part of my log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying
External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth
service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search === Base:
ou=Corporate,dc=3leafnetworks,dc=corp == Filter:
(&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn
(/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP
Search,OU=Corporate,DC=3leafnetworks,DC=corp
(/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External
Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled:
0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0
(/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Here is my RT_SiteConfig.pm:

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($rtname, '3leafnetworks.com');
Set($SendmailPath, "/usr/sbin/sendmail");
Set($SendmailArguments, "-oi -t");
Set($AuthMethods, ['LDAP','internal']);
Set($LogToFileNamed, "/var/log/rt3/rt.log");
Set($LogToFile, 'debug');

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
#Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'auth'     => 1,
        'info'     => 1,
        'server'   => 'zeus.3leafnetworks.com',
        'user'     => '3LEAF\ldapsearch',
        'pass'     => 'ldapsearch',
        'base'     => 'ou=Corporate,dc=3leafnetworks,dc=corp',
        'filter'   => '(objectclass=Person)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'      => 0,
        'net_ldap_args' => [ version => 3 ],
        #'group'      => 'GROUP_NAME',
        #'group_attr' => 'GROUP_ATTR',

        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
});

1;

When I uncomment the:

#Set($AutoCreateNonExternalUsers, 1);

line, my attempted user gets AUTO-CREATED in the system, but no
attributes are pulled over.

As you can see by the log file above, when a user (in log above, example
user is called ldapsearch) who is not within RT attempts to log on,
settings are pulled just fine - it even says it has authenticated
properly, but then the last line:

[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Shows me that the account is attempting to be created, but the "( )" is
missing an ID of some sort?

This coupled with the error further UP the log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

leads me to believe that I might be missing like ONE setting that would
allow this to all JIVE the way it should.

Bill Teeple
Manager of I.T. Department
3Leaf Systems
3255-1 Scott Blvd, Suite 200
Santa Clara, CA 95054
http://www.3leafsystems.com
main (408) 572-5900
direct (408) 572-5128
fax (408) 727-2008
AIM: t33ps
Yahoo: t33ps


#2

Bill Teeple wrote:

(also - note - I put rt3 within the /var volume not the /opt volume)

Meh, I always stick it in /usr

Here is a part of my log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

I'm not sure what the cause of this message is, but it does not get in
the way of user creation; this is one of those messages that has ALWAYS
been there, I've just yet to get around to working out why.

[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/local/lib/RT/User_Vendor.pm:408)

I've never seen this one before, but I'm guessing it's due to a lack of
a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info
are treated as completely separate services and so you need to define
the services for each.

[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)

Hence this line ^^

[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)

[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

And again ^^

[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

This one ^^ is the nub of the problem. I have had a number of people
report having this issue; for some reason there just seems to be no user
object created or no principal ID assigned and, because it's only debug
output, it's not clear if anything is being created or not, or if it's
just not reporting right to the debugging code.

If you can help me get to the cause of this issue I would greatly
appreciate it. The problem I have is that, because it’s never happened
to me, I do not have access to a copy of RT with the problem so that I
can debug it myself.

Here is my RT_SiteConfig.pm:

Set($AuthMethods, ['LDAP','internal']);

This setting ^^ is irrelevant. It forms part of Jim Meyer’s LDAP
User_Local.pm overlay code which was deprecated by the ExternalAuth
extension. I recommend removing it. Also, since you have this line, make
sure you don’t have a $RTHOME/local/lib/RT/User_Local.pm or the same in
the non-local tree, because if you have accidentally combined my code
and Jim Meyer’s you could be looking at problems.

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set($ExternalAuthPriority, ['My_LDAP']);

Obviously insert ExternalInfoPriority here.

'attr_match_list' => [ 'Name',
                       'EmailAddress',
                       'RealName',
                       'WorkPhone',
                       'Address2'
                     ],

I think I’ll be updating the example config for the next release to
reduce the attr_match_list. I would recommend only using Name and
EmailAddress in your configuration. These should be attributes that
uniquely identify a user meaning you can’t have more than one with the
same Address or workphone. Name and Email give RT a username and an
e-mail address, each of which should be unique for each and every user.

When I uncomment the:

#Set($AutoCreateNonExternalUsers, 1);

line, my attempted user gets AUTO-CREATED in the system, but no
attributes are pulled over.

As per the comments, if you uncomment it, RT will create the user
whether they authenticated (and informaticated :/) correctly or not.

As you can see by the log file above, when a user (in log above, example
user is called ldapsearch) who is not within RT attempts to log on,
settings are pulled just fine - it even says it has authenticated
properly, but then the last line:

[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Shows me that the account is attempting to be created, but the “( )” is
missing an ID of some?

Precisely. A few of your own debugging statements may be able to help
you work out why and I would love to know. If I can help I’m always
around, especially in #rt on irc.perl.org. Just say Zordrak three times
and I shall appear. I’m magic like that.

This coupled with the error further UP the log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

Again, I think this is a red herring and completely unrelated as it is
always there.

leads me to believe that I might be missing like ONE setting that would
allow this to all JIVE the way it should.

Well, you're missing ExternalInfoPriority, but I only think that will
fix your boogie-woogie problems, I think your jive-block is elsewhere.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
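The two changes Mike recommends, written out as a corrected ExternalAuth section for RT_SiteConfig.pm. This is an added example, not Bill's posted file and not the extension's shipped sample config: it sets $ExternalInfoPriority alongside $ExternalAuthPriority, drops the deprecated $AuthMethods line, leaves $AutoCreateNonExternalUsers off, and trims attr_match_list to Name and EmailAddress. The server, base DN, filters and attr_map are taken from the posted config; the bind password placeholder and the switch to 'tls' => 1 are my assumptions (the latter presumes the domain controllers accept STARTTLS on port 389, which the thread does not state).

```perl
# Corrected ExternalAuth section for RT_SiteConfig.pm (added example, not the
# poster's file). RT::Authen::ExternalAuth treats authentication and user-info
# lookup as two separate services, so each needs its own priority list; with
# $ExternalInfoPriority unset the info lookup runs against no service at all.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);   # missing from the posted config

# Leave this off: with it on, RT creates a local account for anyone who
# tries to log in, whether or not LDAP accepted the credentials.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'zeus.3leafnetworks.com',
        'user'   => '3LEAF\ldapsearch',
        'pass'   => 'CHANGE-ME',            # placeholder, assumption: keep the real one out of mail/lists
        'base'   => 'ou=Corporate,dc=3leafnetworks,dc=corp',

        # Only objects of class Person may log in ...
        'filter' => '(objectclass=Person)',
        # ... and any whose userAccountControl has the ACCOUNTDISABLE bit (0x2)
        # set are treated as disabled. 1.2.840.113556.1.4.803 is AD's
        # LDAP_MATCHING_RULE_BIT_AND, so this is a bitwise AND, not equality.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'tls'           => 1,               # assumption: DCs accept STARTTLS on 389
        'net_ldap_args' => [ version => 3 ],

        # Match existing RT users only on attributes that are unique per
        # account. RealName, WorkPhone and Address2 can be shared by several
        # people and so can attach a login to the wrong RT user.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],

        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

1;
```

Check the file with perl -c /path/to/RT_SiteConfig.pm as its own header suggests, restart the web server, and retry the login: the "Attempting to get user info using this external service:" debug line should now name My_LDAP instead of ending in a blank, and the autocreated user should arrive with an EmailAddress from the mail attribute.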


#3

Mike,

I'm one of those who has the issue you mention.  I'd like to help.  Do you want some more output enabled?  Would you like me to add some code to my instance so you can output anything that might help you fix it?

Thanks,
Carlos

On Friday 30 May 2008 04:34:10 Mike Peachey wrote:

Bill Teeple wrote:

(also - note - I put rt3 within the /var volume not the /opt volume)

Meh, I always stick it in /usr

Here is a part of my log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

I'm not sure what the cause of this message is, but it does not get in
the way of user creation; this is one of those messages that has ALWAYS
been there, I've just yet to get around to working out why.

[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/local/lib/RT/User_Vendor.pm:408)

I've never seen this one before, but I'm guessing it's due to a lack of
a Set($ExternalInfoPriority, ['My_LDAP']); in your config. Auth and info
are treated as completely separate services and so you need to define
the services for each.

[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using
this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)

Hence this line ^^

[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo
returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name:
ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)

[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join
or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

And again ^^

[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

This one ^^ is the nub of the problem. I have had a number of people
report having this issue; for some reason there just seems to be no user
object created or no principal ID assigned and, because it's only debug
output, it's not clear if anything is being created or not, or if it's
just not reporting right to the debugging code.

If you can help me get to the cause of this issue I would greatly
appreciate it. The problem I have is that, because it’s never happened
to me, I do not have access to a copy of RT with the problem so that I
can debug it myself.

Here is my RT_SiteConfig.pm:

Set($AuthMethods, ['LDAP','internal']);

This setting ^^ is irrelevant. It forms part of Jim Meyer’s LDAP
User_Local.pm overlay code which was deprecated by the ExternalAuth
extension. I recommend removing it. Also, since you have this line, make
sure you don’t have a $RTHOME/local/lib/RT/User_Local.pm or the same in
the non-local tree, because if you have accidentally combined my code
and Jim Meyer’s you could be looking at problems.

These are the full settings for each external service as a HashOfHashes

Note that you may have as many external services as you wish. They will

be checked in the order specified in the Priority directives above.

e.g.

Set($ExternalAuthPriority, ['My_LDAP']);

Obviously insert ExternalInfoPriority here.

'attr_match_list' => [ 'Name',
                       'EmailAddress',
                       'RealName',
                       'WorkPhone',
                       'Address2'
                     ],

I think I’ll be updating the example config for the next release to
reduce the attr_match_list. I would recommend only using Name and
EmailAddress in your configuration. These should be attributes that
uniquely identify a user meaning you can’t have more than one with the
same Address or workphone. Name and Email give RT a username and an
e-mail address, each of which should be unique for each and every user.

When I uncomment the:

#Set($AutoCreateNonExternalUsers, 1);

line, my attempted user gets AUTO-CREATED in the system, but no
attributes are pulled over.

As per the comments, if you uncomment it, RT will create the user
whether they authenticated (and informaticated :/) correctly or not.

As you can see by the log file above, when a user (in log above, example
user is called ldapsearch) who is not within RT attempts to log on,
settings are pulled just fine - it even says it has authenticated
properly, but then the last line:

[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user
ldapsearch ( )
(/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)

Shows me that the account is attempting to be created, but the “( )” is
missing an ID of some?

Precisely. A few of your own debugging statements may be able to help
you work out why and I would love to know. If I can help I’m always
around, especially in #rt on irc.perl.org. Just say Zordrak three times
and I shall appear. I’m magic like that.

This coupled with the error further UP the log:

[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)

Again, I think this is a red herring and completely unrelated as it is
always there.

leads me to believe that I might be missing like ONE setting that would
allow this to all JIVE the way it should.

Well, you’re missing ExternalInfoPriority, but I only think that will
fix your boogie-woogie problems, I think your jive-block is elsewhere.

Carlos J. Velez-Rivera

Manager
CK Computing Corporation
cvelez@ckcomputingpr.com
Voice: (787)464-1182
Fax: 866-910-4798


#4

Carlos J. Velez-Rivera wrote:

Mike,

I’m one of those who has the issue you mention. I’d like to help. Do you want some more output enabled? Would you like me to add some code to my instance so you can output anything that might help you fix it?

It’s not something that is easily done by remote instruction. What I
really need is someone who is vaguely familiar with perl and RT to run
through the code with a few new debugging statements, and make
adjustments to them where necessary based on the log output to determine
where the ID is getting lost.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com


#5

Carlos J. Velez-Rivera wrote:

Mike,

I'm one of those who has the issue you mention.  I'd like to help.  Do you want some more output enabled?  Would you like me to add some code to my instance so you can output anything that might help you fix it?

It’s not something that is easily done by remote instruction. What I
really need is someone who is vaguely familiar with perl and RT to run
through the code with a few new debugging statements, and make
adjustments to them where necessary based on the log output to determine
where the ID is getting lost.

Honestly, I’m not familiar with the RT code, but have done extensive perl programing in the past. I’d like to give it a try, if you are up for it! Let me know if you have any recommended reading before I jump in.

Carlos J. Velez-Rivera

Manager
CK Computing Corporation
cvelez@ckcomputingpr.com
Voice: (787)464-1182
Fax: 866-910-4798