OK,
I have just finished splunking about 4 months of back articles/e-mails
on LDAP Authentication within RT and have run up against some sort of
error that I might just be misinterpreting.
DEBUG logging is enabled.
I am using ExternalAuth with LDAP against Windows 2003 SP2 based Active
Directory controllers.
(also - note - I put rt3 within the /var volume, not the /opt volume)
Running on CentOS 5.1 32-bit - fully patched.
Here is a part of my log:
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search === Base: ou=Corporate,dc=3leafnetworks,dc=corp == Filter: (&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn (/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP Search,OU=Corporate,DC=3leafnetworks,DC=corp (/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user ldapsearch ( ) (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
Here is my RT_SiteConfig.pm:
# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, '3leafnetworks.com');
Set($SendmailPath , "/usr/sbin/sendmail");
Set($SendmailArguments , "-oi -t");
Set($AuthMethods, ['LDAP','internal']);
Set($LogToFileNamed, "/var/log/rt3/rt.log");
Set($LogToFile, 'debug');

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
#Set($AutoCreateNonExternalUsers, 1);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
Set($ExternalAuthPriority,['My_LDAP']);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'auth'   => 1,
        'info'   => 1,
        'server' => 'zeus.3leafnetworks.com',
        'user'   => '3LEAF\ldapsearch',
        'pass'   => 'ldapsearch',
        'base'   => 'ou=Corporate,dc=3leafnetworks,dc=corp',
        'filter' => '(objectclass=Person)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'    => 0,
        'net_ldap_args' => [ version => 3 ],
        #'group'      => 'GROUP_NAME',
        #'group_attr' => 'GROUP_ATTR',
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    }
}
);
1;
When I uncomment the:
#Set($AutoCreateNonExternalUsers, 1);
line, my attempted user gets AUTO-CREATED in the system, but no
attributes are pulled over.
As you can see from the log file above, when a user (in the log above, the example
user is called ldapsearch) who is not within RT attempts to log on,
settings are pulled just fine - it even says it has authenticated
properly, but then the last line:
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user ldapsearch ( ) (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
shows me that the account is attempting to be created, but the "( )" is
missing an ID of some sort?
This, coupled with the error further UP the log:
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
leads me to believe that I might be missing like ONE setting that would
allow this to all JIVE the way it should.
--
Bill Teeple
Manager of I.T. Department
3Leaf Systems
3255-1 Scott Blvd, Suite 200
Santa Clara, CA 95054
http://www.3leafsystems.com
main (408) 572-5900 * direct (408) 572-5128 * fax (408) 727-2008
AIM: t33ps * Yahoo: t33ps
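As an added example (not code from Bill's post, from RT, or from RT::Authen::ExternalAuth), the following Python script reads RT log entries like the ones quoted above and reports the symptoms of an external service that authenticates but never supplies user attributes. The sample log is constructed from the entries in the post, re-joined one entry per line as RT writes them. The interpretation the script encodes is an assumption on my part rather than something the post states: when the "Attempting to get user info using this external service:" line carries an empty service name, the info lookup had no service to query, which is exactly the case in which no attributes come back and the user is autocreated with an empty e-mail address. To my recollection of the RT::Authen::ExternalAuth documentation the lookup order for that step is taken from $ExternalInfoPriority, a setting separate from $ExternalAuthPriority; the script only flags the symptom and does not depend on that detail.

```python
"""Triage of RT::Authen::ExternalAuth debug output (added example, not from the post)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the log entries quoted in the post, re-joined so that
# each entry sits on one line.
SAMPLE_LOG = """\
[Thu May 29 19:37:57 2008] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/var/rt3/lib/RT/Record.pm:1486)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsExternalPassword Trying External authentication (/var/rt3/local/lib/RT/User_Vendor.pm:52)
[Thu May 29 19:37:57 2008] [debug]: Attempting to use external auth service: My_LDAP (/var/rt3/local/lib/RT/User_Vendor.pm:63)
[Thu May 29 19:37:57 2008] [debug]: LDAP Search === Base: ou=Corporate,dc=3leafnetworks,dc=corp == Filter: (&(sAMAccountName=ldapsearch)(objectclass=Person)) == Attrs: dn (/var/rt3/local/lib/RT/User_Vendor.pm:185)
[Thu May 29 19:37:57 2008] [debug]: Found LDAP DN: CN=LDAP Search,OU=Corporate,DC=3leafnetworks,DC=corp (/var/rt3/local/lib/RT/User_Vendor.pm:217)
[Thu May 29 19:37:57 2008] [info]: RT::User::IsExternalPassword External Auth OK ( My_LDAP ): ldapsearch (/var/rt3/local/lib/RT/User_Vendor.pm:281)
[Thu May 29 19:37:57 2008] [debug]: RT::User::IsPassword External auth SUCCEEDED (/var/rt3/local/lib/RT/User_Vendor.pm:360)
[Thu May 29 19:37:57 2008] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /var/rt3/lib/RT/User_Overlay.pm 192 with: Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:400)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [debug]: Attempting to get user info using this external service: (/var/rt3/local/lib/RT/User_Vendor.pm:408)
[Thu May 29 19:37:57 2008] [info]: RT::User::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: ldapsearch, Name: ldapsearch, Privileged: 0 (/var/rt3/local/lib/RT/User_Vendor.pm:444)
[Thu May 29 19:37:57 2008] [warning]: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22. (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
[Thu May 29 19:37:57 2008] [info]: Autocreated authenticated user ldapsearch ( ) (/var/rt3/share/html/Callbacks/ExternalAuth/autohandler/Auth:50)
"""

# One RT log entry: [timestamp] [level]: message (/path/to/source.pm:line)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*?)"
    r"(?: \((?P<src>/[^()]+:\d+)\))?$"
)
AUTH_SERVICE_RE = re.compile(r"Attempting to use external auth service: (\S+)")
AUTH_OK_RE = re.compile(r"External Auth OK \( (\S+) \): (\S+)")
INFO_SERVICE_RE = re.compile(r"using this external service:\s*(\S*)")
CANON_RE = re.compile(r"CanonicalizeUserInfo returning (.*)")
AUTOCREATE_RE = re.compile(r"Autocreated authenticated user (\S+) \(\s*(\S*)\s*\)")


def parse_rt_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Split raw log text into entries; lines that are not RT entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def parse_user_fields(blob: str) -> Dict[str, str]:
    """Turn 'Disabled: 0, EmailAddress: , Gecos: x' into a dict; blank values stay ''."""
    fields = {}
    for item in blob.split(", "):
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage_external_auth(text: str):
    """Summarise one login attempt and list the symptoms of a half-configured service."""
    report = {
        "auth_service": None,     # service that answered the bind
        "auth_ok_user": None,     # user the bind succeeded for
        "info_service": None,     # None = line absent, "" = line present but blank
        "returned_fields": {},    # what CanonicalizeUserInfo handed back
        "autocreated_user": None,
        "autocreated_email": None,
        "warnings": [],
        "findings": [],
    }
    for e in parse_rt_log(text):
        msg = e["msg"] or ""
        if e["level"] == "warning":
            report["warnings"].append(msg)
        m = AUTH_SERVICE_RE.search(msg)
        if m:
            report["auth_service"] = m.group(1)
        m = AUTH_OK_RE.search(msg)
        if m:
            report["auth_ok_user"] = m.group(2)
        m = INFO_SERVICE_RE.search(msg)
        if m:
            report["info_service"] = m.group(1)
        m = CANON_RE.search(msg)
        if m:
            report["returned_fields"] = parse_user_fields(m.group(1))
        m = AUTOCREATE_RE.search(msg)
        if m:
            report["autocreated_user"], report["autocreated_email"] = m.group(1), m.group(2)

    findings = report["findings"]
    if report["auth_ok_user"] and report["info_service"] == "":
        findings.append("user-info lookup ran with an empty service name: no info service "
                        "was selected, so no attributes could be fetched")
    if report["returned_fields"].get("EmailAddress") == "":
        findings.append("CanonicalizeUserInfo returned an empty EmailAddress")
    if report["autocreated_user"] and not report["autocreated_email"]:
        findings.append("account %s was autocreated without an e-mail address"
                        % report["autocreated_user"])
    if any("uninitialized value" in w for w in report["warnings"]):
        findings.append("Perl 'uninitialized value' warnings at the info-lookup step, "
                        "consistent with an unset service name")
    return report


if __name__ == "__main__":
    for finding in triage_external_auth(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against a real rt.log (read the file instead of SAMPLE_LOG) after one failed login; a healthy service shows a name after "external service:", a populated EmailAddress in the CanonicalizeUserInfo line, and an address inside the parentheses of the Autocreated line, and the findings list comes back empty.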