LDAP authentication fails in RT 3.6.1

Hello,

I’ve been trying to set up LDAP integration in RT 3.6.1; however, I am
unable to get authentication to work properly. Authentication
against the LDAP directory succeeds (the code is able to bind with
the supplied credentials); however, the $UserObj->Id variable remains
undefined, and the rest of the code fails. I spent the weekend
poking around in the code, and I’ve attached some logs below to help
explain what I have found.

Note, I’ve removed some details from the logs for privacy/security:
$MyUID is my ldap UID
$MyDN is my ldap DN
$MyEMAIL is my Email
$MyINFO is all of the LDAP info

The first key line in the logs seems to be:
[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
This occurs at this line of code in the LDAP Auth callback:
my ($val, $msg) = $UserObj->SetName($user);
What this means, I do not know. I’m not familiar enough with RT’s
structure to debug that line.

The next key log is:
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
So the code is able to bind with the credentials I supplied. Our
LDAP server logs also indicate a successful bind as my user.

The next key log:
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
This occurs at this line in the LDAP Auth callback:
$RT::Logger->info("Autocreated authenticated user " . $UserObj->Name . " (" . $UserObj->Id . ")\n");
What’s interesting about this is that $UserObj->Id is blank.
This means that no data is loaded into the $session{'CurrentUser'}
variable, and the remainder of the code fails to execute because it
depends on $session{'CurrentUser'}->Id being set.

Is this a bug, or is something wrong with my LDAP mapping that causes
the $UserObj->Id value not to be set? Below are the relevant LDAP
settings from my RT_SiteConfig.pm (I’ve left out the server settings
since I know those are working):

Set($AuthMethods, ['LDAP', 'Internal']);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {'Name'                  => 'uid',
                   'EmailAddress'          => 'mail',
                   'Organization'          => 'o',
                   'RealName'              => 'cn',
                   'ExternalContactInfoId' => 'dn',
                   'ExternalAuthId'        => 'uid',
                   'Gecos'                 => 'uid',
                   'WorkPhone'             => 'telephoneNumber',
                   'Address1'              => 'street',
                   'City'                  => 'l',
                   'State'                 => 'st',
                   'Zip'                   => 'postalCode',
                   'Country'               => 'co'}
);
Set($LdapRTAttrMatchList, ['ExternalContactInfoId',
                           'Name',
                           'EmailAddress',
                           'RealName']
);
Set($LdapEmailAttrMatchList, ['mail']);
Set($LdapEmailAttrMatchPrefix, ['']);

-Garret

P.S. Logs

[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
[Sat Nov 11 19:34:19 2006] [debug]: Trying LDAP authentication (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:153)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsLDAPPassword Found LDAP DN: $MyDN (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:187)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::IsLDAPPassword AUTH OK: $MyUID ($MyDN) (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:222)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword SUCCEEDED (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:291)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 190 with: Disabled: 0, EmailAddress: , Gecos: $MyUID, Name: $MyUID, Privileged: 0 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:378)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "MyDN" and filter "uid=$MyUID" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 393 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 402 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeUserInfo returning $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:411)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 194 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Overlay.pm 561 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:326)
[Sat Nov 11 19:34:19 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "$MyDN" and filter "mail=$MyEMAIL" by RT::User /usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm 332 (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:508)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::LookupExternalUserInfo : $MyINFO (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:563)
[Sat Nov 11 19:34:19 2006] [debug]: FOUND OK (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:335)
[Sat Nov 11 19:34:19 2006] [info]: RT::User::CanonicalizeEmailAddress $MyEMAIL => $MyEMAIL (/usr/lib/perl5/vendor_perl/5.8.8/RT/User_Local.pm:345)
[Sat Nov 11 19:34:19 2006] [info]: Autocreated authenticated user $MyUID () (/usr/share/rt3/html/Callbacks/LDAP/autohandler/Auth:23)
[Sat Nov 11 19:34:19 2006] [error]: FAILED LOGIN for $MyUID from 10.1.1.254 (/usr/share/rt3/html/autohandler:238)

Garret W. Huntress
System Administrator / System Developer

Geophysical Laboratory
Carnegie Institution of Washington
5251 Broad Branch Road, NW
Washington, DC 20015

Garret Huntress wrote:

Hello,

I’ve been trying to set up LDAP integration in RT 3.6.1; however, I am
unable to get authentication to work properly. Authentication against
the LDAP directory succeeds (the code is able to bind with the supplied
credentials); however, the $UserObj->Id variable remains undefined, and
the rest of the code fails. I spent the weekend poking around in the
code, and I’ve attached some logs below to help explain what I have found.

I don’t have an answer for you, but I’m interested if you
find a solution.

Scott Henson
LCSEE Systems Staff
WVU MAE Undergraduate
Ubuntu User

I’ve been trying to set up LDAP integration in RT 3.6.1; however, I am
unable to get authentication to work properly.

The first key line in the logs seems to be:
[Sat Nov 11 19:34:19 2006] [warning]: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/lib/perl5/vendor_perl/5.8.8/RT/Record.pm:1466)
I’m also seeing this same problem. I got a different error message
after noticing that I had put User_Local.pm in the wrong place. Now I
think my problem is a firewall issue.

Ian Tegebo

I figured this one out after some more experimentation. In the event
that there is a user in the local database with the same e-mail
address as the user logging in, and the account for the LDAP user
needs to be created, creation fails, although no error is logged to
say that this is the case. For example:

Local:
Username: testuser@domain.com
Email: testuser@domain.com
(Created prior to ldap integration through the e-mail gateway or when
added as a watcher to a ticket)

LDAP:
Username: testuser
Email: testuser@domain.com

When testuser attempts to log in, LDAP auth is successful, the
account creation fails, and testuser is denied the ability to log in
to RT.

An error about the fact that there was an e-mail address conflict
during account creation would be most helpful.

-Garret

On Nov 13, 2006, at 9:21 PM, Garret Huntress wrote:

Hello,

I’ve been trying to set up LDAP integration in RT 3.6.1; however, I
am unable to get authentication to work properly. Authentication
against the LDAP directory succeeds (the code is able to bind with
the supplied credentials); however, the $UserObj->Id variable
remains undefined, and the rest of the code fails. I spent the
weekend poking around in the code, and I’ve attached some logs below
to help explain what I have found.
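Garret’s finding above (autocreate fails silently when a local account already holds the LDAP user’s e-mail address), as an added example that is not RT’s own code: a Python model of the post-bind autocreate step with the conflict check and the explicit error he asks for. The user table, the LDAP entry and all helper names are constructed for this illustration.

```python
# Added example (Python model, not RT's Perl): the post-bind autocreate step with an
# explicit check for the e-mail collision described in the thread. Constructed data.

# Constructed local user table. RT keeps Name and EmailAddress unique, so an insert
# that collides on either fails; the original callback then carries on with no Id.
LOCAL_USERS = [
    {"Id": 1, "Name": "root", "EmailAddress": "root@localhost"},
    # created earlier by the e-mail gateway: Name and EmailAddress are both the address
    {"Id": 2, "Name": "testuser@domain.com", "EmailAddress": "testuser@domain.com"},
]

# Constructed LDAP entry; the thread's $LdapAttrMap maps uid -> Name, mail -> EmailAddress.
LDAP_ENTRY = {"uid": "testuser", "mail": "testuser@domain.com", "cn": "Test User"}


def fresh_users():
    """Copy of the constructed table so each scenario starts from the same state."""
    return [dict(u) for u in LOCAL_USERS]


def find_user(users, field, value, fold=False):
    """First local user whose field equals value; fold=True compares case-insensitively."""
    for u in users:
        if (u[field].lower() == value.lower()) if fold else (u[field] == value):
            return u
    return None


def autocreate_from_ldap(users, entry):
    """Return (id, message) like RT::User->Create, naming the colliding account on failure."""
    name, email = entry["uid"], entry["mail"]
    clash = find_user(users, "Name", name)
    if clash:
        return 0, f"Name {name!r} already belongs to local user id {clash['Id']}"
    clash = find_user(users, "EmailAddress", email, fold=True)
    if clash:
        # Report the clash rather than silently linking the LDAP login to the local
        # account on e-mail alone; an administrator should merge the two deliberately.
        return 0, f"EmailAddress {email!r} already belongs to local user {clash['Name']!r} (id {clash['Id']})"
    new_id = max(u["Id"] for u in users) + 1
    users.append({"Id": new_id, "Name": name, "EmailAddress": email})
    return new_id, "User created"


def login_after_bind(users, entry):
    """Post-bind step of the auth callback: (allowed, log line). A failed create is
    refused with its reason instead of continuing with an unset Id."""
    uid, msg = autocreate_from_ldap(users, entry)
    if not uid:
        return False, f"[error]: FAILED LOGIN for {entry['uid']}: account creation failed: {msg}"
    return True, f"[info]: Autocreated authenticated user {entry['uid']} ({uid})"
```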


The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


Email: ghuntress@ciw.edu
Phone: (202)-478-8973
AIM: Garret Huntress
