I turned on logging on the Domain Controller and tried to auto-create a user by email. There weren’t any indications on the DC of an LDAP inquiry, so I’m wondering if I’m missing a perl module. Whereas command-line ldapsearch completes successfully and I see logging on the DC.
I don’t see anything indicative in /var/log/messages other than the errors I included below. Thanks for any suggestions.
MikeFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of mjames@guesswho.com
Sent: Monday, November 14, 2011 4:28 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] LDAP authentication problem
Hi, I know there are tons of questions on the list about getting LDAP authentication to work. And I have done it before at other employers, so I’m even more frustrated…
Here’s what I’ve got:
RT 4.0.2 on CentOS 5.7
RT-Authen-ExternalAuth-0.09.tar.gz
Active Directory on Server 2008 R2
I set up the /opt/rt4/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm file with the LDAP parameters that I thought would work. Also, I can do a successful ldapsearch from the command line against the AD server with the same credentials.
Here’s an ldapsearch run from the CLI on my RT server. This returns a successful result from the domain controller.
[root@host ~]# ldapsearch -h dc-01.mydomain.com -x -b “dc=mydomain,dc=com” -D “cn=mike james,cn=users,dc=mydomain,dc=com” -w ‘mypasswd’ “mail=anyuser@mydomain.commailto:mail=anyuser@mydomain.com”
Here’s the LDAP portion of my config file. I got the d_filter from a google search. It was mentioned in a couple of places as being the correct string for disabled users.
AN EXAMPLE LDAP SERVICE
'My_LDAP' => { ## GENERIC SECTION
'type' => 'ldap',
'server' => 'dc-01.mydomain.com',
'user' => 'cn=mike james,cn=users,dc=mydomain,dc=com',
'pass' => 'mypasswd',
'base' => 'dc=mydomain,dc=com',
'filter' => '(objectClass=*)',
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2))',
'tls' => 0,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3 ],
'attr_match_list' => [ 'Name',
'EmailAddress'
],
# The mapping of RT attributes on to LDAP attributes
'attr_map' => { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'RealName' => 'cn'
}
All requests for new tickets are being rejected, and it’s making me crazy. Any ideas?
Nov 14 15:07:46 x-tracker-01 RT: Use of uninitialized value in join or string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 23. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
Nov 14 15:07:46 x-tracker-01 RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Comments: Autocreated on ticket submission, Disabled: 0, EmailAddress: mjames@mydomain.commailto:mjames@mydomain.com, Name: mjames@mydomain.commailto:mjames@mydomain.com, Password: , Privileged: 0, RealName: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Nov 14 15:07:46 x-tracker-01 RT: User creation failed in mailgateway: Could not set user info (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: Couldn’t load user ‘mjames@mydomain.com’.giving up (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:1016)
Nov 14 15:07:46 x-tracker-01 RT: User ‘mjames@mydomain.com’ could not be loaded in the mail gateway (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: RT could not load a valid user, and RT’s configuration does not allow for the creation of a new user for this email (mjames@mydomain.commailto:mjames@mydomain.com). You might need to grant ‘Everyone’ the right ‘CreateTicket’ for the queue general. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: RT could not load a valid user, and RT’s configuration does not allow for the creation of a new user for your email. (/opt/rt4/sbin/…/lib/RT/Interface/Email.pm:244)
Nov 14 15:07:46 x-tracker-01 RT: Could not record email: Could not load a valid user (/opt/rt4/share/html/REST/1.0/NoAuth/mail-gateway:75)
Thanks, Mike