LDAP issues with new install

Hello all,
I’ve been having some trouble setting up a new install of 3.6
(on Ubuntu server 6.06) with LDAP authenticating against AD (on 2003 R1
SP1). Login fails for new AD users. I set up an account in RT (with a
different-from-in-AD password) and tried to log in using the AD
password, and the log reported having updated the user information, but
authentication failed. Logging in with the password set in RT seems to
find the user in AD and update info, but IsLDAPPassword fails. One
mystery is the “Transaction->Create couldn’t, as you didn’t specify an
object type and id” error. The other is that LDAP lookups seem to be
working - although LookupExternalUserInfo doesn’t report the values for
any of the fields - but authentication does not. At this point, I
really don’t know if my problem is in AD somewhere, or in my RT config.
Apologies for the lengthy, log-filled email, but can anyone offer any
hints? Thanks,

-Sean

** Here’s the LDAP sections of my SiteConfig **
Set($AuthMethods, [‘LDAP’,‘Internal’]);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘company’,
‘RealName’ => ‘cn’,
‘ExternalContactInfoId’ => ‘dn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’}
);
Set($LdapRTAttrMatchList, [‘Name’,‘ExternalContactInfoId’,
‘EmailAddress’, ‘RealName’]
);
Set($LdapEmailAttrMatchList, [‘mail’, ‘mailRoutingAddress’,
‘mailAlternateAddress’]
);
Set($LdapServer, ‘[DC ip address]’);
Set($LdapBase, ‘CN=users,DC=smwm,DC=com’);
#Set($LdapBase, ‘CN=SMWM,OU=SMWMSF Distribution Lists,DC=smwm,DC=com’);
Set($LdapFilter, “(objectclass=sAMAccountName)”);
Set($LdapUser, ‘[user]@smwm.com’);
Set($LdapPass, ‘[password]’);
Set($LdapSSLVersion, 3);

Now some logs:

First off, a search to make sure LDAP is actually working, DNs are
correct, etc

ldapsearch -x -h [ip address] -b “CN=users,DC=smwm,DC=com” -D
"SMWMSF[user]" -w “[password]” “sn=smahan”

extended LDIF

LDAPv3

base <CN=users,DC=smwm,DC=com> with scope sub

filter: sn=smahan

requesting: ALL

search result

search: 2
result: 0 Success

numResponses: 1

Logging in as a user in AD, but not yet in RT
[Wed Jul 5 17:55:07 2006] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id
(/opt/rt3/lib/RT/Record.pm:1467)
[Wed Jul 5 17:55:07 2006] [debug]: Trying LDAP authentication
(/opt/rt3/local/lib/RT/User_Local.pm:155)
[Wed Jul 5 17:55:07 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED:
smahan (/opt/rt3/local/lib/RT/User_Local.pm:184)
[Wed Jul 5 17:55:07 2006] [debug]: RT::User::IsPassword auth method
IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 17:55:07 2006] [info]: RT::User::IsInternalPassword AUTH
FAILED (no passwd): smahan (/opt/rt3/local/lib/RT/User_Local.pm:234)
[Wed Jul 5 17:55:07 2006] [debug]: RT::User::IsPassword auth method
IsInternalPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 17:55:07 2006] [error]: FAILED LOGIN for smahan from
172.16.1.170 (/opt/rt3/share/html/autohandler:238)

Logging in as a domain user manually added to RT, using the AD
password

[Wed Jul 5 18:05:26 2006] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 608 with: Name:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:373)
[Wed Jul 5 18:05:26 2006] [debug]: RT::User::LookupExternalUserInfo
called with baseDN “CN=users,DC=smwm,DC=com” and filter
"sAMAccountName=officelaptop" by RT::User
/opt/rt3/local/lib/RT/User_Local.pm 388
(/opt/rt3/local/lib/RT/User_Local.pm:503)
[Wed Jul 5 18:05:26 2006] [info]: RT::User::LookupExternalUserInfo :
CN=users,DC=smwm,DC=com sAMAccountName=officelaptop => EmailAddress: ,
Name: , RealName: (/opt/rt3/local/lib/RT/User_Local.pm:558)
[Wed Jul 5 18:05:26 2006] [info]: RT::User::CanonicalizeUserInfo
returning Name: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:406)
[Wed Jul 5 18:05:26 2006] [debug]: UPDATED user officelaptop from LDAP
(/opt/rt3/local/lib/RT/User_Local.pm:617)
[Wed Jul 5 18:05:26 2006] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 608 with: Name:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:373)
[Wed Jul 5 18:05:26 2006] [debug]: RT::User::LookupExternalUserInfo
called with baseDN “CN=users,DC=smwm,DC=com” and filter
"sAMAccountName=officelaptop" by RT::User
/opt/rt3/local/lib/RT/User_Local.pm 388
(/opt/rt3/local/lib/RT/User_Local.pm:503)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::LookupExternalUserInfo :
CN=users,DC=smwm,DC=com sAMAccountName=officelaptop => EmailAddress: ,
Name: , RealName: (/opt/rt3/local/lib/RT/User_Local.pm:558)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::CanonicalizeUserInfo
returning Name: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:406)
[Wed Jul 5 18:05:27 2006] [debug]: UPDATED user officelaptop from LDAP
(/opt/rt3/local/lib/RT/User_Local.pm:617)
[Wed Jul 5 18:05:27 2006] [debug]: Trying LDAP authentication
(/opt/rt3/local/lib/RT/User_Local.pm:155)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:184)
[Wed Jul 5 18:05:27 2006] [debug]: RT::User::IsPassword auth method
IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::IsInternalPassword AUTH
FAILED: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:257)
[Wed Jul 5 18:05:27 2006] [debug]: RT::User::IsPassword auth method
IsInternalPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:05:27 2006] [debug]: Trying LDAP authentication
(/opt/rt3/local/lib/RT/User_Local.pm:155)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:184)
[Wed Jul 5 18:05:27 2006] [debug]: RT::User::IsPassword auth method
IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:05:27 2006] [info]: RT::User::IsInternalPassword AUTH
FAILED: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:257)
[Wed Jul 5 18:05:27 2006] [debug]: RT::User::IsPassword auth method
IsInternalPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:05:27 2006] [error]: FAILED LOGIN for officelaptop from
172.16.1.170 (/opt/rt3/share/html/autohandler:238)

Logging in as a domain user manually added to RT, using the RT
password

[Wed Jul 5 18:09:06 2006] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 608 with: Name:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:373)
[Wed Jul 5 18:09:06 2006] [debug]: RT::User::LookupExternalUserInfo
called with baseDN “CN=users,DC=smwm,DC=com” and filter
"sAMAccountName=officelaptop" by RT::User
/opt/rt3/local/lib/RT/User_Local.pm 388
(/opt/rt3/local/lib/RT/User_Local.pm:503)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::LookupExternalUserInfo :
CN=users,DC=smwm,DC=com sAMAccountName=officelaptop => EmailAddress: ,
Name: , RealName: (/opt/rt3/local/lib/RT/User_Local.pm:558)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::CanonicalizeUserInfo
returning Name: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:406)
[Wed Jul 5 18:09:06 2006] [debug]: UPDATED user officelaptop from LDAP
(/opt/rt3/local/lib/RT/User_Local.pm:617)
[Wed Jul 5 18:09:06 2006] [debug]: RT::User::CanonicalizeUserInfo
called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 608 with: Name:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:373)
[Wed Jul 5 18:09:06 2006] [debug]: RT::User::LookupExternalUserInfo
called with baseDN “CN=users,DC=smwm,DC=com” and filter
"sAMAccountName=officelaptop" by RT::User
/opt/rt3/local/lib/RT/User_Local.pm 388
(/opt/rt3/local/lib/RT/User_Local.pm:503)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::LookupExternalUserInfo :
CN=users,DC=smwm,DC=com sAMAccountName=officelaptop => EmailAddress: ,
Name: , RealName: (/opt/rt3/local/lib/RT/User_Local.pm:558)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::CanonicalizeUserInfo
returning Name: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:406)
[Wed Jul 5 18:09:06 2006] [debug]: UPDATED user officelaptop from LDAP
(/opt/rt3/local/lib/RT/User_Local.pm:617)
[Wed Jul 5 18:09:06 2006] [debug]: Trying LDAP authentication
(/opt/rt3/local/lib/RT/User_Local.pm:155)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED:
officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:184)
[Wed Jul 5 18:09:06 2006] [debug]: RT::User::IsPassword auth method
IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:09:06 2006] [info]: RT::User::IsInternalPassword AUTH
OKAY: officelaptop (/opt/rt3/local/lib/RT/User_Local.pm:241)
[Wed Jul 5 18:09:06 2006] [debug]: RT::User::IsPassword auth method
IsInternalPassword SUCCEEDED (/opt/rt3/local/lib/RT/User_Local.pm:293)
[Wed Jul 5 18:09:06 2006] [info]: Successful login for officelaptop
from 172.16.1.170
(/opt/rt3/local/html/Callbacks/LDAP/autohandler/Auth:46)

Sean W. Mahan
IT Services
smahan@smwm.com

    SMWM
    989 Market Street, 3rd Floor
    San Francisco, CA 94103
    415.882.3092 D
    415.882.7098 F
    www.smwm.com


    This e-mail is intended only for use and/or review of the 
    individual or entity to whom it is addressed and may be 
    for a limited purpose and/or confidential and/or privileged
    communication protected by law.  Any unauthorized use, 
    dissemination, distribution, disclosure or copying is strictly 
    prohibited. If you have received this communication in 
    error, please notify us immediately by return e-mail and 
    kindly delete this message from your system. Thank you in
    advance for your cooperation.

I don’t think your lookups are working. The user you specified in
RT_SiteConfig.pm probably can’t search the LDAP tree.

Try “Set($LdapUser, ‘[user]’);” in your RT_SiteConfig.pm (without the
"@smwm.com"). Make sure you have the correct LdapBase setting. Check by
looking at a user record on your AD in the Object tab. If it is
smwm.com/Users/ then your current setting should be OK.

Also, unless you’re getting a dump of the LDAP record, your ldapsearch
isn’t working either.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

rt-users-request@lists.bestpractical.com
Sent by: rt-users-bounces@lists.bestpractical.com
07/05/2006 12:10 PM
Please respond to
rt-users@lists.bestpractical.com

To
rt-users@lists.bestpractical.com
cc

Subject
RT-Users Digest, Vol 28, Issue 8

Hello all,
I’ve been having some trouble setting up a new install of
3.6
(on Ubuntu server 6.06) with LDAP authenticating against AD (on 2003 R1
SP1). Login fails for new AD users. I set up an account in RT (with a
different-from-in-AD password) and tried to log in using the AD
password, and the log reported having updated the user information, but
authentication failed. Logging in with the password set in RT seems to
find the user in AD and update info, but IsLDAPPassword fails. One
mystery is the “Transaction->Create couldn’t, as you didn’t specify an
object type and id” error. The other is that LDAP lookups seem to be
working - although LookupExternalUserInfo doesn’t report the values for
any of the fields - but authentication does not. At this point, I
really don’t know if my problem is in AD somewhere, or in my RT config.
Apologies for the lengthy, log-filled email, but can anyone offer any
hints? Thanks,

-Sean

** Here’s the LDAP sections of my SiteConfig **
Set($AuthMethods, [‘LDAP’,‘Internal’]);
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 1);
Set($LdapAttrMap, {‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘company’,
‘RealName’ => ‘cn’,
‘ExternalContactInfoId’ => ‘dn’,
‘ExternalAuthId’ => ‘sAMAccountName’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’}
);
Set($LdapRTAttrMatchList, [‘Name’,‘ExternalContactInfoId’,
‘EmailAddress’, ‘RealName’]
);
Set($LdapEmailAttrMatchList, [‘mail’, ‘mailRoutingAddress’,
‘mailAlternateAddress’]
);
Set($LdapServer, ‘[DC ip address]’);
Set($LdapBase, ‘CN=users,DC=smwm,DC=com’);
#Set($LdapBase, ‘CN=SMWM,OU=SMWMSF Distribution Lists,DC=smwm,DC=com’);
Set($LdapFilter, “(objectclass=sAMAccountName)”);
Set($LdapUser, ‘[user]@smwm.com’);
Set($LdapPass, ‘[password]’);
Set($LdapSSLVersion, 3);

Now some logs:

First off, a search to make sure LDAP is actually working, DNs are
correct, etc

ldapsearch -x -h [ip address] -b “CN=users,DC=smwm,DC=com” -D
"SMWMSF[user]" -w “[password]” “sn=smahan”

extended LDIF

LDAPv3

base <CN=users,DC=smwm,DC=com> with scope sub

filter: sn=smahan

requesting: ALL

search result

search: 2
result: 0 Success

numResponses: 1

Well, this first message to the list has been a complete success - it
works! My issue ended up being that we have a separate OU set up for
our users/employees (the AD setup predates me, here, and I’m clearly not
as up on AD ins and outs as I should be). So I had to set my $LdapBase
to ‘OU=Domain Users, DC=corp, DC=com’, and the $LdapFilter to
"(objectclass=User)". Incidentally, though, I do have to specify the
domain of the user performing the LDAP lookup, or I get an Error 49.

Anyway, lots of “Thanks” to Eric, Jim and Steve,

-SeanFrom: eric.valor@daimlerchrysler.com
[mailto:eric.valor@daimlerchrysler.com]
Sent: Wednesday, July 05, 2006 12:38 PM
To: rt-users@lists.bestpractical.com
Cc: Sean W. Mahan
Subject: Re: LDAP issues with new install

I don’t think your lookups are working. The user you specified in
RT_SiteConfig.pm probably can’t search the LDAP tree.

Try “Set($LdapUser, ‘[user]’);” in your RT_SiteConfig.pm (without the
"@smwm.com"). Make sure you have the correct LdapBase setting. Check by
looking at a user record on your AD in the Object tab. If it is
smwm.com/Users/ then your current setting should be OK.

Also, unless you’re getting a dump of the LDAP record, your ldapsearch
isn’t working either.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

rt-users-request@lists.bestpractical.com
Sent by: rt-users-bounces@lists.bestpractical.com

07/05/2006 12:10 PM
Please respond to
rt-users@lists.bestpractical.com

To
rt-users@lists.bestpractical.com
cc
Subject
RT-Users Digest, Vol 28, Issue 8

Sean W. Mahan
IT Services
smahan@smwm.com

    SMWM
    989 Market Street, 3rd Floor
    San Francisco, CA 94103
    415.882.3092 D
    415.882.7098 F
    www.smwm.com


    This e-mail is intended only for use and/or review of the 
    individual or entity to whom it is addressed and may be 
    for a limited purpose and/or confidential and/or privileged
    communication protected by law.  Any unauthorized use, 
    dissemination, distribution, disclosure or copying is strictly 
    prohibited. If you have received this communication in 
    error, please notify us immediately by return e-mail and 
    kindly delete this message from your system. Thank you in
    advance for your cooperation.