LDAPImport bug with RT-Authen-ExternalAuth

I have been implementing a test installation of rt4 and am migrating to LDAPImport to replace a very old rt to ldap sync script we had.

However whenever I run LDAPImport I get the following errors:

[Mon Jul 11 15:31:00 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: Unassigned, Disabled: 0, EmailAddress: NAME@geneseo.edu, Name: NAME, Organization: , Privileged: 0, RealName: NAME Esmaili, WorkPhone: Unlisted (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Jul 11 15:31:00 2011] [error]: couldn’t create user_obj for oe1: Could not set user info (/opt/rt4devel/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:866)
couldn’t create user_obj for oe1: Could not set user info

When I run LDAPImport with --debug it reports all the info just fine. But when I do --import I get the above error.

Is LDAPImport compatible with the External Auth plugin?

Thanks for any help!

Shawn Plummer
Systems Manager
CIT SUNY Geneseo
“The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh.” -Lord Byron

They are compatible, but it’s entirely possible that you have some
crufty user data.

Do you already have a user whose Name and EMailAddress are both
NAME@geneseo.edu ?

If you log in as this user, can RT-Authen-ExternalAuth find and
authenticate this user?

You can also run with both --debug and --import

-kevin

We do have a lot of users already in RT that are in AD. Updates may be working correctly with the script but it’s new users it seems to have an issue with.

Imported 311/9795 users
Processing user USER1
User USER1 already exists as 173389, updating their data
no change
Imported 312/9795 users
Processing user USER2
User USER2 already exists as 148069, updating their data
no change
Imported 313/9795 users
Processing user USER3
[Mon Jul 11 17:35:38 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: Off-Campus, Disabled: 0, EmailAddress: USER3@geneseo.edu, Name: USER3, Organization: Student, Privileged: 0, RealName: USER3 FULL NAME, WorkPhone: USER3PHONE (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Jul 11 17:35:38 2011] [error]: couldn’t create user_obj for USER3: Could not set user info (/opt/rt4devel/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:866)
couldn’t create user_obj for USER3: Could not set user info
Imported 314/9795 users

USER3 exists in our AD currently but does not exist in RT's database and it fails to create that user. We do have a lot of users in RT that no longer exist in AD but those do not seem to be causing any errors, or if they are it is not a problem.

- Shawn

2011 Training: http://bestpractical.com/services/training.html

Shawn Plummer
Systems Manager
CIT SUNY Geneseo
“The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh.” -Lord Byron

Ok, what about this question:

If you log in as this user, can RT-Authen-ExternalAuth find and
authenticate this user?

You might also want to provide some of your config settings.

-kevin

I should also note that if you set RT to log in debug mode, you’ll see
both LDAPImport and ExternalAuth in your RT log, whereas the tool can
only show you LDAPImport logs in the console.

-kevin

Sorry for the delay in responding to this.

They are compatible, but it’s entirely possible that you have some
crufty user data.

Do you already have a user whose Name and EMailAddress are both
NAME@geneseo.edu ?

I do not.

If you log in as this user, can RT-Authen-ExternalAuth find and
authenticate this user?

I created a new user in AD that I knew would not be in RT and that I would know the username and password. It does appear that ExternalAuth cannot create a new user but it seems to be authenticating existing users just fine.

Relevant logs:
[Wed Jul 27 16:08:09 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 20:08:09 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536), referer: https://rtdevel.geneseo.edu/
[Wed Jul 27 16:08:09 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 20:08:09 2011] [error]: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129), referer: https://rtdevel.geneseo.edu/
[Wed Jul 27 16:08:09 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 20:08:09 2011] [error]: FAILED LOGIN for rttestuser f, referer: https://rtdevel.geneseo.edu/
[Wed Jul 27 16:08:09 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: rom 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655), referer: https://rtdevel.geneseo.edu/

I have had no issue logging in as myself, using my AD password. Granted my account already existed.

Any idea why external auth would be able to authenticate existing users but fail to create new users?

Shawn Plummer
Systems Manager
CIT SUNY Geneseo
“The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh.” -Lord Byron

You’ve left off a number of useful debugging messages from
CanonicalizeUserInfo which came right before this. Without those,
it’s hard to tell what’s going on

-kevin

I set $LogToSyslog to debug in RT_Config and tried again. Is this what you were referring to? Or do I need to turn something on to get better messages from CanonicalizeUserInfo?

Here is everything I got from tailing /var/log/httpd/* and /var/log/messages while I attempted to login with the new AD user I created today.

Jul 27 19:44:28 rtdevel RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jul 27 19:44:28 rtdevel RT: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)

==> /var/log/httpd/rt4devel_error_log <==
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html
[Wed Jul 27 19:44:28 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: [Wed Jul 27 23:44:28 2011] [error]: FAILED LOGIN for rttestuser f, referer: https://rtdevel.geneseo.edu/NoAuth/Login.html

==> /var/log/messages <==
Jul 27 19:44:28 rtdevel RT: FAILED LOGIN for rttestuser from 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655)

==> /var/log/httpd/rt4devel_error_log <==
[Wed Jul 27 19:44:31 2011] [warn] [client 137.238.60.9] mod_fcgid: stderr: rom 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655), referer: https://rtdevel.geneseo.edu/NoAuth/Login.html

==> /var/log/httpd/rt4devel_access_log <==
137.238.60.9 - - [27/Jul/2011:19:44:27 -0400] “POST /NoAuth/Login.html HTTP/1.1” 200 4534 “https://rtdevel.geneseo.edu/NoAuth/Login.html” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3”

Shawn Plummer
Systems Manager
CIT SUNY Geneseo
“The mind can make substance, and people planets of its own with beings brighter than have been, and give a breath to forms which can outlive all flesh.” -Lord Byron

I’d expect to see the output of
    $RT::Logger->debug( (caller(0))[3],
                        "called by",
                        caller,
                        "with:",
                        join(", ", map {sprintf("%s: %s", $_, $args->{$_})}
                             sort(keys(%$args))));

and a reference to every Info service queried

You may want to post your RT-Authen-ExternalAuth config and version

-kevin

Here are the RT_SiteConfig entries for LDAPImport and External Auth

For the Ldapimport extension

Set($LDAPHost, 'server.geneseo.edu');
Set($LDAPUser, 'cn=username,cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPPassword, 'password');
Set($LDAPBase, 'cn=Users,dc=w2k,dc=geneseo,dc=edu');
Set($LDAPFilter, '(objectClass=*)');
Set($LDAPMapping, {Name         => 'sAMAccountName',
                   EmailAddress => 'mail',
                   RealName     => 'displayName',
                   WorkPhone    => 'telephoneNumber',
                   Organization => 'department',
                   Address1     => 'street'
                  });

Set($LDAPGroupName, 'Imported Users');
Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPUpdateOnly, 0);

Set($ExternalAuthPriority, ['Geneseo_AD']);
Set($ExternalInfoPriority, ['Geneseo_AD']);
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {'Geneseo_AD' => { ## GENERIC SECTION
        'type' => 'ldap',
        'server' => 'server.geneseo.edu',
        # The username RT should use to connect to the LDAP server
        'user' => 'cn=username,cn=users,dc=w2k,dc=geneseo,dc=edu',
        # The password RT should use to connect to the LDAP server
        'pass' => 'password',
        # The LDAP search base
        'base' => 'cn=Users,DC=w2k,DC=geneseo,DC=edu',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU MUST SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(objectClass=*)',
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay if using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'GROUP_NAME',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'GROUP_ATTR',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify… I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'sAMAccountName',
                               'mail'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'Organization' => 'department',
                        'RealName' => 'displayName',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName',
                        'WorkPhone' => 'telephoneNumber',
                        'Address1' => 'streetAddress',
                        'City' => 'l',
                        'State' => 'st',
                        'Zip' => 'postalCode',
                        'Country' => 'co'
                      }
    }
}
);

Versions?

Also, any luck finding the expected log messages I note below?

-kevin

RT 4.0.1 and External Auth 0.9

No luck on the log messages. Do I need to change to log to a file rather than syslog?

syslog may put messages into different files depending on level and
other properties. Try LogToScreen or LogToFile. Things logged to
screen end up in apache’s logs and in console output when you run
command line tools. Don’t use LogToFile in production for a long
time. LogToFile requires users using RT tools on the server to have
permissions on the file.

Best regards, Ruslan.

Got more log information by turning on logging to rt.log

==> var/log/rt.log <==
[Fri Jul 29 12:57:14 2011] [debug]: Attempting to use external auth service: Geneseo_AD (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Fri Jul 29 12:57:14 2011] [debug]: Calling UserExists with $username (rttestuser) and $service (Geneseo_AD) (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Fri Jul 29 12:57:14 2011] [debug]: UserExists params:
username: rttestuser , service: Geneseo_AD (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Fri Jul 29 12:57:14 2011] [debug]: LDAP Search === Base: cn=Users,DC=w2k,DC=geneseo,DC=edu == Filter: (&(objectClass=*)(sAMAccountName=rttestuser)) == Attrs: l,displayName,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,department,sAMAccountName (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Fri Jul 29 12:57:14 2011] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 553 with: Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri Jul 29 12:57:14 2011] [debug]: Attempting to get user info using this external service: Geneseo_AD (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri Jul 29 12:57:14 2011] [debug]: Attempting to use this canonicalization key: sAMAccountName (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri Jul 29 12:57:14 2011] [debug]: This attribute ( sAMAccountName ) is null or incorrectly defined in the attr_map for this service ( Geneseo_AD ) (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:474)
[Fri Jul 29 12:57:14 2011] [debug]: Attempting to use this canonicalization key: mail (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri Jul 29 12:57:14 2011] [debug]: This attribute ( mail ) is null or incorrectly defined in the attr_map for this service ( Geneseo_AD ) (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:474)
[Fri Jul 29 12:57:14 2011] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0, EmailAddress: , Gecos: rttestuser, Name: rttestuser, Privileged: 0 (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Fri Jul 29 12:57:14 2011] [error]: Couldn’t create user rttestuser: Could not set user info (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:129)
[Fri Jul 29 12:57:14 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4devel/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Fri Jul 29 12:57:14 2011] [error]: FAILED LOGIN for rttestuser from 137.238.60.9 (/opt/rt4devel/sbin/…/lib/RT/Interface/Web.pm:655)

I see it says that This attribute ( sAMAccountName ) is null or incorrectly defined in the attr_map for this service ( Geneseo_AD )

But looking at the attribute editor on my AD server I see that user has an sAMAccountName of rttestuser so I am not sure why it thinks it is incorrectly defined in the attr_map for the service. Is my config file wrong somehow?

It also appears that I can authenticate existing users in RT and I don’t see any errors logged for them. It is only new users that are not in RT that are failing to be created.

- Shawn

Looks like external Auth can create users again.

Turns out I changed attr_match_list and put in the name of the AD attribute not the RT attribute.

Changed them back to
'attr_match_list' => [ 'Name',
                       'Gecos',
                       'EmailAddress'
                     ],

And now it works!

- Shawn
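
The misconfiguration found at the end of this thread, turned into a check that can run before the settings are deployed. This is an added example, not code from RT or RT-Authen-ExternalAuth: the helper check_attr_match_list is hypothetical, and the two settings hashes are built from the attr_map and attr_match_list values posted above, trimmed to those two keys.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of RT): list the problems in one service's
# settings. Each attr_match_list entry must be an RT attribute, that is, a
# key of attr_map whose value is a non-empty LDAP attribute name.
sub check_attr_match_list {
    my ($service, $cfg) = @_;
    my $map   = $cfg->{attr_map}        || {};
    my $match = $cfg->{attr_match_list} || [];
    my @problems;

    push @problems, "$service: attr_match_list is empty" unless @$match;

    # Reverse index: LDAP attribute (compared case-insensitively) => RT attributes.
    my %rt_for_ldap;
    for my $rt (sort keys %$map) {
        push @{ $rt_for_ldap{ lc($map->{$rt} // '') } }, $rt;
    }

    for my $entry (@$match) {
        # Valid entry: present in attr_map and mapped to something.
        next if length($map->{$entry} // '');

        if (my $rt = $rt_for_ldap{ lc($entry) }) {
            # The mistake from this thread: the LDAP name was used.
            push @problems, sprintf(
                "%s: '%s' is an LDAP attribute; use the RT attribute (%s)",
                $service, $entry, join(' or ', @$rt));
        }
        else {
            push @problems, "$service: '$entry' is not a key of attr_map";
        }
    }
    return @problems;
}

# attr_map as posted in the thread.
my %attr_map = (
    Name           => 'sAMAccountName',
    EmailAddress   => 'mail',
    Organization   => 'department',
    RealName       => 'displayName',
    ExternalAuthId => 'sAMAccountName',
    Gecos          => 'sAMAccountName',
    WorkPhone      => 'telephoneNumber',
    Address1       => 'streetAddress',
    City           => 'l',
    State          => 'st',
    Zip            => 'postalCode',
    Country        => 'co',
);

# Constructed test input: the same service twice, once with the
# attr_match_list that failed and once with the corrected one.
my %settings = (
    'Geneseo_AD (as posted)' => {
        attr_match_list => [ 'sAMAccountName', 'mail' ],
        attr_map        => \%attr_map,
    },
    'Geneseo_AD (corrected)' => {
        attr_match_list => [ 'Name', 'Gecos', 'EmailAddress' ],
        attr_map        => \%attr_map,
    },
);

for my $service (sort keys %settings) {
    my @problems = check_attr_match_list($service, $settings{$service});
    if (@problems) { print "FAIL $_\n" for @problems; }
    else           { print "OK   $service\n"; }
}
```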