Problems with RT::Authen::ExternalAuth

Turning on debugging mode seems to help me to see the exact error

[Tue Jan 22 13:16:38 2013] [debug]: UserExists params:
username: ymarinov , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:299)
[Tue Jan 22 13:16:38 2013] [debug]: LDAP Search === Base: (dc=xxxxx,dc=net)
== Filter: (&(objectClass=*)(uid=ymarinov)) == Attrs: mail,uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:329)
[Tue Jan 22 13:16:38 2013] [debug]: User Check Failed :: ( My_LDAP )
ymarinov User not found
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:343)
[Tue Jan 22 13:16:38 2013] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)

which leads me to think that most probably the filter doesn’t work correctly.
But this filter is already described in the LDAPImport extension, and it
works fine.

View this message in context: http://requesttracker.8502.n7.nabble.com/problems-with-RT-Authen-ExternalAuth-tp52440p52442.html

The LDAPImport extension connects as a different user, your ymarinov
user may not have the same rights in LDAP. Use the ldapsearch command
line tool to run the search/filter manually and see what you get (also
check the server’s logs).

-kevin
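
The manual check suggested above, as an added example that is not part of the original thread or of RT::Authen::ExternalAuth: a shell helper that turns the plugin's "LDAP Search" debug entry into the equivalent anonymous ldapsearch command, so the hand-run search uses the same base, filter and attributes that RT sent (the base is passed exactly as logged, parentheses included). The function names and the choice of `-x -LLL -H` are assumptions of this example; the log entry and host name are copied from the first post.

```shell
#!/bin/sh
# Added example: turn RT's "LDAP Search" debug entry into an ldapsearch command.

# Sample entry copied from the thread, wrapped the way the archive shows it.
SAMPLE_LOG='[Tue Jan 22 13:16:38 2013] [debug]: LDAP Search === Base: (dc=xxxxx,dc=net)
== Filter: (&(objectClass=*)(uid=ymarinov)) == Attrs: mail,uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:329)'

# log_field NAME: read one log entry on stdin and print the value after
# "NAME: ", cut at the next " == " separator or the trailing " (/file:line)".
log_field() {
    tr '\n' ' ' |
        sed -n "s/.*$1: \(.*\)/\1/p" |
        sed 's/ == .*//; s/ (\/.*//; s/ *$//'
}

# shq STRING: single-quote STRING so it can be pasted into a shell unchanged.
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# rt_ldap_cmd HOST: read a log entry on stdin, print the matching command.
# -x with no -D is an anonymous simple bind, as with 'user' => '' in the config.
rt_ldap_cmd() {
    entry=$(cat)
    base=$(printf '%s' "$entry" | log_field Base)
    filter=$(printf '%s' "$entry" | log_field Filter)
    # Attribute names go in unquoted, so keep only characters valid in them.
    attrs=$(printf '%s' "$entry" | log_field Attrs | tr -cd 'A-Za-z0-9,;-' | tr ',' ' ')
    if [ -z "$base" ] || [ -z "$filter" ]; then
        echo "no LDAP Search entry found" >&2
        return 1
    fi
    # Base and filter are passed exactly as logged, so the manual run
    # tests the same strings RT sent to the server.
    printf 'ldapsearch -x -LLL -H %s -b %s -s sub %s %s\n' \
        "$(shq "ldap://$1")" "$(shq "$base")" "$(shq "$filter")" "$attrs"
}

printf '%s\n' "$SAMPLE_LOG" | rt_ldap_cmd ldap.xxxx.net
```

When the ExternalAuth config sets 'user' and 'pass', add `-D <bind DN> -W` to the printed command so the search runs as that account.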

executing the following command gives all of the users

ldapsearch -h ldap.xxxx.net -b "dc=xxxxx,dc=net" -s sub "objectclass=*"

now, i’m more confused :confused:

Hi,

I believe what Kevin had in mind was that you specify the user account
that you configured to carry out searches in the ldap external auth
config using the -D option to ldap search, i.e.

% ldapsearch -D cn=xxxx -W -h ldap.xxxx.net -b "dc=xxxxx,dc=net" -s sub "objectclass=*"

If you are still experiencing problems post a relevant snippet from
your LDAP logs (log level 256 is usually enough)

Hope that helps

Martin

our ldap accepts connections without using username or password

however executing the following command, again lists the users in ldap

ldapsearch -D cn=ymarinov -h ldap.xxx.net -b "dc=xxxx,dc=net" "objectclass=*"

Hi,

Is cn=ymarinov specified as the user to bind as in the External Auth
configuration?

Best Regards

Martin

not at all. i don’t use ANY user/pass for ExternalAuth extension

Hi,

In that case then your config should have the following set:

'user' => '',
'pass' => '',

And looking at your comments the attr_match_list should look something
like:
'attr_match_list' => ['cn,mail'],

Rather than:
'attr_match_list' => ['uid,mail'],

Best Regards

Martin

this didn’t help at all :confused:
to be sure i’ll give you the exact current RT_SiteConfig.pm specifications
that i’ve got at the moment:

'type' => 'ldap',
'server' => 'ldap.xxxx.net',
'user' => '',
'pass' => '',
'base' => '(dc=neterra,dc=net)',
'filter' => '(objectClass=*)',
'd_filter' => '(objectClass=NonExistant)',
'tls' => 0,
'ssl_version' => 3,
'net_ldap_args' => [ version => 3 ],
'attr_match_list' => [ 'cn', 'mail' ],
'attr_map' => { 'Name' => 'uid', 'EmailAddress' => 'mail' }
},

Have in mind that I tried the attr match list to use ‘uid’ instead of ‘cn’ -
however LDAP returns again

[Wed Jan 23 12:00:33 2013] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Jan 23 12:00:33 2013] [error]: FAILED LOGIN for ymarinov from
xxxx.xxx.xxx.xxx (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

Hi,

Sorry, but my last post was incorrect regarding the attr_match_list; here
is an extract from my working config.

'attr_match_list' => [ 'Name',
                       'EmailAddress'
                     ],
'attr_map' => { 'Name' => 'mail',
                'EmailAddress' => 'mail',
                'RealName' => 'cn',
                'ExternalAuthId' => 'uid'
              }
},

Without knowing how your users are structured in LDAP the attr_map will
differ; at a guess you will need to change ‘ExternalAuthId’ at the
very least.

Hope this helps

Martin

Martin, your help is really much appreciated! However i still can’t get this
working. I’ll paste my current attr match list +the structure of the LDAP
information

'attr_match_list' => [ 'Name', 'EmailAddress' ],

'attr_map' => { 'Name' => 'uid',
                'EmailAddress' => 'mail',
                'ExternalAuthId' => 'uid'
              }
},

uid=XXXX,ou=People,dc=xxxx,dc=net
objectClass=mozillaAbPersonAlpha
objectClass=evolutionPerson
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=posixAccount
objectClass=shadowAccount
objectClass=sambaSamAccount
uidNumber=(binary value)
uid=(binary value)
gidNumber=(binary value)
givenName=Yavor
sn=Marinov
mail=ymarinov@xxxxxx.net
cn=Yavor Marinov
homeDirectory=(binary value)
loginShell=(binary value)
sambaSID=(binary value)
displayName=(binary value)
sambaPasswordHistory=(binary value)
sambaPwdLastSet=(binary value)
sambaAcctFlags=(binary value)

Hi,

Just a couple of things, don’t know if you just haven’t posted
information as it’s sensitive.

  1. Do you have a userPassword set for your ldap user?

In addition I don’t know if it is required or not, but try adding
'RealName' => 'cn',

to your attr_map config.

Regards

Martin

adding RealName to the attr maps didn’t help, i still get No User in the
error logs.
i’ll try to investigate further which field should i map for the password,
but it doesn’t seem logical for me to map a password, since LDAP just
answers if the user is authenticated or not.

i’m completely lost …

Hi,

If you can post information from both the ldap logs and the RT logs
that would help.

Best Regards

Martin

actually the problem is that i don’t have access to the ldap machine, but a
colleague who has access already told me that we don’t save any logs (i
can die now) for the ldap.

and actually currently i can’t see any other options to look into in order
to keep trying to fix this :confused:

I’ve managed to configure this extension to authenticate against ldap, but
I’ve faced another problem.
Upon logging in, there isn’t any queue defined for the user, which means
nothing can be done from the user point. However, when I try to assign some
roles, I wasn’t able to see any users listed, which made me think that those
users should be created automatically locally once they are authenticated
against ldap.

I’ve made the following option, but i don’t think it’s enough to create
those users.

Set($AutoCreateNonExternalUsers, 0);

Any suggestions?