RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses

Hi!

We use the ExternalAuth module to authenticate users against an LDAP
directory. Some users have multiple e-mail addresses, i.e. multiple
values for the LDAP mail attribute (e.g. gv2@example.com and
vogt@example.com).

Users can send e-mails to the RT server from the e-mail address which
made it into the RT MySQL database without problems. (let’s say
vogt@example.com works)

However, if they send from a different e-mail address (i.e.
gv2@example.com) it fails with error “Could not load a valid user”.

The documentation mentions it should work if the user has e-mail addresses
from different attributes. But it doesn’t say anything if there are
multiple values for the same attribute.

Browsing through the source code it looks to me as if RT first only
checks against its internal database to find out whether a user with the
sender address already exists, then tries to create a new user for the
address only to find that the user name matching in LDAP to this e-mail
address already exists in the internal database.

Is this not possible or am I missing something here?

Thanks!

Logs show this:

Jan 17 13:57:56 rt4 RT: [5002] The RTAddressRegexp option is not set in
the config. Not setting this option results in additional SQL queries to
check whether each address belongs to RT or not. It is especially
important to set this option if RT recieves emails on addresses that are
not in the database or config. (/usr/local/rt4/sbin/…/lib/RT/Config.pm:485)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii
(/usr/local/rt4/sbin/…/lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii
(/usr/local/rt4/sbin/…/lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Converting ‘ascii’ to ‘utf-8’ for
text/plain - test (/usr/local/rt4/sbin/…/lib/RT/I18N.pm:295)
Jan 17 13:57:57 rt4 RT: [5007] Going to create user with address
‘gv2@example.com’
(/usr/local/rt4/sbin/…/lib/RT/Interface/Email/Auth/MailFrom.pm:100)
Jan 17 13:57:57 rt4 RT: [5007]
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by
RT::Authen::ExternalAuth
/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
702 with: Comments: Autocreated on ticket submission, Disabled: ,
EmailAddress: gv2@example.com, Name: gv2@example.com, Password: ,
Privileged: , RealName:
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:599)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to get user info using this
external service: LDAP
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization
key: Name
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base:
ou=people,o=ldap,o=root == Filter:
(&(objectclass=*)(uid=gv2@example.com)) == Attrs:
l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization
key: EmailAddress
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base:
ou=people,o=ldap,o=root == Filter:
(&(objectclass=*)(mail=gv2@example.com)) == Attrs:
l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid
(/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: ,
City: , Comments: Autocreated on ticket submission, Country: , Disabled:
, EmailAddress: vogt@example.com, ExternalAuthId: vogt, Gecos: Gerald
Vogt, Name: vogt, Organization: , Password: , Privileged: , RealName:
Gerald Vogt, State: , WorkPhone: , Zip:
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value $Username in
concatenation (.) or string at
/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm line 849.
Jan 17 13:57:57 rt4 RT: [5007] create new user. username = ,
emailaddress = gv2@example.com
(/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:849)
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value in
concatenation (.) or string at
/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm line 859.
Jan 17 13:57:57 rt4 RT: [5007] loadbyemail got
(/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:859)
Jan 17 13:57:57 rt4 RT: [5007] User could not be created: User creation
failed in mailgateway: Name in use
Jan 17 13:57:57 rt4 RT: [5007] Couldn’t load user
‘gv2@example.com’.giving up
Jan 17 13:57:57 rt4 RT: [5007] User could not be loaded: User
‘gv2@example.com’ could not be loaded in the mail gateway
Jan 17 13:57:57 rt4 RT: [5007] Could not load a valid user: RT could not
load a valid user, and RT’s configuration does not allow#012for the
creation of a new user for this email (gv2@example.com).#012#012You
might need to grant ‘Everyone’ the right ‘CreateTicket’ for the#012queue
Firewall.
Jan 17 13:57:57 rt4 RT: [5007] Could not load a valid user: RT could not
load a valid user, and RT’s configuration does not allow#012for the
creation of a new user for your email.
Jan 17 13:57:57 rt4 RT: [5007] Could not record email: Could not load a
valid user

LDAP configuration is this:

    Plugin( "RT::Authen::ExternalAuth" );

    Set($ExternalAuthPriority, [ 'LDAP' ]);
    Set($ExternalInfoPriority, [ 'LDAP' ]);
    Set($ExternalServiceUsesSSLorTLS, 1);
    Set($AutoCreateNonExternalUsers, 0);
    Set($ExternalSettings, {
        'LDAP' => {
            'type' => 'ldap',
            'server' => [ 'ldaps://dsp1.example.com',
                          'ldaps://dsp2.example.com' ],
            'user' => 'cn=agent, ou=Special Users, dc=adm',
            'pass' => 'password',
            'base' => 'ou=people,o=ldap,o=root',
            'filter' => '(objectclass=*)',
            'd_filter' => '(FILTER_STRING)',
            'group' => 'GROUP_NAME',
            'group_attr' => 'GROUP_ATTR',
            'tls' => 1,
            'ssl_version' => 3,
            'net_ldap_args' => [ version => 3 ],
            'group_scope' => 'base',
            'group_attr_value' => 'GROUP_ATTR_VALUE',
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name' => 'uid',
                'EmailAddress' => 'mail',
                'Organization' => 'physicalDeliveryOfficeName',
                'RealName' => 'gecos',
                'ExternalAuthId' => 'uid',
                'Gecos' => 'gecos',
                'WorkPhone' => 'telephoneNumber',
                'Address1' => 'streetAddress',
                'City' => 'l',
                'State' => 'st',
                'Zip' => 'postalCode',
                'Country' => 'co'
            },
        },
    } );

Gerald

Anyone knows whether this should work? Did see any answers till now…

Is it possible for a user to use more than one sender e-mail address for
the same account if all e-mail addresses are in the LDAP directory?

I have found this in the RT_SiteConfig.pm file which comes with the
ExternalAuth module:

"However, if a user with an existing RT account with EmailAddress set to
the C address, sent mail from C, it would still match. The
user’s EmailAddress in RT would remain the primary C address.

This feature is useful for LDAP configurations where users have a
primary institutional email address, but might also use aliases from
subdomains or other email services. This prevents RT from creating
multiple accounts for the same person."

It doesn’t clearly say whether e-mails sent from the “alias” email
address would be accepted or not.

Thanks!

Gerald

On 18.01.2014 14:27, Gerald Vogt wrote:

Hi!

We use the ExternalAuth module to authenticate users against a LDAP
directory. Some users have multiple e-mail addresses, i.e. multiple
values for the LDAP mail attribute (e.g. gv2@example.com and
vogt@example.com)

[...]

Anyone knows whether this should work? Did see any answers till now…

You asked on a Saturday of a holiday weekend.

Is it possible for a user to use more than one sender e-mail address for
the same account if all e-mail addresses are in the LDAP directory?

I have found this in the RT_SiteConfig.pm file which comes with the
ExternalAuth module:

"However, if a user with an existing RT account with EmailAddress set to
the C address, sent mail from C, it would still match. The
user’s EmailAddress in RT would remain the primary C address.

This feature is useful for LDAP configurations where users have a
primary institutional email address, but might also use aliases from
subdomains or other email services. This prevents RT from creating
multiple accounts for the same person."

It doesn’t clearly say whether e-mails sent from the “alias” email
address would be accepted or not.

I’m glad you found the example config. The key is the first sentence
you quote. RT will look up against alias and treat it as though they
sent from their primary email address.

-kevin

Then why doesn’t this happen when it has two or more values set for the
“mail” attribute?

When RT receives an e-mail I don’t see any access to the LDAP server at
first. It searches the sender address in the internal database. Doesn’t
find it. Then wants to create a new user. And only then it checks
against the LDAP database and finds that the user with that uid (which
maps to the “Name” column in the RT database) exists and refuses to
create this user.

Why doesn’t this work and does this reject e-mails from that sender address?

Thanks!

Gerald

You haven’t provided your configuration or debug logs for the
condition so any answers would be pure guesses.

-kevin

That was in my first email and fully quoted in my second. -Gerald

I have tested the ExternalAuth module with the suggested configuration
of two different attributes for EmailAddress as suggested in the
configuration file:

    'attr_map' => {
        'Name' => 'uid',
        'EmailAddress' => [ 'mail', 'mailAlternateAddress' ],

This won’t work at all: the call of postfix to rt-mailgateway fails:

(temporary failure. Command output: RT server error. The RT server
which handled your email did not behave as expected. It said: Can’t
call method “as_string” on an undefined value at
/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm
line 357. Stack:
[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357]

[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:655]

[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:702]
[/usr/local/rt4/sbin/…/lib/RT/User.pm:143]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:838]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email/Auth/MailFrom.pm:178]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:1531]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:1345]
[/usr/local/rt4/share/html/REST/1.0/NoAuth/mail-gateway:61])

This is because it passes the EmailAddress key as array to the function
and tries to build the LDAP filter from that which results in a string
like this:

(&(objectclass=*)(ARRAY(0xacc5d0)=gv@example.com))

And with that the following call to Net::LDAP::Filter->new will fail.

I don’t see how this should work with version 0.17 of ExternalAuth and
RT4.2.2.

Thanks!

Gerald

On 21.01.2014 22:43, Gerald Vogt wrote:

On 21.01.2014, at 21:33, Kevin Falcone falcone@bestpractical.com wrote:

On Tue, Jan 21, 2014 at 08:49:49PM +0100, Gerald Vogt wrote:
When RT receives an e-mail I don’t see any access to the LDAP server at
first. It searches the sender address in the internal database. Doesn’t
find it. Then wants to create a new user. And only then it checks
against the LDAP database and finds that the user with that uid (which
maps to the “Name” column in the RT database) exists and refuses to
create this user.

Why doesn’t this work and does this reject e-mails from that sender address?

You haven’t provided your configuration or debug logs for the
condition so any answers would be pure guesses.

That was in my first email and fully quoted in my second. -Gerald
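
The failure described in the message above, and one way to avoid it, as an added example (not code from ExternalAuth or from anyone in this thread): `build_match_filter` and `escape_filter_value` are hypothetical helpers that accept either one LDAP attribute name or an array ref of several, and escape the sender address per RFC 4515 before it enters the filter. The sample addresses are constructed.

```perl
#!/usr/bin/perl
# Added example: build the canonicalization filter when an attr_map entry
# is either a single LDAP attribute name or an array ref of several names.
# Helper names are hypothetical; they are not part of RT or ExternalAuth.
use strict;
use warnings;

# RFC 4515 escaping for an assertion value: backslash, '*', '(', ')' and NUL
# become \XX hex escapes, so text taken from a mail header cannot change
# the structure of the filter.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

#   $base_filter : the configured 'filter', e.g. '(objectclass=*)'
#   $ldap_attrs  : the attr_map value, a string or an array ref of strings
#   $value       : the value to match, e.g. the sender address (untrusted)
sub build_match_filter {
    my ($base_filter, $ldap_attrs, $value) = @_;

    # Normalise both configuration shapes to a list of attribute names.
    my @attrs = ref($ldap_attrs) eq 'ARRAY' ? @$ldap_attrs : ($ldap_attrs);
    die "no LDAP attribute configured\n" unless @attrs;

    # Attribute names come from local configuration, but anything that is
    # not a plain name (undef, a nested reference, odd characters) is refused.
    for my $attr (@attrs) {
        die "attr_map entry is not a plain LDAP attribute name\n"
            unless defined $attr
                && !ref $attr
                && $attr =~ /\A[A-Za-z][A-Za-z0-9-]*\z/;
    }

    my $escaped = escape_filter_value($value);
    my @terms   = map { "($_=$escaped)" } @attrs;

    # Several attributes are OR-ed together; one attribute needs no wrapper.
    my $match = @terms > 1 ? '(|' . join('', @terms) . ')' : $terms[0];
    return "(&$base_filter$match)";
}

# Constructed inputs: the single-attribute mapping, the two-attribute
# mapping quoted in the thread, and an address containing filter
# metacharacters.
my $base = '(objectclass=*)';
for my $case (
    [ 'mail',                             'gv2@example.com' ],
    [ [ 'mail', 'mailAlternateAddress' ], 'gv2@example.com' ],
    [ [ 'mail', 'mailAlternateAddress' ], 'x@example.com)(uid=*' ],
) {
    my ($attrs, $addr) = @$case;
    print build_match_filter($base, $attrs, $addr), "\n";
}

# For comparison, the failure mode from the thread: interpolating the
# array ref itself stringifies it as ARRAY(0x...), which is not a valid
# attribute description.
my $as_configured = [ 'mail', 'mailAlternateAddress' ];
print "(&$base($as_configured=gv\@example.com))\n";
```

The last printed line has the same shape as the string quoted in the message, which is why filter parsing fails before any search is sent to the directory.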

On 22/01/2014 at 07:49:26+0100, Gerald Vogt wrote:

I have tested the ExternalAuth module with the suggested configuration
of two different attributes for EmailAddress as suggested in the
configuration file:

    'attr_map' => {
        'Name' => 'uid',
        'EmailAddress' => [ 'mail', 'mailAlternateAddress' ],

This won’t work at all: the call of postfix to rt-mailgateway fails:

(temporary failure. Command output: RT server error. The RT server
which handled your email did not behave as expected. It said: Can’t
call method “as_string” on an undefined value at
/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm
line 357. Stack:
[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357]

[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:655]

[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:702]
[/usr/local/rt4/sbin/…/lib/RT/User.pm:143]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:838]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email/Auth/MailFrom.pm:178]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:1531]
[/usr/local/rt4/sbin/…/lib/RT/Interface/Email.pm:1345]
[/usr/local/rt4/share/html/REST/1.0/NoAuth/mail-gateway:61])

This is because it passes the EmailAddress key as array to the function
and tries to build the LDAP filter from that which results in a string
like this:

(&(objectclass=*)(ARRAY(0xacc5d0)=gv@example.com))

And with that the following call to Net::LDAP::Filter->new will fail.

I don’t see how this should work with version 0.17 of ExternalAuth and
RT4.2.2.

I’ve exact same problem here. For me it’s the first time I encounter this
problem, I can say if this is a new problem or it’s old because we don’t
have many users with multiple email addresses. Today it’s the first time…

So yes I would very like some solution.

Because even manually through the web interface I can create a ticket with
« requestor » is the second email-address. I got an error.

Regards.

JAS

Albert SHIH
DIO bâtiment 15
Observatoire de Paris
5 Place Jules Janssen
92195 Meudon Cedex
France
Téléphone : +33 1 45 07 76 26/+33 6 86 69 95 71
xmpp: jas@obspm.fr
Heure local/Local time:
mer 22 jan 2014 11:55:09 CET

Because even manually through the web interface I can create a ticket with
« requestor » is the second email-address. I got an error.

That’s the same problem.

Considering there is no positive feedback on my question and seeing the
source code I am pretty sure this doesn’t work and actually never did
even though the docs in the ExternalAuth SiteConfig says it would work
since 0.10.

I guess this is DIY…

O.K. Just I have just noticed a new ticket on cpan:

https://rt.cpan.org/Ticket/Display.html?id=92381

So basically, it’s not yet supported.

I am now trying to figure out what has been implemented on the
multiple-emails branch to see if I can get it working…

Gerald

Looks like the developer who merged the docs didn’t also merge the
code needed. You can see more in the ticket I filed.
https://rt.cpan.org/Public/Bug/Display.html?id=92381

The multiple-emails branch could use more testing, but is not up to
date with current master.

-kevin

Hi Kevin,

On 29.01.14 20:08, Kevin Falcone wrote:

On Fri, Jan 24, 2014 at 07:54:06AM +0100, Gerald Vogt wrote:

On 22.01.2014 11:57, Albert Shih wrote:

Because even manually through the web interface I can create a ticket with
« requestor » is the second email-address. I got an error.

That’s the same problem.

Considering there is no positive feedback on my question and seeing the
source code I am pretty sure this doesn’t work and actually never did
even though the docs in the ExternalAuth SiteConfig says it would work
since 0.10.

Looks like the developer who merged the docs didn’t also merge the
code needed. You can see more in the ticket I filed.
https://rt.cpan.org/Public/Bug/Display.html?id=92381

The multiple-emails branch could use more testing, but is not up to
date with current master.

Are you sure the current source code of the extension is actually
capable of doing this?

I can see in the sourcecode of RT/Interface/Email/Auth/MailFrom.pm that
tries to find the user for the sender e-mail address using LoadByEmail.
LoadByEmail only checks the email address in the local database. If it
doesn’t find it there it tries to create a new user with that email address.

To me it looks as if this extension will never work properly unless it
modifies the LoadByEmail function to do a LDAP lookup if not found in
the local database. And I don’t see any indication anywhere in the
multiple-emails branch of the extension to do anything like that.

So I kind of doubt it’s just some more testing to get this working…

Gerald

not sure reopening this 7 y old issue is the best way to go forward, but we ran into exactly the same problem: ppl can have multiple email addresses in our LDAP and if they try to create a ticket using an alias, RT fails to create the internal user and the requestor is told “permission denied”.
I managed to come up with a ~10 lines patch of lib/RT/User.pm that seems to fix the problem for us, so now I’m wondering if anyone would be willing to take a look - I have no idea what it’ll break elsewhere… Let me know.

thanks,
-Christian

Having multiple mail addresses for one user is quite a problem in RT. We mitigated this issue by using https://metacpan.org/pod/RT::Extension::MergeUsers plugin. So now we import all mail addresses of a concrete user which create several user identities. Then we merge all such identities into one.

yeah I don’t think that would work for us. We have thousands of potential users and new ones (and new aliases) coming each day…

Is there an underlying logic to the users name so that some code could map email addresses to existing records?

Hopefully you’re importing users from LDAP. BP has a plugin that they wrote for us years ago:
RT-Extension-LDAPImport-MultiEmail
It automatically tracks and links multiple users based on the email addresses reported by LDAPImport.
I’m not sure if the original one has a branch for LDAPImport being moved into core.
I didn’t see it immediately with a CPAN search so you may have to ask someone at BP about it.

Jeff Voskamp

that is basically what my hack does: it rewrites the requestor’s email address to the primary one, hence mapping all tickets from a specific user (regardless of the alias they were sent from) to the same user db entry

If I understand the man page of this plugin correctly, it dumps the whole LDAP into RT’s user db. That’s not what we want, as only a certain percentage of our ~10k users will use RT. So we’d prefer the dynamic approach (db entry upon ticket), and the ‘merge’ is done by my hack

FTR here’s my hack

--- User.pm	2021-11-02 09:25:04.597956393 +0100
+++ User.pm.aliasmod	2021-11-02 09:28:59.198789265 +0100
@@ -145,6 +145,7 @@
     }
 
     $args{'EmailAddress'} = $self->CanonicalizeEmailAddress($args{'EmailAddress'});
+    my $realEmail = $args{'EmailAddress'};  #this ugly hack allows us to deal with users that have email aliases
 
     # if the user doesn't have a name defined, set it to the email address
     $args{'Name'} = $args{'EmailAddress'} unless ($args{'Name'});
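Review bot: The comment on the added `$realEmail` line ("this ugly hack ...") does not say what the variable holds or why `Create` hands it back. It is copied from `$args{'EmailAddress'}` immediately after `CanonicalizeEmailAddress`, so a comment such as "canonicalized address, returned so the caller can load the existing user when the sender used an alias" would document the intent, and a name like `$canonical_email` would match it.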
@@ -161,7 +162,7 @@
         $args{'Password'} = '*NO-PASSWORD*';
     } else {
         my ($ok, $msg) = $self->ValidatePassword($args{'Password'});
-        return ($ok, $msg) if !$ok;
+        return ($ok, $msg, $realEmail) if !$ok;
 
         $args{'Password'} = $self->_GeneratePassword($args{'Password'});
     }
@@ -169,13 +170,13 @@
     #TODO Specify some sensible defaults.
 
     unless ( $args{'Name'} ) {
-        return ( 0, $self->loc("Must specify 'Name' attribute") );
+        return ( 0, $self->loc("Must specify 'Name' attribute"), $realEmail );
     }
 
     my ( $val, $msg ) = $self->ValidateName( $args{'Name'} );
-    return ( 0, $msg ) unless $val;
+    return ( 0, $msg, $realEmail ) unless $val;
     ( $val, $msg ) = $self->ValidateEmailAddress( $args{'EmailAddress'} );
-    return ( 0, $msg ) unless ($val);
+    return ( 0, $msg, $realEmail ) unless ($val);
 
     $RT::Handle->BeginTransaction();
     # Groups deal with principal ids, rather than user ids.
@@ -265,7 +266,7 @@
 
     $RT::Handle->Commit;
 
-    return ( $id, $self->loc('User created') );
+    return ( $id, $self->loc('User created'), $realEmail );
 }
 
 =head2 UpdateObjectCustomFieldValues
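Review bot: The success return at the end of `Create` now yields three values, `( $id, $self->loc('User created'), $realEmail )`, which changes the method's return contract with no documentation in the hunk. A caller that evaluates `Create` in scalar context now receives the e-mail address instead of the message, because a Perl list return yields its last element there. Document the third element in the method's POD, or expose the canonical address through a separate accessor and leave the return list as it was.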
@@ -693,15 +694,15 @@
     $create{Privileged} ||= 0;
     $create{Comments}   //= 'Autocreated when added as a watcher';
 
-    my ($val, $message) = $self->Create( %create );
+    my ($val, $message, $realEmail) = $self->Create( %create );
     return wantarray ? ($self->Id, $self->loc("User loaded")) : $self->Id
         if $self->Id;
 
     # Deal with the race condition of two account creations at once
-    $self->LoadByEmail( $create{EmailAddress} );
+    $self->LoadByEmail( $realEmail );
     unless ( $self->Id ) {
         sleep 5;
-        $self->LoadByEmail( $create{EmailAddress} );
+        $self->LoadByEmail( $realEmail );
     }
 
     if ( $self->Id ) {
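Review bot: In this last hunk `LoadByEmail( $realEmail )` is called without checking that `$realEmail` is defined. Only the return statements shown in this patch were extended, so if `Create` returns through any other path the third element is missing and both lookups run with an undefined address, where they previously used `$create{EmailAddress}`. Fall back explicitly, for example `$realEmail //= $create{EmailAddress};` right after the `Create` call.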