RT 4.4.1 LDAP Authentication issue

Hi everyone.
First, sorry for my English, I'm French.

I have been trying for a couple of weeks to get LDAP authentication working with my fresh RT 4.4.1 installation.
All seems good, but login still fails.

As you can see in the logs, if it is the first time that a user tries to log in, he is created in RT and all checks seem to be OK, but the user is not granted access.

Below are RT_SiteConfig.pm and the logs.

Thank you for your help.
RT_SiteConfig.pm

Set($MaxAttachmentSize, 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set($Timezone, 'Europe/Paris');
Set($DisableGD, 0);
Set($DisableGraphViz, 1);
Set($LogToFile, 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed, "rt.log");

Set($WebDomain, 'dmycopr');
Set($WebPort, 82);
Set($Organization, 'mycopr.com');
Set($CorrespondAddress, 'alert@mycoprservices.com');
Set($CommentAddress, 'alert@mycoprservices.com');
Set($SendmailPath, "/usr/lib/sendmail");
Set($SendmailArguments, "-t");
Set($OwnerEmail, "alert@mycoprservices.com"); # who to email errors to
Set($UseTransactionBatch, '1');

# Use the below LDAP source for both authentication, as well as user
# information
Set($ExternalAuthPriority, ["My_LDAP"]);
Set($ExternalInfoPriority, ["My_LDAP"]);
Set($ExternalServiceUsesSSLorTLS, 1);

# Make users created from LDAP Privileged
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 });

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 0);

# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldaps://ypmycoprldap.corp.mycopr.com',
        'user'   => 'uid=mycopr-rtir-reader,ou=applicationAccounts,o=corp.mycopr.com',
        'pass'   => 'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',
        'base'   => 'o=corp.mycopr.com',
        'filter' => '(objectClass=privperson)',
        'tls'    => { verify => "require", cafile => "/etc/pki/tls/mycopr_CERTIFICATE_CHAIN.crt" },
        'net_ldap_args' => [ version => 3, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

1;

First login :
[13619] [Wed Dec 7 16:42:02 2016] [debug]: UserExists params: username: 20006587 , service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006587)) == Attrs: cn,mail,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:517)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User /opt/rt4/sbin/…/lib/RT/User.pm 699 with: Disabled: , EmailAddress: , Gecos: 20006587, Name: 20006587, Privileged: 1 (/opt/rt4/sbin/…/lib/RT/User.pm:735)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt4/sbin/…/lib/RT/User.pm:743)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Attempting to use this canonicalization key: Name (/opt/rt4/sbin/…/lib/RT/User.pm:752)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006587)) == Attrs: cn,mail,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:405)
[13619] [Wed Dec 7 16:42:02 2016] [info]: RT::User::CanonicalizeUserInfoFromExternalAuth returning Disabled: , EmailAddress: user@ext.mycorp.com, Gecos: 20006587, Name: 20006587, Privileged: 1, RealName: user (/opt/rt4/sbin/…/lib/RT/User.pm:811)
[13619] [Wed Dec 7 16:42:02 2016] [info]: Autocreated external user 20006587 ( 716 ) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:358)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Loading new user ( 20006587 ) into current session (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:364)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Password validation required for service - Executing… (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:381)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:201)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(uid=20006587)(objectClass=privperson)) == Attrs: dn (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:234)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Found LDAP DN: uid=20006587,ou=people,ou=GO-LM,o=corp.mycorp.com (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:268)
[13619] [Wed Dec 7 16:42:02 2016] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): 20006587 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:349)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP password validation result: 1 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:560)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Password Validation Check Result: 1 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:385)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13619] [Wed Dec 7 16:42:02 2016] [error]: FAILED LOGIN for 20006587 from 10.1.29.3 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Calling UserExists with $username (20006587) and $service (My_LDAP) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:329)

User is known by RT

[13620] [Wed Dec 7 16:42:10 2016] [debug]: UserExists params: username: 20006587 , service: My_LDAP (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: LDAP Search === Base: o=corp.mycopr.com == Filter: (&(objectClass=privperson)(uid=20006587)) == Attrs: cn,mail,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:517)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User /opt/rt4/sbin/…/lib/RT/User.pm 699 with: Disabled: , EmailAddress: , Gecos: 20006587, Name: 20006587, Privileged: 1 (/opt/rt4/sbin/…/lib/RT/User.pm:735)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt4/sbin/…/lib/RT/User.pm:743)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to use this canonicalization key: Name (/opt/rt4/sbin/…/lib/RT/User.pm:752)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: LDAP Search === Base: o=corp.mycopr.com == Filter: (&(objectClass=privperson)(uid=20006587)) == Attrs: cn,mail,uid (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:405)
[13620] [Wed Dec 7 16:42:10 2016] [info]: RT::User::CanonicalizeUserInfoFromExternalAuth returning Disabled: , EmailAddress: user@ext.mycopr.com, Gecos: 20006587, Name: 20006587, Privileged: 1, RealName: user (/opt/rt4/sbin/…/lib/RT/User.pm:811)
[13620] [Wed Dec 7 16:42:10 2016] [error]: Couldn't create user 20006587: Email address in use (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:355)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13620] [Wed Dec 7 16:42:10 2016] [error]: FAILED LOGIN for 20006587 from 10.1.29.3 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
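The two login attempts above contain everything needed to see what went wrong, but it is spread over many debug lines. The following is an added example (it is not part of the post and not RT's own code): a small Python parser for RT's log format, `[pid] [timestamp] [level]: message (file:line)`, that groups the entries of each attempt by PID, extracts the facts that decide the outcome (username, autocreate, password validation result, DoAuth response, creation error) and turns them into a short diagnosis. The sample entries are the ones from the post, joined onto single lines with the `/opt/rt4/sbin/…` paths shortened; the third attempt (PID 13621, user `jdoe`, response text `ok`) is constructed as a successful contrast case and is not from the post.

```python
import re

# Constructed sample: entries from the post above (PIDs 13619 and 13620) plus one
# constructed successful attempt (PID 13621) for contrast. Paths are shortened.
SAMPLE_LOG = """\
[13619] [Wed Dec 7 16:42:02 2016] [debug]: UserExists params: username: 20006587 , service: My_LDAP (/opt/rt4/lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13619] [Wed Dec 7 16:42:02 2016] [info]: Autocreated external user 20006587 ( 716 ) (/opt/rt4/lib/RT/Authen/ExternalAuth.pm:358)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Password Validation Check Result: 1 (/opt/rt4/lib/RT/Authen/ExternalAuth.pm:385)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13619] [Wed Dec 7 16:42:02 2016] [error]: FAILED LOGIN for 20006587 from 10.1.29.3 (/opt/rt4/lib/RT/Interface/Web.pm:826)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: UserExists params: username: 20006587 , service: My_LDAP (/opt/rt4/lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13620] [Wed Dec 7 16:42:10 2016] [error]: Couldn't create user 20006587: Email address in use (/opt/rt4/lib/RT/Authen/ExternalAuth.pm:355)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13620] [Wed Dec 7 16:42:10 2016] [error]: FAILED LOGIN for 20006587 from 10.1.29.3 (/opt/rt4/lib/RT/Interface/Web.pm:826)
[13621] [Wed Dec 7 16:50:00 2016] [debug]: UserExists params: username: jdoe , service: My_LDAP (/opt/rt4/lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13621] [Wed Dec 7 16:50:00 2016] [debug]: Password Validation Check Result: 1 (/opt/rt4/lib/RT/Authen/ExternalAuth.pm:385)
[13621] [Wed Dec 7 16:50:00 2016] [debug]: Autohandler called ExternalAuth. Response: (1, ok) (/opt/rt4/share/html/Elements/DoAuth:58)
"""

# One RT log entry: "[pid] [timestamp] [level]: message (file:line)". The location
# suffix is optional and never contains parentheses, so a lazy message group is safe.
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
    r"(?P<msg>.*?)(?: \((?P<loc>[^()]*:\d+)\))?$"
)


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_attempts(log_text):
    """Group entries by PID (one login attempt per PID here) and pull out the decisive facts."""
    attempts = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        a = attempts.setdefault(e["pid"], {
            "username": None, "autocreated_id": None, "password_ok": None,
            "response": None, "create_error": None, "failed_login": False,
        })
        msg = e["msg"]
        if (m := re.match(r"UserExists params: username: (\S+) ,", msg)):
            a["username"] = m.group(1)
        elif (m := re.match(r"Autocreated external user (\S+) \( (\d+) \)", msg)):
            a["autocreated_id"] = int(m.group(2))
        elif (m := re.match(r"Password Validation Check Result: (\d)", msg)):
            a["password_ok"] = m.group(1) == "1"
        elif (m := re.match(r"Autohandler called ExternalAuth\. Response: \((\d+), (.*)\)$", msg)):
            a["response"] = (int(m.group(1)), m.group(2))
        elif (m := re.match(r"Couldn.t create user (\S+): (.*)", msg)):
            a["create_error"] = m.group(2)
        elif msg.startswith("FAILED LOGIN for"):
            a["failed_login"] = True
    return attempts


def diagnose(a):
    """Explain a failed attempt from the facts RT logged; an empty list means nothing suspicious."""
    findings = []
    if a["password_ok"] and a["response"] == (0, "No User"):
        findings.append("LDAP password validation succeeded but RT could not load the user it had just validated")
    if a["username"] and a["username"].isdigit():
        findings.append("username is all digits; RT's name-or-id loaders treat it as a numeric user id")
    if a["create_error"] == "Email address in use":
        findings.append("a user with this email already exists (earlier autocreate), so re-creation fails")
    if a["autocreated_id"] is not None and a["failed_login"]:
        findings.append(f"user row {a['autocreated_id']} was created during a failed login and is probably orphaned")
    return findings


if __name__ == "__main__":
    for pid, attempt in summarize_attempts(SAMPLE_LOG).items():
        print(pid, attempt["username"], attempt["response"], diagnose(attempt) or "ok")
```

Run against a full rt.log the same way (`summarize_attempts(open("/var/log/rt.log").read())`); the orphaned-row finding is the one to act on, because every later attempt for that user will hit "Email address in use" until the orphan is removed.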

First login :

[13619] [Wed Dec 7 16:42:02 2016] [debug]: UserExists params: username: 20006587 , service: My_LDAP
I think you may have a problem here. This has come up on the mailing list
a few times, but I think that usernames can't start with a number.
Can you try with a 'regular' username consisting of only letters?

Regards,

Joop

Hi Joop,

Thank you for your quick answer.
We have tested with a non-numerical username and the result is OK.
Well, in my organisation we use the LDAP uid for the username. Any suggestion
to resolve this issue?

Please keep the list in the loop.

I think the problem is in the function(s) which load the user info.
These functions take a name OR an id and then load the corresponding
info. When usernames are IDs that doesn’t work any more. Other than
patching all functions which use this I don’t see another solution than
to change the use of uid as a username, sorry.

Joop

Hi,

You could either use another unique attribute, i.e. mail, or add another
uid to each RT user prefixed by a letter.

dn: uid=123456,dc=my,dc=domain
uid: 123456
uid: x123456

Best Regards

Martin


RT 4.4 and RTIR training sessions, and a new workshop day!
https://bestpractical.com/training

  • Los Angeles - January 9-11 2017
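Joop's point (the loaders take a name OR an id, so an all-digit username is read as an id) and Martin's workaround (a second uid value prefixed by a letter) can be checked together before touching the directory. The following is an added example, not code from the thread and not RT's own code: a Python model of the name-or-id ambiguity as Joop describes it (assumption of this example: an identifier consisting only of digits is looked up as a numeric RT user id, anything else as a Name), a scan that flags login names which would be misread, a simulated lookup that reproduces the "No User" outcome for the user row autocreated as id 716, and a generator for the LDIF modify record Martin's suggestion needs. The DN and user ids are the ones from the thread; `x` as prefix is Martin's choice.

```python
import re


def rt_load_key(identifier: str):
    """Model of the name-or-id loader: ("id", int) for all-digit identifiers, else ("name", str).
    This mirrors Joop's description, not RT's source (assumption of this example)."""
    if re.fullmatch(r"\d+", identifier):
        return ("id", int(identifier))
    return ("name", identifier)


def numeric_usernames(usernames):
    """Return the login names that the loader would treat as numeric ids."""
    return [u for u in usernames if rt_load_key(u)[0] == "id"]


def simulate_lookup(existing_users: dict, login_name: str):
    """existing_users maps RT user id -> Name. Return the Name RT would find, or None."""
    kind, key = rt_load_key(login_name)
    if kind == "id":
        return existing_users.get(key)          # primary-key lookup, ignores Name
    return next((n for n in existing_users.values() if n == login_name), None)


def alias_uid(uid: str, prefix: str = "x") -> str:
    """Second uid value that cannot be mistaken for a number (refuses an all-digit prefix)."""
    alias = f"{prefix}{uid}"
    if rt_load_key(alias)[0] == "id":
        raise ValueError("prefix must contain a non-digit character")
    return alias


def ldif_add_alias(dn: str, uid: str, prefix: str = "x") -> str:
    """LDIF changetype=modify record adding the aliased uid to an existing entry."""
    alias = alias_uid(uid, prefix)
    return "\n".join([f"dn: {dn}", "changetype: modify", "add: uid", f"uid: {alias}", "-", ""])


if __name__ == "__main__":
    # The row RT autocreated in the post: id 716, Name "20006587".
    rt_users = {716: "20006587"}
    print("lookup by numeric login:", simulate_lookup(rt_users, "20006587"))   # None -> "No User"
    print("flagged:", numeric_usernames(["20006587", "jdoe", "x123456"]))
    print(ldif_add_alias("uid=123456,dc=my,dc=domain", "123456"))
```

Feed the LDIF to `ldapmodify` only after running `numeric_usernames` over the full uid list, so that every account that needs an alias gets one. If `uid` becomes multi-valued, also check which value the directory returns first for the attribute mapped to `Name`, and make the login name (the aliased one) the value RT ends up with.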

Well,

I will try to use user mail for authentication.

Here is the conf I tested without success :(

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap://ypmycorpldap.corp.mycorp.com',
        'user'   => 'uid=mycorp-rtir-reader,ou=applicationAccounts,o=corp.mycorp.com',
        'pass'   => 'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',
        'base'   => 'o=corp.mycorp.com',
        'filter' => '(objectClass=person)',
        'tls'    => { verify => "require", cafile => "/etc/pki/tls/mycorp_CERTIFICATE_CHAIN.crt" },
        'net_ldap_args' => [ version => 3, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'         => 'mail',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

Regards

LDAP logs show that the user is retrieved, but there is no bind.

SRCH base="o=corp.mycorp.com" scope=2 filter="(&(objectClass=privperson)(mail=claude.eduma@ext.mycorp.com))" attrs="cn mail mail"
[09/Dec/2016:14:16:47 +0100] conn=9480527 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0

Regards.

Hi,

Looks like an LDAP ACL issue: is your LDAP search user able to access the
users' mail attribute?

Best Regards

Martin

Hi,

Sorry, please disregard my last response, the user account has been
found.
Could you post the RT logs please?

Best Regards

Martin

Hi,

Sorry, I used the shredder to remove all users from RT's user DB, and now it
works fine.

Thank you everyone for your help.

Regards,
