RT and LDAP authentication (Win2k AD)

I have set this up according to

http://wiki.bestpractical.com/?LDAP

and it is updating the user information from AD on login but I can’t log
on with any AD passwords - I have to use the RT internal passwords - any
ideas? Possibly TLS not working? But then I’d assume I wouldn’t get an
LDAP connection at all and the user information update wouldn’t work. If
I try to auto-create an AD user in RT by just logging in, the logs say:

[Fri Aug 11 03:49:33 2006] [warning]: Transaction->Create couldn’t, as
you didn’t specify an object type and id
(/usr/local/rt/lib/RT/Record.pm:1466)
[Fri Aug 11 03:49:33 2006] [error]: FAILED LOGIN for user from
192.168.0.100 (/usr/local/rt/share/html/autohandler:238)

Philip Kime
NOPS Systems Architect
310 401 0407

Did you double check the settings for the external Auth?

Enable/Disable LDAP services

Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Philip Kime
Sent: Thursday, August 10, 2006 11:30 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

I have set this up according to

http://wiki.bestpractical.com/?LDAP

and it is updating the user information from AD on login but I can’t log on with any AD passwords - I have to use the RT internal passwords - any ideas? Possibly TLS not working? But then I’d assume I wouldn’t get an LDAP connection at all and the user information update wouldn’t work. If I try to auto-create an AD user in RT by just logging in, the logs say:

[Fri Aug 11 03:49:33 2006] [warning]: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/local/rt/lib/RT/Record.pm:1466)
[Fri Aug 11 03:49:33 2006] [error]: FAILED LOGIN for user from 192.168.0.100 (/usr/local/rt/share/html/autohandler:238)

Philip Kime
NOPS Systems Architect
310 401 0407

Yes, both set …

DEBUG output doesn’t tell me anything, just that it failed to authenticate.

PK-----Original Message-----
From: Helmuth Ramirez [mailto:HelmuthRamirez@compupay.com]
Sent: 11 August 2006 07:00
To: Philip Kime; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

Did you double check the settings for the external Auth?

Enable/Disable LDAP services

Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Philip Kime
Sent: Thursday, August 10, 2006 11:30 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

I have set this up according to

http://wiki.bestpractical.com/?LDAP

and it is updating the user information from AD on login but I can’t log on with any AD passwords - I have to use the RT internal passwords - any ideas? Possibly TLS not working? But then I’d assume I wouldn’t get an LDAP connection at all and the user information update wouldn’t work. If I try to auto-create an AD user in RT by just logging in, the logs say:

[Fri Aug 11 03:49:33 2006] [warning]: Transaction->Create couldn’t, as you didn’t specify an object type and id (/usr/local/rt/lib/RT/Record.pm:1466)
[Fri Aug 11 03:49:33 2006] [error]: FAILED LOGIN for user from 192.168.0.100 (/usr/local/rt/share/html/autohandler:238)

Philip Kime
NOPS Systems Architect
310 401 0407

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the user
to autocreate accounts from AD info. You can’t autocreate from web login
using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

If you would like local RT accounts to be automatically created upon
first web login you’ll need to use Jim’s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the
user to autocreate accounts from AD info. You can’t autocreate from web
login using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

You could always import all your AD users, assuming that’s where most
(if not all) your tickets will be coming from. Then you don’t have to
worry about them sending an e-mail the first time.From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Matt
Nichols
Sent: Friday, August 11, 2006 1:58 PM
To: eric.valor@daimlerchrysler.com; rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

If you would like local RT accounts to be automatically created upon
first web login you’ll need to use Jim’s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the
user to autocreate accounts from AD info. You can’t autocreate from web
login using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

We thought of this but I didn’t want to keep up with new hires. Now, If
they’ve got an account in AD (anyone who would be using RT does) it’s
all transparent.From: Helmuth Ramirez [mailto:HelmuthRamirez@compupay.com]
Sent: Friday, August 11, 2006 1:04 PM
To: Matt Nichols; eric.valor@daimlerchrysler.com;
rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

You could always import all your AD users, assuming that’s where most
(if not all) your tickets will be coming from. Then you don’t have to
worry about them sending an e-mail the first time.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Matt
Nichols
Sent: Friday, August 11, 2006 1:58 PM
To: eric.valor@daimlerchrysler.com; rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

If you would like local RT accounts to be automatically created upon
first web login you’ll need to use Jim’s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the
user to autocreate accounts from AD info. You can’t autocreate from web
login using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

I set up LDAP authentication against W2K3 AD and have both
Web-first-time-login and email-first users autocreated. To the original
posting:

but I can’t log on with any AD passwords - I have to use the RT internal
passwords - any ideas?

I wonder if the lines:

What auth methods do you like and in what order?

Set($AuthMethods, [‘LDAP’, ‘Internal’]);

Are in the the etc/RT_SiteConfig.pm

Sounds like the system is set to Internal first. The users are getting
created, but then the system isn’t letting you login.

-Erik

I have a cron job running every morning at 4am to sync up with AD
because of the whole ‘new hire’ issueFrom: Matt Nichols [mailto:mnichols@wayport.net]
Sent: Friday, August 11, 2006 2:06 PM
To: Helmuth Ramirez; eric.valor@daimlerchrysler.com;
rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

We thought of this but I didn’t want to keep up with new hires. Now, If
they’ve got an account in AD (anyone who would be using RT does) it’s
all transparent.

From: Helmuth Ramirez [mailto:HelmuthRamirez@compupay.com]
Sent: Friday, August 11, 2006 1:04 PM
To: Matt Nichols; eric.valor@daimlerchrysler.com;
rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

You could always import all your AD users, assuming that’s where most
(if not all) your tickets will be coming from. Then you don’t have to
worry about them sending an e-mail the first time.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Matt
Nichols
Sent: Friday, August 11, 2006 1:58 PM
To: eric.valor@daimlerchrysler.com; rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

If you would like local RT accounts to be automatically created upon
first web login you’ll need to use Jim’s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the
user to autocreate accounts from AD info. You can’t autocreate from web
login using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Besides, users normally have their first interaction with RT by sending an
email to “support@…” or whatever your alias is…

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

“Matt Nichols” mnichols@wayport.net
08/11/2006 11:06 AM

To
"Helmuth Ramirez" HelmuthRamirez@compupay.com,
eric.valor@daimlerchrysler.com, rt-users@lists.bestpractical.com
cc
pkime@Shopzilla.com
Subject
RE: [rt-users] RT and LDAP authentication (Win2k AD)

We thought of this but I didn?t want to keep up with new hires. Now, If
they?ve got an account in AD (anyone who would be using RT does) it?s all
transparent.From: Helmuth Ramirez [mailto:HelmuthRamirez@compupay.com]
Sent: Friday, August 11, 2006 1:04 PM
To: Matt Nichols; eric.valor@daimlerchrysler.com;
rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

You could always import all your AD users, assuming that’s where most (if
not all) your tickets will be coming from. Then you don’t have to worry
about them sending an e-mail the first time.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Matt
Nichols
Sent: Friday, August 11, 2006 1:58 PM
To: eric.valor@daimlerchrysler.com; rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: RE: [rt-users] RT and LDAP authentication (Win2k AD)

If you would like local RT accounts to be automatically created upon first
web login you?ll need to use Jim?s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the user
to autocreate accounts from AD info. You can’t autocreate from web login
using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

Hmm… Missed that. I knew Jim had promised me “soon” a few months back.

Kudos Jim!

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

“Matt Nichols” mnichols@wayport.net
08/11/2006 10:58 AM

To
eric.valor@daimlerchrysler.com, rt-users@lists.bestpractical.com
cc
pkime@Shopzilla.com
Subject
RE: [rt-users] RT and LDAP authentication (Win2k AD)

If you would like local RT accounts to be automatically created upon first
web login you?ll need to use Jim?s
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback in
conjunction with the LDAP overlay.From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
eric.valor@daimlerchrysler.com
Sent: Friday, August 11, 2006 12:17 PM
To: rt-users@lists.bestpractical.com
Cc: pkime@Shopzilla.com
Subject: [rt-users] RT and LDAP authentication (Win2k AD)

AFAIK, and IIRC, Jim Meyer’s code requires an initial email from the user
to autocreate accounts from AD info. You can’t autocreate from web login
using his code.

Make sure your users have email addies configured in their AD records.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

I upgraded to Jim’s newest User_Local.pm and added the
LdapAutocreateAuthCallback, and I get this when trying to log in via web
with a new user:

error:
Can’t call method “new” without a package or object reference at
/usr/share/request-tracker3.4/lib/RT/Transaction_Overlay.pm line 910.
context:

906:
}
907:

908:
sub Object {
909:
my $self = shift;
910:
my $Object = $self->__Value(‘ObjectType’)->new($self->CurrentUser);
911:
$Object->Load($self->__Value(‘ObjectId’));
912:
return($Object);
913:
}
914:

code stack:
/usr/share/request-tracker3.4/lib/RT/Transaction_Overlay.pm:910
/usr/share/request-tracker3.4/lib/RT/Transaction_Overlay.pm:881
/usr/share/request-tracker3.4/lib/RT/Transaction_Overlay.pm:865
/usr/share/request-tracker3.4/lib/RT/Transaction_Overlay.pm:485
/usr/share/request-tracker3.4/lib/RT/User_Overlay.pm:1623
/usr/share/perl5/DBIx/SearchBuilder/Record.pm:438
/usr/local/share/request-tracker3.4/html/Callbacks/LDAP/autohandler/Auth:15
/usr/share/request-tracker3.4/html/Elements/Callback:70
/usr/share/request-tracker3.4/html/autohandler:180

From rt.log:

[warning]: Transaction->Create couldn’t, as you didn’t specify an object
type and id (/usr/share/request-tracker3.4/lib/RT/Record.pm:1393)

Current users (and autocreate on email) still works.

My RT_SiteConfig is good, and I’ve removed cached Mason objects. I’m
using the Debian Sarge RT package.

Eric N. Valor
Information Technology Manager
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :