(RT::Authen::ExternalAuth) "email exists" problem authenticating through AD

Hello

I’m using version 4.0.13 of RT.
I’m trying to authenticate via an AD.

As you can see in the log output, I successfully find the user, BUT I get an
error "Couldn’t create user myuser " which I don’t understand, because YES, the
user exists, but I just want to authenticate, not recreate a user.

Any idea?

You can find both the logs and the configuration below.

==== Debug Logs Output ====

[Thu Jul 4 09:59:08 2013] [debug]: Attempting to use external auth
service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:186)

[Thu Jul 4 09:59:08 2013] [debug]: Calling UserExists with $username
(myuser ) and $service (My_LDAP)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:227)

[Thu Jul 4 09:59:08 2013] [debug]: UserExists params:
username: 791286 , service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)

[Thu Jul 4 09:59:08 2013] [debug]: LDAP Search === Base:
dc=mydomain,dc=local == Filter:
(&(&(ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser)) ==
Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)

[Thu Jul 4 09:59:08 2013] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by
RT::Authen::ExternalAuth
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
675 with: Disabled: , EmailAddress: , Gecos: myuser , Name: myuser ,
Privileged:
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:572)

[Thu Jul 4 09:59:08 2013] [debug]: Attempting to get user info using this
external service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:580)

[Thu Jul 4 09:59:08 2013] [debug]: Attempting to use this canonicalization
key: Name
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:594)

[Thu Jul 4 09:59:08 2013] [debug]: LDAP Search === Base:
dc=mydomain,dc=local == Filter:
(&(&(ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser )) ==
Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)

[Thu Jul 4 09:59:08 2013] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City:
Paris, Country: France, Disabled: , EmailAddress: myaddress@mydomain.com,
ExternalAuthId: myuser , Gecos: myuser , Name: myuser , Organization: ,
Privileged: , RealName: John DOE, State: , WorkPhone: myTel, Zip:
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:658)

[Thu Jul 4 09:59:08 2013] [error]: Couldn’t create user myuser : Email
address in use
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:251)

[Thu Jul 4 09:59:08 2013] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:16)
[Thu Jul 4 09:59:08 2013] [error]: FAILED LOGIN for myuser from
XX.xxx.XXX.xx (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:753)

==== End Debug Logs Output ====

==== Configuration ====

External Authentication Configuration

Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        'type'             => 'ldap',
        'server'           => 'myserver',
        'user'             => 'myuser',
        'pass'             => 'password',
        'base'             => 'dc=domain,dc=local',
        'filter'           => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'         => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'group'            => 'OU=Users & Clients,OU=MyPrincipalOU,OU=FR,DC=mydomain,DC=local',
        'group_attr'       => 'member',
        'tls'              => 0,
        'ssl_version'      => 3,
        'net_ldap_args'    => [ version => 3 ],
        'group_scope'      => 'base',
        'group_attr_value' => '*',
        'attr_match_list'  => [
            'Name',
            'EmailAddress',
            'RealName',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});


# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
#Set(@Plugins,(qw(RT::Extension::QuickDelete RT::Extension::CommandByMail)));
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
1;
==== End Of Configuration ====

As you can see in the log output, I successfully find the user, BUT I get an error "Couldn’t
create user myuser " which I don’t understand, because YES, the user exists, but I just want to
authenticate, not recreate a user.

Does the user exist with a matching Email Address AND username? Or is
the username different?

Also, as documented, you probably shouldn’t be using RealName here:

'attr_match_list' => [
    'Name',
    'EmailAddress',
    'RealName',
],

It means you can’t have two users named Kevin Falcone in your RT.

-kevin

Hi,

Both AD and RT have a user with matching email and username.

Regarding RealName, yes, I read about it, but in my case real names are
NEVER the same: they use Kevin FALCONE, KEVIN A FALCONE, KEVIN B FALCONE,
and so on. But yes, you’re right about what’s documented.

Max

Hello,

Anyone with an idea?
I’ve tried many times without any success.

Thanks for your help.

Max

Cordialement,

Maximilien DROUET
Consultant Systèmes & Réseaux
RANDCO, Cabinet de conseil en Réseau, Sécurité & Systèmes
19 Rue Pierre LESCOT
75001 Paris
Mob. 06.30.91.70.09
Fax. 01.72.74.44.01

(&(&(ObjectCategory=User)(ObjectClass=Person))(sAMAccountName=myuser ))

If you execute this LDAP search directly against your directory with the
same base dn as given in the logs, does it find the user?

Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

Hi,

Let me try; I have never used ldapsearch before, so I need to check the syntax.

Cordialement,

Maximilien DROUET

Hi,

Yes, the user is found and the data is retrieved correctly (i.e. address, zip,
etc.).

Any other idea?

Cordialement,

Maximilien DROUET

Any other idea?

Yes. As Kevin indicated, I would start with your ‘attr_match_list’. On
your testing/development RT instance, try running it with just:

'attr_match_list' => [ 'Name' ],

and see if the user can log in. Tell us what happens.

Also, judging from the “Couldn’t create user myuser : Email address in
use” error I would guess some other user has that email address. Try
searching for users with that email address in RT and tell us what you find.

Good luck.

Nathan

Hi,

Unfortunately, same problem with this filter :(

Regarding the address, I tried many times, even a fresh install :(

Same problem.

Cordialement,

Maximilien DROUET

Hello,

To be more specific, when I remove the user, at the next login RT creates the
user again with the right values (i.e. Name, ZIP code, etc.) but fails at the
authentication step.

Here are the debug logs for that specific scenario.

[Wed Jul 31 09:54:41 2013] [debug]: Loading new user ( myUser ) into
current session
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:287)

[Wed Jul 31 09:54:41 2013] [debug]: Password validation required for
service - Executing…
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:304)

[Wed Jul 31 09:54:41 2013] [debug]: Trying external auth service: My_LDAP
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)

Regards

Cordialement,

Maximilien

Maximilien

To be more specific, when I remove the user, at the next login RT creates the
user again with the right values (i.e. Name, ZIP code, etc.) but fails at the
authentication step.

IIRC you are using RT::Authen::ExternalAuth, right? That extension
authenticates by attempting to bind to the LDAP server with the
credentials entered by the user. But before it tries to bind, it first
looks up the user in LDAP anonymously. This is consistent with what
you are seeing. Here’s what I see in my log when a known user attempts
to login and fails:

Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can’t bind:
LDAP_INVALID_CREDENTIALS 49 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

And this is the log when an unknown (to RT) user attempts to login and fails:
Jul 29 13:06:44 myserv RT:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: , Gecos: myuser, Name: myuser, Privileged:
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:665)
Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)
Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can’t bind:
LDAP_INVALID_CREDENTIALS 49 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

Note that it first creates the user in RT. Only then does it attempt to bind.

Now, in my case the bind fails because the user’s credentials are
wrong. But this is not the only possible failure modality. There are
any number of reasons why bind might be failing.

Can you bind to the LDAP server using the ‘ldapsearch’ command? If you
can get bind to work that way, first, that would be a start. In my
case, the successful ldapsearch command looked something like this:

ldapsearch -LLL -H ldaps://login.example.com -x
-D cn=myuser,ou=users,dc=example,dc=com -W
-b ou=users,dc=example,dc=com uid=myuser

(Note that you have to know myuser’s password – and enter it
correctly – for this to work.)

Hope this helps.

Nathan
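The sequence Nathan describes (load the RT user by Name; if it is absent, fetch the attributes from the directory and create it; only then bind as the user), together with the earlier guess that another RT record already holds the email address, as an added Python model. This is illustrative code written for this page, not the extension's own Perl: the directory entries, passwords and RT user table are constructed sample data (the attribute values for myuser are the ones the debug log above shows CanonicalizeUserInfo returning), and the bind is simulated with a password lookup.

```python
"""Added model of the RT::Authen::ExternalAuth login sequence discussed in the thread.
Not the extension's Perl code: an illustrative Python simulation with constructed data."""
from dataclasses import dataclass, field

# Constructed directory entries, keyed by sAMAccountName. The values for 'myuser'
# are the ones the debug log above shows CanonicalizeUserInfo returning.
DIRECTORY = {
    "myuser": {"sAMAccountName": "myuser", "mail": "myaddress@mydomain.com",
               "cn": "John DOE", "l": "Paris", "co": "France"},
    "jsmith": {"sAMAccountName": "jsmith", "mail": "jsmith@mydomain.com",
               "cn": "Jane Smith", "l": "Lyon", "co": "France"},
}
# Constructed passwords used by the simulated bind (a real bind goes to the DC)
DIRECTORY_PASSWORDS = {"myuser": "correct-horse", "jsmith": "battery-staple"}

# Subset of the thread's attr_map: RT field -> LDAP attribute
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn",
            "City": "l", "Country": "co"}


@dataclass
class RTUser:
    Name: str
    EmailAddress: str
    RealName: str = ""
    City: str = ""
    Country: str = ""


@dataclass
class RTUserTable:
    """Stand-in for RT's Users table with the two lookups the login path needs."""
    users: list = field(default_factory=list)

    def load_by_name(self, name):
        return next((u for u in self.users if u.Name == name), None)

    def email_owner(self, email):
        # Email addresses are compared case-insensitively here (assumption).
        return next((u for u in self.users if u.EmailAddress.lower() == email.lower()), None)

    def create(self, info):
        """Refuse to reuse an address, like the 'Email address in use' error in the log."""
        owner = self.email_owner(info["EmailAddress"])
        if owner is not None:
            return None, (f"Couldn't create user {info['Name']}: "
                          f"Email address in use (held by '{owner.Name}')")
        user = RTUser(**info)
        self.users.append(user)
        return user, f"Autocreated external user {user.Name}"


def canonicalize_user_info(username):
    """Step 2: the lookup with the service account that fills RT fields via attr_map."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    return {rt_field: entry.get(ldap_attr, "") for rt_field, ldap_attr in ATTR_MAP.items()}


def bind_as_user(username, password):
    """Step 3: simulated bind with the credentials typed into the login form."""
    return DIRECTORY_PASSWORDS.get(username) == password


def login(rt, username, password):
    """Steps 1-3 in the order Nathan describes; returns the message a log would show."""
    user = rt.load_by_name(username)                      # step 1: existing RT user?
    if user is None:
        info = canonicalize_user_info(username)          # step 2: fetch and create
        if info is None:
            return "No User"
        user, msg = rt.create(info)
        if user is None:
            return msg                                   # never reaches the bind
    if not bind_as_user(username, password):             # step 3: authenticate
        return f"AUTH FAILED {username} (can't bind: LDAP_INVALID_CREDENTIALS 49)"
    return f"Login OK for {username}"


if __name__ == "__main__":
    # A stale record holding myuser's address under another Name blocks login
    # before any bind happens; list the owner to know which record to fix.
    stale = RTUserTable([RTUser("jdoe", "myaddress@mydomain.com")])
    print(login(stale, "myuser", "correct-horse"))
    print("address held by:", stale.email_owner("myaddress@mydomain.com").Name)
```

Two things the model makes visible that the log lines alone do not: a record that holds the same address under a different Name stops the login at the create step, so no bind is ever attempted and the directory sees nothing; and an unknown user is created in RT even when the subsequent bind fails, which is the "Autocreated external user" followed by "AUTH FAILED" pair in Nathan's second log.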

Hi

You are right, I’m using RT::Authen::ExternalAuth.

It binds, because I receive all the additional fields and it even creates the
user with those.

The problem is really focused on the authentication step and I can’t understand
why :(

It binds, because I receive all the additional fields and it even creates the
user with those.

Yes, it binds, but anonymously. All the information fields are first
retrieved that way. Only then does the authentication phase start,
when it attempts to bind as the user with the password that the user
enters in the login window.

The problem is really focused on the authentication step and I can’t understand
why :(

Yes, so the question is (once again): can you bind as the user and
with the user’s password from the command line?

Hi Nathan,

After many searches with your help and our AD administrator, we found that
the account was not authorized.

I was given another one and now the command line binds and authenticates well,
but no chance with RT. Here is the command line:

ldapsearch -LLL -H ldap://myserver.mydomain.local -x -D 'mydomain\ldapuser'
-W -b ou=FR,dc=mydomain,dc=local uid=mysuer

and the output.

dn: CN=Firstname Lastname,OU=z - y - x,OU=city,OU=Users &
Clients,OU=mydomain,OU=FR,DC=mydomain,DC=local
v
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Firstname Lastname
sn: Lastname
c: FR
l: city
title: myTitle
postalCode: Zipcode
physicalDeliveryOfficeName: z - y - x
telephoneNumber: myTelephonenumber
givenName: FirstName
distinguishedName: CN=Firstname Lastname,OU=z - y - x,OU=city,OU=Users &
Clients,OU=mydomain,OU=FR,
DC=mydomain,DC=local
instanceType: 4
whenCreated: 20100701014148.0Z
whenChanged: 20130821001737.0Z
displayName: Firstname Lastname
uSNCreated: 73679
memberOf: CN=LL.microsoftproject,OU=SDG Groups,DC=mydomain,DC=local
memberOf: CN=LL.Crystal.Reports.XI,OU=SDG Groups,DC=mydomain,DC=local
memberOf: CN=LL.IE8,OU=SDG Groups,DC=mydomain,DC=local
memberOf: CN=LL.itop,OU=Groups,OU=mydomain,OU=FR,DC=mydomain,DC=local
memberOf: CN=LL.msvisio2003,OU=SDG Groups,DC=mydomain,DC=local
memberOf: CN=LL.ClickToCall,OU=SDG Groups,DC=mydomain,DC=local
memberOf:
CN=mydomain.LL.dsi,OU=Groups,OU=mydomain,OU=FR,DC=mydomain,DC=local
uSNChanged: 10019507
co: FRANCE
department: z - y - x
streetAddress: myaddress
name: Firstname Lastname
objectGUID:: l8cI/GO3KEOyA0E8neccKA==
userAccountControl: 544
badPwdCount: 0
codePage: 0
countryCode: 250
badPasswordTime: 130215493735596806
lastLogoff: 0
lastLogon: 130214762950697235
pwdLastSet: 130214610102266437
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAEQz3vwuoUpdtKTGZJPEAAA==
accountExpires: 130251384000000000
logonCount: 197
sAMAccountName: mysuer
sAMAccountType: 805306368
userPrincipalName: mymail
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=local
dSCorePropagationData: 20130524093118.0Z
dSCorePropagationData: 20130523093743.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 130214610103032919
uid: mysuer
mail: mymail

I’m quite confused by the RT configuration file and its options; even
looking at the documentation I’m a little bit lost, so maybe the problem is
there.

Here is the RT_Config extract:

External Authentication Configuration

Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        'type'             => 'ldap',
        'server'           => 'myserver.mydomain.local',
        'user'             => 'ldapaccount',
        'pass'             => 'ldapaccountpassword',
        'base'             => 'ou=FR,dc=mydomain,dc=local',
        'filter'           => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter'         => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'group'            => 'OU=Users & Clients,OU=MYDOMAIN,OU=FR,DC=mydomain,DC=local',
        'group_attr'       => 'member',
        'tls'              => 0,
        'ssl_version'      => 3,
        'net_ldap_args'    => [ version => 3 ],
        'group_scope'      => 'base',
        'group_attr_value' => '*',
        'attr_match_list'  => [ 'Name' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

Any other idea?

Regards

Maximilien
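To check offline what the configured 'filter' and 'd_filter' select from the entry above, here is an added Python evaluator for the subset of LDAP filter syntax this configuration uses (AND, OR, NOT, equality, presence, and the two Active Directory bitwise matching rules). It is example code written for this page, not part of RT or RT::Authen::ExternalAuth; the entry is a constructed copy of a few attributes from the ldapsearch output, and the objectCategory alias table is an assumption standing in for the schema lookup a domain controller performs.

```python
"""Added evaluator for the LDAP filter subset used in the thread's RT configuration.
Example code written for this page, not part of RT or RT::Authen::ExternalAuth."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # AD matching rule: all mask bits set
BIT_OR = "1.2.840.113556.1.4.804"    # AD matching rule: any mask bit set

# AD resolves a class name given as objectCategory to that class's
# defaultObjectCategory (CN=Person for the 'user' class). This table is an
# assumption standing in for the schema lookup a domain controller performs.
DEFAULT_OBJECT_CATEGORY = {
    "user": "CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=local",
    "person": "CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=local",
}

# A few userAccountControl bits (values as documented for the AD schema)
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

# Constructed subset of the entry the ldapsearch above returned (attribute
# names lower-cased, values kept as lists because LDAP attributes are multi-valued)
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "user"],
    "objectcategory": ["CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=local"],
    "samaccountname": ["mysuer"],
    "useraccountcontrol": ["544"],
    "mail": ["mymail"],
}

# attr[:rule]:=value  or  attr=value
ITEM = re.compile(r"([^:=]+)(?::([\d.]+))?:?=(.*)")


def split_parenthesised(s):
    """Split '(a)(b(c))' into ['(a)', '(b(c))'] by tracking parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(s[start:i + 1])
            start = i + 1
    return parts


def parse(s):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('item', attr, rule, value)."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {s!r}")
    body = s[1:-1]
    if body[:1] in ("&", "|", "!"):
        return (body[0], [parse(p) for p in split_parenthesised(body[1:])])
    m = ITEM.fullmatch(body)
    if not m:
        raise ValueError(f"unsupported filter item: ({body})")
    return ("item", m.group(1), m.group(2), m.group(3))


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr.lower(), [])
    if rule in (BIT_AND, BIT_OR):
        mask = int(value)
        return any(((int(v) & mask) == mask) if rule == BIT_AND else bool(int(v) & mask)
                   for v in values)
    if value == "*":                      # presence test
        return bool(values)
    if attr.lower() == "objectcategory":  # class name -> defaultObjectCategory DN
        value = DEFAULT_OBJECT_CATEGORY.get(value.lower(), value)
    return any(v.lower() == value.lower() for v in values)


def filter_matches(filter_str, entry=ENTRY):
    return matches(parse(filter_str), entry)


def uac_flags(value):
    """Decode a userAccountControl integer into named flags, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    print("filter:  ", filter_matches("(&(ObjectCategory=User)(ObjectClass=Person))"))
    print("d_filter:", filter_matches("(userAccountControl:1.2.840.113556.1.4.803:=2)"))
    print("uac 544: ", uac_flags(544))
```

Against the posted entry the 'filter' matches and the 'd_filter' does not: userAccountControl 544 is 0x200 | 0x20, i.e. NORMAL_ACCOUNT plus PASSWD_NOTREQD, and the ACCOUNTDISABLE bit (0x2) is clear, so RT would not treat this account as disabled. PASSWD_NOTREQD is worth raising with the AD administrator independently of the RT problem, since it tells the directory that no password is required for the account. The domain controller remains authoritative; the evaluator only lets you reason about a filter without a directory in front of you.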

Hi,

After many searches, it works for some of my users and doesn’t work for some
others.
Is it possible that the parameter $RTAddressRegexp interferes with
RT::Authen::ExternalAuth?

On the Active Directory side there are no errors, only success logs.

Do you know about any other debug options I could use?

Thanks


Regards

Maximilien

Hi

Is it possible that the parameter $RTAddressRegexp interferes with
RT::Authen::ExternalAuth?

I doubt it.

On the Active Directory side there are no errors, only success logs.

Are you saying that a user attempts to log in, you see successful LDAP
bind on the LDAP server, and RT login fails? If so, please send us the
relevant debug-level RT log excerpt. Also the LDAP server log excerpt
if possible.

Do you know about any other debug options I could use?

I did notice that, after upgrading to RT 4.0.17 and ExternalAuth 0.12,
I get much more detailed debug-level log messages for ExternalAuth.

Hope this helps.

Nathan