We have an RT v4.4.2 running on CentOS 7.3. It was working fine until we installed a new root CA certificate. The new root CA works fine with other services. For example, we also have a Gitlab server which also uses LDAP/TLS to authenticate users, and that server works fine. So I know our SSL certs are working.
On this RT, Apache works fine with the new host certificates signed by the new CA. The login page loads up with the correct certificate. But users can't log in any more. Here is our config file and debug log, please help to troubleshoot this issue.
03_ldap.pm:
Plugin( "RT::Authen::ExternalAuth" );
Set( $WebFallbackToRTLogin, 1 );
Set( $ExternalAuthPriority, ['My_LDAP'] );
Set( $ExternalInfoPriority, ['My_LDAP'] );
Set( $ExternalSettings, {
    My_LDAP => {
        'type'   => 'ldap',
        'server' => 'ldap.hq.mydomain.com',
        'tls'    => {
            verify => 'require',
            cafile => '/etc/pki/ca-trust/source/anchors/root-ca.pem',
        },
        'base'            => 'ou=employees,ou=people,dc=hq,dc=mydomain,dc=com',
        'group'           => 'cn=users,ou=group,dc=hq,dc=mydomain,dc=com',
        'group_attr'      => 'member',
        'filter'          => '(objectClass=inetOrgPerson)',
        'attr_match_list' => ['Name'],
        'attr_map'        => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'MobilePhone'  => 'mobile'
        },
    },
});
Plugin( "RT::LDAPImport" );
# Connection Details
Set( $LDAPHost, 'ldap-01.hq.mydomain.com' );
Set( $LDapOptions, [ port    => 389,
                     scheme  => 'ldap', # Hopefully TLS support comes soon
                     raw     => qr/(\;binary)/,
                     version => 3,
                     verify  => 'required',
                     cafile  => '/etc/pki/ca-trust/source/anchors/root-ca.pem'
                   ]);
Set( $LDAPUser, 'uid=RTBind,ou=binds,dc=hq,dc=mydomain,dc=com' );
Set( $LDAPPassword, '8B6f9023mdrtggggsd' );
# Import Users
Set( $LDAPBase, 'ou=employees,ou=people,dc=hq,dc=mydomain,dc=com' );
Set( $LDAPFilter, '(objectClass=inetOrgPerson)' );
Set( $LDAPMapping, { 'Name'         => 'uid',
                     'EmailAddress' => 'mail',
                     'RealName'     => 'cn',
                     'WorkPhone'    => 'telephoneNumber',
                     'MobilePhone'  => 'mobile'
                   });
Set( $LDAPCreatePrivileged, 1 );
# Import Groups
Set( $LDAPGroupBase, 'ou=group,dc=hq,dc=mydomain,dc=com' );
Set( $LDAPGroupFilter, '(objectClass=groupOfNames)' );
Set( $LDAPGroupMapping, { 'Name'              => 'cn',
                          'Member_Attr'       => 'member',
                          'Member_Attr_Value' => 'dn'
                        });
Debug log:
[4426] [Mon Apr 8 18:05:44 2019] [debug]: Using internal Perl HTML → text conversion (/usr/sbin/…/lib/RT/Interface/Email.pm:1475)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT receives emails on addresses that are not in the database or config. (/usr/sbin/…/lib/RT/Config.pm:577)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: Attempting to use external auth service: My_LDAP (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: SSO Failed and no user to test with. Nexting (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:316)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/html/Elements/DoAuth:58)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: Attempting to use external auth service: My_LDAP (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: SSO Failed and no user to test with. Nexting (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:316)
[4426] [Mon Apr 8 18:05:44 2019] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/html/Elements/DoAuth:58)
[4426] [Mon Apr 8 18:05:47 2019] [debug]: Attempting to use external auth service: My_LDAP (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[4426] [Mon Apr 8 18:05:47 2019] [debug]: Calling UserExists with $username (gao) and $service (My_LDAP) (/usr/sbin/…/lib/RT/Authen/ExternalAuth.pm:329)
[4426] [Mon Apr 8 18:05:47 2019] [debug]: UserExists params:
username: gao , service: My_LDAP (/usr/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:486)
[4426] [Mon Apr 8 18:05:47 2019] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1 (/usr/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:678)
[4426] [Mon Apr 8 18:05:47 2019] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/html/Elements/DoAuth:58)
[4426] [Mon Apr 8 18:05:47 2019] [error]: FAILED LOGIN for gao from 10.36.9.18 (/usr/sbin/…/lib/RT/Interface/Web.pm:826)
[4457] [Mon Apr 8 18:06:02 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/usr/sbin/…/lib/RT.pm:754)
[4457] [Mon Apr 8 18:06:02 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/usr/sbin/…/lib/RT.pm:754)
[4457] [Mon Apr 8 18:06:02 2019] [debug]: Using internal Perl HTML → text conversion (/usr/sbin/…/lib/RT/Interface/Email.pm:1475)
[4457] [Mon Apr 8 18:06:02 2019] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT receives emails on addresses that are not in the database or config. (/usr/sbin/…/lib/RT/Config.pm:577)
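The log collapses connect, StartTLS and bind into one "Can't bind" line, so it does not say whether the new CA file fails to validate the LDAP server's chain or the bind itself is refused. The script below, added here as an example and not part of the original post or of RT's code, walks the same steps as ExternalAuth's My_LDAP settings (plain connect, start_tls with verify 'require' and the configured cafile, bind, then the uid lookup) and reports each one separately; it assumes Net::LDAP is installed, network reach to the LDAP server, the host, DNs and cafile from the config above as defaults, and the bind password in the LDAP_BIND_PW environment variable.

```perl
#!/usr/bin/perl
# Hypothetical diagnostic, not RT code: reproduce the steps RT's ExternalAuth
# LDAP backend takes, stopping at the first one that fails.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);

# Defaults are the values from the 03_ldap.pm above; override via arguments.
my $host   = $ARGV[0] // 'ldap.hq.mydomain.com';
my $cafile = $ARGV[1] // '/etc/pki/ca-trust/source/anchors/root-ca.pem';
my $binddn = $ARGV[2] // 'uid=RTBind,ou=binds,dc=hq,dc=mydomain,dc=com';
my $base   = 'ou=employees,ou=people,dc=hq,dc=mydomain,dc=com';
my $uid    = $ARGV[3] // 'gao';            # login name seen in the debug log
my $pw     = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

die "cafile $cafile is not readable by this user\n" unless -r $cafile;

# Step 1: plain TCP connection on 389, which is what happens before StartTLS.
my $ldap = Net::LDAP->new($host, port => 389, version => 3, timeout => 10)
    or die "step 1 connect to $host:389 failed: $@\n";
print "step 1 ok: connected to $host:389\n";

# Step 2: StartTLS with strict peer verification against the configured CA.
# A failure here is a chain/hostname problem with $cafile, not a bind problem.
my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
die sprintf("step 2 start_tls failed: %s [%s]\n",
            $tls->error, ldap_error_name($tls->code)) if $tls->code;
printf "step 2 ok: TLS up, cipher %s\n", $ldap->cipher // 'unknown';

# Step 3: bind as the RT service account over the TLS session.
my $bind = $ldap->bind($binddn, password => $pw);
die sprintf("step 3 bind failed: %s [%s]\n",
            $bind->error, ldap_error_name($bind->code)) if $bind->code;
print "step 3 ok: bound as $binddn\n";

# Step 4: the lookup UserExists performs, using the configured base and filter
# plus the attr_map 'Name' => 'uid' match.
my $res = $ldap->search(
    base   => $base,
    filter => "(&(objectClass=inetOrgPerson)(uid=$uid))",
    attrs  => [qw(uid mail cn)],
);
printf "step 4: search %s, %d entr%s for uid=%s\n",
    ldap_error_name($res->code), $res->count, ($res->count == 1 ? 'y' : 'ies'), $uid;
$ldap->unbind;
```

Run it as the same Unix user Apache runs RT under, since step 2 also checks that the cafile is readable by that account.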