Hello,
My RT install has the following environment:
- Debian 12.9
- RT5 from APT (5.0.3+dfsg-3~deb12u2)
- Samba at a different host (Ubuntu 22.04)
The installation was configured using debconf, allowing it to control the RT_SiteConfig settings. Given that, I’ve added the LDAP settings under /etc/request-tracker5/RT_SiteConfig.d/80-ldap.pm, whose content is below.
What happens is that although I’m able to log in successfully with RT’s root user with the said configuration, I’m not able to use any user from Samba’s LDAP database. All attempts return a FAILED LOGIN error at RT. It doesn’t matter which format I use for the username.
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPGroupMapping, { Name => 'cn', Member_Attr => 'member', Member_Attr_Value => 'dn' });
Set($LDAPGroupBase, 'CN=Users,DC=dominio,DC=red');
Set($LDAPGroupFilter, '(|(cn=Domain Users)(cn=Technical Operations)(cn=Management))');
Set($ExternalAuthPriority, ['My_LDAP', ]);
Set($ExternalInfoPriority, ['My_LDAP', ]);
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 });
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'tls' => 0,
        'server' => '192.168.1.5',
        'user' => 'rt_user@DOMINIO.RED',
        'pass' => 'nosecomparte',
        'base' => 'CN=Users,dc=dominio,dc=red',
        'filter' => '(objectClass=person)',
        'attr_match_list' => ['Name', 'EmailAddress', ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName' => 'cn',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co',
        },
    },
});
Samba’s log:
auth_check_password_send: Checking password for unmapped user [DOMINIO]\[rt_user]@[ORDENADOR04]
auth_check_password_send: user is: [DOMINIO]\[rt_user]@[ORDENADOR04]
Auth: [LDAP,simple bind] user [DOMINIO]\[rt_user@DOMINIO.RED] at [Fri, 24 Jan 2025 10:28:09.362469 -05] with [Plaintext] status [NT_STATUS_OK] workstation [ORDENADOR04] remote host [ipv4:192.168.1.13:54192] became [DOMINIO]\[rt_user] [S-1-5-21-2795409746-889793459-1347831397-1114]. local host [ipv4:192.168.1.5:389]
As you can see, the LDAP bind authentication is correct at Samba, but there is no trace of it using the webform credentials.
To discard incorrect credentials, I can say that I’m able to authenticate correctly from the RT host to Samba using different credentials with ldapsearch. Here I’ve used the format user@DOMINIO.RED, as it is in the configuration, and DOMINIO\user.
Now, when I comment out the user/pass elements from RT_SiteConfig.d’s it is like the Login webform is not passing the user/password values to the LDAP authentication. Samba’s log that before displayed the configured user (rt_user) looks totally empty for the auth settings.
RT’s log:
[error]: Can't locate object method "as_string" via package "(objectClass=person)" (perhaps you forgot to load "(objectClass=person)"?) at /usr/share/request-tracker5/lib/RT/Authen/ExternalAuth/LDAP.pm line 624.
Stack:
[/usr/share/request-tracker5/lib/RT/Authen/ExternalAuth/LDAP.pm:624]
[/usr/share/request-tracker5/lib/RT/Authen/ExternalAuth.pm:669]
[/usr/share/request-tracker5/lib/RT/Authen/ExternalAuth.pm:408]
[/usr/share/request-tracker5/html/Elements/DoAuth:57]
[/usr/share/request-tracker5/lib/RT/Interface/Web.pm:356]
[/usr/share/request-tracker5/html/autohandler:53] (/usr/share/request-tracker5/lib/RT/Interface/Web/Handler.pm:217)
Samba’s log:
auth_check_password_send: Checking password for unmapped user []\[]@[ORDENADOR04]
auth_check_password_send: user is: []\[]@[ORDENADOR04]
To me, it seems there is some misconfiguration or something that I’m missing at RT level.
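Added example (not part of the original post and not RT's own code): a shell script for the RT host that repeats the two LDAP steps separately, first the service-account search for the user's entry and then a bind as that entry, so the failing step shows up in Samba's log. It assumes OpenLDAP's ldapsearch and ldapwhoami are installed and that RT looks a login up by ANDing the configured filter with the Name attribute from attr_map; the connection values are copied from the posted 80-ldap.pm, and passwords are prompted for rather than stored.

```shell
#!/bin/sh
# Values copied from the posted 80-ldap.pm (no password is kept in this script).
LDAP_URI='ldap://192.168.1.5'
BIND_USER='rt_user@DOMINIO.RED'
BASE='CN=Users,dc=dominio,dc=red'
USER_FILTER='(objectClass=person)'
NAME_ATTR='sAMAccountName'

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is handled first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Per-login filter. Assumption: configured filter AND (Name attribute = login).
login_filter() {
    printf '(&%s(%s=%s))' "$USER_FILTER" "$NAME_ATTR" "$(ldap_escape "$1")"
}

# Step 1: bind as the service account (-W prompts) and print the matching DN.
# A DN with non-ASCII characters is returned base64-encoded ("dn::") and is
# not matched by the sed expression below.
find_user_dn() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_USER" -W \
        -b "$BASE" -s sub "$(login_filter "$1")" dn | sed -n 's/^dn: //p'
}

# Step 2: bind as the DN found in step 1 with the user's own password.
check_user_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -W
}

# Usage: sh rt-ldap-check.sh <login name as typed into the RT form>
if [ $# -gt 0 ]; then
    dn=$(find_user_dn "$1")
    if [ -z "$dn" ]; then
        echo "no entry matches $(login_filter "$1") under $BASE" >&2
        exit 1
    fi
    echo "entry found: $dn"
    check_user_bind "$dn"
fi
```

If step 1 prints no entry for a login that exists, the base or the filter is the place to look; if step 1 succeeds and step 2 fails, the user's bind is.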