User could not be loaded

Hi all,

I have RT set up and am using RT::Authen::ExternalAuth to authenticate
users against LDAP which is working great. We now have an external
company we are working with and they don’t have LDAP accounts and
when they send an email in to the RT system they receive a bounce that
says:

“User xxx@xxx.com could not be loaded in the mail gateway”

My RT_SiteConfig.pm looks like:

    # Any configuration directives you include here will override
    # RT's default configuration file, RT_Config.pm
    #
    # To include a directive here, just copy the equivalent statement
    # from RT_Config.pm and change the value. We've included a single
    # sample value below.
    #
    # This file is actually a perl module, so you can include valid
    # perl code, as well.
    #
    # The converse is also true, if this file isn't valid perl, you're
    # going to run into trouble. To check your SiteConfig file, use
    # this command:
    #
    #   perl -c /path/to/your/etc/RT_SiteConfig.pm

    Set( $rtname, 'x');
    Set(@Plugins, qw(RT::Authen::ExternalAuth) );
    Set($LogToFile , 'debug');

    Set($ExternalAuthPriority, ['My_LDAP']);
    Set($ExternalInfoPriority, ['My_LDAP']);
    Set($ExternalServiceUsesSSLorTLS, 1);
    Set($AutoCreateNonExternalUsers, 1);

    Set($ExternalSettings, {
        'My_LDAP' => {  ## GENERIC SECTION
            'type'            => 'ldap',
            'server'          => 'x',
            'user'            => 'x',
            'pass'            => 'x',
            'base'            => 'x',
            'filter'          => '(objectclass=user)',
            'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
            'tls'             => 0,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            #'group'          => 'GROUP_NAME',
            #'group_attr'     => 'GROUP_ATTR',
            'attr_match_list' => [ 'Name',
                                   'EmailAddress',
                                   'RealName',
                                   'WorkPhone',
                                   'Address2'
                                 ],
            'attr_map'        => { 'Name'           => 'sAMAccountName',
                                   'EmailAddress'   => 'mail',
                                   'Organization'   => 'physicalDeliveryOfficeName',
                                   'RealName'       => 'cn',
                                   'ExternalAuthId' => 'sAMAccountName',
                                   'Gecos'          => 'sAMAccountName',
                                   'WorkPhone'      => 'telephoneNumber',
                                   'Address1'       => 'streetAddress',
                                   'City'           => 'l',
                                   'State'          => 'st',
                                   'Zip'            => 'postalCode',
                                   'Country'        => 'co'
                                 }
        },
    } );

    1;

There is usually a more detailed error in the logs and sent to the
OwnerEmail

-kevin

Here’s the log from when an external email address sends in a ticket
via email (in this case xxx@gmail.com). I have granted the
Everyone group CreateTicket both globally and at the queue level:

[Mon Aug 23 20:33:39 2010] [debug]: Converting ‘ISO-8859-1’ to ‘utf-8’
for text/plain - Test (/opt/rt3/bin/…/lib/RT/I18N.pm:249)
[Mon Aug 23 20:33:39 2010] [debug]: Going to create user with address
‘xxx@gmail.com’
(/opt/rt3/bin/…/lib/RT/Interface/Email/Auth/MailFrom.pm:94)
[Mon Aug 23 20:33:39 2010] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20
with: Comments: Autocreated on ticket submission, Disabled: 0,
EmailAddress: xxx@gmail.com, Name: xxx@gmail.com, Password: ,
Privileged: 0, RealName: Steve Berg
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Mon Aug 23 20:33:39 2010] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Mon Aug 23 20:33:39 2010] [debug]: Attempting to use this
canonicalization key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 23 20:33:39 2010] [debug]: LDAP Search === Base:
ou=xxx,dc=xxx,dc=local == Filter:
(&(objectclass=user)(sAMAccountName=xxx@gmail.com)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 23 20:33:39 2010] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 23 20:33:39 2010] [debug]: LDAP Search === Base:
ou=xxx,dc=xxx,dc=local == Filter:
(&(objectclass=user)(mail=xxx@gmail.com)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 23 20:33:39 2010] [debug]: Attempting to use this
canonicalization key: RealName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 23 20:33:40 2010] [debug]: LDAP Search === Base:
ou=xxx,dc=xxx,dc=local == Filter: (&(objectclass=user)(cn=Steve Berg))
== Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Mon Aug 23 20:33:40 2010] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: ,
City: Warana, Comments: Autocreated on ticket submission, Country:
Australia, Disabled: 0, EmailAddress: xxx.xxx@xxx.com.au,
ExternalAuthId: xxx.xxx, Gecos: xxx.xxx, Name: xxx.xxx, Organization:
Warana, Password: , Privileged: 0, RealName: Steve Berg, State: Qld,
WorkPhone: 07 5343 3326, Zip: 4575
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
[Mon Aug 23 20:33:40 2010] [crit]: User creation failed in
mailgateway: Name in use
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Mon Aug 23 20:33:40 2010] [warning]: Couldn’t load user
‘xxx@gmail.com’.giving up
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:947)
[Mon Aug 23 20:33:40 2010] [crit]: User ‘xxx@gmail.com’ could not be
loaded in the mail gateway
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Mon Aug 23 20:33:40 2010] [error]: RT could not load a valid user,
and RT’s configuration does not allow
for the creation of a new user for this email (xxx@gmail.com).

You might need to grant ‘Everyone’ the right ‘CreateTicket’ for the
queue IT_Support. (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Mon Aug 23 20:33:40 2010] [error]: RT could not load a valid user,
and RT’s configuration does not allow
for the creation of a new user for your email.
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:244)
[Mon Aug 23 20:33:40 2010] [error]: Could not record email: Could not
load a valid user
(/opt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year – Learn how to get the most out of RT!


Here’s the log from when an external email address sends in a ticket
via email (in this case xxx@gmail.com). I have granted the
Everyone group CreateTicket both globally and at the queue level:

[Mon Aug 23 20:33:39 2010] [debug]: Attempting to use this
canonicalization key: RealName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Mon Aug 23 20:33:40 2010] [debug]: LDAP Search === Base:
ou=xxx,dc=xxx,dc=local == Filter: (&(objectclass=user)(cn=Steve Berg))
== Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)

You’ve told RT-Authen-ExternalAuth that RealName is an acceptable
canonicalization key, so when it searches for Steve Berg (presumably
because your test email is from “Steve Berg” something@gmail.com)
it loads your real internal account and then blows up when the From:
address user account doesn’t exist.

Don’t match on things that aren’t actually unique.

-kevin

Kevin -

Thank you very much. I changed the LDAP settings to match on the following:

        'attr_match_list'           => [    'Name',
                                            'EmailAddress',
                                       ],

Now it works perfectly.

-Steve
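
The failure discussed in this thread, as a small Python model added here for illustration (it is not RT::Authen::ExternalAuth code and not from the thread): the keys in attr_match_list are tried in order, as the debug log shows, and the first directory hit replaces the sender's fields. The directory entry, names and addresses are constructed, and the attribute map is reduced to the three keys that matter here.

```python
# Simplified model of the lookup order visible in the debug log above.
# Not the plugin's code; DIRECTORY and every value below are constructed.

# Reduced form of the thread's attr_map (RT field -> LDAP attribute).
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn"}

# Constructed stand-in for the LDAP directory: one internal account.
DIRECTORY = [
    {"sAMAccountName": "jane.doe", "mail": "jane.doe@corp.example", "cn": "Jane Doe"},
]

def canonicalize(user, attr_match_list):
    """Try each key in order; the first directory hit overwrites the user's fields.

    Returns (resulting_user, matched_key); matched_key is None if nothing matched.
    """
    for key in attr_match_list:
        ldap_attr = ATTR_MAP.get(key)
        value = user.get(key)
        if not ldap_attr or not value:
            continue  # key has no mapping or no value (e.g. Address2)
        # Assumption: case-insensitive equality, one filter term per key.
        hits = [e for e in DIRECTORY if e[ldap_attr].lower() == value.lower()]
        if hits:
            merged = dict(user)
            merged.update({rt: hits[0][ld] for rt, ld in ATTR_MAP.items()})
            return merged, key
    return dict(user), None

def audit(sender, attr_match_list):
    """Report whether canonicalization replaced the sender's own address."""
    result, key = canonicalize(sender, attr_match_list)
    rewritten = result["EmailAddress"].lower() != sender["EmailAddress"].lower()
    return {"matched_key": key, "identity_rewritten": rewritten, "Name": result["Name"]}

# Fields the mail gateway derives from an outside sender's From: header.
# The display name (RealName) is whatever the sender chose to put there.
external = {"Name": "someone@mail.example",
            "EmailAddress": "someone@mail.example",
            "RealName": "Jane Doe"}

original_list = ["Name", "EmailAddress", "RealName", "WorkPhone", "Address2"]
fixed_list = ["Name", "EmailAddress"]

if __name__ == "__main__":
    print("original:", audit(external, original_list))
    print("fixed:   ", audit(external, fixed_list))
```

With the original list the outside address is canonicalized into the internal account through RealName, which is the "Name in use" collision in the log; with the two-key list it stays an ordinary external user.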