Mailing List Archive

Re: Issue With ExternalAuth
Hi Claude,

Your English is much better than my French :)
I've cc'd the RT users list as they may have additional suggestions.
The short answer is no, I don't believe your problem is caused by TLS
bugs.

You seem to be mixing up the new RT 4.4 LDAP configuration syntax with
the older RT::Authen::ExternalAuth syntax.

If you are using RT 4.4.x then you don't need the following, because it
is the old style syntax:

> Set($LDAPBase,'MYLDAPSERVER');
> Set($LDAPFilter, '(&(objectClass=person))');
> Set($LDAPMapping, {
>     Name         => 'uid',
>     EmailAddress => 'mail',
>     RealName     => 'cn'
> });

The following option should also be removed when using RT 4.4.x:

> 'ssl_version' => 3,

Is RT able to read your CA cert file? Please could you check the file
permissions.
Do you see any errors in the logs?

Best Regards

Martin

On 2016-12-05 13:22, claudeduma@gmail.com wrote:
> Hi Martin,
>
> I'm trying to configure LDAP authentication but it doesn't work.
> I'm sure all my config is correct (see below). I tried with
> ldapsearch and all is OK. I looked at my LDAP server's logs and I bind
> users correctly. Do you think it's a TLS bug?
>
> (sorry for my English, I'm French)
> Thank you.
>
> --------------
> Set($LDAPBase,'MYLDAPSERVER');
> Set($LDAPFilter, '(&(objectClass=person))');
> Set($LDAPMapping, {
>     Name         => 'uid',
>     EmailAddress => 'mail',
>     RealName     => 'cn'
> });
>
>
> # Use the below LDAP source for both authentication, as well as user
> # information
> Set( $ExternalAuthPriority, ["My_LDAP"] );
> Set( $ExternalInfoPriority, ["My_LDAP"] );
> Set($ExternalServiceUsesSSLorTLS, 1);
>
> # Make users created from LDAP Privileged
> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>
> # Users should still be autocreated by RT as internal users if they
> # fail to exist in an external service; this is so requestors (who
> # are not in LDAP) can still be created when they email in.
> Set($AutoCreateNonExternalUsers, 0);
>
> # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
> # further details and examples
> Set($ExternalSettings, {
>     'My_LDAP' => {
>         'type'            => 'ldap',
>         'server'          => 'ldaps://MYLDAPSERVER',
>         'user'            => 'MYUSER',
>         'pass'            => 'MYPASS',
>         'base'            => 'MYBASE',
>         'filter'          => '(objectClass=privperson)',
>         'tls'             => { verify => "require", cafile => "/etc/CA.crt" },
>         'ssl_version'     => 3,
>         'net_ldap_args'   => [ version => 3, debug => 8 ],
>         'attr_match_list' => [
>             'Name',
>             'EmailAddress',
>         ],
>
>         'attr_map' => {
>             'Name'         => 'uid',
>             'EmailAddress' => 'mail',
>             'RealName'     => 'cn',
>             'Gecos'        => 'uid',
>             'Country'      => 'co',
>         }
>     },
> }
> );
>
> 1;
>
>
>
> _____________________________________
> Sent from http://requesttracker.8502.n7.nabble.com
---------
RT 4.4 and RTIR training sessions, and a new workshop day! https://bestpractical.com/training
* Los Angeles - January 9-11 2017
Re: Issue With ExternalAuth [ In reply to ]
Hi Claude,

Seems you already have a user in the RT database with the same email
address, but different user name.

> [3605] [Tue Dec 6 07:58:02 2016] [error]: Couldn't create user
> 20006583: Email address in use

Best Regards

Martin

On 2016-12-06 08:05, Claude EDUMA wrote:
> Hi Martin,
>
> Thank you for your response.
>
> File permissions for my CA.cert are "rw-r--r-".
>
> Below is rt.log:
>
> ---------------------------
>
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to use external
> auth service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:286)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: Calling UserExists with
> $username (20006583) and $service (My_LDAP)
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:327)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: UserExists params:
> username: 20006583 , service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:488)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]:
> RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
> /opt/rt4/sbin/../lib/RT/User.pm 699 with: Disabled: , EmailAddress: ,
> Gecos: 20006583, Name: 20006583, Privileged: 1
> (/opt/rt4/sbin/../lib/RT/User.pm:735)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to get user info
> using this external service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/User.pm:743)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: Attempting to use this
> canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20006583)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
> [3605] [Tue Dec 6 07:58:02 2016] [info]:
> RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: ,
> Disabled: , EmailAddress: claude.eduma@ext.mycorp.com, Gecos:
> 20006583, Name: 20006583, Privileged: 1, RealName: CLAUDE EDUMA
> (/opt/rt4/sbin/../lib/RT/User.pm:812)
> [3605] [Tue Dec 6 07:58:02 2016] [error]: Couldn't create user
> 20006583: Email address in use
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
> [3605] [Tue Dec 6 07:58:02 2016] [debug]: Autohandler called
> ExternalAuth. Response: (0, No User)
> (/opt/rt4/share/html/Elements/DoAuth:58)
> [3605] [Tue Dec 6 07:58:02 2016] [error]: FAILED LOGIN for 20006583
> from 10.1.179.71 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
>
> ----------------
>
> Thank you one more time.
>
> Regards.
>
> 2016-12-05 23:35 GMT+01:00 Martin Wheldon
> <martin.wheldon@greenhills-it.co.uk>:
Re: Issue With ExternalAuth [ In reply to ]
Hi Claude,

OK, from your logs you can see a successful lookup of the user from LDAP
and a successful validation.
So we can rule out issues with communication with the LDAP server and
with the user credentials.

The following line, however, is an issue, as you seem to be only
getting/requesting the dn attribute returned. I'm not quite certain
which :)

"... == Attrs: dn"
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(uid=20005528)(objectClass=privperson)) == Attrs: dn

This is what I get on my test system:

"... == Attrs:
mail,cn,street,telephoneNumber,mobile,st,mail,ukFirmGhITAccOrg,postalCode,l"

The configuration you sent earlier is expecting uid, mail, cn and co:

>> 'attr_map' => {
>>     'Name'         => 'uid',
>>     'EmailAddress' => 'mail',
>>     'RealName'     => 'cn',
>>     'Gecos'        => 'uid',
>>     'Country'      => 'co',
>> }

Is your LDAP search account able to get this information from the
LDAP server?

Best Regards

Martin

On 2016-12-06 10:25, Claude EDUMA wrote:
> Yes,
>
> But even if it's a new user, the user is created but I still get LOGIN
> FAILED.
>
> Below is the log with a new user:
>
> ---------------------------
>
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: Trying external auth
> service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:201)
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(uid=20005528)(objectClass=privperson)) == Attrs: dn
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:234)
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: Found LDAP DN:
> uid=20005528,ou=people,ou=GO-LM,o=corp.mycorp.com
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:268)
> [4110] [Tue Dec 6 10:22:44 2016] [info]:
> RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ):
> 20005528 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:350)
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP password validation
> result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:558)
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: Password Validation Check
> Result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:383)
> [4110] [Tue Dec 6 10:22:44 2016] [debug]: Autohandler called
> ExternalAuth. Response: (0, No User)
> (/opt/rt4/share/html/Elements/DoAuth:58)
> [4110] [Tue Dec 6 10:22:44 2016] [error]: FAILED LOGIN for 20005528
> from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: Attempting to use external
> auth service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:286)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: Calling UserExists with
> $username (20005528) and $service (My_LDAP)
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:327)
>
> 2016-12-06 11:12 GMT+01:00 Martin Wheldon
> <martin.wheldon@greenhills-it.co.uk>:
>
Re: Issue With ExternalAuth [ In reply to ]
Hi Claude,

Yes, your problem seems to be a little odd.

I believe that this is the code that is rejecting your authentication,
from /opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:

> # If we got here and don't have a user loaded we must have failed to
> # get a full, valid user from an authoritative external source.
> unless ($session->{'CurrentUser'} && $session->{'CurrentUser'}->Id) {
>     $session->{'CurrentUser'} = RT::CurrentUser->new;
>     return (0, "No User");
> }

Do you have multiple external auth mechanisms configured?
Would you be able to post your full RT configuration, with sensitive
information obfuscated obviously?

Best Regards

Martin

On 2016-12-06 11:37, Claude EDUMA wrote:
> Martin,
>
> It requests only the "dn" attribute because the user is not internal.
> Once the user is created, it will request the other attributes.
>
> I have seen our LDAP administrator and for him all is OK. Accounts are
> bound correctly with LDAP.
> It seems like after binding the account it requests another validation
> which fails.
>
> My question is: why does RT retrieve all attributes from LDAP but still
> fail to grant access to users?
>
> I'm sorry to take your precious time, and thank you once more.
>
> -------------------------------------------
>
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: UserExists params:
> username: 20005528 , service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:488)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]:
> RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
> /opt/rt4/sbin/../lib/RT/User.pm 699 with : Disabled: , EmailAddress:
> , Gecos: 20005528, Name: 20005528, Privileged: 1
> (/opt/rt4/sbin/../lib/RT/User.pm:735)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: Attempting to get user info
> using this external service: My_LDAP
> (/opt/rt4/sbin/../lib/RT/User.pm:743)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: Attempting to use this
> canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: LDAP Search === Base:
> o=corp.mycorp.com == Filter:
> (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:406)
> [4109] [Tue Dec 6 10:22:50 2016] [info]:
> RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: ,
> Disabled: , EmailAddress: jonathan.laigle@ext.mycorpservices.com,
> Gecos: 20005528, Name: 20005528, Privileged: 1, RealName: JONATHAN
> LAIGLE (/opt/rt4/sbin/../lib/RT/User.pm:812)
> [4109] [Tue Dec 6 10:22:50 2016] [error]: Couldn't create user
> 20005528: Email address in use
> (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
> [4109] [Tue Dec 6 10:22:50 2016] [debug]: Autohandler called
> ExternalAuth. Response: (0, No User)
> (/opt/rt4/share/html/Elements/DoAuth:58)
> [4109] [Tue Dec 6 10:22:50 2016] [error]: FAILED LOGIN for 20005528
> from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
> -------------------------
>
> Regards
>
> 2016-12-06 12:04 GMT+01:00 Martin Wheldon
> <martin.wheldon@greenhills-it.co.uk>:
>
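A small rt.log analyser, added here as an example and not part of the thread or of RT itself, that walks the ExternalAuth debug entries quoted in the messages above (grouped by PID, one PID per request) and reports the two shapes seen in this thread: the bind that succeeds but ends in "Response: (0, No User)", and the "Couldn't create user ...: Email address in use" refusal that Martin diagnosed, plus which attr_map attributes a given search never requested (the "Attrs: dn" question). The sample lines are constructed from the entries quoted above for user 20005528, joined back onto single lines as RT writes them; the entry layout regex, the verdict names and the assumption that one PID equals one request are mine.

```python
import re

# One RT log entry: "[pid] [timestamp] [level]: message (file:line)"; layout
# assumed from the entries quoted in the thread.
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
                     r"(?P<msg>.*?)(?: \((?P<src>\S+):(?P<srcline>\d+)\))?$")
SEARCH_RE = re.compile(r"LDAP Search === Base: (\S+) == Filter: (\S+) == Attrs: (\S+)")
CREATE_ERR_RE = re.compile(r"Couldn't create user (\S+): (.*)")
CANON_RE = re.compile(r"CanonicalizeUserInfoFromExternalAuth returning (.*)")
RESPONSE_RE = re.compile(r"Response: \((\d+), (.*)\)")
PWCHECK_RE = re.compile(r"Password Validation Check Result: (\d)")
FAILED_RE = re.compile(r"FAILED LOGIN for (\S+) from (\S+)")

# attr_map from the configuration posted in the thread
ATTR_MAP = {"Name": "uid", "EmailAddress": "mail", "RealName": "cn",
            "Gecos": "uid", "Country": "co"}


def parse_log(text):
    """Group entries by PID (assumed: one PID is one request, i.e. one login step)."""
    attempts = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, separator, or a fragment that is not an entry
        a = attempts.setdefault(m["pid"], {
            "searches": [], "canon": {}, "create_error": None,
            "password_ok": None, "response": None, "failed_user": None})
        msg = m["msg"]
        if s := SEARCH_RE.search(msg):
            a["searches"].append({"base": s[1], "filter": s[2], "attrs": s[3].split(",")})
        elif c := CREATE_ERR_RE.search(msg):
            a["create_error"] = {"user": c[1], "reason": c[2]}
        elif k := CANON_RE.search(msg):
            # "Country: , EmailAddress: x@y, Name: 123, ..." -> dict; empty values kept
            a["canon"] = {key: val.strip() for key, val in re.findall(r"(\w+): ([^,]*)", k[1])}
        elif r := RESPONSE_RE.search(msg):
            a["response"] = (int(r[1]), r[2])
        elif p := PWCHECK_RE.search(msg):
            a["password_ok"] = p[1] == "1"
        elif f := FAILED_RE.search(msg):
            a["failed_user"] = f[1]
    return attempts


def diagnose(attempt):
    """Return (verdict, explanation) for one request, in the terms used in the thread."""
    err = attempt["create_error"]
    if err and "Email address in use" in err["reason"]:
        email = attempt["canon"].get("EmailAddress", "<not logged>")
        return ("email_collision",
                f"LDAP user {err['user']} canonicalises to {email}, which already belongs "
                f"to a different RT user, so autocreate was refused and RT answered 'No User'")
    if attempt["password_ok"] and attempt["response"] == (0, "No User"):
        return ("auth_ok_no_user",
                "bind and password check succeeded but no RT user was loaded; in the "
                "thread's log the creation attempt appears in a later request (other PID)")
    if attempt["failed_user"]:
        return ("auth_failed", f"login for {attempt['failed_user']} was rejected")
    return ("ok", "no failure recorded")


def unrequested_attrs(attempt, attr_map=ATTR_MAP):
    """Attributes attr_map relies on that no LDAP search in this request asked for.

    The auth-bind search in the thread asks for 'dn' only; the UserExists /
    canonicalise searches ask for co,cn,mail,uid, which is what attr_map needs."""
    requested = {attr for s in attempt["searches"] for attr in s["attrs"]}
    return sorted(set(attr_map.values()) - requested)


# Constructed sample: the entries quoted in the thread for user 20005528, one per line.
SAMPLE_LOG = """\
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Trying external auth service: My_LDAP (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:201)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(uid=20005528)(objectClass=privperson)) == Attrs: dn (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:234)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Password Validation Check Result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:383)
[4110] [Tue Dec 6 10:22:44 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[4110] [Tue Dec 6 10:22:44 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
[4109] [Tue Dec 6 10:22:50 2016] [debug]: LDAP Search === Base: o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20005528)) == Attrs: co,cn,mail,uid,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:518)
[4109] [Tue Dec 6 10:22:50 2016] [info]: RT::User::CanonicalizeUserInfoFromExternalAuth returning Country: , Disabled: , EmailAddress: jonathan.laigle@ext.mycorpservices.com, Gecos: 20005528, Name: 20005528, Privileged: 1, RealName: JONATHAN LAIGLE (/opt/rt4/sbin/../lib/RT/User.pm:812)
[4109] [Tue Dec 6 10:22:50 2016] [error]: Couldn't create user 20005528: Email address in use (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:353)
[4109] [Tue Dec 6 10:22:50 2016] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[4109] [Tue Dec 6 10:22:50 2016] [error]: FAILED LOGIN for 20005528 from 10.1.52.222 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
"""

if __name__ == "__main__":
    for pid, attempt in parse_log(SAMPLE_LOG).items():
        verdict, why = diagnose(attempt)
        print(f"pid {pid}: {verdict}: {why}")
        print(f"  attributes never requested: {unrequested_attrs(attempt) or 'none'}")
```

Run it against a real rt.log at debug level and look for the email_collision verdict: the EmailAddress it prints is the one to search for among existing RT users.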