Mailing List Archive

RT 4.4.1 LDAP Authentication issue.
Hi everyone.
First, sorry for my English, I'm French.

I have been trying for a couple of weeks to get LDAP authentication working with my fresh RT 4.4.1
installation.
All seems good but login still fails.

As you can see in the logs, if it's the first time that a user tries to log in, he is
created in RT and all checks seem to be OK, but the user is not granted access.

Below are RT_SiteConfig.pm and the logs.

Thank you for your help.
------------------
RT_SiteConfig.pm
-----------------

Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set($Timezone, "Europe/Paris");
Set($DisableGD, 0);
Set( $DisableGraphViz, 1 );
Set($LogToFile , 'debug');
Set($LogDir, '/var/log');
Set($LogToFileNamed , "rt.log");

Set($WebDomain, 'dmycopr');
Set($WebPort, 82);
Set($Organization, 'mycopr.com');
Set($CorrespondAddress , 'alert@mycoprservices.com');
Set($CommentAddress , 'alert@mycoprservices.com');
Set($SendmailPath, "/usr/lib/sendmail");
Set($SendmailArguments, "-t");
Set($OwnerEmail, "alert\@mycoprservices.com"); #who to email errors to
Set($UseTransactionBatch, '1');

# Use the below LDAP source for both authentication, as well as user
# information
Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set($ExternalServiceUsesSSLorTLS, 1);

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Do not autocreate users as internal RT users when they fail to exist
# in the external service; set this to 1 if requestors (who are not in
# LDAP) should still be created when they email in.
Set($AutoCreateNonExternalUsers, 0);

# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldaps://ypmycoprldap.corp.mycopr.com',
        'user'   => 'uid=mycopr-rtir-reader,ou=applicationAccounts,o=corp.mycopr.com',
        'pass'   => 'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',
        'base'   => 'o=corp.mycopr.com',
        'filter' => '(objectClass=privperson)',
        'tls'    => { verify => "require", cafile => "/etc/pki/tls/mycopr_CERTIFICATE_CHAIN.crt" },
        'net_ldap_args'   => [ version => 3, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon login
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});



1;


------
First login :
-----
[13619] [Wed Dec 7 16:42:02 2016] [debug]: UserExists params:
username: 20006587 , service: My_LDAP
(/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base:
o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006587)) ==
Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:517)
[13619] [Wed Dec 7 16:42:02 2016] [debug]:
RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
/opt/rt4/sbin/../lib/RT/User.pm 699 with: Disabled: , EmailAddress: , Gecos:
20006587, Name: 20006587, Privileged: 1
(/opt/rt4/sbin/../lib/RT/User.pm:735)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Attempting to get user info
using this external service: My_LDAP (/opt/rt4/sbin/../lib/RT/User.pm:743)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Attempting to use this
canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base:
o=corp.mycorp.com == Filter: (&(objectClass=privperson)(uid=20006587)) ==
Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:405)
[13619] [Wed Dec 7 16:42:02 2016] [info]:
RT::User::CanonicalizeUserInfoFromExternalAuth returning Disabled: ,
EmailAddress: user@ext.mycorp.com, Gecos: 20006587, Name: 20006587,
Privileged: 1, RealName: user (/opt/rt4/sbin/../lib/RT/User.pm:811)
[13619] [Wed Dec 7 16:42:02 2016] [info]: Autocreated external user
20006587 ( 716 ) (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:358)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Loading new user ( 20006587 )
into current session (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:364)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Password validation required for
service - Executing... (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:381)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Trying external auth service:
My_LDAP (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:201)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP Search === Base:
o=corp.mycorp.com == Filter: (&(uid=20006587)(objectClass=privperson)) ==
Attrs: dn (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:234)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Found LDAP DN:
uid=20006587,ou=people,ou=GO-LM,o=corp.mycorp.com
(/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:268)
[13619] [Wed Dec 7 16:42:02 2016] [info]:
RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ):
20006587 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:349)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: LDAP password validation result:
1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:560)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Password Validation Check
Result: 1 (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:385)
[13619] [Wed Dec 7 16:42:02 2016] [debug]: Autohandler called ExternalAuth.
Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13619] [Wed Dec 7 16:42:02 2016] [error]: FAILED LOGIN for 20006587 from
10.1.29.3 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to use external auth
service: My_LDAP (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:288)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Calling UserExists with
$username (20006587) and $service (My_LDAP)
(/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:329)

-------
User is known by RT
-------

[13620] [Wed Dec 7 16:42:10 2016] [debug]: UserExists params:
username: 20006587 , service: My_LDAP
(/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:487)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: LDAP Search === Base:
o=corp.mycopr.com == Filter: (&(objectClass=privperson)(uid=20006587)) ==
Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:517)
[13620] [Wed Dec 7 16:42:10 2016] [debug]:
RT::User::CanonicalizeUserInfoFromExternalAuth called by RT::User
/opt/rt4/sbin/../lib/RT/User.pm 699 with: Disabled: , EmailAddress: , Gecos:
20006587, Name: 20006587, Privileged: 1
(/opt/rt4/sbin/../lib/RT/User.pm:735)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to get user info
using this external service: My_LDAP (/opt/rt4/sbin/../lib/RT/User.pm:743)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Attempting to use this
canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.pm:752)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: LDAP Search === Base:
o=corp.mycopr.com == Filter: (&(objectClass=privperson)(uid=20006587)) ==
Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth/LDAP.pm:405)
[13620] [Wed Dec 7 16:42:10 2016] [info]:
RT::User::CanonicalizeUserInfoFromExternalAuth returning Disabled: ,
EmailAddress: user@ext.mycopr.com, Gecos: 20006587, Name: 20006587,
Privileged: 1, RealName: user (/opt/rt4/sbin/../lib/RT/User.pm:811)
[13620] [Wed Dec 7 16:42:10 2016] [error]: Couldn't create user 20006587:
Email address in use (/opt/rt4/sbin/../lib/RT/Authen/ExternalAuth.pm:355)
[13620] [Wed Dec 7 16:42:10 2016] [debug]: Autohandler called ExternalAuth.
Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[13620] [Wed Dec 7 16:42:10 2016] [error]: FAILED LOGIN for 20006587 from
10.1.29.3 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:826)
Re: RT 4.4.1 LDAP Authentication issue.
On 9-12-2016 11:11, Claude EDUMA wrote:
> Hi everyone.
> First sorry for my english i'm french.
>
> I try a couple of week to have LDAP authentication with my fresh RT
> 4.4.1 installation.
> All seem good but login still fail.
>
> ------
> First login :
> -----
> [13619] [Wed Dec 7 16:42:02 2016] [debug]: UserExists params:
> username: 20006587 , service: My_LDAP
I think you may have a problem here. This has come up on the mailing list
a few times, but I think that usernames can't start with a number.
Can you try with a 'regular' username consisting of only letters?

Regards,

Joop
Re: RT 4.4.1 LDAP Authentication issue.
On 9-12-2016 13:38, Claude EDUMA wrote:
> Hi Joop,
>
>
> Thank you for your quick answer.
> We have tested with non numerical username and result is OK.
> Well in my organisation we use ldap uid for username. Any suggestion
> to resolve this issue ?
>
Please keep the list in the loop.

I think the problem is in the function(s) which load the user info.
These functions take a name OR an id and then load the corresponding
info. When usernames are IDs that doesn't work any more. Other than
patching all functions which use this I don't see another solution than
to change the use of uid as a username, sorry.

Joop

---------
RT 4.4 and RTIR training sessions, and a new workshop day! https://bestpractical.com/training
* Los Angeles - January 9-11 2017
Re: RT 4.4.1 LDAP Authentication issue.
Hi,

You could either use another unique attribute, i.e. mail, or add another
uid to each RT user prefixed by a letter.

dn: uid=123456,dc=my,dc=domain
uid: 123456
uid: x123456

Best Regards

Martin

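Joop's name-or-id explanation and Martin's second-uid workaround, worked through as an added example that is not part of the thread and not RT's own code: a small Perl script that models the dispatch pattern Joop describes against a constructed in-memory user table, then checks a constructed LDIF export for accounts whose only uid is all digits. The load_user model, the user table and the LDIF are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from RT or from anyone in the thread.
use strict;
use warnings;

# Constructed stand-in for RT's Users table: id => Name. User 716 is
# the account the logs show being autocreated from the LDAP uid.
my %users_by_id = (
    1   => 'RT_System',
    12  => 'root',
    716 => '20006587',
);

# Simplified model (an assumption, not RT's code) of the pattern Joop
# describes: an identifier made only of digits is taken as a row id,
# anything else as a Name. A numeric login name therefore never reaches
# the Name lookup and comes back as "No User".
sub load_user {
    my ($identifier) = @_;
    if ($identifier !~ /\D/) {
        return undef unless exists $users_by_id{$identifier};
        return { id => $identifier, Name => $users_by_id{$identifier} };
    }
    my ($id) = grep { $users_by_id{$_} eq $identifier } keys %users_by_id;
    return defined $id ? { id => $id, Name => $identifier } : undef;
}

# Minimal LDIF parser: entries separated by blank lines, one
# "attr: value" per line, repeated attributes collected into a list.
sub parse_ldif {
    my ($text) = @_;
    my @entries;
    for my $block (split /\n\s*\n/, $text) {
        my %entry;
        for my $line (split /\n/, $block) {
            next unless $line =~ /^([A-Za-z][\w-]*):\s*(.*)$/;
            push @{ $entry{lc $1} }, $2;
        }
        push @entries, \%entry if %entry;
    }
    return @entries;
}

# The uid RT should receive as Name: the first one containing a
# non-digit (Martin's "x123456" workaround), or undef if there is none.
sub login_safe_uid {
    my ($entry) = @_;
    my ($safe) = grep { /\D/ } @{ $entry->{uid} || [] };
    return $safe;
}

# DNs of entries that would still hit the ambiguity after import.
sub numeric_only_entries {
    my (@entries) = @_;
    return map { $_->{dn}[0] }
           grep { !defined( login_safe_uid($_) ) } @entries;
}

# Constructed LDIF export: one account already carries a lettered uid,
# the other only the numeric one seen in the thread.
my $ldif = <<'LDIF';
dn: uid=123456,dc=my,dc=domain
uid: 123456
uid: x123456
mail: alice@example.com

dn: uid=20006587,ou=people,dc=my,dc=domain
uid: 20006587
mail: bob@example.com
LDIF

my $u = load_user('20006587');
print "load_user('20006587'): ", ($u ? "found id $u->{id}" : 'No User'), "\n";
print "load_user('root'): ", (load_user('root') ? 'found' : 'No User'), "\n";
print "needs a non-numeric uid: $_\n" for numeric_only_entries(parse_ldif($ldif));
```

The first lookup fails even though user 716 carries that Name, which is the "(0, No User)" outcome in the posted RT log; the LDIF check flags only the second entry, since the first already has a lettered uid to map to Name.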
Re: RT 4.4.1 LDAP Authentication issue.
Well,

I will try to use user mail for authentication.

Here is the conf I tested without success :(

-----
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap://ypmycorpldap.corp.mycorp.com',
        'user'   => 'uid=mycorp-rtir-reader,ou=applicationAccounts,o=corp.mycorp.com',
        'pass'   => 'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',
        'base'   => 'o=corp.mycorp.com',
        'filter' => '(objectClass=person)',
        'tls'    => { verify => "require", cafile => "/etc/pki/tls/mycorp_CERTIFICATE_CHAIN.crt" },
        'net_ldap_args'   => [ version => 3, debug => 8 ],
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon login
        'attr_map' => {
            'Name'         => 'mail',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

---

Regards



Re: RT 4.4.1 LDAP Authentication issue.
LDAP logs show that the user is retrieved, but not bound.

-----

SRCH base="o=corp.mycorp.com" scope=2
filter="(&(objectClass=privperson)(mail=claude.eduma@ext.mycorp.com))"
attrs="cn mail mail"
[09/Dec/2016:14:16:47 +0100] conn=9480527 op=2 msgId=3 - RESULT err=0
tag=101 nentries=1 etime=0

----

Regards.

Re: RT 4.4.1 LDAP Authentication issue.
Hi,

Looks like an LDAP ACL issue; is your LDAP search user able to access the
user's mail attribute?

Best Regards

Martin

Re: RT 4.4.1 LDAP Authentication issue.
Hi,

Sorry, please disregard my last response, the user account has been
found.
Could you post the RT logs please?

Best Regards

Martin

Re: RT 4.4.1 LDAP Authentication issue.
Hi,

Sorry, I used the shredder to remove all users from RT's user DB and now it
works fine.

Thank you everyone for your help.


Regards,
