Kevin,
Thomas's notes helped me get my import working. Users are now
imported into our RT instance. However we do get a lot of noise:
[Mon Apr 9 19:51:49 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo : Search for
(&(|(objectClass=posixAccount)(objectClass=account))([email protected]))
failed: LDAP_NO_SUCH_OBJECT 32
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:232)
[Mon Apr 9 19:51:49 2012] [critical]:
RT::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo : Search for
(&(|(objectClass=posixAccount)(objectClass=account))(uid=USERID))
failed: LDAP_NO_SUCH_OBJECT 32
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:232)
For each user we get the above two "critical" errors, and the below
"info" message (which I don't mind aside from the "Disabled" part):
[Mon Apr 9 19:51:49 2012] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: [email protected], ExternalAuthId: USERID, Gecos:
USERFULLNAME, Name: USERID, Privileged: 1, RealName: USERFULLNAME
(/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
When I inspected the MySQL tables that were created, I found that
all the users appeared to be created as I wanted. I am having trouble
with the Web view at the moment, so I need to verify them through that
view as well.
For reference, here are the settings / bindings from RT_SiteConfig.pm:
Set($LDAPHost,'ldaps://OURLDAPS.linguamatics.com');
Set($LDAPUser,'uid=OURBINDUSER,dc=linguamatics,dc=com');
Set($LDAPPassword, 'OURBINDPW');
Set($LDAPBase, 'ou=OURUSERTREE,dc=linguamatics,dc=com');
Set($LDAPFilter, '(|(objectClass=posixAccount)(objectClass=account))');
Set($LDAPMapping, { 'Name'           => 'uid',
                    'EmailAddress'   => 'mail',
                    'RealName'       => 'cn',
                    'ExternalAuthId' => 'uid',
                    'Gecos'          => 'gecos'
                  }
);
Set($LDAPCreatePrivileged, 1);
#For now we don't need groups, from what I can tell so:
#Set($LDAPGroupName, 'Imported Users');
#The previous line is commented out and we use this line:
Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPUpdateUsers, 0);
Set($LDAPUpdateOnly, 0);
#Set($LDAPGroupBase, '');
#Set($LDAPGroupFilter, '');
#Set($LDAPGroupMapping, { });
Please let me know if anything jumps out at you about why we're
generating so many "critical" messages. Otherwise, I'm more or less
happy with how RT Extension LDAPImport works; inspecting the data sent
into the MySQL database showed me data that looked good.
-Scott
On 4/9/2012 3:10 PM, Kevin Falcone wrote:
On Mon, Apr 09, 2012 at 02:25:47PM -0400, Scott Pestana wrote:
I'm having trouble setting up LDAPImport over LDAPS. The README
with the package on CPAN details set up and includes "Hostname or
ldap(s):// uri" which suggests to me that secure transmission should
work. I have settings in RT_SiteConfig.pm for Security, but I don't
see a specific flag for the Extension::LDAPImport package to set
that secure communication is requested.
I run into the following error trying to run rtldapimport:
[root@owlwoman bin]# ./rtldapimport
Running test import, no data will be changed
Rerun command with --import to perform the import
Rerun command with --debug for more information
[Mon Apr 9 18:19:15 2012] [error]: LDAP search failed No such
object
(/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:866)
LDAP search failed No such object
Testing group import
[Mon Apr 9 18:19:15 2012] [warning]: Not running a group import,
configuration not set
(/opt/rt4/local/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:874)
Not running a group import, configuration not set
Finished test
Please show your LDAPimport configuration for LDAPHost / LDAPUser and
a sanitized version of LDAPPassword.
Your port # implies that Net::LDAP didn't think you needed ssl.
-kevin
Digging into the Perl code being executed by rtldapimport, I
found that the LDAP object can't be created because the
configuration being used is insecure:
DB<9> x $ldap
0 Net::LDAP=HASH(0x5af6f00)
'net_ldap_async' => 0
'net_ldap_debug' => 0
'net_ldap_host' => 'OURLDAPS.linguamatics.com'
'net_ldap_port' => 389
'net_ldap_refcnt' => 1
'net_ldap_resp' => HASH(0x86044f0)
empty hash
'net_ldap_scheme' => 'ldap'
'net_ldap_socket' => IO::Socket::INET=GLOB(0x8604718)
-> *Symbol::GEN46
FileHandle({*Symbol::GEN46}) => fileno(8)
'net_ldap_uri' => 'OURLDAPS.linguamatics.com'
'net_ldap_version' => 3
What flags do I need to set for rtldapimport to use secure
communication when doing the import? I have set $LDAPUser and
$LDAPPassword in the RT_SiteConfig.pm but they aren't reflected here
either (perhaps they are applied later).
--
N. Scott Pestana
IT Infrastructure
Linguamatics
275 Grove Street, Suite 2-400
Newton, MA 02466
Tel: +1-774-571-7135
US Tel: +1-617-674-3256
UK Tel: 011-44-1223-421360
UK Fax: 011-44-1223-421361
Web: www.linguamatics.com
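Added example (not part of the original messages, and not code from RT, RT-Extension-LDAPImport or Net::LDAP): a stand-alone Perl preflight for the $LDAPHost value, showing why the debugger dump above reports scheme 'ldap' on port 389 when the host is given without an ldaps:// prefix. classify_ldap_host is a hypothetical helper name, and it assumes only the documented Net::LDAP->new defaults (bare host means scheme 'ldap'; default ports 389 and 636).

```perl
#!/usr/bin/perl
# Added example, not RT or Net::LDAP code. classify_ldap_host() is a
# hypothetical helper; the host values at the bottom are constructed from
# the placeholders used in this thread.
use strict;
use warnings;

# Scheme and port implied by a host string under the documented
# Net::LDAP->new defaults: a URI carries its own scheme, a bare host name
# means scheme 'ldap', and a missing port means 389 (ldap) or 636 (ldaps).
sub classify_ldap_host {
    my ($value) = @_;
    my %default_port = ( ldap => 389, ldaps => 636 );

    my ( $scheme, $rest ) = ( 'ldap', $value );
    if ( $value =~ m{^(ldaps?|ldapi)://(.*)$}i ) {
        ( $scheme, $rest ) = ( lc $1, $2 );
    }
    # ldapi is a local UNIX socket: no TCP port, no TLS layer.
    return +{ scheme => $scheme, host => $rest, port => '-', tls_on_connect => 0 }
        if $scheme eq 'ldapi';

    $rest =~ s{/.*$}{};    # ignore anything after host[:port]
    my ( $host, $port ) = $rest =~ /^(.*?)(?::(\d+))?$/;
    $port = $default_port{$scheme} unless defined $port;

    return +{
        scheme         => $scheme,
        host           => $host,
        port           => $port,
        tls_on_connect => $scheme eq 'ldaps' ? 1 : 0,
    };
}

# Constructed inputs: the bare host seen in the debugger dump, the same host
# as an ldaps:// URI, and a bare host with the LDAPS port appended (the port
# alone does not switch Net::LDAP to TLS).
for my $value (
    'OURLDAPS.linguamatics.com',
    'ldaps://OURLDAPS.linguamatics.com',
    'OURLDAPS.linguamatics.com:636',
) {
    my $c = classify_ldap_host($value);
    printf "%-36s scheme=%-5s port=%-4s %s\n", $value,
        @{$c}{qw(scheme port)},
        $c->{tls_on_connect} ? 'TLS from connect'
                             : 'no TLS on connect (plaintext unless start_tls is called)';
}
```

Run against the value actually configured in RT_SiteConfig.pm before a real import, so that the bind DN and password in $LDAPUser / $LDAPPassword are never sent over an unencrypted connection.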