Re: [rt-users] Error when initializing database with external auth enabled

2016-06-20 Thread Bart Bunting
Shawn,

Thanks for the fix.

I'll rework my configuration once the commit is merged, things in that
department are working ok at the moment and I'm still fighting other
small fires from the transition.

Much appreciate the update and fix though!


Kind regards

Bart

Shawn Moore  writes:

> On May 24, 2016 at 20:27:02, Bart Bunting (bart.bunt...@ursys.com.au) wrote:
>> Hi there,
>
> Hi Bart,
>
>> I may be just missing something but this is failing miserably for me and
>> I am not sure what the correct way to fix it is:
>>  
>> Running rt 4.4.1 rc1 as of today.
>
> I’m glad to hear it. :)
>
>> When I have the external authentication configuration enabled in
>> RT_SiteConfig.pm the
>> initial database import breaks. I think this is because when it tries to
>> add the "root" user it attempts to canonicalize the name from ldap which
>> fails.
>
> You’re exactly right. It’s even trying to canonicalize the RT System and 
> Nobody users too.
>
>> I can work around this by having puppet install one version of 
>> RT_SiteConfig.pm without  
>> external authentication configured, run the database import and then
>> replace it with a version with external auth enabled.
>>  
>> This works, I've tested it.
>>  
>> It just feels terribly ugly and wrong.
>
> Indeed it is, but hey, it works.
>
>> Can anyone suggest what I might be doing wrong here or is this a genuine
>> issue?
>
> It’s a genuine issue. I’ve created an Issues ticket on your behalf:
>
> https://issues.bestpractical.com/Ticket/Display.html?id=32009
>
> I’ve also fixed the underlying issue with the following two commits (the 
> first for RT System and Nobody, the latter for the root user):
>
> https://github.com/bestpractical/rt/commit/86b45ac4e26
> https://github.com/bestpractical/rt/commit/a32c5813bdd
>
> These fixes will be included in RT 4.4.1rc2, but if you want to apply the 
> patches ahead of time, you can get rid of your double SiteConfig hack.
>
>> Kind regards
>> Bart
>
> Thank you for testing the RCs!
> Shawn
> -
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Los Angeles - September, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


Re: [rt-users] Error when initializing database with external auth enabled

2016-06-20 Thread Shawn Moore
On May 24, 2016 at 20:27:02, Bart Bunting (bart.bunt...@ursys.com.au) wrote:
> Hi there,

Hi Bart,

> I may be just missing something but this is failing miserably for me and
> I am not sure what the correct way to fix it is:
>  
> Running rt 4.4.1 rc1 as of today.

I’m glad to hear it. :)

> When I have the external authentication configuration enabled in
> RT_SiteConfig.pm the
> initial database import breaks. I think this is because when it tries to
> add the "root" user it attempts to canonicalize the name from ldap which
> fails.

You’re exactly right. It’s even trying to canonicalize the RT System and Nobody 
users too.

> I can work around this by having puppet install one version of 
> RT_SiteConfig.pm without  
> external authentication configured, run the database import and then
> replace it with a version with external auth enabled.
>  
> This works, I've tested it.
>  
> It just feels terribly ugly and wrong.

Indeed it is, but hey, it works.

> Can anyone suggest what I might be doing wrong here or is this a genuine
> issue?

It’s a genuine issue. I’ve created an Issues ticket on your behalf:

https://issues.bestpractical.com/Ticket/Display.html?id=32009

I’ve also fixed the underlying issue with the following two commits (the first 
for RT System and Nobody, the latter for the root user):

https://github.com/bestpractical/rt/commit/86b45ac4e26
https://github.com/bestpractical/rt/commit/a32c5813bdd

These fixes will be included in RT 4.4.1rc2, but if you want to apply the 
patches ahead of time, you can get rid of your double SiteConfig hack.

> Kind regards
> Bart

Thank you for testing the RCs!
Shawn


Re: [rt-users] Error when initializing database with external auth enabled

2016-05-29 Thread Bart Bunting
Hi Jim,

Sorry for not posting the relevant details.  It is a totally new install
being built to replace our customized version of rt 3.6 :).   Probably
time for an upgrade :).

Here are the configuration details that are to do with authentication.

As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it's
added from initialdata:

use utf8;
#* Authentication
# configure external authentication

#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'xxx',
        'base'            => 'cn=users,cn=accounts,dc=xxx',
        'user'            => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
        'pass'            => 'xxx',
        'filter'          => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

#* Ldapimport Configuration

Set($LDAPBase,'cn=users,cn=accounts,dc=xxx');
Set($LDAPHost,'xxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,cn=etc,dc=xxx');
Set($LDAPPassword,'xxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name         => 'uid', # required
                   EmailAddress => 'mail',
                   RealName     => 'cn',
                   WorkPhone    => 'telephoneNumber',
                   Organization => 'departmentName'});

# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name              => 'cn',
                        Description       => 'description',
                        Member_Attr       => 'member',
                        Member_Attr_Value => 'dn',
                       });

#* Slack Notifier configuration
# All parameters with the exclusion of Proxy are directly passed to the WebService::Slack::IncomingWebHook object




Kind regards
Bart

Jim Brandt  writes:

> To clarify the previous question, if you were using 
> RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have 
> it pulled in as a Plugin, you need to remove it because it is now in 
> core. It's not clear to me if your RT_SiteConfig.pm is from an earlier 
> RT version. If so, you will need to make some updates due to the RT 
> version change:
>
> https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html
>
> On 5/25/16 10:21 PM, Bart Bunting wrote:
>> Peter,
>>
>> Not sure, but this is a new install using rt 4.4.
>>
>>
>>
>> Kind regards
>> Peter Viskup  writes:
>>
>>> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
>>> core since 4.4 version?
>>>
>>> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>>>
>>> --
>>> Peter
>>>
>>> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting  
>>> wrote:

>>>> Hi there,
>>>>
>>>> I may be just missing something but this is failing miserably for me and
>>>> I am not sure what the correct way to fix it is:
>>>>
>>>> Running rt 4.4.1 rc1 as of today.
>>>>
>>>> The situation is I have external authentication working fine using both
>>>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>>>
>>>> I use puppet to provision the machine.
>>>>
>>>> When I have the external authentication configuration enabled in
>>>> RT_SiteConfig.pm the
>>>> initial database import breaks.  I think this is because when it tries to
>>>> add the "root" user it attempts to canonicalize the name from ldap which
>>>> fails.
>>>>
>>>> Here is an example of the run:
>>>>
>>>>   make initialize-database
>>>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database
>>>> --action init --prompt-for-dba-password
>>>> In order to create or update your RT database, this script needs to
>>>> connect to your  mysql instance on localhost (port '') as root
>>>> Please specify that user's database password below. If the user has no
>>>> database
>>>> password, just press return.
>>>>
>>>> Password:
>>>> Working with:
>>>> Type:   mysql
>>>> Host:   localhost
>>>> Port:
>>>> Name:   rt4
>>>> User:   rt
>>>> DBA:root
>>>> Now creating a mysql database rt4 for RT.
>>>> Done.
>>>> Now populating database schema.

Re: [rt-users] Error when initializing database with external auth enabled

2016-05-26 Thread Jim Brandt
To clarify the previous question, if you were using 
RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have 
it pulled in as a Plugin, you need to remove it because it is now in 
core. It's not clear to me if your RT_SiteConfig.pm is from an earlier 
RT version. If so, you will need to make some updates due to the RT 
version change:


https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html

On 5/25/16 10:21 PM, Bart Bunting wrote:

> Peter,
>
> Not sure, but this is a new install using rt 4.4.
>
> Kind regards
> Peter Viskup  writes:
>
>> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
>> core since 4.4 version?
>>
>> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>>
>> --
>> Peter
>>
>> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting  wrote:
>>>
>>> Hi there,
>>>
>>> I may be just missing something but this is failing miserably for me and
>>> I am not sure what the correct way to fix it is:
>>>
>>> Running rt 4.4.1 rc1 as of today.
>>>
>>> The situation is I have external authentication working fine using both
>>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>>
>>> I use puppet to provision the machine.
>>>
>>> When I have the external authentication configuration enabled in
>>> RT_SiteConfig.pm the
>>> initial database import breaks.  I think this is because when it tries to
>>> add the "root" user it attempts to canonicalize the name from ldap which
>>> fails.
>>>
>>> Here is an example of the run:
>>>
>>>   make initialize-database
>>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database
>>> --action init --prompt-for-dba-password
>>> In order to create or update your RT database, this script needs to connect to
>>> your  mysql instance on localhost (port '') as root
>>> Please specify that user's database password below. If the user has no database
>>> password, just press return.
>>>
>>> Password:
>>> Working with:
>>> Type:   mysql
>>> Host:   localhost
>>> Port:
>>> Name:   rt4
>>> User:   rt
>>> DBA:root
>>> Now creating a mysql database rt4 for RT.
>>> Done.
>>> Now populating database schema.
>>> Done.
>>> Now inserting database ACLs.
>>> Done.
>>> Now inserting RT core system objects.
>>> [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine
>>> ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at
>>> /opt/rt_source/sbin/../lib/RT/User.pm line 787.
>>> (/opt/rt_source/sbin/../lib/RT.pm:390)
>>> Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo
>>> called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
>>> Makefile:386: recipe for target 'initialize-database' failed
>>> make: *** [initialize-database] Error 2
>>> root@rt-dev:/opt/rt_source#
>>>
>>> I can work around this by having puppet install one version of RT_SiteConfig.pm
>>> without
>>> external authentication configured, run the database import and then
>>> replace it with a version with external auth enabled.
>>>
>>> This works, I've tested it.
>>>
>>> It just feels terribly ugly and wrong.
>>>
>>> Can anyone suggest what I might be doing wrong here or is this a genuine
>>> issue?
>>>
>>>
>>> Kind regards
>>> Bart
>>> --
>>>
>>> Bart Bunting - URSYS
>>> PH: 02 87452811
>>> Mbl: 0409560005

Bart




Re: [rt-users] Error when initializing database with external auth enabled

2016-05-25 Thread Bart Bunting
Peter,

Not sure, but this is a new install using rt 4.4.



Kind regards
Peter Viskup  writes:

> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
> core since 4.4 version?
>
> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>
> -- 
> Peter
>
> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting  
> wrote:
>>
>> Hi there,
>>
>> I may be just missing something but this is failing miserably for me and
>> I am not sure what the correct way to fix it is:
>>
>> Running rt 4.4.1 rc1 as of today.
>>
>> The situation is I have external authentication working fine using both
>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>
>> I use puppet to provision the machine.
>>
>> When I have the external authentication configuration enabled in
>> RT_SiteConfig.pm the
>> initial database import breaks.  I think this is because when it tries to
>> add the "root" user it attempts to canonicalize the name from ldap which
>> fails.
>>
>> Here is an example of the run:
>>
>>   make initialize-database
>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
>> --action init --prompt-for-dba-password
>> In order to create or update your RT database, this script needs to connect 
>> to your  mysql instance on localhost (port '') as root
>> Please specify that user's database password below. If the user has no 
>> database
>> password, just press return.
>>
>> Password:
>> Working with:
>> Type:   mysql
>> Host:   localhost
>> Port:
>> Name:   rt4
>> User:   rt
>> DBA:root
>> Now creating a mysql database rt4 for RT.
>> Done.
>> Now populating database schema.
>> Done.
>> Now inserting database ACLs.
>> Done.
>> Now inserting RT core system objects.
>> [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine 
>> ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at 
>> /opt/rt_source/sbin/../lib/RT/User.pm line 787. 
>> (/opt/rt_source/sbin/../lib/RT.pm:390)
>> Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo 
>> called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
>> Makefile:386: recipe for target 'initialize-database' failed
>> make: *** [initialize-database] Error 2
>> root@rt-dev:/opt/rt_source#
>>
>> I can work around this by having puppet install one version of 
>> RT_SiteConfig.pm without
>> external authentication configured, run the database import and then
>> replace it with a version with external auth enabled.
>>
>> This works, I've tested it.
>>
>> It just feels terribly ugly and wrong.
>>
>> Can anyone suggest what I might be doing wrong here or is this a genuine
>> issue?
>>
>>
>> Kind regards
>> Bart
>> --
>>
>> Bart Bunting - URSYS
>> PH: 02 87452811
>> Mbl: 0409560005
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


Re: [rt-users] Error when initializing database with external auth enabled

2016-05-25 Thread Peter Viskup
Couldn't this be related to RT::Authen::ExternalAuth migration to RT
core since 4.4 version?

https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html

-- 
Peter

On Wed, May 25, 2016 at 2:26 AM, Bart Bunting  wrote:
>
> Hi there,
>
> I may be just missing something but this is failing miserably for me and
> I am not sure what the correct way to fix it is:
>
> Running rt 4.4.1 rc1 as of today.
>
> The situation is I have external authentication working fine using both
> RT::Authen::ExternalAuth and RT::LDAPImport.
>
> I use puppet to provision the machine.
>
> When I have the external authentication configuration enabled in
> RT_SiteConfig.pm the
> initial database import breaks.  I think this is because when it tries to
> add the "root" user it attempts to canonicalize the name from ldap which
> fails.
>
> Here is an example of the run:
>
>   make initialize-database
> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
> --action init --prompt-for-dba-password
> In order to create or update your RT database, this script needs to connect 
> to your  mysql instance on localhost (port '') as root
> Please specify that user's database password below. If the user has no 
> database
> password, just press return.
>
> Password:
> Working with:
> Type:   mysql
> Host:   localhost
> Port:
> Name:   rt4
> User:   rt
> DBA:root
> Now creating a mysql database rt4 for RT.
> Done.
> Now populating database schema.
> Done.
> Now inserting database ACLs.
> Done.
> Now inserting RT core system objects.
> [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine 
> ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at 
> /opt/rt_source/sbin/../lib/RT/User.pm line 787. 
> (/opt/rt_source/sbin/../lib/RT.pm:390)
> Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo 
> called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
> Makefile:386: recipe for target 'initialize-database' failed
> make: *** [initialize-database] Error 2
> root@rt-dev:/opt/rt_source#
>
> I can work around this by having puppet install one version of 
> RT_SiteConfig.pm without
> external authentication configured, run the database import and then
> replace it with a version with external auth enabled.
>
> This works, I've tested it.
>
> It just feels terribly ugly and wrong.
>
> Can anyone suggest what I might be doing wrong here or is this a genuine
> issue?
>
>
> Kind regards
> Bart
> --
>
> Bart Bunting - URSYS
> PH: 02 87452811
> Mbl: 0409560005


[rt-users] Error when initializing database with external auth enabled

2016-05-24 Thread Bart Bunting

Hi there,

I may be just missing something but this is failing miserably for me and
I am not sure what the correct way to fix it is:

Running rt 4.4.1 rc1 as of today.

The situation is I have external authentication working fine using both
RT::Authen::ExternalAuth and RT::LDAPImport.

I use puppet to provision the machine.

When I have the external authentication configuration enabled in
RT_SiteConfig.pm the
initial database import breaks.  I think this is because when it tries to
add the "root" user it attempts to canonicalize the name from ldap which
fails.

Here is an example of the run:

  make initialize-database
/usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
--action init --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to 
your  mysql instance on localhost (port '') as root
Please specify that user's database password below. If the user has no database
password, just press return.

Password: 
Working with:
Type:   mysql
Host:   localhost
Port:   
Name:   rt4
User:   rt
DBA:root
Now creating a mysql database rt4 for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs.
Done.
Now inserting RT core system objects.
[15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine 
::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at 
/opt/rt_source/sbin/../lib/RT/User.pm line 787. 
(/opt/rt_source/sbin/../lib/RT.pm:390)
Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo 
called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
Makefile:386: recipe for target 'initialize-database' failed
make: *** [initialize-database] Error 2
root@rt-dev:/opt/rt_source# 

I can work around this by having puppet install one version of RT_SiteConfig.pm 
without
external authentication configured, run the database import and then
replace it with a version with external auth enabled.

This works, I've tested it.

It just feels terribly ugly and wrong.

Can anyone suggest what I might be doing wrong here or is this a genuine
issue?


Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005