Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
Hi Kevin,

On 29.01.14 20:08, Kevin Falcone wrote:
> On Fri, Jan 24, 2014 at 07:54:06AM +0100, Gerald Vogt wrote:
>> On 22.01.2014 11:57, Albert Shih wrote:
>>> Because even manually through the web interface I can create a ticket with « requestor » is the second email-address. I got an error.
>>
>> That's the same problem. Considering there is no positive feedback on my question and seeing the source code I am pretty sure this doesn't work and actually never did even though the docs in the ExternalAuth SiteConfig say it would work since 0.10.
>
> Looks like the developer who merged the docs didn't also merge the code needed. You can see more in the ticket I filed.
> https://rt.cpan.org/Public/Bug/Display.html?id=92381
>
> The multiple-emails branch could use more testing, but is not up to date with current master.

Are you sure the current source code of the extension is actually capable of doing this?

I can see in the source code of RT/Interface/Email/Auth/MailFrom.pm that it tries to find the user for the sender e-mail address using LoadByEmail. LoadByEmail only checks the email address in the local database. If it doesn't find it there it tries to create a new user with that email address.

To me it looks as if this extension will never work properly unless it modifies the LoadByEmail function to do an LDAP lookup if not found in the local database. And I don't see any indication anywhere in the multiple-emails branch of the extension to do anything like that.

So I kind of doubt it's just some more testing to get this working...

Gerald
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On Fri, Jan 24, 2014 at 07:54:06AM +0100, Gerald Vogt wrote:
> On 22.01.2014 11:57, Albert Shih wrote:
>> Because even manually through the web interface I can create a ticket with « requestor » is the second email-address. I got an error.
>
> That's the same problem. Considering there is no positive feedback on my question and seeing the source code I am pretty sure this doesn't work and actually never did even though the docs in the ExternalAuth SiteConfig say it would work since 0.10.

Looks like the developer who merged the docs didn't also merge the code needed. You can see more in the ticket I filed.
https://rt.cpan.org/Public/Bug/Display.html?id=92381

The multiple-emails branch could use more testing, but is not up to date with current master.

-kevin
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On 22.01.2014 11:57, Albert Shih wrote:
> Because even manually through the web interface I can create a ticket with « requestor » is the second email-address. I got an error.

That's the same problem. Considering there is no positive feedback on my question and seeing the source code I am pretty sure this doesn't work and actually never did even though the docs in the ExternalAuth SiteConfig say it would work since 0.10.

I guess this is DIY...

O.K. Just I have just noticed a new ticket on cpan: https://rt.cpan.org/Ticket/Display.html?id=92381

So basically, it's not yet supported. I am now trying to figure out what has been implemented on the multiple-emails branch to see if I can get it working...

Gerald
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On 22/01/2014 at 07:49:26+0100, Gerald Vogt wrote:
> I have tested the ExternalAuth module with the suggested configuration of two different attributes for EmailAddress as suggested in the configuration file:
>
> 'attr_map' => { 'Name' => 'uid', 'EmailAddress' => [ 'mail', 'mailAlternateAddress' ],
>
> This won't work at all: the call of postfix to rt-mailgateway fails:
>
> (temporary failure. Command output: RT server error. The RT server which handled your email did not behave as expected. It said: Can't call method as_string on an undefined value at /usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 357. Stack:
> [/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357]
> [/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:655]
> [/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:702]
> [/usr/local/rt4/sbin/../lib/RT/User.pm:143]
> [/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:838]
> [/usr/local/rt4/sbin/../lib/RT/Interface/Email/Auth/MailFrom.pm:178]
> [/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:1531]
> [/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:1345]
> [/usr/local/rt4/share/html/REST/1.0/NoAuth/mail-gateway:61])
>
> This is because it passes the EmailAddress key as array to the function and tries to build the LDAP filter from that which results in a string like this:
>
> ((objectclass=*)(ARRAY(0xacc5d0)=g...@example.com))
>
> And with that the following call to Net::LDAP::Filter->new will fail.
>
> I don't see how this should work with version 0.17 of ExternalAuth and RT4.2.2.

I've the exact same problem here.

For me it's the first time I encounter this problem, I can say if this is a new problem or it's old because we don't have many users with multiple email addresses. Today it's the first time.

So yes I would very much like some solution.

Because even manually through the web interface I can create a ticket with « requestor » is the second email-address. I got an error.

Regards.

JAS
--
Albert SHIH
DIO bâtiment 15
Observatoire de Paris
5 Place Jules Janssen
92195 Meudon Cedex
France
Telephone : +33 1 45 07 76 26/+33 6 86 69 95 71
xmpp: j...@obspm.fr
Local time: mer 22 jan 2014 11:55:09 CET
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
Anyone knows whether this should work? Did see any answers till now...

Is it possible for a user to use more than one sender e-mail address for the same account if all e-mail addresses are in the LDAP directory?

I have found this in the RT_SiteConfig.pm file which comes with the ExternalAuth module:

However, if a user with an existing RT account with EmailAddress set to the C<mail> address, sent mail from C<alias>, it would still match. The user's EmailAddress in RT would remain the primary C<mail> address. This feature is useful for LDAP configurations where users have a primary institutional email address, but might also use aliases from subdomains or other email services. This prevents RT from creating multiple accounts for the same person.

It doesn't clearly say whether e-mails sent from the alias email address would be accepted or not.

Thanks!

Gerald

On 18.01.2014 14:27, Gerald Vogt wrote:
> Hi!
>
> We use the ExternalAuth module to authenticate users against an LDAP directory. Some users have multiple e-mail addresses, i.e. multiple values for the LDAP mail attribute (e.g. g...@example.com and v...@example.com)
>
> Users can send e-mails to the RT server from the e-mail address which made it into the RT MySQL database without problems. (let's say v...@example.com works)
>
> However, if they send from a different e-mail address (i.e. g...@example.com) it fails with error Could not load a valid user.
>
> Documentation mentions it should work if the user has e-mail addresses from different attributes. But it doesn't say anything if there are multiple values for the same attribute.
>
> Browsing through the source code it looks to me as if RT first only checks against its internal database to find out whether a user with the sender address already exists, then tries to create a new user for the address only to find that the user name matching in LDAP to this e-mail address already exists in the internal database.
>
> Is this not possible or am I missing something here?
>
> Thanks!
>
> Logs show this:
>
> Jan 17 13:57:56 rt4 RT: [5002] The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/local/rt4/sbin/../lib/RT/Config.pm:485)
> Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii (/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
> Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii (/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
> Jan 17 13:57:57 rt4 RT: [5007] Converting 'ascii' to 'utf-8' for text/plain - test (/usr/local/rt4/sbin/../lib/RT/I18N.pm:295)
> Jan 17 13:57:57 rt4 RT: [5007] Going to create user with address 'g...@example.com' (/usr/local/rt4/sbin/../lib/RT/Interface/Email/Auth/MailFrom.pm:100)
> Jan 17 13:57:57 rt4 RT: [5007] RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 702 with: Comments: Autocreated on ticket submission, Disabled: , EmailAddress: g...@example.com, Name: g...@example.com, Password: , Privileged: , RealName: (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:599)
> Jan 17 13:57:57 rt4 RT: [5007] Attempting to get user info using this external service: LDAP (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
> Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization key: Name (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
> Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base: ou=people,o=ldap,o=root == Filter: ((objectclass=*)(uid=g...@example.com)) == Attrs: l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
> Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization key: EmailAddress (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
> Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base: ou=people,o=ldap,o=root == Filter: ((objectclass=*)(mail=g...@example.com)) == Attrs: l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
> Jan 17 13:57:57 rt4 RT: [5007] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Comments: Autocreated on ticket submission, Country: , Disabled: , EmailAddress: v...@example.com, ExternalAuthId: vogt, Gecos: Gerald Vogt, Name: vogt, Organization: , Password: , Privileged: , RealName: Gerald Vogt, State: , WorkPhone: , Zip:
> Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On Tue, Jan 21, 2014 at 09:27:50AM +0100, Gerald Vogt wrote:
> Anyone knows whether this should work? Did see any answers till now...

You asked on a Saturday of a holiday weekend.

> Is it possible for a user to use more than one sender e-mail address for the same account if all e-mail addresses are in the LDAP directory?
>
> I have found this in the RT_SiteConfig.pm file which comes with the ExternalAuth module:
>
> However, if a user with an existing RT account with EmailAddress set to the C<mail> address, sent mail from C<alias>, it would still match. The user's EmailAddress in RT would remain the primary C<mail> address. This feature is useful for LDAP configurations where users have a primary institutional email address, but might also use aliases from subdomains or other email services. This prevents RT from creating multiple accounts for the same person.
>
> It doesn't clearly say whether e-mails sent from the alias email address would be accepted or not.

I'm glad you found the example config. The key is the first sentence you quote. RT will look up against alias and treat it as though they sent from their primary email address.

-kevin
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On 21.01.14 20:29, Kevin Falcone wrote:
>> It doesn't clearly say whether e-mails sent from the alias email address would be accepted or not.
>
> I'm glad you found the example config. The key is the first sentence you quote. RT will look up against alias and treat it as though they sent from their primary email address.

Then why doesn't this happen when it has two or more values set for the mail attribute?

When RT receives an e-mail I don't see any access to the LDAP server at first. It searches the sender address in the internal database. Doesn't find it. Then wants to create a new user. And only then it checks against the LDAP database and finds that the user with that uid (which maps to the Name column in the RT database) exists and refuses to create this user.

Why doesn't this work and does this reject e-mails from that sender address?

Thanks!

Gerald
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On Tue, Jan 21, 2014 at 08:49:49PM +0100, Gerald Vogt wrote:
> When RT receives an e-mail I don't see any access to the LDAP server at first. It searches the sender address in the internal database. Doesn't find it. Then wants to create a new user. And only then it checks against the LDAP database and finds that the user with that uid (which maps to the Name column in the RT database) exists and refuses to create this user.
>
> Why doesn't this work and does this reject e-mails from that sender address?

You haven't provided your configuration or debug logs for the condition so any answers would be pure guesses.

-kevin
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
On 21.01.2014, at 21:33, Kevin Falcone falc...@bestpractical.com wrote:
> On Tue, Jan 21, 2014 at 08:49:49PM +0100, Gerald Vogt wrote:
>> When RT receives an e-mail I don't see any access to the LDAP server at first. It searches the sender address in the internal database. Doesn't find it. Then wants to create a new user. And only then it checks against the LDAP database and finds that the user with that uid (which maps to the Name column in the RT database) exists and refuses to create this user.
>>
>> Why doesn't this work and does this reject e-mails from that sender address?
>
> You haven't provided your configuration or debug logs for the condition so any answers would be pure guesses.

That was in my first email and fully quoted in my second.

-Gerald
Re: [rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
I have tested the ExternalAuth module with the suggested configuration of two different attributes for EmailAddress as suggested in the configuration file:

'attr_map' => { 'Name' => 'uid', 'EmailAddress' => [ 'mail', 'mailAlternateAddress' ],

This won't work at all: the call of postfix to rt-mailgateway fails:

(temporary failure. Command output: RT server error. The RT server which handled your email did not behave as expected. It said: Can't call method as_string on an undefined value at /usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 357. Stack:
[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357]
[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:655]
[/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:702]
[/usr/local/rt4/sbin/../lib/RT/User.pm:143]
[/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:838]
[/usr/local/rt4/sbin/../lib/RT/Interface/Email/Auth/MailFrom.pm:178]
[/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:1531]
[/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:1345]
[/usr/local/rt4/share/html/REST/1.0/NoAuth/mail-gateway:61])

This is because it passes the EmailAddress key as array to the function and tries to build the LDAP filter from that which results in a string like this:

((objectclass=*)(ARRAY(0xacc5d0)=g...@example.com))

And with that the following call to Net::LDAP::Filter->new will fail.

I don't see how this should work with version 0.17 of ExternalAuth and RT4.2.2.

Thanks!

Gerald

On 21.01.2014 22:43, Gerald Vogt wrote:
> On 21.01.2014, at 21:33, Kevin Falcone falc...@bestpractical.com wrote:
>> On Tue, Jan 21, 2014 at 08:49:49PM +0100, Gerald Vogt wrote:
>>> When RT receives an e-mail I don't see any access to the LDAP server at first. It searches the sender address in the internal database. Doesn't find it. Then wants to create a new user. And only then it checks against the LDAP database and finds that the user with that uid (which maps to the Name column in the RT database) exists and refuses to create this user.
>>>
>>> Why doesn't this work and does this reject e-mails from that sender address?
>>
>> You haven't provided your configuration or debug logs for the condition so any answers would be pure guesses.
>
> That was in my first email and fully quoted in my second.
>
> -Gerald
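The failure described in the message above (an array reference interpolated as the attribute name of the LDAP filter) next to a filter built with one OR term per mapped attribute, as an added example that is not code from the thread or from RT-Authen-ExternalAuth. The helper names `build_filter` and `escape_filter_value` are hypothetical, the sender addresses are constructed, and the `(&...)` AND wrapper is an assumption; because the sender address comes from the incoming mail, the value is escaped per RFC 4515 before it enters the filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape a value for an LDAP search filter (RFC 4515): NUL, '(', ')',
# '*' and '\' are replaced by a backslash and two hex digits.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\x00()*\\])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Hypothetical helper: build the filter for one attr_map entry.
# $attr is a single LDAP attribute name or an array ref of names.
sub build_filter {
    my ($base, $attr, $value) = @_;
    my @attrs = ref($attr) eq 'ARRAY' ? @$attr : ($attr);
    die "no LDAP attribute mapped\n" unless @attrs;
    for my $name (@attrs) {
        die "unexpected attribute name\n"
            unless defined $name && $name =~ /\A[A-Za-z][A-Za-z0-9;-]*\z/;
    }
    my $escaped = escape_filter_value($value);
    my @terms   = map { '(' . $_ . '=' . $escaped . ')' } @attrs;
    # One attribute: a plain equality test. Several: OR them together.
    my $match = @terms > 1 ? '(|' . join('', @terms) . ')' : $terms[0];
    return '(&' . $base . $match . ')';
}

# Mapping as quoted in the thread.
my %attr_map = (
    'Name'         => 'uid',
    'EmailAddress' => [ 'mail', 'mailAlternateAddress' ],
);
my $base = '(objectclass=*)';    # base filter as shown in the logs

# Constructed sender addresses; the second contains filter metacharacters.
for my $sender ('alias@example.com', 'a*(b)@example.com') {
    # What the thread describes: the array ref is stringified into the filter.
    my $broken = '(&' . $base . '(' . $attr_map{EmailAddress} . '=' . $sender . '))';
    print "interpolated: $broken\n";
    for my $key (qw(Name EmailAddress)) {
        print "$key: ", build_filter($base, $attr_map{$key}, $sender), "\n";
    }
}
```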
[rt-users] RT 4.2.1 - ExternalAuth against LDAP server and users with multiple mail addresses
Hi!

We use the ExternalAuth module to authenticate users against an LDAP directory. Some users have multiple e-mail addresses, i.e. multiple values for the LDAP mail attribute (e.g. g...@example.com and v...@example.com)

Users can send e-mails to the RT server from the e-mail address which made it into the RT MySQL database without problems. (let's say v...@example.com works)

However, if they send from a different e-mail address (i.e. g...@example.com) it fails with error Could not load a valid user.

Documentation mentions it should work if the user has e-mail addresses from different attributes. But it doesn't say anything if there are multiple values for the same attribute.

Browsing through the source code it looks to me as if RT first only checks against its internal database to find out whether a user with the sender address already exists, then tries to create a new user for the address only to find that the user name matching in LDAP to this e-mail address already exists in the internal database.

Is this not possible or am I missing something here?

Thanks!

Logs show this:

Jan 17 13:57:56 rt4 RT: [5002] The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/local/rt4/sbin/../lib/RT/Config.pm:485)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii (/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Encode::Guess guessed encoding: ascii (/usr/local/rt4/sbin/../lib/RT/I18N.pm:595)
Jan 17 13:57:57 rt4 RT: [5007] Converting 'ascii' to 'utf-8' for text/plain - test (/usr/local/rt4/sbin/../lib/RT/I18N.pm:295)
Jan 17 13:57:57 rt4 RT: [5007] Going to create user with address 'g...@example.com' (/usr/local/rt4/sbin/../lib/RT/Interface/Email/Auth/MailFrom.pm:100)
Jan 17 13:57:57 rt4 RT: [5007] RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 702 with: Comments: Autocreated on ticket submission, Disabled: , EmailAddress: g...@example.com, Name: g...@example.com, Password: , Privileged: , RealName: (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:599)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to get user info using this external service: LDAP (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization key: Name (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base: ou=people,o=ldap,o=root == Filter: ((objectclass=*)(uid=g...@example.com)) == Attrs: l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007] Attempting to use this canonicalization key: EmailAddress (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:621)
Jan 17 13:57:57 rt4 RT: [5007] LDAP Search === Base: ou=people,o=ldap,o=root == Filter: ((objectclass=*)(mail=g...@example.com)) == Attrs: l,gecos,st,mail,gecos,co,streetAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/usr/local/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:357)
Jan 17 13:57:57 rt4 RT: [5007] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Comments: Autocreated on ticket submission, Country: , Disabled: , EmailAddress: v...@example.com, ExternalAuthId: vogt, Gecos: Gerald Vogt, Name: vogt, Organization: , Password: , Privileged: , RealName: Gerald Vogt, State: , WorkPhone: , Zip:
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value $Username in concatenation (.) or string at /usr/local/rt4/sbin/../lib/RT/Interface/Email.pm line 849.
Jan 17 13:57:57 rt4 RT: [5007] create new user. username = , emailaddress = g...@example.com (/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:849)
Jan 17 13:57:57 rt4 RT: [5007] Use of uninitialized value in concatenation (.) or string at /usr/local/rt4/sbin/../lib/RT/Interface/Email.pm line 859.
Jan 17 13:57:57 rt4 RT: [5007] loadbyemail got (/usr/local/rt4/sbin/../lib/RT/Interface/Email.pm:859)
Jan 17 13:57:57 rt4 RT: [5007] User could not be created: User creation failed in mailgateway: Name in use
Jan 17 13:57:57 rt4 RT: [5007] Couldn't load user 'g...@example.com'.giving up
Jan 17 13:57:57 rt4 RT: [5007] User could not be loaded: User 'g...@example.com' could not be loaded in the mail gateway
Jan 17 13:57:57 rt4 RT: [5007] Could not load a valid user: RT could not load a valid user, and RT's configuration does not allow#012for the creation of a new user for