LDAPImport succeeds with user LDAP bind but fails with group

 

 



kevin.elliott at alaska

Aug 5, 2013, 10:45 AM


Continuing onwards with my attempt to pull groups and their members from Active Directory into Request Tracker I've made some progress. However, I'm currently stymied - LDAPImport will successfully connect and search for users but when re-using the LDAP connection it fails to connect for the group search.

Here's the debugging information from an rtldapimport run:

Running test import, no data will be changed
Rerun command with --import to perform the import
Rerun command with --debug for more information
connecting to ldap://domaincontroller.alaska.gov
binding as CN=dor-requesttracker,OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov
searching with: base => 'OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov' control => 'Net::LDAP::Control::Paged=HASH(0x524cd80)' filter => '(&(cn = users))'
search found 0 objects
No results found, no import
Testing group import
searching with: base => 'OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov' control => 'Net::LDAP::Control::Paged=HASH(0x86973b8)' filter => '(|(CN=dor-requesttracker-admins)(CN=dor-asd-rt-staff))'
[Mon Aug 5 17:10:47 2013] [error]: LDAP search failed Can't contact LDAP server (/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1237)
LDAP search failed Can't contact LDAP server
search found 0 objects
No results found, no group import
Finished test


Looking at the Perl for LDAPImport.pm shows me that the _run_search method is generating the "LDAP search failed" part of the debugging output. I'm assuming this means that Net::LDAP is generating the "Can't contact LDAP server" from $result->code. I feel this hypothesis is further supported by the fact that a 'grep "contact" LDAPImport.pm' turns up nothing. It looks like Net::LDAP just gets the base and filter and off it goes. I've confirmed that my filter works with ldapsearch.

Is there something different I need to do to get a successful LDAP bind when performing the group import?



---
Kevin Elliott
Networking Specialist II
Alaska Department of Revenue, ASD-IT
(907) 465-2314


presnypreklad at gmail

Aug 5, 2013, 11:20 AM


Hi Kevin,

> I've confirmed
> that my filter works with ldapsearch.

Can you send the working ldapsearch command? Seems suspicious to me
that the initial search for the user comes up empty.


falcone at bestpractical

Aug 5, 2013, 11:26 AM


On Mon, Aug 05, 2013 at 05:45:58PM +0000, Elliott, Kevin C (DOR) wrote:
> [Mon Aug 5 17:10:47 2013] [error]: LDAP search failed Can't contact LDAP server
> (/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1237)
>
> LDAP search failed Can't contact LDAP server
>
> Looking at the perl for LDAPImport.pm shows me that the _run_search method is generating the
> "LDAP search failed" part of the debugging output. I'm assuming this means that Net::LDAP is
> generating the "Can't contact LDAP server" from $result->code. I feel this hypothesis is
> further supported by the fact that a `grep "contact" LDAPImport.pm' turns up nothing. It looks
> like Net::LDAP just gets the base and filter and off it goes. I've confirmed that my filter
> works with ldapsearch.

Correct - those errors come from Net::LDAP->error().
What do the logs on your LDAP server say?

-kevin


kevin.elliott at alaska

Aug 5, 2013, 5:37 PM


Ah! That's it. I forgot to change and test the filter ($LDAPFilter) used for the User import - not enough coffee this morning, I guess. The example used in the documentation is not applicable to Active Directory. Changing it from '(&(cn = users))' to '(&(objectclass=person)(!(objectclass=computer)))' allowed the User import to run successfully followed by the Group Import.

Thanks all!

> -----Original Message-----
> From: rt-users-bounces [at] lists [mailto:rt-users-
> bounces [at] lists] On Behalf Of Nathan Cutler
> Sent: Monday, August 05, 2013 10:20 AM
> To: rt-users [at] lists
> Subject: Re: [rt-users] LDAPImport succeeds with user LDAP bind but fails with
> group
>
> Hi Kevin,
>
> > I've confirmed
> > that my filter works with ldapsearch.
>
> Can you send the working ldapsearch command? Seems suspicious to me
> that the initial search for the user comes up empty.
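
An added example, not part of the thread or of RT-Extension-LDAPImport: a small Python triage of rtldapimport test-run output that reports each search phase in order, so the empty user search is visible ahead of the group-phase error. The sample log is constructed (placeholder host and base DN, filters taken from the thread), and keying on the "Testing group import" line is an assumption based on the output quoted above.

```python
import re

# Constructed sample modelled on the test run quoted in the thread; host and
# base DN are placeholders, the two filters are the ones from the thread.
SAMPLE = """\
connecting to ldap://dc.example.com
searching with: base => 'DC=example,DC=com' control => 'Net::LDAP::Control::Paged=HASH(0x1)' filter => '(&(cn = users))'
search found 0 objects
No results found, no import
Testing group import
searching with: base => 'DC=example,DC=com' control => 'Net::LDAP::Control::Paged=HASH(0x2)' filter => '(|(CN=dor-requesttracker-admins)(CN=dor-asd-rt-staff))'
[Mon Aug 5 17:10:47 2013] [error]: LDAP search failed Can't contact LDAP server (LDAPImport.pm:1237)
LDAP search failed Can't contact LDAP server
search found 0 objects
No results found, no group import
Finished test
"""

SEARCH = re.compile(r"^searching with: .*filter => '(?P<filter>.*)'$")
FOUND = re.compile(r"^search found (\d+) objects$")
FAILED = re.compile(r"^LDAP search failed (.+)$")

def phases(log):
    """Return one dict per search: phase, filter, object count, error text."""
    out, phase = [], "user"
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Testing group import":      # assumed phase marker (test mode)
            phase = "group"
        elif (m := SEARCH.match(line)):
            out.append({"phase": phase, "filter": m["filter"],
                        "found": None, "error": None})
        elif out and (m := FAILED.match(line)):  # un-timestamped copy of the error
            out[-1]["error"] = m[1]
        elif out and (m := FOUND.match(line)):
            out[-1]["found"] = int(m[1])
    return out

def findings(log):
    """List problems in the order they occurred, earliest first."""
    notes = []
    for p in phases(log):
        if p["error"]:
            notes.append(f"{p['phase']}: search error: {p['error']}")
        elif p["found"] == 0:
            notes.append(f"{p['phase']}: filter {p['filter']} matched 0 objects")
    return notes

if __name__ == "__main__":
    for note in findings(SAMPLE):
        print(note)
```
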
