Good day all!

I've set up LDAP integration on a fresh RT 3.6.6 install to authenticate with our Windows 2003 Active Directory, as per http://wiki.bestpractical.com/view/LDAP. It seems to be working quite nicely (including authentication and user record field population), with one exception: enabling group membership checks breaks things.

These are the lines for our LDAP group settings in RT_SiteConfig.pm:

# If you set these, only members of this group can auth via LDAP
Set($LdapGroup, 'cn=RT,ou=ITST,ou=Everyone,dc=domain,dc=tld');
Set($LdapGroupAttr, 'uniqueMember');

The group RT in the OU ITST in the OU Everyone in the AD root definitely exists. It contains users that can log in just fine if those lines are commented out and RT is restarted. When we try to log in with these settings uncommented, the web interface says "Error: Your username or password is incorrect" and we get these lines in the debug logs:

Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeUserInfo called by RT::User /var/www/rt/local/lib/RT/User_Local.pm 628 with: Name: rttestuser
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "sAMAccountName=rttestuser" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 404
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeEmailAddress : called with "rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 413
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "mail=rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 343
Feb 29 12:32:26 stilgar RT: FOUND OK
Feb 29 12:32:26 stilgar RT: UPDATED user rttestuser from LDAP
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeUserInfo called by RT::User /var/www/rt/local/lib/RT/User_Local.pm 628 with: Name: rttestuser
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "sAMAccountName=rttestuser" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 404
Feb 29 12:32:26 stilgar RT: RT::User::CanonicalizeEmailAddress : called with "rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 413
Feb 29 12:32:26 stilgar RT: RT::User::LookupExternalUserInfo called with baseDN "dc=domain,dc=tld" and filter "mail=rttestuser@domain.tld" by RT::User /var/www/rt/local/lib/RT/User_Local.pm 343
Feb 29 12:32:26 stilgar RT: FOUND OK
Feb 29 12:32:26 stilgar RT: UPDATED user rttestuser from LDAP
Feb 29 12:32:26 stilgar RT: Trying LDAP authentication
Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword Found LDAP DN: CN=rttestuser,OU=ITST,OU=Everyone,DC=domain,dc=tld
Feb 29 12:32:26 stilgar RT: RT::User::IsLDAPPassword AUTH FAILED: rttestuser

Additional LDAP settings in RT_SiteConfig.pm:

Set($LdapServer, 'dc.domain.tld');
Set($LdapBase, 'dc=domain,dc=tld');
Set($LdapFilter, '(objectclass=*)');
Set($LdapUser, 'cn=ldapuser,ou=ITST,ou=Everyone,dc=domain,dc=tld');
Set($LdapPass, 'passwordgoeshere');

I've been banging my head against the wall on this for a while and am starting to run out of ideas. If any of you fine folks can offer a suggestion, it would be highly appreciated :)

-Matt