<div dir="ltr"><div>Review some of your LDAP settings. I think you have CN and DN in places where you may want OU, and your LDAP user should be in a different format, see below.</div><div><br></div><div>Hopefully this helps.</div><div><br></div><div>Use mine (working, also cleaned) as an example:</div><div><br></div><div><pre>Set($ExternalSettings, {
    'My_LDAP'      =>  {
        'type'         =>  'ldap',
        'server'       =>  'ldap://domain_name.com',
        'user'         =>  'domain_name\ldapreader',
        'pass'         =>  'ldapreader_password',
        'base'         =>  'ou=users,ou=services,dc=domain_name,dc=com',
        'filter'       =>  '(objectClass=person)',
        'tls'          =>  0,

        'attr_match_list' => [
            'Name',
            'EmailAddress',
            'RealName',
        ],

        'attr_map'     => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'department',
            'RealName'       => 'cn',
            'NickName'       => 'givenName',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'MobilePhone'    => 'mobile',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});</pre></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 24, 2015 at 9:35 AM, Guillaume Hilt <span dir="ltr">&lt;<a href="mailto:ghilt@shadowprojects.org" target="_blank">ghilt@shadowprojects.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No one is using LDAPS with Request Tracker?<br>
<br>
  Guillaume Hilt<br>
<br>
On 18/02/2015 15:43, Guillaume Hilt wrote:<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb packages.<br>
<br>
I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.<br>
I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.<br>
<br>
I followed a previous discussion on this matter here: <a href="http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html" target="_blank">http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html</a><br>
I'm facing the same issue.<br>
<br>
$ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs<br>
Return Verify return code: 21 (unable to verify the first certificate)<br>
<br>
$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem<br>
/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK<br>
<br>
Running LDP.exe on the domain controllers running in SSL mode works fine.<br>
<br>
<br>
RT's log gives the following:<br>
<br>
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1<br>
<br>
<br>
An ldapsearch gives me this (snipped hex code):<br>
<br>
ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )<br>
tls_write: want=117, written=117<br>
tls_read: want=3422, got=1443<br>
tls_read: want=1979, got=1448<br>
tls_read: want=531, got=531<br>
tls_write: want=12, written=12<br>
tls_write: want=267, written=267<br>
tls_write: want=6, written=6<br>
tls_write: want=117, written=117<br>
tls_read: want=5, got=5<br>
tls_read: want=1, got=1<br>
tls_read: want=5, got=5<br>
tls_read: want=80, got=80<br>
TLS: can't connect: (unknown error code).<br>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
<br>
<br>
Here's my configuration:<br>
<br>
        'AD_LAN' => {<br>
                'type'                      =>  'ldap',<br>
                'server'                    => 'srv2.lan.domain.com',<br>
                'user'                      => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',<br>
                'pass'                      =>  'XXXXXXX',<br>
<br>
                'base'                      => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',<br>
                'filter'                    => '(&(objectClass=organizationalPerson)(mail=*))',<br>
                'd_filter'                  => '(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
<br>
                'group'                     =>  '',<br>
                'group_attr'                =>  '',<br>
<br>
                'tls'                       =>  0,<br>
                'ssl_version'               =>  3,<br>
                'net_ldap_args'             =>  [ version => 3, port => 636, debug => 8 ],<br>
<br>
                'attr_match_list' => [<br>
                        'Name',<br>
                        'EmailAddress',<br>
                ],<br>
                'attr_map' => {<br>
                        'Name' => 'sAMAccountName',<br>
                        'EmailAddress' => 'mail',<br>
                        'Organization' => 'physicalDeliveryOfficeName',<br>
                        'RealName' => 'cn',<br>
                        'ExternalAuthId' => 'sAMAccountName',<br>
                        'Gecos' => 'sAMAccountName',<br>
                        'WorkPhone' => 'telephoneNumber',<br>
                        'Address1' => 'streetAddress',<br>
                        'City' => 'l',<br>
                        'State' => 'st',<br>
                        'Zip' => 'postalCode',<br>
                        'Country' => 'co'<br>
                },<br>
        },<br>
<br>
<br>
Setting tls to 1 gives me this different error:<br>
<br>
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81<br>
<br>
<br>
Regards,<br>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div>
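<div><p>Added example, not from the thread and not RT's own code: a small Net::LDAP script that performs the connect, bind and search that RT::Authen::ExternalAuth runs through the same module, so that a certificate-verification failure on the LDAPS side shows up separately from a wrong bind user, password or base DN. The host, CA file, bind account and base are placeholders modelled on the values quoted in the thread; the LDAP_PASSWORD environment variable and the jdoe test account are assumptions.</p></div>

```perl
#!/usr/bin/perl
# Added diagnostic (not from the thread, not RT code): performs the connect,
# bind and search that RT::Authen::ExternalAuth runs through Net::LDAP, so a
# certificate-verification failure is reported separately from a bad bind DN,
# password or search base. All names below are placeholders; adjust to your site.
use strict;
use warnings;
use Net::LDAP;

my $host    = 'srv2.lan.domain.com';                           # placeholder host
my $cafile  = '/etc/ssl/certs/srv2.lan.domain.com_ca.pem';     # CA that signed the DC cert
my $bind_dn = 'domain_name\ldapreader';                        # DOMAIN\user form, accepted by AD
my $bind_pw = $ENV{LDAP_PASSWORD}                              # assumption: password via env,
    // die "set LDAP_PASSWORD in the environment\n";           # never hard-coded in the script
my $base    = 'ou=users,dc=lan,dc=domain,dc=com';              # placeholder search base (OU, not CN)
my $filter  = '(&(objectClass=person)(sAMAccountName=jdoe))';  # assumption: a known test account

# Pick one transport. LDAPS = TLS from the first byte on port 636 (ldaps:// scheme).
# STARTTLS = plain connection on port 389 upgraded with start_tls(). Calling
# start_tls() on an ldaps:// socket, or speaking plain LDAP to port 636, both
# fail at bind time; the two errors quoted in the thread are consistent with that.
my $mode = $ARGV[0] // 'ldaps';

# Refuse any server certificate that does not chain to our CA file.
my %tls = (verify => 'require', cafile => $cafile);

my $ldap;
if ($mode eq 'ldaps') {
    $ldap = Net::LDAP->new("ldaps://$host", port => 636, version => 3, timeout => 10, %tls)
        or die "LDAPS connect/verify failed: $@\n";
} else {
    $ldap = Net::LDAP->new("ldap://$host", port => 389, version => 3, timeout => 10)
        or die "LDAP connect failed: $@\n";
    my $r = $ldap->start_tls(%tls);
    die "STARTTLS failed: " . $r->error . "\n" if $r->code;
}
print "transport OK ($mode), server certificate verified against $cafile\n";

# Simple bind with the read-only service account RT would use.
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die sprintf("bind failed: %s (code %d)\n", $mesg->error, $mesg->code) if $mesg->code;
print "bind OK as $bind_dn\n";

# Same kind of lookup RT does when matching a login against the directory.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => $filter,
    attrs  => [qw(sAMAccountName mail cn)],
);
die sprintf("search failed: %s (code %d)\n", $mesg->error, $mesg->code) if $mesg->code;

printf "%d entries under %s\n", $mesg->count, $base;
for my $e ($mesg->entries) {
    printf "  %s | %s | %s\n", $e->dn,
        $e->get_value('sAMAccountName') // '-',
        $e->get_value('mail')           // '-';
}
$ldap->unbind;
```

<div><p>Run it as <code>LDAP_PASSWORD=... perl ldapcheck.pl ldaps</code> (or <code>starttls</code>). Two checks worth doing before blaming RT: <code>openssl s_client -CApath</code> only finds a CA whose file is named by its subject hash (what <code>c_rehash</code> or Ubuntu's <code>update-ca-certificates</code> produce), so a PEM simply copied into /etc/ssl/certs is not consulted and s_client reports verify code 21 even though <code>openssl verify -CAfile</code> on the same file says OK; pass <code>-CAfile</code> to s_client or install the CA properly and expect <code>Verify return code: 0 (ok)</code> first. Once the script binds and searches cleanly, the same <code>verify</code>/<code>cafile</code> pair belongs in the config's <code>net_ldap_args</code>, which are the options RT hands to <code>Net::LDAP-&gt;new</code>, with the server given as an <code>ldaps://</code> URL and <code>tls</code> left at 0.</p></div>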