<div dir="ltr"><div>Review some of your LDAP settings. I think you have CN and DN in places where you may want OU, and your LDAP user should be in a different format; see below.</div><div><br></div><div>Hopefully this helps.</div><div><br></div><div>Use mine (working, also cleaned up) as an example:</div><div><br></div><div><pre class="" style="font-size:12px;line-height:16.7999992370605px;color:rgb(51,51,51);font-family:Consolas,'Liberation Mono',Menlo,Courier,monospace!important;padding:0px!important;margin-top:0px!important;margin-bottom:0px!important;border:0px!important;background-image:initial!important;background-repeat:initial!important"><div class="" id="file-rt_siteconfig-pm-LC106">Set(<span class="">$ExternalSettings</span>, {
</div><div class="" id="file-rt_siteconfig-pm-LC107"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>My_LDAP<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> {
</div><div class="" id="file-rt_siteconfig-pm-LC108"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>type<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>ldap<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC109"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>server<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>ldap://<a href="http://domain_name.com">domain_name.com</a><span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC110"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>user<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>domain_name\ldapreader<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC111"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>pass<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>ldapreader_password<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC112"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>base<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>ou=users,ou=services,dc=domain_name,dc=com<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC113"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>filter<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>(objectClass=person)<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC114"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>tls<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> 0,
</div><div class="" id="file-rt_siteconfig-pm-LC115">
</div><div class="" id="file-rt_siteconfig-pm-LC116"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>attr_match_list<span class="">'</span></span><span class="" style="color:rgb(167,29,93)"> =></span> [
</div><div class="" id="file-rt_siteconfig-pm-LC117"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Name<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC118"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>EmailAddress<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC119"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>RealName<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC120"> ],
</div><div class="" id="file-rt_siteconfig-pm-LC121">
</div><div class="" id="file-rt_siteconfig-pm-LC122"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>attr_map<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> {
</div><div class="" id="file-rt_siteconfig-pm-LC123"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Name<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>sAMAccountName<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC124"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>EmailAddress<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>mail<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC125"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Organization<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>department<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC126"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>RealName<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>cn<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC127"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>NickName<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>givenName<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC128"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>ExternalAuthId<span class="">'</span></span>=> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>sAMAccountName<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC129"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Gecos<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>sAMAccountName<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC130"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>WorkPhone<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>telephoneNumber<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC131"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>MobilePhone<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>mobile<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC132"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Address1<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>streetAddress<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC133"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>City<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>l<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC134"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>State<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>st<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC135"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Zip<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>postalCode<span class="">'</span></span>,
</div><div class="" id="file-rt_siteconfig-pm-LC136"> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>Country<span class="">'</span></span> <span class="" style="color:rgb(167,29,93)"> =></span> <span class="" style="color:rgb(223,80,0)"><span class="">'</span>co<span class="">'</span></span>
</div><div class="" id="file-rt_siteconfig-pm-LC137"> },
</div><div class="" id="file-rt_siteconfig-pm-LC138"> },</div></pre></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 24, 2015 at 9:35 AM, Guillaume Hilt <span dir="ltr"><<a href="mailto:ghilt@shadowprojects.org" target="_blank">ghilt@shadowprojects.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No one is using LDAPS with Request Tracker ?<br>
<br>
Guillaume Hilt<br>
<br>
On 18/02/2015 15:43, Guillaume Hilt wrote:<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb packages.<br>
<br>
I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.<br>
I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.<br>
<br>
I followed a previous discussion on this matter here: <a href="http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html" target="_blank">http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html</a><br>
I'm facing the same issue.<br>
<br>
$ openssl s_client -connect <a href="http://srv2.lan.domain.com:636" target="_blank">srv2.lan.domain.com:636</a> -CApath /etc/ssl/certs<br>
Return Verify return code: 21 (unable to verify the first certificate)<br>
<br>
$ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem<br>
/etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK<br>
<br>
Running LDP.exe on the domain controllers running in SSL mode works fine.<br>
<br>
<br>
RT's log gives the following:<br>
<br>
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1<br>
<br>
<br>
An ldapsearch gives me this (snipped hex code):<br>
<br>
ldap_initialize( ldaps://<a href="http://srv2.lan.domain.com:636/??base" target="_blank">srv2.lan.domain.com:636/??base</a> )<br>
tls_write: want=117, written=117<br>
tls_read: want=3422, got=1443<br>
tls_read: want=1979, got=1448<br>
tls_read: want=531, got=531<br>
tls_write: want=12, written=12<br>
tls_write: want=267, written=267<br>
tls_write: want=6, written=6<br>
tls_write: want=117, written=117<br>
tls_read: want=5, got=5<br>
tls_read: want=1, got=1<br>
tls_read: want=5, got=5<br>
tls_read: want=80, got=80<br>
TLS: can't connect: (unknown error code).<br>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
<br>
<br>
Here's my configuration:<br>
<br>
'AD_LAN' => {<br>
'type' => 'ldap',<br>
'server' => '<a href="http://srv2.lan.domain.com" target="_blank">srv2.lan.domain.com</a>',<br>
'user' => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',<br>
'pass' => 'XXXXXXX',<br>
<br>
'base' => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',<br>
'filter' => '(&(objectClass=organizationalPerson)(mail=*))',<br>
'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
<br>
'group' => '',<br>
'group_attr' => '',<br>
<br>
'tls' => 0,<br>
'ssl_version' => 3,<br>
'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],<br>
<br>
'attr_match_list' => [<br>
'Name',<br>
'EmailAddress',<br>
],<br>
'attr_map' => {<br>
'Name' => 'sAMAccountName',<br>
'EmailAddress' => 'mail',<br>
'Organization' => 'physicalDeliveryOfficeName',<br>
'RealName' => 'cn',<br>
'ExternalAuthId' => 'sAMAccountName',<br>
'Gecos' => 'sAMAccountName',<br>
'WorkPhone' => 'telephoneNumber',<br>
'Address1' => 'streetAddress',<br>
'City' => 'l',<br>
'State' => 'st',<br>
'Zip' => 'postalCode',<br>
'Country' => 'co'<br>
},<br>
},<br>
<br>
<br>
Setting tls to 1 gives me this different error:<br>
<br>
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81<br>
<br>
<br>
Regards,<br>
<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div>
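To separate the TLS problem from RT's own ExternalAuth configuration, here is an added stand-alone Net::LDAP check (not code from the thread or from RT) that performs an LDAPS bind with certificate verification forced on against the CA file named above. It reuses the hostname, bind DN, base and filter quoted in the thread; the LDAP_BIND_PW environment variable for the password is my assumption.

```perl
# Added illustration, not RT or thread code: LDAPS bind with Net::LDAP,
# forcing certificate verification against a known CA file.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);
# Values quoted in the thread; adjust for your environment.
my $host    = 'srv2.lan.domain.com';
my $cafile  = '/etc/ssl/certs/srv2.lan.domain.com_ca.pem';
my $bind_dn = 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com';
my $base    = 'CN=Utilisateurs,DC=lan,DC=domain,DC=com';
my $filter  = '(&(objectClass=organizationalPerson)(mail=*))';

# Assumption: the bind password comes from the environment, not the script.
my $password = $ENV{LDAP_BIND_PW}
    or die "Set LDAP_BIND_PW to the bind account password\n";
# verify => 'require' fails closed when the server certificate does not
# chain to $cafile; setting it explicitly avoids relying on library defaults.
my $ldap = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
) or die "LDAPS connect failed: $@\n";    # $@ carries the TLS error text

# Show which CA actually signed the certificate the DC presented.
printf "Server certificate issuer: %s\n", $ldap->socket->peer_certificate('issuer');
my $mesg = $ldap->bind($bind_dn, password => $password);
die sprintf("Bind failed: %s (code %d)\n", $mesg->error, $mesg->code)
    if $mesg->code;

# A small search confirms the bind account can read the base RT will use;
# hitting the size limit is expected and is not treated as a failure.
$mesg = $ldap->search(
    base      => $base,
    scope     => 'sub',
    filter    => $filter,
    attrs     => [qw(sAMAccountName mail)],
    sizelimit => 5,
);
die "Search failed: " . $mesg->error . "\n"
    if $mesg->code && $mesg->code != LDAP_SIZELIMIT_EXCEEDED;

for my $entry ($mesg->entries) {
    printf "%s <%s>\n", $entry->get_value('sAMAccountName') // '',
        $entry->get_value('mail') // '';
}
$ldap->unbind;
```

If this script fails at the connect step with a verification error while openssl verify -CAfile succeeds on the same files, the problem lies in how the CA is located at connection time rather than in the certificate itself.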