<div dir="ltr"><div>I'm hoping a second (or more) set of eyes can help me out here.</div><div><br></div>I upgraded from 4.2.12 to 4.4.0 and somehow broke LDAP authentication. For background, this particular installation went live 10 years ago and has been carried over (mostly flawlessly, I might add) from version to version over those 10 years; I try to stay on the most recent stable version. <div><br></div><div>Things I have done to test so far:</div><div><br></div><div>1) Tested with my existing config carried over from the working 4.2.12 install -- NO GOOD</div><div><br></div><div>2) I changed my settings to exactly what is in the documentation -- NO GOOD</div><div><br></div><div>3) I installed ldap-utils and tested my filters with success. I'm sure they work. I have also confirmed that my LDAP user is binding correctly and can pull permissions. </div><div><br></div><div>Interestingly, I have the exact same settings on LDAPImport and it **IS** working correctly. </div><div><br></div><div><br></div><div>The frustrating thing is that, even with debugging turned on (logging to syslog), I can get no detailed error message on LDAP under either syslog or the Apache log. All I get is the following message:</div><div><br></div><div>-------</div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Feb 9 23:00:15 rt RT: [21718] FAILED LOGIN for andersjp from 172.28.160.152</p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">-----</p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Internal auth is working. Here is my LDAP config. Any ideas? Happy to provide any troubleshooting info I have. 
</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Also, for what it's worth, the odd-looking LDAP filter is a way to filter out some unwanted data and has been working for years. I also attempted adding the '(&(...' to the beginning of the filters (which LDAP Auth seems to infer automatically for some reason). Again, still wouldn't work. </p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">-----</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $ExternalAuthPriority,['LDAP_DIR3']);</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $ExternalInfoPriority,['LDAP_DIR3']);</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $ExternalServiceUsesSSLorTLS, 0);</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $AutoCreateNonExternalUsers, 1);</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set($ExternalSettings, {</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'LDAP_DIR3' => {</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'type' => 'ldap',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'server' => 'dir3.sch.ad',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'user' => 'ldapbind@sch.ad',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'pass' => '*censored*',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'base' => 'dc=sch,dc=ad',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> # YOU **MUST** SPECIFY A filter AND A d_filter!!</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> # The filter to use to match RT-Users</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'filter' => '(mail=*)(sAMAccountType=805306368)',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> #'filter' => '(objectClass=*)',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> # The filter that will only match disabled users</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'd_filter' => '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> #'tls' => 0,</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> #'ssl_version' => 3,</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'net_ldap_args' => [ version => 3 ],</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> #'group' => 'GROUP',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> #'group_attr' => 'GROUP_ATTR',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'attr_match_list' => [ 'Name',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'EmailAddress'</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> ],</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> # The mapping of RT attributes on to LDAP attributes</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'attr_map' => { 'Name' => 'sAMAccountName',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'EmailAddress' => 'mail',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'Organization' => 'company',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'RealName' => 'cn',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'WorkPhone' => 'telephoneNumber',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'MobilePhone' => 'mobile',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> }</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">}</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">
</p><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">);</p></div><div><br></div><div><br></div><div>For some added information, here is the WORKING LDAPImport config:</div><div><br></div><div>------</div><div><br></div><div><p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">## LDAPImport Settings</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPHost, 'dir3.sch.ad' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPUser, 'ldapbind@sch.ad' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPPassword, '*censored*' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPBase, 'ou=SCH Users,dc=sch,dc=ad' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPFilter, '(&(mail=*)(sAMAccountType=805306368))' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPDisabledFilter, '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPSkipAutogeneratedGroup, 1 );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPUpdateUsers, 1 );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"># Get groups from LDAP too</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPGroupBase, 'ou=SCH Groups,dc=sch,dc=ad' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPGroupFilter, '(objectClass=group)' );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPGroupMapping, { Name => 'cn',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> Member_Attr => 'member',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> Member_Attr_Value => 'dn'</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">} );</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">Set( $LDAPMapping,</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">{ </p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'Name' => 'sAMAccountName',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'EmailAddress' => 'mail',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'Organization' => 'company',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'UserCF.Department' => 'department',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'RealName' => 'cn',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'WorkPhone' => 'telephoneNumber',</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"> 'MobilePhone' => 'mobile'</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">}</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">);</p></div><div><br></div><div><br></div><div><br></div><div>I'd be grateful for any ideas or pointers! </div><div><br></div><div>Thank you,</div><div><br></div><div>John </div></div>
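<p>As an added troubleshooting example (not part of John's post and not RT's own code): the script below uses the same ldap-utils tools the post mentions to replay, one step at a time, what RT's LDAP external auth has to do for a login to succeed: a service bind and a search for the user's entry with the configured <code>filter</code>, a bind as that entry with the user's own password, and then the <code>d_filter</code> check. It takes as an assumption what the post describes, namely that RT composes its search filter as <code>(&amp;&lt;filter&gt;(&lt;Name attribute&gt;=&lt;login&gt;))</code>, which is also why two sibling expressions such as <code>(mail=*)(sAMAccountType=805306368)</code> are accepted although they are not a single filter on their own. It reuses the host, bind account, base and filters from the posted config; the bind password is read from the <code>LDAP_BIND_PW</code> environment variable, and the helper names <code>rt_user_filter</code>, <code>ldap_filter_is_single</code> and <code>rt_ldap_probe</code> are invented for this script.</p>

```shell
#!/bin/sh
# Added example: not from the original post and not RT's own code.
# Replays with ldap-utils the steps RT's LDAP external auth performs at
# login, using the values from the posted RT_SiteConfig.pm. Assumptions:
#   - RT composes its search filter as (&<filter>(<Name attr>=<login>)),
#     the "(&" the post says LDAP Auth infers automatically.
#   - Host, bind account, base and filters are the posted ones; the bind
#     password comes from the LDAP_BIND_PW environment variable.
#   - rt_user_filter, ldap_filter_is_single and rt_ldap_probe are names
#     invented for this script.

HOST='dir3.sch.ad'
BIND_DN='ldapbind@sch.ad'
BIND_PW="${LDAP_BIND_PW:-changeme}"
BASE='dc=sch,dc=ad'
NAME_ATTR='sAMAccountName'
FILTER='(mail=*)(sAMAccountType=805306368)'
D_FILTER='(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)'

# Escape a value for use inside an LDAP filter (RFC 4515):
# backslash, *, ( and ) become \5c, \2a, \28 and \29. Backslash goes first.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# rt_user_filter <configured filter> <name attribute> <login name>
# Wraps the configured filter the way RT does before searching.
rt_user_filter() {
  printf '(&%s(%s=%s))' "$1" "$2" "$(ldap_escape "$3")"
}

# Exit 0 if the argument is exactly one balanced parenthesised expression,
# i.e. something ldapsearch accepts on its own. The posted 'filter' is two
# sibling expressions and fails; the rt_user_filter form passes.
ldap_filter_is_single() {
  printf '%s' "$1" | awk '
    BEGIN { depth = 0; tops = 0; ok = 1 }
    {
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c == "(")      { if (depth == 0) tops++; depth++ }
        else if (c == ")") { depth--; if (depth < 0) ok = 0 }
        else if (depth == 0) ok = 0   # text outside any parentheses
      }
    }
    END { exit !(ok && depth == 0 && tops == 1) }'
}

# rt_ldap_probe <login name> <user password>
# Runs the three login steps against the directory and reports the first
# one that fails (needs ldapsearch/ldapwhoami and network access).
rt_ldap_probe() {
  user=$1; pw=$2
  uf=$(rt_user_filter "$FILTER" "$NAME_ATTR" "$user")
  echo "1) bind as $BIND_DN and search $BASE with $uf"
  out=$(ldapsearch -LLL -x -H "ldap://$HOST" -D "$BIND_DN" -w "$BIND_PW" \
          -b "$BASE" "$uf" dn) \
    || { echo "   search failed: service bind rejected or filter invalid"; return 1; }
  dn=$(printf '%s\n' "$out" | sed -n 's/^dn: //p')   # base64 "dn::" lines are not handled
  n=$(printf '%s\n' "$dn" | awk 'NF { n++ } END { print n + 0 }')
  [ "$n" -eq 1 ] || { echo "   expected exactly one entry, got $n"; return 2; }
  echo "   found $dn"
  echo "2) bind as that DN with the user's password"
  ldapwhoami -x -H "ldap://$HOST" -D "$dn" -w "$pw" >/dev/null \
    || { echo "   user bind failed: wrong password or account locked"; return 3; }
  df=$(rt_user_filter "$D_FILTER" "$NAME_ATTR" "$user")
  echo "3) disabled check with $df"
  if ldapsearch -LLL -x -H "ldap://$HOST" -D "$BIND_DN" -w "$BIND_PW" \
       -b "$BASE" "$df" dn | grep -q '^dn: '; then
    echo "   entry matches d_filter: account is disabled"; return 4
  fi
  echo "OK: $user passes all three steps"
}

# Example run (commented out so the file can be sourced without network access):
# rt_ldap_probe andersjp 'the-user-password'
```

<p>Running <code>rt_ldap_probe andersjp</code> with that user's password from the RT host shows which of the three steps fails, which is exactly the detail the bare <code>FAILED LOGIN</code> syslog line does not give; a failure at step 1 points at the service bind or the composed filter, at step 2 at the user's password, and at step 3 at the <code>d_filter</code>. Note that with <code>$ExternalServiceUsesSSLorTLS</code> set to 0 both this probe and RT itself send the bind passwords over the network in clear text, so keep the probe on the RT host and treat enabling TLS as the next change once logins work again.</p>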