<div dir="ltr">Oh man!  Thanks for that catch!  I see now that Shawn told me exactly that and I saw what I expected to see instead.  <div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 10, 2016 at 9:55 PM, Julian De Marchi <span dir="ltr"><<a href="mailto:jdemarchi@pivit.com.au" target="_blank">jdemarchi@pivit.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Set( $WebExternalAuth, 1 ); to Set( $ExternalAuth, 1 );<br>
<div><div class="h5">> On 11 Feb 2016, at 3:44 PM, John Andersen <<a href="mailto:john@yvig.com">john@yvig.com</a>> wrote:<br>
><br>
> One more thing I should note is that I'm quite sure there is not even an attempt to talk to the LDAP (Active Directory) server.  I log all auth attempts to the domain controllers and no attempts are showing in the logs.   I don't believe the requests are ever leaving the RT server.<br>
><br>
><br>
><br>
> On Wed, Feb 10, 2016 at 9:27 PM, John Andersen <<a href="mailto:john@yvig.com">john@yvig.com</a>> wrote:<br>
> Sorry, forgot to include the relevant part of the config.  Here it is again:<br>
><br>
> Set( $WebExternalAuth, 1 );<br>
> Set( $ExternalAuthPriority,['LDAP_DIR3']);<br>
> Set( $ExternalInfoPriority,['LDAP_DIR3']);<br>
> Set( $ExternalServiceUsesSSLorTLS, 0);<br>
> Set( $AutoCreateNonExternalUsers, 1);<br>
><br>
> Set($ExternalSettings,      {<br>
>         'LDAP_DIR3'       =>  {<br>
><br>
>                 'type'          =>  'ldap',<br>
>                 'server'        =>  '<a href="http://dir3.sch.ad" rel="noreferrer" target="_blank">dir3.sch.ad</a>',<br>
>                 'user'          => '<a href="mailto:ldapbind@sch.ad">ldapbind@sch.ad</a>',<br>
>                 'pass'          =>  '**********',<br>
>                 'base'          =>  'dc=sch,dc=ad',<br>
><br>
><br>
>                 'filter'   =>  '(mail=*)(sAMAccountType=805306368)',<br>
>                 'd_filter' =>  '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
><br>
>                 'tls'                       =>  0,<br>
>                 'ssl_version'               =>  3,<br>
>                 'net_ldap_args'             => [    version =>  3   ],<br>
>                 #'group'                     =>  'GROUP',<br>
>                 #'group_attr'                =>  'GROUP_ATTR',<br>
><br>
>                 'attr_match_list'       => [    'Name',<br>
>                                                 'EmailAddress'<br>
>                 ],<br>
><br>
>                 # The mapping of RT attributes on to LDAP attributes<br>
>                 'attr_map'      =>  {   'Name' => 'sAMAccountName',<br>
>                                         'EmailAddress' => 'mail',<br>
>                                         'Organization' => 'company',<br>
>                                         'RealName' => 'cn',<br>
>                                         'WorkPhone' => 'telephoneNumber',<br>
>                                         'MobilePhone' => 'mobile',<br>
>                 }<br>
>         }<br>
> }<br>
> );<br>
><br>
><br>
> On Wed, Feb 10, 2016 at 9:07 PM, John Andersen <<a href="mailto:john@yvig.com">john@yvig.com</a>> wrote:<br>
> Thank you for the response Shawn.   I had rolled back to 4.2.12 but I threw up a test server based on my current production server and ran through the upgrade again, this time with your suggestion.  Same result.   What is maddening is that there don't seem to be any errors or anything.  Other than telling me "FAILED LOGIN" I can't find anything in the logs that would point me in the right direction.   In syslog I simply get:<br>
><br>
><br>
> Feb 10 21:02:27 rt RT: [5018] FAILED LOGIN for andersjp from 70.199.131.228<br>
><br>
><br>
><br>
> My LDAP config now looks like this:<br>
> ---------<br>
><br>
> Set($ExternalSettings,      {   # SCH LDAP Settings<br>
>         'LDAP_DIR3'       =>  {   ## GENERIC SECTION<br>
><br>
>                 'type'          =>  'ldap',<br>
>                 'server'        =>  '<a href="http://dir3.sch.ad" rel="noreferrer" target="_blank">dir3.sch.ad</a>',<br>
>                 'user'          => '<a href="mailto:ldapbind@sch.ad">ldapbind@sch.ad</a>',<br>
>                 'pass'          =>  '********',<br>
>                 'base'          =>  'dc=sch,dc=ad',<br>
><br>
><br>
>                 'filter'   =>  '(mail=*)(sAMAccountType=805306368)',<br>
>                 'd_filter' =>  '(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)',<br>
><br>
>                 'tls'                       =>  0,<br>
>                 'ssl_version'               =>  3,<br>
>                 'net_ldap_args'             => [    version =>  3   ],<br>
>                 #'group'                     =>  'GROUP',<br>
>                 #'group_attr'                =>  'GROUP_ATTR',<br>
><br>
>                 'attr_match_list'       => [    'Name',<br>
>                                                 'EmailAddress'<br>
>                 ],<br>
><br>
>                 # The mapping of RT attributes on to LDAP attributes<br>
>                 'attr_map'      =>  {   'Name' => 'sAMAccountName',<br>
>                                         'EmailAddress' => 'mail',<br>
>                                         'Organization' => 'company',<br>
>                                         'RealName' => 'cn',<br>
>                                         'WorkPhone' => 'telephoneNumber',<br>
>                                         'MobilePhone' => 'mobile',<br>
>                 }<br>
>         }<br>
> }<br>
> );<br>
><br>
><br>
> -John<br>
><br>
> On Wed, Feb 10, 2016 at 9:20 AM, Shawn Moore <<a href="mailto:shawn@bestpractical.com">shawn@bestpractical.com</a>> wrote:<br>
> Hi John,<br>
><br>
> On February 10, 2016 at 2:11:18, John Andersen (<a href="mailto:john@yvig.com">john@yvig.com</a>) wrote:<br>
> > For background, this particular installation went live 10 years ago and has<br>
> > been carried over (mostly flawlessly I might add) from version to version<br>
> > over that 10 years; I try to stay on the most recent stable version.<br>
><br>
> I’m very happy to hear that RT has been running smoothly for you for so long!<br>
><br>
> > Set( $ExternalAuthPriority,['LDAP_DIR3']);<br>
> > Set( $ExternalInfoPriority,['LDAP_DIR3']);<br>
> > Set( $ExternalServiceUsesSSLorTLS, 0);<br>
> > Set( $AutoCreateNonExternalUsers, 1);<br>
> > Set($ExternalSettings, {<br>
> > ...<br>
> > );<br>
><br>
> Could you try adding this as well?<br>
><br>
> Set( $ExternalAuth, 1 );<br>
><br>
> > I'd be grateful for any ideas or pointers!<br>
><br>
> Please let us know if that gets you back up and running. We’ll do a better job about this in 4.4.1.<br>
><br>
> > Thank you,<br>
> > John<br>
><br>
> Thanks!<br>
> Shawn<br>
><br>
> ---------<br>
> RT 4.4 and RTIR Training Sessions (<a href="http://bestpractical.com/services/training.html" rel="noreferrer" target="_blank">http://bestpractical.com/services/training.html</a>)<br>
> * Hamburg Germany  March 14 & 15, 2016<br>
><br>
><br>
><br>
><br>
</div></div>
<div class="HOEnZb"><div class="h5">><br>
<br>
</div></div></blockquote></div><br></div>
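Added example, not part of the thread and not Best Practical's code: a small lint for the failure discussed above, where `$ExternalSettings` is present but `$ExternalAuth` is never enabled, so no LDAP request leaves the RT server. The function names and the sample config are constructed for illustration; the third check reports the plaintext LDAP settings (`'tls' => 0`, no `ldaps://` server) that appear in the quoted config.

```python
import re

# Constructed sample modelled on the config quoted in the thread; host name is a placeholder.
SAMPLE_BROKEN = """
Set( $WebExternalAuth, 1 );
Set( $ExternalAuthPriority, ['LDAP_DIR3'] );
Set( $ExternalSettings, {
    'LDAP_DIR3' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.test',
        'tls'    => 0,
        #'group' => 'GROUP',
    },
} );
"""

# Matches Set( $Name, value ); including values that span several lines.
SET_RE = re.compile(r"Set\(\s*\$(\w+)\s*,\s*([^;]*?)\s*\)\s*;")


def strip_comments(text):
    """Drop whole-line Perl comments so commented-out settings are not counted."""
    return "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("#")
    )


def lint_rt_config(text):
    """Return findings for an RT 4.4 site config (hypothetical helper)."""
    settings = dict(SET_RE.findall(strip_comments(text)))
    findings = []
    if "ExternalSettings" in settings and settings.get("ExternalAuth") != "1":
        findings.append("$ExternalSettings is defined but $ExternalAuth is not set to 1")
    if "WebExternalAuth" in settings:
        findings.append("$WebExternalAuth is set; the thread's fix is $ExternalAuth")
    ext = settings.get("ExternalSettings", "")
    if re.search(r"'tls'\s*=>\s*0\b", ext) and "ldaps://" not in ext:
        findings.append("'tls' => 0 and no ldaps:// server: the LDAP bind is not encrypted")
    return findings


if __name__ == "__main__":
    for finding in lint_rt_config(SAMPLE_BROKEN):
        print("WARN:", finding)
```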