<div dir="ltr">Hi everyone.<div>First, sorry for my English; I'm French.</div><div><br></div><div>I have been trying for a couple of weeks to get LDAP authentication with my fresh RT 4.4.1 installation.</div><div>All seems good but login still fails.</div><div><br></div><div><span style="font-size:12.8px">As you can see in the logs, if it's the first time that the user tries to log in, he is</span><br style="font-size:12.8px"><span style="font-size:12.8px">created in RT and all checks seem to be OK, but the user is not granted access.</span><br></div><div><br></div><div>Below are RT_Siteconfig.pm and the logs.</div><div><br></div><div>Thank you for your help.</div><div>------------------</div><div>RT_Siteconfig.pm<span style="font-size:12.8px"><br></span></div><div>-----------------</div><div><br></div><div><div>Set($MaxAttachmentSize , 10000000);</div><div>Set($FriendlyFromLineFormat, "\"%s\" <%s>");</div><div>Set($Timezone, "Europe/Paris");</div><div>Set($DisableGD, 0);</div><div>Set( $DisableGraphViz, 1 );</div><div>Set($LogToFile , 'debug');</div><div>Set($LogDir, '/var/log');</div><div>Set($LogToFileNamed , "rt.log");</div><div><br></div><div>Set($WebDomain, 'dmycopr');</div><div>Set($WebPort, 82);</div><div>Set($Organization, '<a href="http://mycopr.com">mycopr.com</a>');</div><div>Set($CorrespondAddress , '<a href="mailto:alert@mycoprservices.com">alert@mycoprservices.com</a>');</div><div>Set($CommentAddress , '<a href="mailto:alert@mycoprservices.com">alert@mycoprservices.com</a>');</div><div>Set($SendmailPath, "/usr/lib/sendmail");</div><div>Set($SendmailArguments, "-t");</div><div>Set($OwnerEmail, "alert\@<a href="http://mycoprservices.com">mycoprservices.com</a>"); #who to email errors to</div><div>Set($UseTransactionBatch, '1');</div><div><br></div><div> # Use the below LDAP source for both authentication, as well as user</div><div>    # information</div><div>    Set( $ExternalAuthPriority, ["My_LDAP"] );</div><div>    Set( $ExternalInfoPriority, ["My_LDAP"] );</div><div>    
Set($ExternalServiceUsesSSLorTLS, 1);</div><div><br></div><div>    # Make users created from LDAP Privileged</div><div>    Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );</div><div><br></div><div>    # Users should still be autocreated by RT as internal users if they</div><div>    # fail to exist in an external service; this is so requestors (who</div><div>    # are not in LDAP) can still be created when they email in.</div><div>    Set($AutoCreateNonExternalUsers, 0);</div><div><br></div><div>    # Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for</div><div>    # further details and examples</div><div>    Set($ExternalSettings, {</div><div>        'My_LDAP'       =>  {</div><div>            'type'             =>  'ldap',</div><div>            'server'           =>  'ldaps://<a href="http://ypmycoprldap.corp.mycopr.com">ypmycoprldap.corp.mycopr.com</a>',</div><div>            'user'             =>  'uid=mycopr-rtir-reader,ou=applicationAccounts,o=<a href="http://corp.mycopr.com">corp.mycopr.com</a>',</div><div>            'pass'             =>  'SikH2mmKLtPi0E4ZYcqldTXAgILVxGVhXWlHBF3o21',</div><div>            'base'             =>  'o=<a href="http://corp.mycopr.com">corp.mycopr.com</a>',</div><div>            'filter'           =>  '(objectClass=privperson)',</div><div>            'tls'              => { verify => "require", cafile => "/etc/pki/tls/mycopr_CERTIFICATE_CHAIN.crt" },</div><div>            'net_ldap_args'    => [    version =>  3, debug => 8   ],</div><div>            'attr_match_list'  => [</div><div>                'Name',</div><div>                'EmailAddress',</div><div>            ],</div><div>            # Import the following properties of the user from LDAP upon</div><div>            # login</div><div>            'attr_map' => {</div><div>                'Name'         => 'uid',</div><div>                'EmailAddress' => 'mail',</div><div>                'RealName'     => 'cn',</div><div>            
}</div><div>        },</div><div>    }</div><div>);</div><div><br></div><div><br></div><div><br></div><div>1;</div></div><div><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">------</span><br style="font-size:12.8px"><span style="font-size:12.8px">First login :</span><br style="font-size:12.8px"><span style="font-size:12.8px">-----</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: UserExists params:</span><br style="font-size:12.8px"><span style="font-size:12.8px">username: 20006587 , service: My_LDAP</span><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">487)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: LDAP Search ===  Base:</span><br style="font-size:12.8px"><span style="font-size:12.8px">o=</span><a href="http://corp.mycorp.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycorp.com</a><span style="font-size:12.8px"> == Filter: (&(objectClass=privperson)(</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">uid=20006587)) ==</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">517)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]:</span><br style="font-size:12.8px"><span style="font-size:12.8px">RT::User::</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">CanonicalizeUserInfoFromExtern</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">alAuth called by 
RT::User</span><br style="font-size:12.8px"><span style="font-size:12.8px">/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm 699 with: Disabled: , EmailAddress: , Gecos:</span><br style="font-size:12.8px"><span style="font-size:12.8px">20006587, Name: 20006587, Privileged: 1</span><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:735)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Attempting to get user info</span><br style="font-size:12.8px"><span style="font-size:12.8px">using this external service: My_LDAP (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:743)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Attempting to use this</span><br style="font-size:12.8px"><span style="font-size:12.8px">canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:752)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: LDAP Search ===  Base:</span><br style="font-size:12.8px"><span style="font-size:12.8px">o=</span><a href="http://corp.mycorp.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycorp.com</a><span style="font-size:12.8px"> == Filter: (&(objectClass=privperson)(</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">uid=20006587)) ==</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">405)</span><br style="font-size:12.8px"><span 
style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [info]:</span><br style="font-size:12.8px"><span style="font-size:12.8px">RT::User::</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">CanonicalizeUserInfoFromExtern</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">alAuth returning Disabled: ,</span><br style="font-size:12.8px"><span style="font-size:12.8px">EmailAddress: </span><a href="mailto:user@ext.mycorp.com" style="font-size:12.8px">user@ext.mycorp.com</a><span style="font-size:12.8px">, Gecos: 20006587, Name: 20006587,</span><br style="font-size:12.8px"><span style="font-size:12.8px">Privileged: 1, RealName: user (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:811)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [info]: Autocreated external user</span><br style="font-size:12.8px"><span style="font-size:12.8px">20006587 ( 716 ) (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:358)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Loading new user ( 20006587 )</span><br style="font-size:12.8px"><span style="font-size:12.8px">into current session (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:364)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Password validation required for</span><br style="font-size:12.8px"><span style="font-size:12.8px">service - Executing... 
(/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:381)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Trying external auth service:</span><br style="font-size:12.8px"><span style="font-size:12.8px">My_LDAP (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">201)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: LDAP Search ===  Base:</span><br style="font-size:12.8px"><span style="font-size:12.8px">o=</span><a href="http://corp.mycorp.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycorp.com</a><span style="font-size:12.8px"> == Filter: (&(uid=20006587)(objectClass=</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">privperson)) ==</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attrs: dn (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">234)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Found LDAP DN:</span><br style="font-size:12.8px"><span style="font-size:12.8px">uid=20006587,ou=people,ou=GO-</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">LM,o=</span><a href="http://corp.mycorp.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycorp.com</a><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">268)</span><br style="font-size:12.8px"><span 
style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [info]:</span><br style="font-size:12.8px"><span style="font-size:12.8px">RT::Authen::ExternalAuth::</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">LDAP::GetAuth External Auth OK ( My_LDAP ):</span><br style="font-size:12.8px"><span style="font-size:12.8px">20006587 (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">349)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: LDAP password validation result:</span><br style="font-size:12.8px"><span style="font-size:12.8px">1 (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:560)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Password Validation Check</span><br style="font-size:12.8px"><span style="font-size:12.8px">Result:  1 (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:385)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [debug]: Autohandler called ExternalAuth.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Response: (0, No User) (/opt/rt4/share/html/Elements/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">DoAuth:58)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13619] [Wed Dec  7 16:42:02 2016] [error]: FAILED LOGIN for 20006587 from</span><br style="font-size:12.8px"><span style="font-size:12.8px">10.1.29.3 (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Interface/Web.pm:826)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: 
Attempting to use external auth</span><br style="font-size:12.8px"><span style="font-size:12.8px">service: My_LDAP (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:288)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: Calling UserExists with</span><br style="font-size:12.8px"><span style="font-size:12.8px">$username (20006587) and $service (My_LDAP)</span><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:329)</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">-------</span><br style="font-size:12.8px"><span style="font-size:12.8px">User is known by RT</span><br style="font-size:12.8px"><span style="font-size:12.8px">-------</span><br style="font-size:12.8px"><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: UserExists params:</span><br style="font-size:12.8px"><span style="font-size:12.8px">username: 20006587 , service: My_LDAP</span><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">487)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: LDAP Search ===  Base:</span><br style="font-size:12.8px"><span style="font-size:12.8px">o=</span><a href="http://corp.mycopr.com/" rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycopr.com</a><span style="font-size:12.8px"> == Filter: (&(objectClass=privperson)(</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">uid=20006587)) ==</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attrs: 
cn,mail,uid (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">517)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]:</span><br style="font-size:12.8px"><span style="font-size:12.8px">RT::User::</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">CanonicalizeUserInfoFromExtern</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">alAuth called by RT::User</span><br style="font-size:12.8px"><span style="font-size:12.8px">/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm 699 with: Disabled: , EmailAddress: , Gecos:</span><br style="font-size:12.8px"><span style="font-size:12.8px">20006587, Name: 20006587, Privileged: 1</span><br style="font-size:12.8px"><span style="font-size:12.8px">(/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:735)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: Attempting to get user info</span><br style="font-size:12.8px"><span style="font-size:12.8px">using this external service: My_LDAP (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:743)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: Attempting to use this</span><br style="font-size:12.8px"><span style="font-size:12.8px">canonicalization key: Name (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:752)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: LDAP Search ===  Base:</span><br style="font-size:12.8px"><span style="font-size:12.8px">o=</span><a href="http://corp.mycopr.com/" 
rel="noreferrer" target="_blank" style="font-size:12.8px">corp.mycopr.com</a><span style="font-size:12.8px"> == Filter: (&(objectClass=privperson)(</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">uid=20006587)) ==</span><br style="font-size:12.8px"><span style="font-size:12.8px">Attrs: cn,mail,uid (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth/LDAP.pm:</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">405)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [info]:</span><br style="font-size:12.8px"><span style="font-size:12.8px">RT::User::</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">CanonicalizeUserInfoFromExtern</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">alAuth returning Disabled: ,</span><br style="font-size:12.8px"><span style="font-size:12.8px">EmailAddress: </span><a href="mailto:user@ext.mycopr.com" style="font-size:12.8px">user@ext.mycopr.com</a><span style="font-size:12.8px">, Gecos: 20006587, Name: 20006587,</span><br style="font-size:12.8px"><span style="font-size:12.8px">Privileged: 1, RealName: user  (/opt/rt4/sbin/../lib/RT/User.</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">pm:811)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [error]: Couldn't create user 20006587:</span><br style="font-size:12.8px"><span style="font-size:12.8px">Email address in use (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Authen/ExternalAuth.pm:355)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [debug]: Autohandler called ExternalAuth.</span><br style="font-size:12.8px"><span style="font-size:12.8px">Response: (0, No User) (/opt/rt4/share/html/Elements/</span><wbr style="font-size:12.8px"><span 
style="font-size:12.8px">DoAuth:58)</span><br style="font-size:12.8px"><span style="font-size:12.8px">[13620] [Wed Dec  7 16:42:10 2016] [error]: FAILED LOGIN for 20006587 from</span><br style="font-size:12.8px"><span style="font-size:12.8px">10.1.29.3 (/opt/rt4/sbin/../lib/RT/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">Interface/Web.pm:826)</span><br style="font-size:12.8px"></div><div><br></div></div>