[rt-users] Question about LdapOverlay and Windows Active Directory

Dario Luis Coneglian Oliveros oliveros at cpqd.com.br
Fri Jul 21 14:45:46 EDT 2006

I finally got it working!!! It was configuration data issues (cn, ou, 
...). Thanks to everyone!!!
To solve that, I installed Softerra LDAP Browser to get the correct LDAP 
settings and also to do some LDAP searches. Special thanks to Joachim and 
Now everything looks fine, except for the user auto creation.
When trying to log in with an LDAP user who does not exist in the RT database 
yet, the user authentication fails. Somehow the LDAP filter got messed 
up and the sAMAccountName is not filled. Starting from the Auth 
callback, the IsPassword method is called and it does, the filter gets 
created before the LDAP search.

autohandler/Auth callback:

unless ($session{'CurrentUser'}) {
    if (defined ($user) && defined ($pass) ) {
        $session{'CurrentUser'} = RT::CurrentUser->new();
        unless ($session{'CurrentUser'}->Id) {
            my $UserObj = RT::User->new($RT::SystemUser);
            my ($val, $msg) = $UserObj->SetName($user);

            if ($UserObj->IsPassword($pass)) { # calls IsPassword in User_Local.pm


sub IsLDAPPassword {
    my $filter_string = '(&(' . $RT::LdapAttrMap->{'Name'} . '=' . 
      $self->Name . ')' . $ldap_filter . ')';
    # filter_string = (&(sAMAccountName=)(objectclass=user))


Not sure why sAMAccountName is empty. If I create the same user locally 
in RT and log in again, the LDAP authentication will be OK.
Any help will be appreciated.


Helmuth Ramirez wrote:

>One thing that got me (due to my COMPLETE LAMP newness) was installing the Net::LDAP module.  The other thing I did differently was my objectclass=user not PosixAccount
>-----Original Message-----
>From: Dario Luis Coneglian Oliveros [mailto:oliveros at cpqd.com.br] 
>Sent: Thursday, July 20, 2006 2:13 PM
>To: Helmuth Ramirez
>Cc: rt-users at lists.bestpractical.com
>Subject: Re: [rt-users] Question about LdapOverlay and Windows Active Directory
>Hi Helmuth,
>That's the one I looked at, but even though I could not get it working. 
>Whenever I try to login, I got the following error:
>RT::User::IsLDAPPassword search for 
>(&(sAMAccountName=oliveros)(objectclass=posixAccount)) failed: 
>LDAP_REFERRAL 10 (/l/disk0/tools/rt/local/lib/RT/User_Local.pm:177
>I am not sure whether it's just a configuration problem or not.
>Do you happen to know what this error means?
>FYI the only step I did not follow in the "New Installs" section of 
>http://wiki.bestpractical.com/?LDAP was #4, which is optional.
>Helmuth Ramirez wrote:
>>There were two ways of doing it in the Wiki...one I failed miserably with, the one that worked for me was this one:
>>-----Original Message-----
>>From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Dario Luis Coneglian Oliveros
>>Sent: Thursday, July 20, 2006 1:41 PM
>>To: rt-users at lists.bestpractical.com
>>Subject: [rt-users] Question about LdapOverlay and Windows Active Directory
>>Hi there,
>>Has anyone gotten the LdapOverlay working with Windows Active Directory?
>>Basically I would like to authenticate user against Windows AD without 
>>doing it thru Apache.
>>I followed the steps in the section LDAP at RT Wiki, but couldn't get it 
>>working yet.
>>Any tips, suggestions or working samples will be appreciated.
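
Added example, not part of the original message or of RT's own code: one way to build the filter string shown in the message so that a missing login name is refused before any LDAP search is attempted, and filter metacharacters in the name are escaped per RFC 4515. The helper names `build_user_filter` and `escape_filter_value` are hypothetical, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(', ')' and NUL are replaced by \XX hex pairs.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Hypothetical helper: builds the same filter shape as the IsLDAPPassword
# excerpt, (&(<attr>=<name>)<extra filter>), but returns undef instead of a
# filter when the login name is undefined, empty or only whitespace.
sub build_user_filter {
    my ($attr, $name, $extra_filter) = @_;
    return unless defined $name && $name =~ /\S/;
    return '(&(' . $attr . '=' . escape_filter_value($name) . ')'
         . $extra_filter . ')';
}

# Values taken from the message: the mapped attribute and the extra filter.
my $attr        = 'sAMAccountName';
my $ldap_filter = '(objectclass=user)';

# Constructed sample login names: a normal one, the empty and undefined
# cases that would give "(sAMAccountName=)", and one with metacharacters.
for my $name ('oliveros', '', undef, 'j.doe(test)*') {
    my $filter = build_user_filter($attr, $name, $ldap_filter);
    my $shown  = defined $name ? "'$name'" : 'undef';
    if (defined $filter) {
        print "$shown => $filter\n";
    }
    else {
        # Fail closed: log the problem and skip the search entirely.
        print "$shown => refused: no login name, LDAP search skipped\n";
    }
}
```

With a guard like this, an empty `Name` shows up in the log as an explicit refusal rather than as a failed search for `(sAMAccountName=)`.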
