[rt-users] LDAP Integration in RT

Randy Thompson rthompson at handmark.com
Thu Apr 26 18:44:13 EDT 2007


I'm having some LDAP woes with RT. I've followed the instructions from
"New Installs" - this is a new installation of rt-3.6.3.

Here are the instructions I've followed:

Installation is very straightforward if you haven't installed any
previous LDAP auth/info implementations and don't currently have a

1. Copy the code from LdapUserLocalOverlay
<http://wiki.bestpractical.com/index.cgi?LdapUserLocalOverlay> into
${RTHOME}/local/lib/RT/User_Local.pm (if it doesn't exist, create it)

2. Copy the config settings from LdapSiteConfigSettings
<http://wiki.bestpractical.com/index.cgi?LdapSiteConfigSettings> into
${RTHOME}/etc/RT_SiteConfig.pm (I'd put it at the end, but it shouldn't

3. Customize the configuration settings; pay careful attention to
LdapAttrMap <http://wiki.bestpractical.com/index.cgi?LdapAttrMap>, which
is a hash reference to map RT's attributes to the appropriate fields of
your LDAP schema. *It's very unlikely that the LdapAttrMap
<http://wiki.bestpractical.com/index.cgi?LdapAttrMap> shown in
<http://wiki.bestpractical.com/index.cgi?LdapSiteConfigSettings> will
work for you without customization! In particular, ActiveDirectory
<http://wiki.bestpractical.com/index.cgi?ActiveDirectory> users should

Name => 'sAMAccountName'

If your LDAP server does not allow anonymous binding, $LdapUser
<http://wiki.bestpractical.com/index.cgi?LdapUser> and $LdapPass
<http://wiki.bestpractical.com/index.cgi?LdapPass> should be set to the
appropriate DN and password for initial connection.

4. Optionally, copy the code from LdapAutocreateAuthCallback
into ${RTHOME}/local/html/Callbacks/LDAP/autohandler/Auth (most likely
this doesn't exist, so create it)

5. If you haven't already done so, you will need to install the Perl
Net::LDAP module from CPAN. ( perl -MCPAN -eshell ; install Net::LDAP ).

6. Stop your RT instance (e.g., /sbin/service httpd stop ) and
<http://wiki.bestpractical.com/index.cgi?CleanMasonCache> then start the
web server back up.

Here's what I've done, so far:

- I've installed the Net::LDAP module and set $AuthMethod for LDAP only -
  Internal is disabled. Existing internal users still authenticate.
- Added the relevant pieces to /opt/rt3/etc/RT_SiteConfig.pm for LDAP
  support from http://wiki.bestpractical.com/index.cgi?LdapOverlay
- Configured the parameters for $LdapServer, $LdapBase, $LdapFilter
- Enabled debugging (aware of the passwords getting logged - using a test
  account), but that only tells me that it didn't work. Any way to set
  this for more output?
- Copied User_Local.pm into /opt/rt3/local/lib
- Stopped and restarted Apache after making changes and cleared
  /opt/rt3/var/mason_data/obj/*, as needed.

Sample from rt.log contains:

[Thu Apr 26 22:12:23 2007] [error]: FAILED LOGIN for jsamples from
<ip-address> (/opt/rt3/share/html/autohandler:249)

I can't see anything from the RT side or the LDAP side;
/var/log/ldap.log shows nothing out of the ordinary;  they're not even
talking to each other from what I can tell.

Relevant software

Web server:  Apache 2.0.54
RT version:  3.6.3
Perl version:  5.8.7
OS:    Linux
LDAP:  OpenLDAP 2.2.28

I've been through some of the archives (it's late in the day), but
haven't had any luck.  Any help or advice is greatly appreciated!

Best regards,
Randy Thompson
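A standalone check that takes RT out of the picture is the quickest way to find out whether the two sides are talking at all. The script below is an added diagnostic example; it is not part of the original post, of RT, or of the wiki overlay. It walks the usual overlay flow (connect, service or anonymous bind, search for the login name with the configured filter, then bind as the DN that was found) and reports which step fails. Every server, base DN, filter and account value in it is a placeholder to be replaced with the same values used in RT_SiteConfig.pm; the environment-variable names are the script's own, not RT settings. It only uses documented Net::LDAP calls (new, bind, search, unbind, and the debug option of new), and avoids Perl 5.10 syntax so it runs on the 5.8.7 mentioned above.

```perl
#!/usr/bin/perl
# Standalone LDAP check for an RT 3.6 LDAP overlay setup (added example,
# not RT's or the overlay's own code). It mirrors the usual overlay flow:
# connect -> service bind -> search for the user -> bind as the user's DN,
# so you can see which step fails without going through RT's autohandler.
# All server/base/filter/account values are placeholders: copy the same
# values you put into RT_SiteConfig.pm. LDAP_* variable names are this
# script's own, not RT configuration names.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my $server   = $ENV{LDAP_SERVER}   || 'ldap.example.com';              # placeholder, like $LdapServer
my $base     = $ENV{LDAP_BASE}     || 'ou=people,dc=example,dc=com';   # placeholder, like $LdapBase
my $filter   = $ENV{LDAP_FILTER}   || '(objectClass=inetOrgPerson)';   # placeholder, like $LdapFilter
my $uid_attr = $ENV{LDAP_UID_ATTR} || 'uid';      # 'sAMAccountName' on Active Directory
my $bind_dn  = $ENV{LDAP_BIND_DN};                # service account ($LdapUser); unset = anonymous bind
my $bind_pw  = $ENV{LDAP_BIND_PW};

my $login = shift @ARGV
    or die "usage: $0 <rt-login-name>   (test password in LDAP_TEST_PASS)\n";
# The password comes from the environment rather than argv so it stays out
# of the shell history and 'ps' output.
my $user_pw = $ENV{LDAP_TEST_PASS}
    or die "set LDAP_TEST_PASS in the environment\n";

# Step 1: TCP connect. Failure here means RT and slapd never talk at all.
# LDAP_DEBUG=3 makes Net::LDAP print outgoing (1) and incoming (2) packets,
# which is the 'more output' that RT's own debug level does not give you.
my $ldap = Net::LDAP->new($server, port => 389, timeout => 10,
                          debug => ($ENV{LDAP_DEBUG} || 0))
    or die "cannot connect to $server: $@\n";
print "connected to $server\n";

# Step 2: service (or anonymous) bind that the overlay uses for the lookup.
my $mesg = $bind_dn ? $ldap->bind($bind_dn, password => $bind_pw) : $ldap->bind;
die sprintf("service bind failed: %s (code %d)\n", $mesg->error, $mesg->code)
    if $mesg->code != LDAP_SUCCESS;
print "service bind ok\n";

# Step 3: look the login name up under $base with the configured filter.
# escape_filter_value applies RFC 4515 escaping so the login name cannot
# change the meaning of the filter.
my $ldap_filter = sprintf('(&%s(%s=%s))', $filter, $uid_attr, escape_filter_value($login));
$mesg = $ldap->search(base => $base, scope => 'sub', filter => $ldap_filter,
                      attrs => [$uid_attr, 'mail', 'cn']);
die sprintf("search failed: %s (code %d)\n", $mesg->error, $mesg->code)
    if $mesg->code != LDAP_SUCCESS;
my @entries = $mesg->entries;
die "no entry for '$login' under $base with filter $ldap_filter\n" unless @entries;
die "filter is ambiguous: " . scalar(@entries) . " entries match '$login'\n" if @entries > 1;
my $entry = $entries[0];
my $mail  = $entry->get_value('mail');
printf "found %s (mail=%s)\n", $entry->dn, defined $mail ? $mail : '-';

# Step 4: bind as the user's own DN with the test password, as the overlay
# does to authenticate the login.
$mesg = $ldap->bind($entry->dn, password => $user_pw);
if ($mesg->code == LDAP_SUCCESS) {
    print "user bind ok: '$login' would authenticate\n";
} elsif ($mesg->code == LDAP_INVALID_CREDENTIALS) {
    print "user bind rejected: wrong password (server, base and filter are fine)\n";
} else {
    printf "user bind failed: %s (code %d)\n", $mesg->error, $mesg->code;
}
$ldap->unbind;
```

Run it as the same Unix user Apache runs as (so that any firewall, hosts.allow or ACL difference shows up) with `LDAP_TEST_PASS=... perl ldapcheck.pl jsamples`. If step 1 already fails, slapd's log showing "nothing out of the ordinary" is expected, because no connection ever reached it; if step 3 finds no entry, compare the printed filter against what `ldapsearch` returns; and if everything passes here, the remaining difference is inside RT's configuration or the User_Local.pm overlay rather than in the LDAP server.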

