[rt-users] LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

James Treleaven J.Treleaven at greenfieldethanol.com
Wed Apr 9 18:57:02 EDT 2008

I have installed the ExternalAuth extension (thanks Mike!) to try and
validate against my Active Directory server, but I am failing with the
following message in my apache error_log:

[Wed Apr  9 22:20:09 2008] [critical]: RT::User::_GetBoundLdapObj Can't

This looked to me (and other messages on this list seemed to indicate)
that my problem was one of not providing a correct username/password
pair with which to connect to the AD server.  This seemed strange to me
because I was able to validate, on the same machine that is running RT,
against AD using the same username/password pair using ldapsearch.

So I had our AD admin configure AD to allow "Anonymous Binding".  Now I
am still getting the same error message as above, even though the
following use of ldapsearch binds against AD just fine with no
usercode/password provided:
   ldapsearch -b dc=comalc,dc=com -H ldap://redacted.comalc.com "(objectclass=*)" -x

I suspect that I must have misconfigured ExternalAuth, so I have pasted
in my RT_SiteConfig.pm below.  Thanks in advance for any help.


Set( $rtname, 'greenfieldethanol.com');

# Set( $Organization , "example.com");

# Look into the zoneinfo database for valid values
Set( $Timezone , 'US/Eastern');

# Set( $WebBaseURL , "http://localhost");

Set( $WebPath , "/rt3");

Set($LogToSyslog, '');
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/rt');
Set($LogToFileNamed , "rt.log");

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  ['My_LDAP']);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled. 
# Once user info is found, no more services are checked.
Set($ExternalInfoPriority,  ['My_LDAP']);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,    0);

Set($ExternalSettings,      { # AN EXAMPLE LDAP SERVICE
'My_LDAP'       =>  {   ## GENERIC SECTION
                # The type of service (db/ldap/cookie) 
                'type'                      =>  'ldap',
                # Should the service be used for authentication?
                'auth'                      =>  1,
                # Should the service be used for information?
                'info'                      =>  1,
                # The server hosting the service
                'server'                    =>  'redacted.comalc.com',
                # If you can bind to your LDAP server anonymously you
                # remove the user and pass config lines, otherwise
                # specify them here:
                # The username RT should use to connect to the LDAP
                'user'                      =>  'redacted',
                # The password RT should use to connect to the LDAP
                'pass'                    =>  'redacted',
                # The LDAP search base
                'base'                      =>  'ou=Organisational
                # The filter to use to match RT-Users
                'filter'                    =>  '(objectclass=*)',
                # The filter that will only match disabled users
                'd_filter'                  =>
                # Should we try to use TLS to encrypt connections?
                'tls'                       =>  0,
                # What other args should I pass to
                # Net::LDAP->new($host, @args)?
                'net_ldap_args'             => [    version =>  3   ],
                # Does authentication depend on group membership? What
                # group name?
                #'group'                     =>  'GROUP_NAME',
                # What is the attribute for the group object that
                # determines membership?
                #'group_attr'                =>  'GROUP_ATTR',
                # The list of RT attributes that uniquely identify a
                'attr_match_list' => [  'Name',
                # The mapping of RT attributes on to LDAP attributes
                'attr_map'                  =>  {   'Name' =>
                                                    'EmailAddress' => 'mail',
                                                    'Organization' => 'physicalDeliveryOfficeName',
                                                    'RealName' => 'cn',
                                                    'ExternalAuthId' => 'sAMAccountName',
                                                    'Gecos' => 'sAMAccountName',
                                                    'WorkPhone' => 'telephoneNumber',
                                                    'Address1' => 'streetAddress',
                                                    'City' => 'l',
                                                    'State' => 'st',
                                                    'Zip' => 'postalCode',
                                                    'Country' => 'co'


