[rt-users] LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

Mike Peachey mike.peachey at jennic.com
Thu Apr 10 04:51:40 EDT 2008

James Treleaven wrote:
> I have installed the ExternalAuth extension (thanks Mike!) to try and
> validate against my Active Directory server, but I am failing with the
> following message in my apache error_log:
> [Wed Apr  9 22:20:09 2008] [critical]: RT::User::_GetBoundLdapObj Can't
> (/usr/local/rt3/lib/RT/User_Vendor.pm:1056)
> This looked to me (and other messages on this list seemed to indicate)
> that my problem was one of not providing a correct username/password
> pair with which to connect to the AD server.  This seemed strange to me
> because I was able to validate, on the same machine that is running RT,
> against AD using the same username/password pair using ldapsearch.
> So I had our AD admin configure AD to allow "Anonymous Binding".  Now I
> am still getting the same error message as above

When you set anonymous binding, did you remove the user and pass lines 
from the LDAP config? There's no reason I know of why anonymous 
shouldn't work so long as you don't specify those two lines.

As for doing it WITH the credentials, it's possible we could be looking
at a bug, but it's difficult for me to tell because I don't have a 
non-anonymous LDAP server to test against.

If you want to do any debugging yourself, you need to be looking at the 
_GetBoundLdapObj function in $RTHOME/local/lib/RT/User_Vendor.pm which 
is pretty small and just reads in the config as you've written it.

This is only a small suggestion, but is there any chance that Active 
Directory is expecting a username in the form DOMAIN\USERNAME rather 
than just username? That causes problems all over the place.

Kind Regards,


Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
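
The checks suggested in the reply above (anonymous bind, bare username, DOMAIN\USERNAME) can be run outside RT to see which identity form the directory accepts. The following is an added example, not code from the ExternalAuth extension or from the original post; the command-line arguments and the `LDAP_PASS` environment variable are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example: bind to the directory outside RT with each identity form
# discussed above and compare the LDAP result codes.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Identity forms to try; undef means an anonymous bind (no user/pass at all).
sub identities {
    my ($user, $domain) = @_;
    return ([anonymous => undef], [bare => $user], [netbios => "$domain\\$user"]);
}

# Run one bind per form; returns { label => result code }.
sub try_binds {
    my ($host, $user, $domain, $pass) = @_;
    my %codes;
    for my $form (identities($user, $domain)) {
        my ($label, $id) = @$form;
        my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";
        my $mesg = defined $id ? $ldap->bind($id, password => $pass) : $ldap->bind;
        printf "%-9s %-26s %s\n", $label, $mesg->error_name, $mesg->error;
        $codes{$label} = $mesg->code;
        $ldap->unbind;
    }
    return \%codes;
}

# Turn the per-form codes into the next thing to check.
sub advise {
    my ($c) = @_;
    return "bare username binds: credentials are fine, inspect what RT passes to bind"
        if $c->{bare} == LDAP_SUCCESS;
    return "only DOMAIN\\USERNAME binds: use that form in the RT LDAP config"
        if $c->{netbios} == LDAP_SUCCESS;
    return "only anonymous binds: remove the user and pass lines from the RT LDAP config"
        if $c->{anonymous} == LDAP_SUCCESS;
    return "no form binds: check the password and account state with the AD admin";
}

if (@ARGV == 3) {    # usage: script HOST USER DOMAIN (HOST may be an ldaps:// URI)
    # An empty password turns a simple bind into an unauthenticated bind, which
    # a server may accept and so hide the real failure; refuse to run without one.
    length($ENV{LDAP_PASS} // '') or die "set LDAP_PASS (hypothetical variable name)\n";
    print advise(try_binds(@ARGV, $ENV{LDAP_PASS})), "\n";
} else {             # constructed result codes so the decision logic runs offline
    print advise({ anonymous => 0, bare => LDAP_INVALID_CREDENTIALS, netbios => 0 }), "\n";
}
```

Run with no arguments, it evaluates the constructed sample and reports that only the DOMAIN\USERNAME form binds. A successful anonymous bind only shows that the server accepts the connection; searches may still be refused.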
