[rt-users] I can't authenticate via LDAP; I don't see the log messages I expect

Micah R Ledbetter mledbetter at neuric.com
Tue Mar 8 18:57:17 EST 2011


On 3/8/2011 5:37 PM, Mark Farver wrote:
> You might turn up the log level, add:
>
> Set($LogToScreen    , 'debug');
>
> And see if anything interesting turns up in the Apache logs.
>
> You could also try using the same credentials, hostname etc with
> ldapsearch on the command line to verify that you have AD configured
> correctly.
>
> Mark

Actually, LogToScreen is already set in my RT_SiteConfig.pm and the only 
thing I get out of Apache's error.log is this stuff:

> [Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Connection 
> to child 5 established (server alpha:443)
> [Tue Mar 08 17:45:27 2011] [info] Seeding PRNG with 648 bytes of entropy
> [Tue Mar 08 17:45:27 2011] [info] Initial (No.1) HTTPS request 
> received for child 5 (server alpha:443)
> [Tue Mar  8 23:45:27 2011] [error]: FAILED LOGIN for mledbetter from 
> 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> [Tue Mar 08 17:45:27 2011] [info] Subsequent (No.2) HTTPS request 
> received for child 5 (server alpha:443)
> [Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling 
> fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from 
> https://alpha/rt/, referer: https://alpha/rt/
> [Tue Mar 08 17:45:27 2011] [info] Subsequent (No.3) HTTPS request 
> received for child 5 (server alpha:443)
> [Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Spelling 
> fix: /rt/NoAuth/RichText/fckeditor.js: 1 candidates from 
> https://alpha/rt/, referer: https://alpha/rt/
> [Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] (70007)The 
> timeout specified has expired: SSL input filter read failed.
> [Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] Connection 
> closed to child 5 with standard shutdown (server alpha:443)

And I'm not even sure that those [info] lines don't come from apache 
itself anyway. At any rate, there is no evidence that it's even trying 
LDAP authentication.


As for running ldapsearch with the credentials in my RT_SiteConfig.pm, 
I've already tried that and it works. If I run this command:
 > ldapsearch -h fattire -p 3268 -D rtldap -w 'PASSWORD' \
 > -b 'ou=Services,dc=neuric,dc=internal'

it will return my RT Users group:
 > dn: CN=RT Users,OU=Services,DC=neuric,DC=internal
 > ... etc ...

I've tried setting the 'user' in $ExternalSettings to 'rtldap' and the 
full 'cn=rtldap,ou=Services,dc=internal,dc=local' because I've seen it 
both ways online, but neither one works, or produces any different log 
output.


However, going any further toward debugging this without any 
LDAP-related logging at all is obviously no fun, and I'd really like to 
actually get logging working before jumping ahead and trying to just 
troubleshoot through a black box.

Thanks for your suggestions.

- Micah
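
Added example, not part of the original message or of RT: a small Python triage script that separates RT's own log lines from Apache's in an error.log excerpt like the one quoted above, then reports whether any RT debug-level or LDAP-related output is present. The two line shapes are assumptions inferred from the quoted excerpt, and `classify` and `summarize` are hypothetical helper names.

```python
import re

# Line shapes inferred from the excerpt quoted in the post (assumption):
#   RT:     [timestamp] [level]: message (/path/to/File.pm:NNN)
#   Apache: [timestamp] [level] message
RT_LINE = re.compile(
    r"^\[[^\]]+\] \[(?P<level>\w+)\]: (?P<msg>.*) \(/[^():]+:\d+\)$")
APACHE_LINE = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] (?P<msg>.*)$")
FAILED = re.compile(r"FAILED LOGIN for (\S+) from (\S+)")

# Subset of the error.log lines from the post, with wrapped lines re-joined.
SAMPLE = """\
[Tue Mar 08 17:45:27 2011] [info] [client 192.168.55.133] Connection to child 5 established (server alpha:443)
[Tue Mar 08 17:45:27 2011] [info] Seeding PRNG with 648 bytes of entropy
[Tue Mar  8 23:45:27 2011] [error]: FAILED LOGIN for mledbetter from 192.168.55.133 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Tue Mar 08 17:45:27 2011] [info] Subsequent (No.2) HTTPS request received for child 5 (server alpha:443)
[Tue Mar 08 17:45:42 2011] [info] [client 192.168.55.133] (70007)The timeout specified has expired: SSL input filter read failed.
"""

def classify(line):
    """Return (origin, level, message) for one error.log line."""
    for origin, pattern in (("rt", RT_LINE), ("apache", APACHE_LINE)):
        m = pattern.match(line.strip())
        if m:
            return origin, m.group("level"), m.group("msg")
    return "unknown", "", line.strip()

def summarize(text):
    """Count lines per origin and report what the RT lines do and do not show."""
    rows = [classify(l) for l in text.splitlines() if l.strip()]
    rt = [r for r in rows if r[0] == "rt"]
    return {
        "apache_lines": sum(r[0] == "apache" for r in rows),
        "rt_lines": len(rt),
        "rt_levels": sorted({r[1] for r in rt}),
        "rt_debug_seen": any(r[1] == "debug" for r in rt),
        "ldap_mentions": sum("ldap" in r[2].lower() for r in rows),
        "failed_logins": [m.groups() for r in rt if (m := FAILED.search(r[2]))],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, only the FAILED LOGIN line is attributed to RT, at error level, with no debug-level or LDAP-related lines from either source.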



