[rt-users] LDAP external auth

Tim Dunphy bluethundr at jokefire.com
Tue Nov 8 18:55:51 EST 2011

hello list!

 I am attempting to use ExternalAuth to have RT authenticate against an LDAP database. 

  Our RT users have a sparate common name under our Group ou.


   I have devised an LDAP query that successfully retrieves information that could be used to log into RT. 

   ldapsearch -x -p 389 -h ldap01.example.com -b dc=example,dc=com -D "uid=dunphy,ou=People,dc=example,dc=com" -w 'secret' "(&(objectClass=top)(|(cn=RTUsers)))" "uniqueMember"

   I am a little new at LDAP but from what I can see above I am performing a 'simple' bind with my ldap account and searching for the RTUsers group with a filter.

 This is an example of what it finds:

 # extended LDIF
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=top)(|(cn=RTUsers)))
# requesting: uniqueMember 

# RTUsers, Groups, example.com
dn: cn=RTUsers,ou=Groups,dc=example,dc=com
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=user2,ou=People,dc=example,dc=com
uniqueMember: uid=user3,ou=People,dc=example,dc=com
uniqueMember: uid=user4t,ou=People,dc=example,dc=com


# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

In the ldap server logs everything is looking good at this point:

[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jvazquez)" attrs=ALL
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Nov/2011:18:30:54 -0500] conn=1735740 op=2 msgId=3 - UNBIND

However, as you might have guessed I'm having a little difficulty translating this success on the command line into an RT config. :)

This is what I have, currently, as my LDAP service:

                                # AN EXAMPLE LDAP SERVICE
                                'My_LDAP'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie) 
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'ldap01.example.com',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should 
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        # The username RT should use to connect to the LDAP server 
                                                        'user'                      =>  'uid=myuser,ou=People,cn=example,cn=com',
                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'secret',
                                                        # The LDAP search base
                                                        'base'                      =>  'ou=Groups,dc=example,dc=com',
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '"(&(objectClass=top)(|(cn=RTUsers))) uniqueMember"',
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '(objectClass=FooBarBaz)',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  0,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, at args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        'group'                     =>  'RTUsers',
                                                        # What is the attribute for the group object that determines membership?
                                                        'group_attr'                =>  'cn',
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
							# This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name',
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'uid',
                                                                                            'EmailAddress' => 'mail',

But for some reason I am still trying to determine when I attempt to log in from the RT interface this is what results in the LDAP logs:

[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - BIND dn="uid=myuser,ou=People,cn=example,cn=com" method=128 version=3
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=0 msgId=1 - RESULT err=32 tag=97 nentries=0 etime=0
[08/Nov/2011:18:36:04 -0500] conn=1735759 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0

Now error 32 is what constitutes a 'no such object' error. And error 80 indicates a password error. My theory is that because the object is not found password authentication is failing. I was hoping that someone with a knowledge of LDAP may be willing to assist.

Thank you and best regards,

More information about the rt-users mailing list