[rt-users] AD integration for external auth

Yan Seiner yan at seiner.com
Tue Jul 7 11:24:09 EDT 2015

I'm coming back to RT after a few years.  I am trying to set up external 
auth against our AD server.

I have a working implementation for mediawiki, so I know that it's 
possible on our system.  As far as possible I've duplicated the options 
from mediawiki/php to rt/perl, but I am still missing something 
important as all login attempts get rejected with a NoUser.

The only thing that I find different (and I'm searching my memory from a 
few years ago when I set up mediawiki) there is a line where the user 
name is pre-pended with the domain for AD:

$wgLDAPSearchStrings = array( 'HPM' => "HPM\\USER-NAME" );

And I can't find anything like that in the RT config.

Does anyone have a working AD external auth they can share?


Here's the logfile snippet:

[4835] [Tue Jul  7 15:17:14 2015] [debug]: Attempting to use external 
auth service: My_LDAP 
[4835] [Tue Jul  7 15:17:14 2015] [debug]: Calling UserExists with 
$username (yans) and $service (My_LDAP) 
[4835] [Tue Jul  7 15:17:14 2015] [debug]: UserExists params:
username: yans , service: My_LDAP 
[4835] [Tue Jul  7 15:17:14 2015] [debug]: LDAP Search ===  Base: 
ou=Staff,dc=hpm,dc=net == Filter: 
(&(objectClass=inetOrgPerson)(sAMAccountName=yans)) == Attrs: 
[4835] [Tue Jul  7 15:17:14 2015] [debug]: User Check Failed :: ( 
My_LDAP ) yans User not found 
[4835] [Tue Jul  7 15:17:14 2015] [debug]: Autohandler called 
ExternalAuth. Response: (0, No User) 
[4835] [Tue Jul  7 15:17:14 2015] [error]: FAILED LOGIN for yans from (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:810)

And here's the setup in RTSiteConfig.pm:

Set($ExternalAuthPriority,  [ 'My_LDAP' ]);
Set($ExternalInfoPriority,  [ 'My_LDAP' ]);
Set($ExternalSettings, {
      'My_LDAP'       =>  {
      'type'             =>  'ldap',
      'server'           =>  'file_print.hpm.net',
                 # By not passing 'user' and 'pass' we are using an 
                 # bind, which some servers to not allow
      'base'             =>  'dc=hpm,dc=net',
      'filter'           =>  '(objectClass=inetOrgPerson)',
                 # Users are allowed to log in via email address or account
                 # name
      'attr_match_list'  => [
#           'EmailAddress',
                 # Import the following properties of the user from LDAP 
                 # login
                 'attr_map' => {
                     'Name'         => 'sAMAccountName',
                     'EmailAddress' => 'mail',
                     'RealName'     => 'cn',
                     'WorkPhone'    => 'telephoneNumber',
                     'Address1'     => 'streetAddress',
                     'City'         => 'l',
                     'State'        => 'st',
                     'Zip'          => 'postalCode',
                     'Country'      => 'co',
         } );

More information about the rt-users mailing list