[rt-users] Authen::ExternalAuth not connecting to LDAP

Josiah Philipsen jphilipsen at georgefox.edu
Fri Jul 24 11:03:19 EDT 2015

I have 3 instances of RT running right now. 2 old ones running RT 3.8.7 and
a new one running 4.2.10. Everything on 3.8.7 is running on Ubuntu 10.0.4
and working well. We are transitioning to 14.0.4 and upgrading RT at the
same time.

I will try to make this obvious and to the point. Below is my RT_Site
Config and a few perl modules that I have installed to confirm this should
be working. I have turned on all debugging logs and the only error I can
find is Login Failed for user ....

I can connect and bind with multiple users including the one used in the
script below using ldapsearch.

Thank you all in advance for any help that you may provide and I look
forward to getting this to work.


(I have commented out the new things that I have tried, but the original
items are what we use on the 3.8.7 servers that work.)

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them:
#     Plugin( "RT::Extension::SLA" );

### LDAP Configuration ###
Set ( $ExternalAuthPriority,  [ 'GFU_LDAP' ] );
Set ( $ExternalInfoPriority,  [ 'GFU_LDAP' ] );

# Users created from LDAP should be Privileged; this is a core RT
# option.  Additionally, this is the 4.2 name for the option; for RT
# 4.0, is it named $AutoCreate   See the core RT documentation at
# http://docs.bestpractical.com/RT_Config#UserAutocreateDefaultsOnLogin
# for for further details.
#Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,    1);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {
        'GFU_LDAP' => {
                'type'                      =>  'ldap',
                'server'                    =>  'myldapserver',
#                'server'                   => 'ldaps://myldapserver'
#                'use_ldaps'                 =>  1,
                'user'                      =>  'CN=***,OU=***,
                'pass'                      =>  '*****',

                'base'                      =>  'DC=****,DC=****,DC=***',
                'filter'                    =>  '(objectClass=user)',
                # The filter that will only match disabled users
                'd_filter'                  =>

                # Should we try to use TLS to encrypt connections?
                'tls'                       =>  0,
#                'tls'                       =>  {verify => "require",
capath => "/etc/ldap/cacerts/cert.pem" },
                # SSL Version to provide to Net::SSLeay *if* using SSL
                'ssl_version'               =>  3,
                # What other args should I pass to
Net::LDAP->new($host, at args)?
                'net_ldap_args'             => [    version =>  3, port =>
636   ],
#                'net_ldap_args'             => [    version =>  3   ],
                # Does authentication depend on group membership? What
group name?
                'group'                     =>  'CN=All Users,OU=Shared
Mail Groups,DC=campus,DC=georgefox,DC=edu',
                # What is the attribute for the group object that
determines membership?
                'group_attr'                =>  'member',
                # The list of RT attributes that uniquely identify a user
                # This example shows what you *can* specify.. I recommend
reducing this
                # to just the Name and EmailAddress to save encountering
problems later.
                'attr_match_list'           => [        'Name',
                # The mapping of RT attributes on to LDAP attributes
                'attr_map'                  =>  {       'Name' =>
                                                        'EmailAddress' =>
                                                        'ExternalAuthId' =>
                                                        'Gecos' =>

*Perl Modules:*
This is perl 5, version 18, subversion 2 (v5.18.2) built for

Net::SSLeay is up to date (1.70).
Net::LDAP is up to date (0.65).
Net::LDAPS is up to date (0.06).
Crypt::SSLeay is up to date (0.72).

I installed RT::Authen::ExternalAuth with cpan and with sudo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20150724/cfe25fc8/attachment.htm>

More information about the rt-users mailing list