[rt-users] Problems with RT::Authen::ExternalAuth::LDAP after upgrade to 4.4

John Andersen john at yvig.com
Wed Feb 10 02:11:12 EST 2016

I'm hoping a second (or more) set of eyes can help me out here.

I upgraded from 4.2.12 to 4.4.0 and somehow broke LDAP authentication.
For background, this particular installation went live 10 years ago and has
been carried over (mostly flawlessly I might add) from version to version
over that 10 years; I try to stay on the most recent stable version.

Things I have done to test so far:

1) Tested with my existing config carried over from the working 4.2.12
install -- NO GOOD

2) I changed my settings to exactly what is in the documentation -- NO GOOD

3) I installed ldap-utils and tested my filters with success.  I'm sure
they work.  I have also confirmed that my ldap user is binding correctly
and can pull permissions.

Interestingly, I have the exact same settings on LDAPImport and it **IS**
working correctly.

The frustrating thing is that, even with debugging turned on (logging to
syslog), I can get no detailed error message on LDAP under either syslog or
the Apache log. All I get is the following message:


Feb  9 23:00:15 rt RT: [21718] FAILED LOGIN for andersjp from


Internal auth is working. Here is my LDAP config. Any ideas? Happy to
provide any troubleshooting info I have.

Also for what it's worth, the odd-looking ldap filter is a way to filter
out some unwanted data and has been working for years.  I also attempted
adding the '(&(...' to the beginning of the filters (which LDAP Auth seems
to infer automatically for some reason). Again, still wouldn't work.


Set( $ExternalAuthPriority,['LDAP_DIR3']);
Set( $ExternalInfoPriority,['LDAP_DIR3']);
Set( $ExternalServiceUsesSSLorTLS, 0);
Set( $AutoCreateNonExternalUsers, 1);

Set($ExternalSettings,      {
        'LDAP_DIR3'       =>  {
                'type'          => 'ldap',
                'server'        => 'dir3.sch.ad',
                'user'          => 'ldapbind@sch.ad',
                'pass'          => '*censored*',
                'base'          => 'dc=sch,dc=ad',

                # YOU **MUST** SPECIFY A filter AND A d_filter!!
                # The filter to use to match RT-Users
                'filter'        =>  '(mail=*)(sAMAccountType=805306368)',
                #'filter'       =>  '(objectClass=*)',
                # The filter that will only match disabled users
                'd_filter'      =>
                #'tls'          =>  0,
                #'ssl_version'  =>  3,
                'net_ldap_args' => [    version =>  3   ],
                #'group'        =>  'GROUP',
                #'group_attr'   =>  'GROUP_ATTR',
                'attr_match_list'       => [    'Name',

                # The mapping of RT attributes on to LDAP attributes
                'attr_map'      =>  {   'Name'                  =>
                                        'EmailAddress'          => 'mail',
                                        'Organization'          =>
                                        'RealName'              => 'cn',
                                        'WorkPhone'             =>
                                        'MobilePhone'           => 'mobile',





For some added information, here is the WORKING LDAPImport config:


## LDAPImport Settings
Set( $LDAPHost, 'dir3.sch.ad' );
Set( $LDAPUser, 'ldapbind@sch.ad' );
Set( $LDAPPassword, '*censored*' );
Set( $LDAPBase, 'ou=SCH Users,dc=sch,dc=ad' );
Set( $LDAPFilter, '(&(mail=*)(sAMAccountType=805306368))' );
Set( $LDAPDisabledFilter,
Set( $LDAPSkipAutogeneratedGroup, 1 );
Set( $LDAPUpdateUsers, 1 );
# Get groups from LDAP too
Set( $LDAPGroupBase, 'ou=SCH Groups,dc=sch,dc=ad' );
Set( $LDAPGroupFilter, '(objectClass=group)' );
Set( $LDAPGroupMapping, {       Name                    => 'cn',
                                Member_Attr             => 'member',
                                Member_Attr_Value       => 'dn'
} );
Set( $LDAPMapping,
        'Name'                  =>      'sAMAccountName',
        'EmailAddress'          =>      'mail',
        'Organization'          =>      'company',
        'UserCF.Department'     =>      'department',
        'RealName'              =>      'cn',
        'WorkPhone'             =>      'telephoneNumber',
        'MobilePhone'           =>      'mobile'



I'd be grateful for any ideas or pointers!

Thank you,
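Added example, not part of the original post and not RT's own code: a small Python script that composes a per-login LDAP search filter the way the post describes the auth module doing it, by wrapping the configured 'filter' together with the username match in an (&...) conjunction, and then checks that the result is a single well-formed filter. It also escapes the login name per RFC 4515 so that a username cannot change the structure of the filter. The composition itself, the use of sAMAccountName as the match attribute and the sample usernames are assumptions for illustration; the two filter strings are the ones from the configs above.

```python
"""Compose and sanity-check LDAP search filters for a login lookup.

Added example (not RT's own code). The composition below, in which the
configured user filter is wrapped in an (&...) conjunction together with
the username match, is an assumption modelled on the post's description
of the auth module; attribute and user names are constructed samples.
"""

# RFC 4515 escaping: characters that would otherwise alter filter structure.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (e.g. a login name) for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_well_formed(filter_str: str) -> bool:
    """Structural check: balanced parentheses and exactly one top-level
    expression. Escaped parentheses (\\28, \\29) are plain text, so a raw
    character scan is enough once values have been escaped."""
    depth = 0
    top_level = 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                top_level += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and top_level == 1


def build_login_filter(user_filter: str, attr: str, username: str) -> str:
    """Assumed composition for a login lookup:
    (& <configured filter> (<attr>=<escaped username>))."""
    return f"(&{user_filter}({attr}={escape_filter_value(username)}))"


def check_config_filters(user_filter: str, attr: str, username: str) -> dict:
    """Report whether a configured filter is usable on its own (as LDAPImport
    uses $LDAPFilter) and after composition (as assumed for the auth lookup)."""
    composed = build_login_filter(user_filter, attr, username)
    return {
        "standalone_ok": is_well_formed(user_filter),
        "composed": composed,
        "composed_ok": is_well_formed(composed),
    }


if __name__ == "__main__":
    # The unwrapped filter from the ExternalAuth config and the (&...)-wrapped
    # one from the LDAPImport config in the post.
    for f in ("(mail=*)(sAMAccountType=805306368)",
              "(&(mail=*)(sAMAccountType=805306368))"):
        print(f, check_config_filters(f, "sAMAccountName", "andersjp"))
    # A login name containing filter metacharacters is neutralised by escaping
    # (constructed sample).
    print(build_login_filter("(mail=*)", "sAMAccountName", "andersjp)(|(cn=*"))
```

Two things the script shows: the unwrapped string is not a valid filter on its own but becomes one once it is placed inside the conjunction, and under this composition both the wrapped and the unwrapped form yield a valid filter, so a structural check alone does not distinguish them. The script never contacts a directory; it only exercises the filter text.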
