Problems with external auth and double prompting for authentication

Bart Bunting bart.bunting at ursys.com.au
Wed May 11 03:50:22 EDT 2016

Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browser's authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication

I'm sure it's something simple but I'm pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication
# configure external authentication

#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.xxxxx',
        'base'   => 'cn=users,cn=accounts,dc=xxxxxx',
        'user'   => 'uid=system,cn=sysaccounts,xxxxx',
        'pass'   => 'xxxxxx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            # entries are missing from the archived message
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name         => 'uid', # required
                   EmailAddress => 'mail',
                   RealName     => 'cn',
                   WorkPhone    => 'telephoneNumber',
                   Organization => 'departmentName'});
# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,xxxxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name              => 'cn',
                        Description       => 'description',
                        Member_Attr       => 'member',
                        Member_Attr_Value => 'dn',
});

As above, all the ldap stuff appears to work apart from the double
request for authentication.

Kind regards

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005

