Authen::ExternalAuth not connecting to LDAP

Josiah_Philipsen · July 24, 2015, 3:03pm

I have 3 instances of RT running right now. 2 old ones running RT 3.8.7 and
a new one running 4.2.10. Everything on 3.8.7 is running on Ubuntu 10.0.4
and working well. We are transitioning to 14.0.4 and upgrading RT at the
same time.

I will try to make this obvious and to the point. Below is my RT_Site
Config and a few perl modules that I have installed to confirm this should
be working. I have turned on all debugging logs and the only error I can
find is Login Failed for user …

I can connect and bind with multiple users including the one used in the
script below using ldapsearch.

Thank you all in advance for any help that you may provide and I look
forward to getting this to work.

Thanks,
Josiah

RT_SiteConfig.pm
(I have commented out the new things that I have tried, but the original
items are what we use on the 3.8.7 servers that work.)

You must install Plugins on your own, this is only an example

of the correct syntax to use when activating them:

Plugin( “RT::Extension::SLA” );

    Plugin('RT::Authen::ExternalAuth');

LDAP Configuration

Set ( $ExternalAuthPriority, [ ‘GFU_LDAP’ ] );
Set ( $ExternalInfoPriority, [ ‘GFU_LDAP’ ] );

Users created from LDAP should be Privileged; this is a core RT

option. Additionally, this is the 4.2 name for the option; for RT

4.0, is it named $AutoCreate See the core RT documentation at

http://docs.bestpractical.com/RT_Config#UserAutocreateDefaultsOnLogin

for for further details.

#Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

If this is set to true, then the relevant packages will

be loaded to use SSL/TLS connections. At the moment,

this just means “use Net::SSLeay;”

Set($ExternalServiceUsesSSLorTLS, 1);

If this is set to 1, then users should be autocreated by RT

as internal users if they fail to authenticate from an

external service.

Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {
‘GFU_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘myldapserver’,

‘server’ => ‘ldaps://myldapserver’

‘use_ldaps’ => 1,

            'user'                      =>  'CN=***,OU=***,

DC=,DC=,DC=',
‘pass’ => '***',

            'base'                      =>  'DC=****,DC=****,DC=***',
            'filter'                    =>  '(objectClass=user)',
            # The filter that will only match disabled users
            'd_filter'                  =>

‘(userAccountControl:1.2.840.113556.1.4.803:=2)’,

            # Should we try to use TLS to encrypt connections?
            'tls'                       =>  0,

‘tls’ => {verify => “require”,

capath => “/etc/ldap/cacerts/cert.pem” },
# SSL Version to provide to Net::SSLeay if using SSL
‘ssl_version’ => 3,
# What other args should I pass to
Net::LDAP->new($host,@args)?
‘net_ldap_args’ => [ version => 3, port =>
636 ],

‘net_ldap_args’ => [ version => 3 ],

            # Does authentication depend on group membership? What

group name?
‘group’ => ‘CN=All Users,OU=Shared
Mail Groups,DC=campus,DC=georgefox,DC=edu’,
# What is the attribute for the group object that
determines membership?
‘group_attr’ => ‘member’,
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you can specify… I recommend
reducing this
# to just the Name and EmailAddress to save encountering
problems later.
‘attr_match_list’ => [ ‘Name’,
‘EmailAddress’,
],
# The mapping of RT attributes on to LDAP attributes
‘attr_map’ => { ‘Name’ =>
‘sAMAccountName’,
‘EmailAddress’ =>
‘mail’,
‘ExternalAuthId’ =>
‘sAMAccountName’,
‘Gecos’ =>
‘sAMAccountName’,
}
}
}
);

Perl Modules:
This is perl 5, version 18, subversion 2 (v5.18.2) built for
x86_64-linux-gnu-thread-multi

Net::SSLeay is up to date (1.70).
Net::LDAP is up to date (0.65).
Net::LDAPS is up to date (0.06).
Crypt::SSLeay is up to date (0.72).

I installed RT::Authen::ExternalAuth with cpan and with sudo