Can't Configure RT for Active Directory

Hello, good day,
I have been trying for days to configure Request Tracker (5.0) to log in with my Active Directory users. The problem is that there is no way to get the “RT_SiteConfig.pm” file configured; I have also tried creating another file and still get the “Internal Server Error 500”.

This is my config file.
It should be noted that I have nothing else installed other than RT, MariaDB, Apache2, the necessary CPAN modules and SSH.

Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, 'My_LDAP'       =>  {
            'type'                      =>  'ldap',
            'server'                    =>  '****.net',
  #        'user'                      =>  'rt_ldap_username',
  #        'pass'                      =>  'rt_ldap_password',
            'base'                      =>  'ou=Users,dc=*****,dc=net',
  #           'filter'                    =>  '(FILTER_STRING)',
  #         'd_filter'                  =>  '(FILTER_STRING)',
            'group'                     =>  'GROUP_NAME',
            'group_attr'                =>  'GROUP_ATTR',
            'tls'                       =>  { verify => "require", cafile => "/path/to/ca.pem" },
            'net_ldap_args'             => [    version =>  3   ],
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
            },
        },
    } );

That is my file. I have tried different options, but there is no way.

I understand that the IP of the server, or ***.net etc., goes in the ‘My_LDAP’ section.
I would appreciate any help, a configuration example or anything at all.
Maybe the bug is silly but I don’t see it.

Thanks all.

Is that your local filesystem based configuration (something like /opt/rt5/local/etc/RT_SiteConfig.pm)? In RT5 they’ve started to put some bits of the configuration into the database, so it might be that this is being ignored and a version in the database is being used instead. You can see what RT thinks it is using (and from where) by logging into RT with a local user with admin rights (for example the default enoch root account) and then looking in the Admin->Tools->System Configuration option.

The file path is: /opt/rt5/etc/RT_SiteConfig.pm

The problem is that when modifying or adding any value referring to LDAP in that file, RT stops working at all.
Maybe you are referring to this, to see what it is using.

I’ve tried entering manually but it still doesn’t work, I don’t understand it.

Looks like it might be ignoring the contents of the file - try putting the same details in using the web UI.

I have tried putting the data in the web UI and it still doesn’t work; I don’t understand why.

Does anyone have a config file that works?
Even with the important data masked.

This is currently my RT_SiteConfig.pm:

Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, 'My_LDAP'       =>  {
            'type'                      =>  'ldap',
            'server'                    =>  '****.net',
          'user'                      =>  '***',
          'pass'                      =>  '***',
            'base'                      =>  'ou=Users,dc=*****,dc=net',
  #           'filter'                    =>  '(FILTER_STRING)',
  #         'd_filter'                  =>  '(FILTER_STRING)',
            'group'                     =>  'GROUP_NAME',
            'group_attr'                =>  'GROUP_ATTR',
            'tls'                       =>  '1',
            'net_ldap_args'             => [    version =>  3   ],
            'attr_match_list' => [
                'Name',
                'EmailAddress',
            ],
            'attr_map' => {
                'Name' => 'sAMAccountName',
                'EmailAddress' => 'mail',
            },
        },
    } );

The asterisks in $ExternalAuthPriority and $ExternalInfoPriority should be My_LDAP, I would have thought. Our config also has tls set to 1, but we use filter and d_filter rather than group and group_attr. We also create non-priv users and map more AD attributes to RT user attributes, but that shouldn’t affect this.

Negative, I put it in, but the same error is still here:

500 Internal Server Error

*Modified the previous answer to update the code.

If there’s a 500 error from the web server, your web server error log (or your system messages log) should include more information about what caused the error. It might just be a typo (missing semicolon, etc.). Actually, looking at that config extract, do you have one too many closing braces for that structure?

Apparently it has worked; I no longer get the Internal Server Error. My question is, how do I verify the user dump? Or how could I see whether it has worked correctly?

Set($ExternalSettings, {
        'My_LDAP'       => {
                'type'  => 'ldap',
                'server'        => '*****.net',
                'user'          => '*****',
                'pass'          => '*****',
                'base'          => 'ou=*****,ou=*****,dc=*****,dc=net',
#               'filter'        => '(filterString)',
#               'd_filter'      => '(filterString)',
#               'group'         => 'groupName',
#               'group_attr'    => 'groupAttr',
                'tls'           => '1',
                'net_ldap_args' => [ version => 3 ],
                'attr_match_list'       =>[ 'Name', 'EmailAddress',],
                'attr_map'      => {
                         'Name' => 'sAMAccountName',
                         'EmailAddress' => 'mail'
                         },
                },
});

Can you login using a username/password that should auth via LDAP but not RT?

That is, I can’t log in with a user from my AD in RT.

It’s like the setup does nothing.
I don’t know if I’m missing some other file or if that’s enough.

Do you see RT attempting to check your LDAP server in the debug logs when attempting the login?

A couple of things. They suggest you add a separate .pm file to the RT_SiteConfig.d directory. This makes it easier to troubleshoot your LDAP stuff separately from everything else. Have you tried running ldapsearch against your AD to see if your bind account is able to query the AD? I would start there, to rule out whether it is an RT issue. Second, you set TLS to 1. I believe you need to refer to certs and such. You should try without it and see what happens.

This is a simple config I know works.

Set( $ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'server'          => 'IP Address of LDAP server',
        'port'            => '389',
        'user'            => 'bind user',
        'pass'            => 'bind user password',
        'base'            => 'dc=blahdomain,dc=local',
        'filter'          => '(objectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map'        => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
        },
    },
} );

Hello,

You will see I have changed the configuration file; now I have it in /opt/rt5/etc/RT_SiteConfig.d/cfg_config.pm

If necessary I can put it in another directory, but I don’t know if I have to link it somewhere to get the configuration picked up.
The file does not cause problems, and the following appears in error.log when doing a systemctl restart apache2.

[Fri Nov 25 07:55:00.193225 2022] [fcgid:warn] [pid 24400:tid 140265905972800] (104)Connection reset by peer: [client *****:17681] mod_fcgid: error reading data from FastCGI server, referer: http://172.21.1.124:>
[Fri Nov 25 07:55:00.193297 2022] [core:error] [pid 24400:tid 140265905972800] [client *****:17681] End of script output before headers: rt-server.fcgi, referer: http://*****:8081/Ticket/Display.html?id=65
[Fri Nov 25 07:56:57.728533 2022] [mpm_event:notice] [pid 24397:tid 140266039908224] AH00492: caught SIGWINCH, shutting down gracefully
[Fri Nov 25 07:56:57.874659 2022] [mpm_event:notice] [pid 24473:tid 140078344279936] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 mod_perl/2.0.12 Perl/v5.34.0 configured -- resuming normal operations
[Fri Nov 25 07:56:57.874795 2022] [core:notice] [pid 24473:tid 140078344279936] AH00094: Command line: '/usr/sbin/apache2'
[Fri Nov 25 08:03:04.034055 2022] [mpm_event:notice] [pid 24473:tid 140078344279936] AH00492: caught SIGWINCH, shutting down gracefully
[Fri Nov 25 08:03:04.454486 2022] [mpm_event:notice] [pid 24565:tid 140090101315456] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 mod_perl/2.0.12 Perl/v5.34.0 configured -- resuming normal operations
[Fri Nov 25 08:03:04.454622 2022] [core:notice] [pid 24565:tid 140090101315456] AH00094: Command line: '/usr/sbin/apache2'
[Fri Nov 25 08:04:40.112640 2022] [mpm_event:notice] [pid 24565:tid 140090101315456] AH00492: caught SIGWINCH, shutting down gracefully
[Fri Nov 25 08:04:40.535080 2022] [mpm_event:notice] [pid 24642:tid 139912850569088] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 mod_perl/2.0.12 Perl/v5.34.0 configured -- resuming normal operations
[Fri Nov 25 08:04:40.535212 2022] [core:notice] [pid 24642:tid 139912850569088] AH00094: Command line: '/usr/sbin/apache2'

How do I verify that users have been imported successfully? Is there no message or database record I can check?

I have created a new test user in AD to test, and I get the following error in error.log:
Message: [24792] [Fri Nov 25 08:18:26 2022] [error]: FAILED LOGIN for UPROVA from ***** (/opt/rt5/sbin/../lib/RT/Interface/Web.pm:840)

PS: all ***** are IPs.
Thanks.

The confirmation is that your user can log in and is privileged. If you can’t do that, your LDAP set up still isn’t working right I’m afraid.

Also, with debug logging enabled, you should see something about RT reaching out to the LDAP server when you try to log in.

I inherited an RT install (recently upgraded to 5.0.3) and we have the external LDAP settings, but we also run some import scripts (/opt/rt5/sbin/ldapimport<students, staff, etc>) to pull the AD users into RT, and use existing AD groups that we import into RT to automatically place staff into. I’m not sure if this way is unnecessary or a work-around discovered by my predecessor, but it does seem to work well. In our site config we have some of the following settings:

if ($0 =~ /ldapImportStudents/ ) {
    Set($LDAPHost, 'ad.contoso.com');
    Set($LDAPUser, 'helpdesk\rtbinduser');
    Set($LDAPPassword, 'password');
    Set($LDAPFilter, 'objectClass=user');
    Set($LDAPSizeLimit, 10000);
    Set($LDAPBase, 'ou=helpdesk,ou=helpdesk,dc=rt,dc=contoso,dc=com');
    Set($LDAPGroupName, 'helpdesk');
    Set($LDAPMapping, { Name         => 'mail',   # required
                        EmailAddress => 'mail',
                        RealName     => 'cn' });
}

The curly brackets are not balanced in the first two examples. You fixed it in the later one, though. That was the cause of the 500 error, I suspect.
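Since a brace mistake in RT_SiteConfig.pm only surfaces as a FastCGI 500 after an Apache restart, it helps to load the file outside RT first. The script below is an added example, not RT's own code and not posted in this thread: it provides a stand-in Set() with the same prototype as RT::Config, loads the config, and checks for the problems this thread ran into (unbalanced braces, priority lists naming a service that is not a key of $ExternalSettings, documentation placeholders such as GROUP_NAME left in). It assumes the file calls nothing but Set(), and the default path is the one used in the thread.

```perl
#!/usr/bin/perl
# Added example, not RT's code: load an RT_SiteConfig.pm (or one RT_SiteConfig.d/*.pm
# fragment) with a stand-in Set(), so a syntax error such as an unbalanced brace, or a
# priority list naming no key of $ExternalSettings, is reported here, not as a 500.
use strict;
use warnings;
my (%cfg, @problems);   # option name => value, as recorded by the stand-in Set()
# Same prototype as RT::Config's Set(): the option variable arrives by reference,
# so its name is recovered by scanning the main:: symbol table for that reference.
sub Set (\[$@%]@) {
    my ($ref, @vals) = @_;
    no strict 'refs';
    my ($name) = grep { \${"main::$_"} == $ref || \@{"main::$_"} == $ref
                        || \%{"main::$_"} == $ref } grep { /^\w+$/ } keys %main::;
    $cfg{ $name // '?' } = @vals == 1 ? $vals[0] : [@vals];
    return 1;
}

my $file = $ARGV[0] // '/opt/rt5/etc/RT_SiteConfig.pm';   # path used in the thread
$file = "./$file" unless $file =~ m{^/};                  # do() does not search '.'
unless (defined do $file) {
    die "$file: syntax error: $@" if $@;                  # e.g. one '}' too many
    die "$file: cannot read: $!"  if $!;
}

my $ext = $cfg{ExternalSettings};
push @problems, '$ExternalSettings is not a hash reference' unless ref $ext eq 'HASH';
# Every service in the priority lists must be a key of $ExternalSettings
for my $opt (qw(ExternalAuthPriority ExternalInfoPriority)) {
    my $list = $cfg{$opt};
    $list = [$list] if defined $list && ref $list ne 'ARRAY';
    push @problems, "\$$opt names '$_' but \$ExternalSettings has no such key"
        for grep { !(ref $ext eq 'HASH' && exists $ext->{$_}) } @{ $list // [] };
}
for my $svc (ref $ext eq 'HASH' ? sort keys %$ext : ()) {
    my $s = $ext->{$svc};
    next unless ref $s eq 'HASH' && ($s->{type} // '') eq 'ldap';
    push @problems, "$svc: missing '$_'"
        for grep { !defined $s->{$_} } qw(server base attr_match_list attr_map);
    push @problems, "$svc: '$_' still holds the documentation placeholder '$s->{$_}'"
        for grep { ($s->{$_} // '') =~ /^\(?(GROUP_NAME|GROUP_ATTR|FILTER_STRING|filterString)\)?$/ }
            qw(group group_attr filter d_filter);
    if (ref $s->{attr_map} eq 'HASH' && ref $s->{attr_match_list} eq 'ARRAY') {
        push @problems, "$svc: attr_match_list has '$_' but attr_map does not map it"
            for grep { !exists $s->{attr_map}{$_} } @{ $s->{attr_match_list} };
    }
}
print "$_\n" for @problems;
print "$file: ", scalar(keys %cfg), " option(s) loaded, ", scalar(@problems), " problem(s)\n";
exit(@problems ? 1 : 0);
```

Run it as the RT user (`perl check_siteconfig.pl /opt/rt5/etc/RT_SiteConfig.d/cfg_config.pm`) before restarting Apache; a non-zero exit means the file would have failed inside rt-server.fcgi as well.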