ExternalAuth not being invoked at all?

I’m trying to stand up a fresh RT 4.4.3 instance using AD authentication, and am failing but can’t tell why.
Running rt-server with debug-level console logging shows that ExternalAuth::LDAP is never even invoked during (failed) authentication attempts. I believe I’ve followed all the instructions, correctly, and I’ve verified that my LDAP URI, credentials, base DN, etc. are all correct (using ldapsearch(1)).

My RT_SiteConfig.pm:

Set( $rtname, 'rt.merlin.mb.ca' );
Set( $Organization, 'merlin.mb.ca' );
Set( $WebDomain, 'rt.merlin.mb.ca' );
Set( $Timezone, 'America/Winnipeg' );
Set( $DatabaseType, 'Pg' );
Set( $DatabaseHost, 'XXX' );
Set( $DatabaseRTHost, 'XXX' );
Set( $DatabaseUser, 'XXX' );
Set( $DatabasePassword, 'XXX' );
Set( $DatabaseName, 'XXX' );
Set( $LogToScreen, 'debug' );
Set( $LogStackTraces, 'debug');
Set( $StatementLog, 'debug' ); 
Set( $CorrespondAddress, 'rt@merlin.mb.ca');
Set( $CommentAddress, 'rt@merlin.mb.ca');
Set( $OwnerEmail, 'athompson@merlin.mb.ca');
Set( $ExternalAuthPriority, ['My_LDAP'] );
Set( $ExternalInfoPriority, ['My_LDAP'] );
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
Set( $AutoCreateNonExternalUsers, 1);
Set( $ExternalSettings, {
    'My_LDAP'       =>  {
        'type'             =>  'ldap',
        'server'           =>  'merlinoffice.local',
        'tls'              =>  1,
        'user'             =>  'CN=Request Tracker,OU=Service Accounts,OU=Staff,DC=MERLINOffice,DC=local',
        'pass'             =>  'XXXX',
        'base'             =>  'OU=Staff,DC=MERLINOffice,DC=local',
        'filter'           =>  '(objectClass=inetOrgPerson)',
        'd_filter'         =>  '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'attr_match_list'  => [ 'Name', 'EmailAddress', ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
            'WorkPhone'    => 'telephoneNumber',
            'Address1'     => 'streetAddress',
            'City'         => 'l',
            'State'        => 'st',
            'Zip'          => 'postalCode',
            'Country'      => 'co',
        },
    },
} );

and the console output from rt-server:

rt@rt$         rt-server --port 8080
[6919] [Mon Jan 28 19:01:23 2019] [error]: FAILED LOGIN for athompson from (/var/www/rt/sbin/../lib/RT/Interface/Web.pm:827)
Trace begun at /var/www/rt/sbin/../lib/RT.pm line 313
Log::Dispatch::__ANON__('Log::Dispatch=HASH(0x3338edba78)', 'FAILED LOGIN for athompson from') called at /var/www/rt/sbin/../lib/RT/Interface/Web.pm line 827
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x32d2e22028)') called at /var/www/rt/share/html/NoAuth/Login.html line 49
HTML::Mason::Commands::__ANON__('user', 'athompson', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'pass', 'XXXXX') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x334ffcddf0)', 'user', 'athompson', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'pass', 'XXXXX') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 1302
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 1292
HTML::Mason::Request::comp(undef, undef, undef, 'user', 'athompson', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'pass', 'XXXXX') called at /var/www/rt/sbin/../lib/RT/Interface/Web.pm line 606
RT::Interface::Web::MaybeShowNoAuthPage('HASH(0x332a995448)') called at /var/www/rt/sbin/../lib/RT/Interface/Web.pm line 317
RT::Interface::Web::HandleRequest('HASH(0x332a995448)') called at /var/www/rt/share/html/autohandler line 53
HTML::Mason::Commands::__ANON__('pass', 'XXXXX', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'user', 'athompson') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x332a995730)', 'pass', 'XXXXX', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'user', 'athompson') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 1300
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 1292
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'XXXXX', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'user', 'athompson') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 481
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 481
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/Request.pm line 433
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x338c598dd8)') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/PSGIHandler.pm line 96
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/PSGIHandler.pm line 96
HTML::Mason::Request::PSGI::exec('RT::Interface::Web::Request=HASH(0x338c598dd8)') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/Interp.pm line 342
HTML::Mason::Interp::exec(undef, undef, 'pass', 'XXXXX', 'next', 'd59eeede8a37d57070a5e3e5cd6164b0', 'user', 'athompson') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/PSGIHandler.pm line 59
eval {...} at /usr/local/libdata/perl5/site_perl/HTML/Mason/PSGIHandler.pm line 59
HTML::Mason::PSGIHandler::invoke_mason('HTML::Mason::PSGIHandler::Streamy=HASH(0x337cf6b850)', 'HASH(0x32cdaac280)', 'HASH(0x333f5a1460)') called at /usr/local/libdata/perl5/site_perl/HTML/Mason/PSGIHandler/Streamy.pm line 52
HTML::Mason::PSGIHandler::Streamy::__ANON__('CODE(0x334ffcd730)') called at /usr/local/libdata/perl5/site_perl/Plack/Util.pm line 339
Plack::Util::__ANON__('CODE(0x32d3904ce8)') called at /usr/local/libdata/perl5/site_perl/Starlet/Server.pm line 377
Starlet::Server::handle_connection('Plack::Handler::Starlet=HASH(0x334ac41f70)', 'HASH(0x32d3904868)', 'IO::Socket::INET=GLOB(0x32d39043b8)', 'CODE(0x330f85ffa0)', '', '', '') called at /usr/local/libdata/perl5/site_perl/Starlet/Server.pm line 190
Starlet::Server::accept_loop('Plack::Handler::Starlet=HASH(0x334ac41f70)', 'CODE(0x330f85ffa0)', 100) called at /usr/local/libdata/perl5/site_perl/Plack/Handler/Starlet.pm line 80
Plack::Handler::Starlet::run('Plack::Handler::Starlet=HASH(0x334ac41f70)', 'CODE(0x330f85ffa0)') called at /usr/local/libdata/perl5/site_perl/Plack/Loader.pm line 84
Plack::Loader::run('Plack::Loader=HASH(0x3386742a78)', 'Plack::Handler::Starlet=HASH(0x334ac41f70)') called at /usr/local/libdata/perl5/site_perl/Plack/Runner.pm line 277
Plack::Runner::run('RT::PlackRunner=HASH(0x33970c3748)') called at /var/www/rt/sbin/../lib/RT/PlackRunner.pm line 150
eval {...} at /var/www/rt/sbin/../lib/RT/PlackRunner.pm line 150
RT::PlackRunner::run('RT::PlackRunner=HASH(0x33970c3748)') called at /var/www/rt/sbin/rt-server line 162

Can anyone spot what on earth I’ve missed?
Thanks in advance,

Do you have SELinux turned on? That can interfere with web server scripts being able to open new outgoing sockets (so in this case no socket to the LDAP server).

Nope. Using BSD, not Linux. The rest of RT itself appears to work normally, so I’m assuming I’ve made an “invisible” typo somewhere in the config related to ExternalAuth.

I don’t know if it is important, but on our setup (which uses the web server for auth via Shibboleth, with LDAP for info lookups to our AD, so somewhat different to you) we’ve got:

'filter' => '(&(ObjectCategory=User)(ObjectClass=Person))',


'net_ldap_args' => [ version => 3 ],

in our MyLDAP structure. Also, have you tried without tls set? Our attr_map is different, but then I don’t know what attributes you’ve got in your AD! :wink:

This is actually starting to look like a bug.
If I don’t set the “tls” attribute at all, and “server” is just a bare server name, RT::Authen::ExternalAuth::LDAP is invoked correctly, attempts to authenticate me, and gives back (surprise!):

[36493] [Tue Jan 29 19:27:57 2019] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind: LDAP_STRONG_AUTH_REQUIRED 8 (/var/www/rt/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:678)

However, if I either:
a) set the “tls” value to anything at all, or
b) set the “server” value to “ldaps://merlinoffice.local” (which should work, assuming it just passes it to Net::LDAP)
then RT::Authen::ExternalAuth::LDAP never gets called in the first place… but also doesn’t log any errors during initialization, either.
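Editor's added example, not part of any post above and not RT's own code: a standalone Net::LDAP check that attempts the same service-account bind over plain LDAP, StartTLS and LDAPS, to show whether the TLS modes work on this host outside RT. The environment variable names are assumptions made for this sketch. A directory that refuses unencrypted simple binds should answer the plain attempt with the same LDAP_STRONG_AUTH_REQUIRED (8) seen in the log above.

```perl
#!/usr/bin/env perl
# Added diagnostic, not part of RT: bind with the service account over
# plain LDAP, StartTLS and LDAPS using Net::LDAP directly.
use strict;
use warnings;
use Net::LDAP;

# Assumed (hypothetical) environment variables; nothing is hard-coded.
my $host   = $ENV{LDAP_HOST}    or die "set LDAP_HOST\n";
my $dn     = $ENV{LDAP_BIND_DN} or die "set LDAP_BIND_DN\n";
my $pass   = $ENV{LDAP_BIND_PW} or die "set LDAP_BIND_PW\n";
my $cafile = $ENV{LDAP_CA_FILE};    # optional PEM bundle for the DC's certificate

# Certificate checking options used for both start_tls() and ldaps://.
my %ssl = ( verify => 'require', ( $cafile ? ( cafile => $cafile ) : () ) );

# Net::LDAP relies on IO::Socket::SSL for both TLS modes.
my $have_ssl = eval { require IO::Socket::SSL; 1 };
print "IO::Socket::SSL: ",
    ( $have_ssl ? "v$IO::Socket::SSL::VERSION" : "NOT INSTALLED" ), "\n";

sub try_bind {
    my ( $label, $uri, $starttls ) = @_;
    my $result = eval {
        # new() returns undef and sets $@ when the connection fails.
        my $ldap = Net::LDAP->new( $uri, version => 3, timeout => 10, %ssl )
            or die "connect failed: $@\n";
        if ($starttls) {
            my $tls = $ldap->start_tls(%ssl);
            die "start_tls failed: " . $tls->error . "\n" if $tls->code;
        }
        my $bind = $ldap->bind( $dn, password => $pass );
        my $text = $bind->code
            ? sprintf( "bind rejected: %s (%d)", $bind->error_name, $bind->code )
            : "bind OK";
        $ldap->unbind;
        $text;
    };
    my $err = $@;
    chomp $err;
    printf "%-9s %s\n", $label, defined $result ? $result : "error: $err";
}

try_bind( 'plain',    "ldap://$host",  0 );
try_bind( 'starttls', "ldap://$host",  1 );
try_bind( 'ldaps',    "ldaps://$host", 0 );
```

If the `starttls` and `ldaps` lines report errors here as well, the cause lies in the host's Perl TLS stack or certificate trust rather than in the RT configuration; if they report `bind OK`, the remaining difference is in how RT handles the `tls` and `server` settings.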