LDAP auth failing

I have just installed RT 3.6.1 on FC6. I have read the WIKI on LDAP Auth
but am not able to get a successful auth. This is the error I get in my
logs:

[error]: FAILED LOGIN for username from xxx.xxx.xxx.xxx
(/opt/rt3/share/html/autohandler:238)

I added the LdapSiteConfigSettings as per the Wiki.

I configured my LDAP settings per the Wiki, but to no avail. Any help out
there?

Tim Crouch
Systems Administrator
Campus Computing Services
University of Texas at Tyler
903-566-7476

Tim_Crouch@uttyler.edu wrote:

I have just installed RT 3.6.1 on FC6. I have read the WIKI on LDAP Auth
but am not able to get a successful auth. This is the error I get in my
logs:

[error]: FAILED LOGIN for username from xxx.xxx.xxx.xxx
(/opt/rt3/share/html/autohandler:238)

I added the LdapSiteConfigSettings as per the Wiki.

I configured my LDAP settings per the Wiki, but to no avail. Any help out
there?

Can you post the lines from SiteConfig?

Chaim Rieger

Here’s my RT_SiteConfig:

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, 'helpdesk.uttyler.edu');
1;

# What auth methods do you like and in what order?
#Set($AuthMethods, ['LDAP', 'Internal']);
Set($AuthMethods, ['LDAP']);

# LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

# Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

# Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
# THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
# IT TO MATCH YOUR LDAP SCHEMA! See
#   http://wiki.bestpractical.com/?LdapAttrMap
# to learn how to set this variable properly for either LDAP or Windows
# Active Directory.
Set($LdapAttrMap, {'Name' => 'uid',
                   'EmailAddress' => 'mail',
                   'Organization' => 'o',
                   'RealName' => 'cn',
                   'ExternalContactInfoId' => 'dn',
                   'ExternalAuthId' => 'uid',
                   'Gecos' => 'uid',
                   'WorkPhone' => 'telephoneNumber',
                   'Address1' => 'ou',
                   'Address2' => 'physicalDeliveryOfficeName'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
                           'EmailAddress', 'RealName',
                           'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
                              'mailAlternateAddress']
);

# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes of smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'ldap.uttyler.edu');
Set($LdapBase, 'ou=People,dc=uttyler,dc=edu');
Set($LdapFilter, '(objectclass=uid)');

# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
Set($LdapUser, 'uid=,ou=,dc=uttyler,dc=edu');
Set($LdapPass, '********');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

# IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE

# Authentication settings
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above
#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

# Information settings
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above
#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);

Tim Crouch
Systems Administrator
Campus Computing Services
University of Texas at Tyler
903-566-7476
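Before posting a SiteConfig like the one above, it helps to lint it for the things a FAILED LOGIN usually comes down to: a LdapUser bind DN with empty RDN values, a filter that tests objectclass against an attribute name, an AuthMethods list with no Internal fallback, TLS left off, and LdapAuth*/LdapInfo* lines that the Ldap* twins silently override. The Python below is an added example, not RT's code or the poster's; it parses Set() lines with a regex rather than evaluating Perl, and the SAMPLE_CONFIG fragment is constructed to mirror the shape of the posted file.

```python
import re

# Constructed config fragment modelled on the RT_SiteConfig.pm posted in this
# thread (an assumption about its shape, not the poster's actual file).
SAMPLE_CONFIG = r"""
Set($AuthMethods, ['LDAP']);
Set($LdapServer, 'ldap.uttyler.edu');
Set($LdapBase, 'ou=People,dc=uttyler,dc=edu');
Set($LdapFilter, '(objectclass=uid)');
Set($LdapUser, 'uid=,ou=,dc=uttyler,dc=edu');
Set($LdapPass, '********');
#Set($LdapTLS, 0);
"""

# One active Set($Name, value); line; lines commented out with # do not match.
SET_RE = re.compile(r"^\s*Set\(\s*\$(\w+)\s*,\s*(.*?)\s*\);\s*$")

def parse_settings(text):
    """Return {name: raw_value} for every active Set() line (regex, not Perl eval)."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def rdn_problems(dn):
    """Return the RDNs of dn that are not attr=value with a non-empty value."""
    return [rdn for rdn in dn.split(",")
            if "=" not in rdn or not rdn.split("=", 1)[1].strip()]

def lint(text):
    """Return a list of findings for the LDAP-related settings in text."""
    s = parse_settings(text)
    unq = lambda name: s.get(name, "").strip("'\"")  # drop Perl string quotes
    findings = []
    if unq("LdapUser") and rdn_problems(unq("LdapUser")):
        findings.append("LdapUser DN has empty RDNs %s" % rdn_problems(unq("LdapUser")))
    if re.search(r"\(objectclass=(uid|cn|mail)\)", unq("LdapFilter"), re.I):
        findings.append("LdapFilter tests objectclass against an attribute name")
    if "Internal" not in s.get("AuthMethods", ""):
        findings.append("AuthMethods lacks Internal: RT-local accounts locked out if LDAP fails")
    if s.get("LdapTLS", "0") == "0":
        findings.append("LdapTLS is not enabled; bind credentials travel in cleartext")
    # Ldap* settings override their LdapAuth*/LdapInfo* analogs (per the config comments).
    for name in s:
        for prefix in ("LdapAuth", "LdapInfo"):
            twin = "Ldap" + name[len(prefix):]
            if name.startswith(prefix) and twin in s:
                findings.append("%s is ignored because %s is set" % (name, twin))
    return findings
```

Run lint() over a real RT_SiteConfig.pm read from disk; every finding is a line to fix or to explain in the post.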

chaim rieger <chaim.rieger@gmail.com> wrote on 03/20/07 05:10 PM (To: Tim_Crouch@uttyler.edu; cc: rt-users@lists.bestpractical.com; Subject: Re: [rt-users] LDAP auth failing):


Can you change

Set($LdapUser, 'uid=,ou=,dc=uttyler,dc=edu');
Set($LdapPass, '********');

to

Set($LdapUser, 'cn=tim_crouch,ou=People,dc=uttyler,dc=edu');
Set($LdapPass, '********');

for testing purposes only?