LDAP Authentication is not working

Dear All,

I am using RT 3.2.3 and it is working fine. Now I want users to
authenticate from our existing LDAP server. I tried so many options but
still no luck. Can someone guide me on this?

I am attaching my RT_SiteConfig.pm for your reference.

Thanks

Navin

RT_SiteConfig.pm (19 KB)

Navin Chandra Singh wrote:

Dear All,

I am attaching my RT_SiteConfig.pm for your reference.

can you please post the relevant lines of your SiteConfig,

Chaim Rieger wrote:

Navin Chandra Singh wrote:

Dear All,

I am attaching my RT_SiteConfig.pm for your reference.

can you please post the relevant lines of your SiteConfig,

### LDAP Settings
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

# Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

# Common Settings: affecting both auth and info services

# Should we create accounts for users who aren't in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
# THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
# IT TO MATCH YOUR LDAP SCHEMA! See
# http://wiki.bestpractical.com/?LdapAttrMap
# to learn how to set this variable properly for either LDAP or Windows
# Active Directory.
Set($LdapAttrMap, {'Name' => 'uid',
                   'EmailAddress' => 'mail',
                   'Address2' => 'physicalDeliveryOfficeName'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name' ]
);# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress']
);

# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes or smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'mail.bgr.ionidea.com');
Set($LdapBase, 'o=ionidea.com');
Set($LdapFilter, '(objectclass=*)');

# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#Set($LdapUser, '');
#Set($LdapPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### Authentication settings
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above
#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above
#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);

# IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE

# A list of LDAP attrs to examine when canonicalizing email addresses,

No virus found in this outgoing message.
Checked by ClamAV 0.88/2035/Mon Oct 16 02:12:30 2006
WARNING: Version mismatch. See http://www.clamav.net/faq.html
Tool version: 0.88, Engine version: 0.88.5
Build time: 16 Aug 2006 20-46 +0200

of signatures: 64138
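Added example, not part of the original thread and not RT's own code: a small Python check that reads the Set() lines of a config like the one posted above, resolves which value each branch would use under the precedence rule stated in its comments ($Ldap* overrides $LdapAuth*/$LdapInfo*), and flags the settings a reviewer would question. The names parse_active, effective and audit are hypothetical, and SAMPLE is constructed from the values in the post.

```python
import re

# Constructed sample: active and commented Set() lines with the values posted above.
SAMPLE = """\
Set($LdapExternalAuth, 1);
Set($LdapServer, 'mail.bgr.ionidea.com');
Set($LdapBase, 'o=ionidea.com');
Set($LdapFilter, '(objectclass=*)');
#Set($LdapUser, '');
#Set($LdapPass, '');
#Set($LdapTLS, 0);
#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
"""

# Scalar Set() lines only; a leading '#' means the line is inactive and is skipped.
SET_RE = re.compile(r"""^\s*Set\(\s*\$(\w+)\s*,\s*(?:'([^']*)'|"([^"]*)"|(\d+))\s*\)\s*;""")

def parse_active(text):
    """Return {name: value} for every uncommented scalar Set() line."""
    cfg = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            cfg[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return cfg

def effective(cfg, branch, key):
    """$Ldap<key> wins if set; else fall back to $Ldap<branch><key> (rule from the config comments)."""
    return cfg.get("Ldap" + key, cfg.get("Ldap" + branch + key))

def audit(text, branch="Auth"):
    """Resolve the settings one branch ('Auth' or 'Info') would use and list weak ones."""
    cfg = parse_active(text)
    eff = {k: effective(cfg, branch, k) for k in ("Server", "Base", "Filter", "User", "Pass", "TLS")}
    findings = []
    if eff["Server"] is None:
        findings.append("no server configured for this branch")
    if eff["TLS"] in (None, "0"):
        findings.append("TLS not enabled: simple-bind passwords cross the network in clear text")
    if not eff["User"]:
        findings.append("no bind user: lookups rely on the directory allowing anonymous bind")
    if eff["Filter"] and eff["Filter"].replace(" ", "").lower() == "(objectclass=*)":
        findings.append("filter matches every entry under the base, not only user accounts")
    return eff, findings

if __name__ == "__main__":
    eff, findings = audit(SAMPLE)
    print(eff)
    print("\n".join(findings))
```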

Navin Chandra Singh wrote:

did it ever work,

if not, can ldap do anonymous binding ?

eats the blues for breakfast,
does unix for rent,
plays harp for food,
will play the flute for kicks
rides for the freedom

www.up-south.com

Chaim Rieger wrote:

Navin Chandra Singh wrote:

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding
works.

Navin Chandra Singh wrote:

Chaim Rieger wrote:

Navin Chandra Singh wrote:

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding
works.

Hello All,

Can someone please help me on this

Thanks
Navin

Navin Chandra Singh wrote:

Navin Chandra Singh wrote:

Chaim Rieger wrote:

Navin Chandra Singh wrote:

did it ever work,

if not, can ldap do anonymous binding ?

No, it never worked. I am installing a new server. Yes, anonymous binding
works.

Hello All,

Can someone please help me on this

Thanks
Navin

Dear All,

Can anyone find any solution for me ?

Please help

Navin

Dear All,

Can anyone find any solution for me ?

Please help

Navin

Good grief, mate, this is an international mailing list, not
your local helpdesk; take your time, even if it’s obviously
important to you. Two “reminders” within 19 hours is over
the top.

Dear All,

I am using RT 3.2.3 and it is working fine. Now I want users to authenticate
from our existing LDAP server. I tried so many options but still no luck.
Can someone guide me on this?

If you are indeed using RT 3.2.3, the LDAP extension isn’t supported
and very likely won’t function at all. It was authored for 3.5x and
greater.

–j
Jim Meyer, Geek at Large purp@acm.org