LDAP authentication RTIR 4.4.4

Hello! I’m new to RT, sorry for the beat-up LDAP question.
I’ve installed the latest 4.4.4 version and am trying to set up LDAP authentication, but I’m getting the error: “Your username or password is incorrect”.

Here is my RT_SiteConfig.pm:

Set( %FullTextSearch,
    Enable  => 1,
    Indexed => 1,
    Column  => 'ContentIndex',
    Table   => 'AttachmentsIndex',
);

Set(%ExternalStorage,
    Type => 'Disk',
    Path => '/opt/rt4-atts',
);

use utf8;

Plugin( "RT::Authen::ExternalAuth" );
Set($ExternalAuthPriority, [ 'My_LDAP',
                           ]
);
Set($ExternalInfoPriority, [ 'My_LDAP',
                           ]
);
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap://corp.com',
        # By not passing 'user' and 'pass' we are using an anonymous
        # bind, which some servers do not allow
        'base'   => 'ou=my,o=corpcom',
        'filter' => '(objectClass=corpPerson)',
        # Users are allowed to log in via email address or account
        # name
        'attr_match_list' => [
            'Name',
            'EmailAddress',
        ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'         => 'NAME',
            'EmailAddress' => 'INTERNET',
            'WorkPhone'    => 'XPHONE',
            # 'Address1'   => 'streetAddress',
            # 'City'       => 'l',
            # 'State'      => 'st',
            # 'Zip'        => 'postalCode',
            'Country'      => 'COUNTRY',
        },
    },
} );

Plugin( "RT::IR" );

Set( $CommentAddress, 'admins@corp.com' );
Set( $CorrespondAddress, 'admins@corp.com' );
Set( $DatabaseHost, 'localhost' );
Set( $DatabaseName, 'rt4' );
Set( $DatabasePassword, 'SecretPsw' );
Set( $DatabasePort, '' );
Set( $DatabaseType, 'Pg' );
Set( $DatabaseUser, 'rt_user' );
Set( $Organization, 'tmtickets.corpcom' );
Set( $OwnerEmail, 'admins@corp.com' );
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $WebDomain, '5.5.22.18' );
Set( $WebPort, '80' );
Set( $rtname, 'tmtickets.corpcom' );
1;

The httpd error.log file has this:
[Fri Jul 19 17:26:20.405388 2019] [fcgid:warn] [pid 5862] (104)Connection reset by peer: [client 9.85.194.208:49808] mod_fcgid: error reading data from FastCGI server
[Fri Jul 19 17:26:20.405476 2019] [core:error] [pid 5862] [client 9.85.194.208:49808] End of script output before headers: rt-server.fcgi
[Fri Jul 19 17:35:10.843166 2019] [mpm_prefork:notice] [pid 5860] AH00170: caught SIGWINCH, shutting down gracefully
[Fri Jul 19 17:35:12.051675 2019] [suexec:notice] [pid 6491] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Jul 19 17:35:12.072062 2019] [alias:warn] [pid 6491] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 18 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:35:12.072097 2019] [alias:warn] [pid 6491] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 19 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:35:12.072101 2019] [alias:warn] [pid 6491] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 20 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:35:12.072104 2019] [alias:warn] [pid 6491] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 21 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:35:12.072107 2019] [alias:warn] [pid 6491] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 22 will probably never match because it overlaps an earlier ScriptAlias.
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using fe80::922d:fc9c:91aa:1bf1. Set the ‘ServerName’ directive globally to suppress this message
[Fri Jul 19 17:35:12.173334 2019] [auth_digest:notice] [pid 6491] AH01757: generating secret for digest authentication …
[Fri Jul 19 17:35:12.173965 2019] [lbmethod_heartbeat:notice] [pid 6491] AH02282: No slotmem from mod_heartmonitor
[Fri Jul 19 17:35:12.179308 2019] [mpm_prefork:notice] [pid 6491] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 configured – resuming normal operations
[Fri Jul 19 17:35:12.179357 2019] [core:notice] [pid 6491] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’
[6502] [Fri Jul 19 21:35:18 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/sbin/…/lib/RT.pm:772)
[6502] [Fri Jul 19 21:35:19 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/sbin/…/lib/RT.pm:772)
[6502] [Fri Jul 19 21:35:36 2019] [error]: FAILED LOGIN for myuser@corpcom from 9.85.194.208 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:827)
[Fri Jul 19 17:38:50.451363 2019] [mpm_prefork:notice] [pid 6491] AH00170: caught SIGWINCH, shutting down gracefully
[Fri Jul 19 17:38:51.676889 2019] [suexec:notice] [pid 6701] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Jul 19 17:38:51.703112 2019] [alias:warn] [pid 6701] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 18 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:38:51.703151 2019] [alias:warn] [pid 6701] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 19 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:38:51.703154 2019] [alias:warn] [pid 6701] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 20 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:38:51.703158 2019] [alias:warn] [pid 6701] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 21 will probably never match because it overlaps an earlier ScriptAlias.
[Fri Jul 19 17:38:51.703161 2019] [alias:warn] [pid 6701] AH00671: The Alias directive in /etc/httpd/conf.d/welcome.conf at line 22 will probably never match because it overlaps an earlier ScriptAlias.
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using fe80::922d:fc9c:91aa:1bf1. Set the ‘ServerName’ directive globally to suppress this message
[Fri Jul 19 17:38:51.814181 2019] [auth_digest:notice] [pid 6701] AH01757: generating secret for digest authentication …
[Fri Jul 19 17:38:51.814836 2019] [lbmethod_heartbeat:notice] [pid 6701] AH02282: No slotmem from mod_heartmonitor
[Fri Jul 19 17:38:51.819618 2019] [mpm_prefork:notice] [pid 6701] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 configured – resuming normal operations
[Fri Jul 19 17:38:51.819646 2019] [core:notice] [pid 6701] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’
[6748] [Fri Jul 19 21:39:40 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/sbin/…/lib/RT.pm:772)
[6748] [Fri Jul 19 21:39:40 2019] [warning]: RT::Authen::ExternalAuth has been cored since RT 4.4, please check the upgrade document for more details (/opt/rt4/sbin/…/lib/RT.pm:772)
[6748] [Fri Jul 19 21:39:55 2019] [error]: FAILED LOGIN for myuser@corpcom from 9.85.194.208 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:827)

Hi Larry

You probably need to supply valid bind credentials in your LDAP settings

regards
Garry

LDAP server supports anonymous binding.

Just noticed those last three lines on your log output. Do you have an old, pre-4.4 RT::Authen::ExternalAuth extension loaded? If so, you might want to uninstall that and use the LDAP external auth stuff that comes in 4.4.x versions of RT.

Also can you do an external LDAP search (using ldapsearch command) using the base and filter given with an anonymous bind?

Hi GreenJimll!
Thanks for the tip - the ldapsearch helped me to sort out and select the correct mapping (that was the problem).
I didn’t install the “RT::Authen::ExternalAuth” extension - it came with RT 4.4.4. I think I’m using the correct option.
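
The ldapsearch check suggested in the thread, as an added example that is not part of any post: it runs an anonymous search with the base and filter from the posted configuration, then reports which attr_map attributes never appear in the result. The helper names and the sample LDIF are constructed for illustration; the thread does not say which mapping was wrong.

```shell
#!/bin/sh
# Added example. Values copied from the RT_SiteConfig.pm posted above.
LDAP_URI='ldap://corp.com'
LDAP_BASE='ou=my,o=corpcom'
LDAP_FILTER='(objectClass=corpPerson)'
# Right-hand sides of attr_map: the LDAP attributes RT is told to read.
MAPPED_ATTRS='NAME INTERNET XPHONE COUNTRY'

# Anonymous simple bind (-x with no -D/-w) using RT's base and filter,
# narrowed to one account. $1 = LDAP attribute, $2 = value to match.
# Needs network access, so it is defined here but not called.
anon_search() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&$LDAP_FILTER($1=$2))"
}

# Count entries in LDIF read from stdin. Zero means the base, the filter
# or the anonymous read permissions returned nothing for RT to match.
count_entries() {
    grep -ci '^dn:' || true
}

# Print the mapped attributes that never appear in the LDIF on stdin.
# LDAP attribute names are case-insensitive; "::" marks a base64 value.
missing_attrs() {
    ldif=$(cat)
    missing=''
    for a in $MAPPED_ATTRS; do
        printf '%s\n' "$ldif" | grep -Eqi "^$a::? " || missing="$missing $a"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample of what a directory might return (not from the thread).
SAMPLE_LDIF='dn: uid=myuser,ou=my,o=corpcom
objectClass: corpPerson
uid: myuser
mail: myuser@corp.com
NAME: My User
COUNTRY: US'

echo "entries: $(printf '%s\n' "$SAMPLE_LDIF" | count_entries)"
echo "mapped but absent: $(printf '%s\n' "$SAMPLE_LDIF" | missing_attrs)"
```

Against a live directory, pipe `anon_search` into the two helpers instead of the sample. The posted configuration uses plain ldap:// with no tls setting, so the per-user bind RT performs at login sends the password unencrypted unless ldaps:// or the `tls` option is configured.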