Need help setting up RT with AD

New to RT and RTIR but so far love it. I need someone to help me get the Authentication to AD set up and also the Sendmail piece. Anyone out there willing to help me out?

Hello ahauber,

I’m running an instance of RT 4.4.0 that uses Active Directory. I’ll take a stab at answering specific questions. Reply on this thread. I’m watching it but don’t login as often to review new threads. I liked the old listserv more since I also had my mail open.

Docs are over here: https://docs.bestpractical.com/rt/4.4.1/RT/Authen/ExternalAuth.html

You have any specific questions?

So here is my AD config piece I masked the user name and password. The Log error after tying to log in is below. I do not get it.

Set( $ExternalAuthPriority, [“My_LDAP”] );
Set( $ExternalInfoPriority, [“My_LDAP”] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples

Set( $ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘.Domain-crp.com’,
‘user’ => '
’,
‘pass’ => '
******’,
‘base’ => ‘dc=exclaim-crp,dc=com’,
‘filter’ => ‘(objectClass=inetOrgPerson)’,
# Users are allowed to log in via email address or account
# name
’attr_match_list’ => [
‘Name’,
‘EmailAddress’,
],
# Import the following properties of the user from LDAP upon
# login
’attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘RealName’ => ‘cn’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
},
},

LOG RESULTS

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind: LDAP_INVALI D_CREDENTIALS 49 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:678)
[19728] [Wed May 10 10:32:25 2017] [error]: FAILED LOGIN for e_ahauber from 10.140.10.30 (/opt/rt4/sbin/…/lib/RT/Inter face/Web.pm:826)

So here is my AD config piece I masked the user name and password. The Log error after tying to log in is below

Set( $ExternalAuthPriority, [“My_LDAP”] );
Set( $ExternalInfoPriority, [“My_LDAP”] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples

Set( $ExternalSettings, {
‘My_LDAP’ => {
‘type’ => ‘ldap’,
‘server’ => ‘.Domain-crp.com’,
‘user’ => '
’,
‘pass’ => '
******’,
‘base’ => ‘dc=exclaim-crp,dc=com’,
‘filter’ => ‘(objectClass=inetOrgPerson)’,
# Users are allowed to log in via email address or account
# name
‘attr_match_list’ => [
‘Name’,
‘EmailAddress’,
],
# Import the following properties of the user from LDAP upon
# login
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘RealName’ => ‘cn’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
},
},

LOG RESULTS

RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can’t bind: LDAP_INVALI D_CREDENTIALS 49 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:678)
[19728] [Wed May 10 10:32:25 2017] [error]: FAILED LOGIN for e_ahauber from 10.140.10.30 (/opt/rt4/sbin/…/lib/RT/Inter face/Web.pm:826)

[Forward Slash]

[Elevate]

[cid:image003.gif@01D2C94F.7778F1E0]

Alex Hauber

Sr. Security Engineer
P: 817-928-1500 x7562 | Elevate.comhttp://www.elevate.com
4150 International Plaza, Suite 300
Fort Worth, TX 76109

Privileged and Confidential. This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain privileged and/or confidential information. If you have received this e-mail in error, please notify me immediately by a return e-mail and delete this e-mail. You are hereby notified that any dissemination, distribution or copying of this e-mail and/or any attachments thereto, is strictly prohibited.

Looks to me like the user or pass are incorrect/invalid.

For easier debugging you can use ldapsearch

My Problem is that it will not connect no matter what. I use the RT Script from the Document and it’s a no go. Is there a specific way to write the RT_SiteConfig?

[Forward Slash]

[Elevate]

[cid:image003.gif@01D2C94C.818992A0]

Alex Hauber

Sr. Security Engineer
P: 817-928-1500 x7562 | Elevate.comhttp://www.elevate.com
4150 International Plaza, Suite 300
Fort Worth, TX 76109

Privileged and Confidential. This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain privileged and/or confidential information. If you have received this e-mail in error, please notify me immediately by a return e-mail and delete this e-mail. You are hereby notified that any dissemination, distribution or copying of this e-mail and/or any attachments thereto, is strictly prohibited.

Vinz,

Wrong in which way/ I took the actual user and pass out and just masked them with *** don’t want to show my user name ans password lol

Yeah, bit misleading quote :smiley: I’m inferring this information from this:

This error is saying that RT couldn’t do an initial login to your LDAP instance because when it tried the LDAP instance told RT that the credentials are invalid.

As @ahauber mentioned, the first step is to use a generic LDAP client, the easiest one to use is the command line tool ldapsearch, to try and bind to the LDAP instance. If that works, it proves the issue is with the RT config and not the credentials you are specifying in the config. That is the first step to troubleshooting this.

1 Like