RT 4.4.4 and AD ExternalAuth

Hi all,

RT 4.4.4 (new installation)
MariaDB 10.3
CentOS 8 (Perl 5.26.3)
AD server is WS 2016

I’ve been working on this a couple of days but am stuck and hope I can get a few thoughts on where else to look.

Part of my RT_SiteConfig.pm:

Set($ExternalAuthPriority, [‘AD’]);
Set($ExternalInfoPriority, [‘AD’]);
Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 });
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, {
‘AD’ => {
‘type’ => ‘ldap’,
‘server’ => ‘myldap.mydomain.edu’,
‘user’ => ‘myldapauthuser@mydomain.edu’,
‘password’ => ‘mypassword’,
‘base’ => ‘dc=mydomain,dc=edu’,
‘filter’ => ‘(objectCategory=User)’,
‘tls’ => { verify => ‘none’ },
‘net_ldap_args’ => [ version => 3, scheme => ‘ldaps’, port => 636],
‘attr_match_list’ => [
‘attr_map’ => {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘RealName’ => ‘cn’,
‘WorkPhone’ => ‘telephoneNumber’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
‘group_scope’ => ‘sub’,
} );

This bit is for ldapimport

Set($LDAPOptions, [ port => 636,
scheme => ‘ldaps’,
raw => qr/(;binary)/,
version => 3,
verify => ‘none’]);
Set($LDAPUser,‘CN=Myldapauth User,CN=Users,DC=mydomain,DC=edu’);
Set($LDAPBase, ‘dc=mydomain,dc=edu’);
Set($LDAPFilter, ‘(&(objectCategory=User)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))’);
Set($LDAPMapping, {Name => ‘sAMAccountName’, # required
EmailAddress => ‘mail’,
RealName => ‘cn’,
WorkPhone => ‘telephoneNumber’,
Address1 => ‘streetAddress’,
City => ‘l’,
State => ‘st’,
Zip => ‘postalCode’,
Country => ‘co’});
Set($LDAPGroupBase, ‘ou=Groups,dc=mydomain,dc=edu’);
Set($LDAPGroupFilter, ‘(|(cn=Staff)(cn=Consultant))’);
Set($LDAPGroupMapping, {Name => ‘cn’,
Member_Attr => ‘member’,
Member_Attr_Value => ‘dn’ });

The importer does seem to work: /opt/rt4/sbin/rt-ldapimport --verbose
and so does: ldapsearch -x -H ldaps://myldap.mydomain.edu:636 -D myldapauthuser@mydomain.edu -w mypassword -b “dc=mydomain,dc=edu” “(&(objectCategory=User)(sAMAccountName=testuser))”
The filter part is copied from the log entries of the failed login on the web gui.

Logging in via the web gui gives:

[19085] [Fri Dec 13 15:42:15 2019] [debug]: Attempting to use external auth service: AD (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:288)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: Calling UserExists with $username (testuser) and $service (AD) (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth.pm:329)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: UserExists params: username: testuser , service: AD (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:486)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: LDAP Search === Base: dc=mydomain,dc=edu == Filter: (&(objectCategory=User)(sAMAccountName=testuser)) == Attrs: postalCode,streetAddress,telephoneNumber,st,co,mail,cn,l,sAMAccountName (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:516)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: User Check Failed :: ( AD ) testuser User not found (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:530)
[19085] [Fri Dec 13 15:42:15 2019] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt4/share/html/Elements/DoAuth:58)
[19085] [Fri Dec 13 15:42:15 2019] [error]: FAILED LOGIN for testuser from (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:827)

Based on other posts, mine doesn’t appear to be a server connectivity issue or an LDAP account problem that I can tell. Sorta stuck on what to try next.


I haven’t done LDAP personally on my RT, since you are trying to login with a username can you confirm that this mapping is correct ‘Name’ => ‘sAMAccountName’,I know that is the default value in the docs

Yeah, I’m taking that mostly on faith from the docs as I’m new to RT but a similar mapping of username to sAMAccountName works on our other perl-based ticket system as well as a few other LDAP/AD authenticated systems.

A few other folks on this forum with the same mappings tried “myname@mydomain” to login which worked for them but doesn’t in my case (same user not found error).

Are you using Active Directory for LDAP?

Yeah, Active Directory on Windows Server 2016

It’s starting to appear like a binding issue. In the Event Viewer on the AD server, the login attempts with the binding credentials throws a substatus code of 0xC000006A which is (according to Google searches) “user name is correct but the password is wrong.” I’ve double-checked the password and have even tried other accounts to bind with (and verifying passwords) but they all end up failing.

Interesting sidenote is if I put in bad bind info, like a non-existent account, no errors about binding show up in the RT log (currently set at debug level)

Ok, I feel dumb… with all the copying and pasting to test configs, somehow ‘password’ => ended up were it should’ve been ‘pass’ =>

I can now log in with AD credentials now!

Thanks for jumping in here knation!

Glad you figured it out !