RT::Authen::ExternalAuth setup

I’m trying to set up a basic LDAP auth using RT::Authen::ExternalAuth in RT 4.4.3.

I have used the documentation as a guide, and also added Plugin( "RT::Authen::ExternalAuth" ); to enable the extension.

But it just doesnt work, just saying invalid creds. Is there some way I can enable logging to see what the ldap error is?

For what its worth, i tried using the rt-ldapimport test with the ldapimport code and this worked perfectly. I just cant get the externalauth to work.

RT::Authen::ExternalAuth was cored RT 4.4 so you shouldn’t have the Plugin line in your RT_SiteConfig file:


Users of the existing RT::Authen::ExternalAuth extension should remove RT::Authen::ExternalAuth from the plugins list, and add Set($ExternalAuth, 1); to the RT_SiteConfig.pm file. Please also remove local/plugins/RT-Authen-ExternalAuth from your RT installation.

Awesome! thanks heaps. That was my problem.

This was a fresh install, so I hadnt read the upgrade documentation you pointed out. Would be great if the RT:Authen::ExternalAuth documentation could be updated to include the step for enabling external auth using the $ExternalAuth, 1 setting.

Heres another question -

Is it possible to do LDAPS over port 636 using RT::Authen::ExternalAuth?

I see theres an option for specifying TLS certificate, but is that TLS over 389? Can you specify the port somehow?

RT uses Net::LDAP to connect to LDAP:

You can provide the port value in the RT net_ldap_args values.

legend, thanks again!

Got it to work with ldaps, but it took me a while of reading the net::ldap cpan help to work it out. Would be excellent if you could include the scheme and port options in the RT documentation as it would have saved me a bit of time. You also need to install the Net::LDAP cpan dependency as it is not included by default. Install with cpan -i Net::LDAP (Case sensitive)

Heres my config incase someone else needs it -

Set( $ExternalAuth, 1);
Set( $ExternalAuthPriority, ["My_LDAP"] );
Set( $ExternalInfoPriority, ["My_LDAP"] );
        Set( $ExternalSettings, {
                'My_LDAP'       =>  {
                        'type'                      =>  'ldap',
                        'server'                    =>  'ldap hostname.com',
                        'user'                      =>  'ldap auth username',
                        'pass'                      =>  'ldap auth password',
                        'base'                      =>  'CN=Users,DC=domain,DC=com',
                        'filter'                    =>  '(objectClass=*)',
                        'tls'                       =>  { verify => "require", capath => "/path/to/cert" },
                        'net_ldap_args'             => [    version => 3,
                                                            scheme  => ldaps,
                                                            port    => 636
                        'attr_match_list' => [
                        'attr_map' => {
                        'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'Organization' => 'physicalDeliveryOfficeName',
                        'RealName' => 'cn',
                        'Gecos' => 'sAMAccountName',
                        'WorkPhone' => 'telephoneNumber',
                        'Address1' => 'streetAddress',
                        'City' => 'l',
                        'State' => 'st',
                        'Zip' => 'postalCode',
                        'Country' => 'co'
} );