Hello Martin.
In the following I have included: the LDAP configuration, log entries showing a failed attempt at logging in with the group feature enabled, and the result of looking up the group with ldapsearch.
From RT_SiteConfig.pm:
Plugin('RT::Authen::ExternalAuth');

# Use the below LDAP source for both authentication, as well as user
# information
Set($ExternalAuthPriority, ["My_LDAP"]);
Set($ExternalInfoPriority, ["My_LDAP"]);

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set( $AutoCreateNonExternalUsers, 1 );

# Minimal LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
# https://docs.bestpractical.com/rt/4.4.1/RT/Authen/ExternalAuth/LDAP.html
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.com',
        'user'   => 'cn=admin,dc=example,dc=com',
        'pass'   => '******',
        'tls'    => 1, # TLS with No certificate validation
        'base'   => 'o=example,dc=example,dc=com',
        'filter' => '(objectClass=*)',
        #'group_scope'     => 'sub',
        'group'            => 'cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com',
        'group_attr'       => 'memberUid',
        'group_attr_value' => 'uid',
        # Users are allowed to log in via these RT attributes.
        # See LDAP mapping.
        'attr_match_list' => [ 'Name', 'EmailAddress', ],
        # Import the following properties of the user from LDAP upon
        # login
        'attr_map' => {
            'Name'           => 'uid',
            'EmailAddress'   => 'mail',
            'ExternalAuthId' => 'uid',
            'RealName'       => 'cn',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
} );
From the log when trying to log in as user “tbp”:
[140] [Wed Jun 14 07:58:25 2017] [debug]: Attempting to use external auth service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:424)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Calling UserExists with $username (tbp) and $service (My_LDAP) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:465)
[140] [Wed Jun 14 07:58:25 2017] [debug]: UserExists params:
username: tbp , service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:439)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: o=example,dc=example,dc=com == Filter: (&(objectClass=*)(uid=tbp)) == Attrs: streetAddress,l,uid,uid,postalCode,st,mail,cn,telephoneNumber,co (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:469)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Password validation required for service - Executing... (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:517)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Trying external auth service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:153)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: o=example,dc=example,dc=com == Filter: (&(uid=tbp)(objectClass=*)) == Attrs: dn,uid (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:186)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Found LDAP DN: uid=tbp,ou=people,c=dk,o=example,dc=example,dc=com (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:220)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com == Scope: base == Filter: (memberUid=tbp) == Attrs: dn (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[140] [Wed Jun 14 07:58:25 2017] [critical]: Search for (memberUid=tbp) failed: LDAP_NO_SUCH_OBJECT 32 (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP password validation result: 0 (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:696)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Password Validation Check Result: 0 (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:521)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[140] [Wed Jun 14 07:58:25 2017] [error]: FAILED LOGIN for tbp from 10.135.10.88 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:810)
Looking up the group with ldapsearch:
root@ea8fb0f05ef6:/# ldapsearch -x -h ldap.example.com -b cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W -ZZ
Enter LDAP Password: ****
# extended LDIF
#
# LDAPv3
# base <cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# it, groups, request-tracker, services, example, example.com
dn: cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com
cn: it
description: Users of the IT queues in Request Tracker
gidNumber: 1101
memberUid: plj
memberUid: tbp
objectClass: top
objectClass: posixGroup
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
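An added example, not part of this email and not code from RT::Authen::ExternalAuth: a small offline script that reads the two artifacts quoted above, the RT debug log (which LDAP searches ran, with which base, scope and filter, and which one returned an error) and the ldapsearch LDIF of the group entry (whether the uid is actually listed under memberUid), so the membership check RT attempts can be compared against what the directory holds before touching the configuration. The log and LDIF samples inside it are constructed from the lines in the email, with the "/usr/share/..." source suffix in the log shortened; the function names are the example's own.

```python
"""Added example, not from the email above or from RT::Authen::ExternalAuth:
reconstruct the group-membership check from the RT debug log and from the
ldapsearch LDIF of the group entry. Both samples are constructed from the
quoted lines; the function names are this example's own."""
import base64
import re

# Constructed sample: the relevant RT log lines, one per line, with the
# "(/usr/share/.../LDAP.pm:NNN)" source suffix shortened for readability.
RT_LOG = """\
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: o=example,dc=example,dc=com == Filter: (&(objectClass=*)(uid=tbp)) == Attrs: streetAddress,l,uid,uid,postalCode,st,mail,cn,telephoneNumber,co (LDAP.pm:469)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: o=example,dc=example,dc=com == Filter: (&(uid=tbp)(objectClass=*)) == Attrs: dn,uid (LDAP.pm:186)
[140] [Wed Jun 14 07:58:25 2017] [debug]: Found LDAP DN: uid=tbp,ou=people,c=dk,o=example,dc=example,dc=com (LDAP.pm:220)
[140] [Wed Jun 14 07:58:25 2017] [debug]: LDAP Search === Base: cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com == Scope: base == Filter: (memberUid=tbp) == Attrs: dn (LDAP.pm:256)
[140] [Wed Jun 14 07:58:25 2017] [critical]: Search for (memberUid=tbp) failed: LDAP_NO_SUCH_OBJECT 32 (LDAP.pm:274)
"""

GROUP_DN = "cn=it,ou=groups,dc=request-tracker,dc=services,o=example,dc=example,dc=com"

# Constructed sample: the ldapsearch output for the group, as LDIF.
GROUP_LDIF = f"""\
# extended LDIF
# base <{GROUP_DN}> with scope subtree
# filter: (objectclass=*)

dn: {GROUP_DN}
cn: it
description: Users of the IT queues in Request Tracker
gidNumber: 1101
memberUid: plj
memberUid: tbp
objectClass: top
objectClass: posixGroup

# search result
search: 3
result: 0 Success
"""

# "LDAP Search === Base: ... [== Scope: ...] == Filter: ... == Attrs: a,b,c"
SEARCH_RE = re.compile(
    r"LDAP Search === Base: (?P<base>.+?) == "
    r"(?:Scope: (?P<scope>\w+) == )?"
    r"Filter: (?P<filter>.+?) == Attrs: (?P<attrs>\S+)"
)
# "[critical]: Search for (filter) failed: LDAP_NO_SUCH_OBJECT 32"
FAIL_RE = re.compile(
    r"\[critical\]: Search for (?P<filter>.+?) failed: (?P<code>LDAP_\w+) (?P<num>\d+)"
)


def parse_searches(log):
    """One dict per 'LDAP Search' debug line, in log order. 'scope' is None
    when the log line does not print one (the user lookups above)."""
    found = []
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            d = m.groupdict()
            d["attrs"] = d["attrs"].split(",")
            found.append(d)
    return found


def parse_failures(log):
    """(filter, LDAP result name, numeric code) for every failed search."""
    return [(m["filter"], m["code"], int(m["num"]))
            for m in map(FAIL_RE.search, log.splitlines()) if m]


def parse_ldif(text):
    """Parse ldapsearch LDIF into {dn: {attr: [values]}}. Comment lines and
    blocks without a dn (the trailing search:/result: block) are ignored;
    folded continuation lines and base64 ('::') values are handled."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        folded = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and folded:  # LDIF continuation line
                folded[-1] += line[1:]
            else:
                folded.append(line)
        attrs = {}
        for line in folded:
            if ":: " in line:  # base64-encoded value
                name, val = line.split(":: ", 1)
                val = base64.b64decode(val).decode("utf-8")
            elif ": " in line:
                name, val = line.split(": ", 1)
            else:
                continue
            attrs.setdefault(name, []).append(val)
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries


def is_member(entries, group_dn, group_attr, value):
    """The check RT expresses as the filter (memberUid=tbp) on the group DN:
    True/False if the group entry exists, None if it is not in `entries`."""
    group = entries.get(group_dn)
    if group is None:
        return None
    return value in group.get(group_attr, [])


if __name__ == "__main__":
    for s in parse_searches(RT_LOG):
        print(f"search base={s['base']} scope={s['scope'] or '(not logged)'} filter={s['filter']}")
    for flt, code, num in parse_failures(RT_LOG):
        print(f"FAILED {flt}: {code} ({num})")
    entries = parse_ldif(GROUP_LDIF)
    print("tbp listed in memberUid:", is_member(entries, GROUP_DN, "memberUid", "tbp"))
```

Run as-is it lists the three searches from the log, shows that the only one carrying an explicit scope is the base-scope search on the group DN (the one that failed with LDAP_NO_SUCH_OBJECT 32), and confirms from the LDIF that `tbp` is present in `memberUid`; pointing `RT_LOG` and `GROUP_LDIF` at a different RT log and `ldapsearch -LLL` output gives the same comparison for another deployment.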