Solved: LDAPimport over TLS?

Hello there…

I’m running RT 4.2 with LDAP auth. It works as expected.

Now, I want to add the LDAPimport extension. I’m confused as to weather some of the LDAP configuration for LDAP auth is shared with LDAPimport? Or, maybe the are completely seperate?

Could someone share a working config for LDAPimport? I can’t seem to find any?


I’m afraid that the configs are not shared, here is a example from one
of my RT instances. Hope it helps?

LDAP import settings

Set($LDAPBase, ‘ou=people,dc=local’);

‘verify’ => ‘require’,
‘cafile’ => ‘/etc/ssl/certs/CACert.pem’, } ); # Path CA

User import

Set($LDAPMapping, {
‘Name’ => ‘mail’, # required
’Organization’ => ‘ukFirmGhITAccOrg’,
‘Name’ => ‘mail’,
‘EmailAddress’ => ‘mail’,
‘RealName’ => ‘cn’,
‘WorkPhone’ => ‘telephoneNumber’,
‘MobilePhone’ => ‘mobile’,
‘Address1’ => ‘street’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘UserCF.external_auth’ => sub { return “RT_LDAP”; },

Group import

Set($LDAPGroupBase, ‘ou=groups,ou=people,dc=local’);
Set($LDAPGroupFilter, ‘(cn=*)’ );
Set($LDAPGroupMapping, {
‘Name’ => ‘cn’,
‘Member_Attr’ => ‘member’,
‘Member_Attr_Value’ => ‘dn’, } );

Don’t create “Imported from LDAP” group

Set($LDAPSkipAutogeneratedGroup, 1);
Set($LDAPCreatePrivileged, 1);
Set($LDAPUpdateUsers, 1);
Set($LDAPSizeLimit, 200);


Best Regards


As far as I’m aware (and how my configuration is set), the two are independent.
Mine may be a bit different because I use Apache to do the auth (SSO via Kerberos module) – this is the $WebRemoteUserAuth setting below.

LDAPImport Extension

Set( $LDAPHost,‘’ );
Set( $LDAPUser,‘’ );
Set( $LDAPPassword,‘PASSWORD’ );

Set( $LDAPSizeLimit, 500 );
Set( $LDAPSkipAutogeneratedGroup, 1 ); # 1 = DONT ADD IMPORTED USERS TO DEFAULT ‘Imported from LDAP’ GROUP
Set( $LDAPUpdateUsers, 1 ); # 0 = SKIP EXISTING USERS, 1 = UPDATE THEM

Set( $ExternalAuth, 1 );
Set( $WebRemoteUserAuth, 1 );

Set( $LDAPBase, ‘dc=example,dc=com’ );
# This filter looks for non-disabled users who have an employeeID
Set( $LDAPFilter, ‘(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(employeeID=))’ );
# We also map some custom fields during user sync/import
Set( $LDAPMapping, {
‘Name’ => ‘sAMAccountName’,
‘EmailAddress’ => ‘mail’,
‘Organization’ => ‘physicalDeliveryOfficeName’,
‘RealName’ => ‘cn’,
‘Gecos’ => ‘sAMAccountName’,
‘WorkPhone’ => ‘telephoneNumber’,
‘MobilePhone’ => ‘mobile’,
‘Address1’ => ‘streetAddress’,
‘City’ => ‘l’,
‘State’ => ‘st’,
‘Zip’ => ‘postalCode’,
‘Country’ => ‘co’,
‘UserCF.Manager’ => ‘manager’,
‘UserCF.Company’ => ‘Company’,
‘UserCF.Department’ => ‘DepartmentNumber’,
‘UserCF.Division’ => ‘Division’,
‘UserCF.Domain’ => ‘Comment’,
‘UserCF.EEID’ => ‘employeeID’
} );
Set( $LDAPGroupBase, ‘dc=example,dc=com’ );
# We only import specific groups from AD, most of the RT ones use a naming convention of RT-SRV- (RT service account)
Set( $LDAPGroupFilter, '(&(objectcategory=group)(|(cn=Admins)(cn=Helpdesk)(cn=ITPeops)(cn=RT-SRV-
)))’ );
Set( $LDAPGroupMapping, {
Name => ‘cn’,
Member_Attr => ‘member’,
Member_Attr_Value => ‘dn’
} );

Very helpful! Much appreciated. Thank you.

I’m trying to enable TLS for ldap import , basing my configuration on this:

Since I use a “snakeoil” certificate, I’d like to turn off verification. This works well with external auth with the setting:
'tls' => 1,

I want to do the samething for LDAPimport. I have tried these with no success:
Set($LDAPTLS, { ‘verify’ => ‘none’, } );
Set($LDAPTLS, 1);

I’m using LDAPimport from here:

I see no mention of TLS support?

This is what I get when running rtldapimport --debug
[350] [Mon Jun 19 09:33:57 2017] [error]: LDAP bind failed confidentiality required (/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/
LDAP bind failed confidentiality required

Any suggestions?


Hi Tobias,

Sorry for confusing you, I missed the TLS when I posted the

The currently released LDAPImport modules don’t support TLS, I created a
patch for RT 4.4 to enable TLS functionality.
It’s not found it’s way into the trunk yet, but the changes can be found

I’ve been using it in production for a few months now.

Best Regards


Hello Martin.

So LDAPimport is a part of RT 4.4 correct?

And, since I’m running 4.2 (Ubuntu packages), I can not use TLS with LDAPimport unless I create a patch for the code here:


Hi Tobias,

So LDAPimport is a part of RT 4.4 correct?
Yes, that is correct

And, since I’m running 4.2 (Ubuntu packages), I can not use TLS with
LDAPimport unless I create a patch for the code here:
I’m afraid that is also correct. However the patch to RT4.4 may apply to
the RT4.2 LDAPImport module, I however haven’t examined the RT 4.2
LDAPImport module code.

Best Regards


Hello Martin.

I was able to easly implement your patch in the 0.36 version of LDAPimport. The code (I looked at) looks exactly the same.

I’m contemplating putting the patched version on github.

Thank you for all your help with this.