On 05/24/2013 02:40 PM, davidneudorfer wrote:
>     'attr_match_list' => [
>         'Name',
>         'EmailAddress',
>         'RealName',
>     ],

First things first, remove RealName from the config above. It should be removed from the example configs as it's a misleading example. "attr_match_list" are properties that in combination uniquely identify a user; by including RealName, you're telling RT that a user's real name may never change (such as not being provided, or differing slightly).

https://metacpan.org/source/TSIBLEY/RT-Authen-ExternalAuth-0.15/etc/RT_SiteConfig.pm#L128

Glenn's suggestions are also good.

Second, note these lines:

> [Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base:
> ou=lb,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David
> Neudorfer,OU=lb,DC=office,DC=lbox,DC=com) == Attrs: dn
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
> [Fri May 24 21:31:20 2013] [debug]: LDAP group membership check returned 0
> results
> (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
> [Fri May 24 21:31:20 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer

This is why auth fails: RT didn't find the logging in user as a member of the group you specified that users must be a member of.

I suspect you're running into the issue that the group check is done as the logging in user rather than the service user (cn=thisisauser in your sample). The group check happens after the rebind to check the provided password.

There's an open bug about this because it should be made configurable:

https://rt.cpan.org/Ticket/Display.html?id=69500

-- 
RT Training in Seattle, June 19-20: http://bestpractical.com/training
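
An added example, not part of the original message or of RT-Authen-ExternalAuth: a Python triage script that reads RT debug log entries worded like the ones quoted above and reports each AUTH FAILED that follows a group membership check with 0 results, together with the base, scope and filter of that search so it can be repeated as the service account. The regexes assume the log wording shown in the quoted entries, and `triage` is a hypothetical helper name.

```python
import re

# Sample input: the three log entries quoted in the message, unwrapped to one
# entry per line.
SAMPLE_LOG = """\
[Fri May 24 21:31:20 2013] [debug]: LDAP Search === Base: ou=lb,DC=office,DC=lbox,DC=com == Scope: base == Filter: (member=CN=David Neudorfer,OU=lb,DC=office,DC=lbox,DC=com) == Attrs: dn (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:256)
[Fri May 24 21:31:20 2013] [debug]: LDAP group membership check returned 0 results (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:285)
[Fri May 24 21:31:20 2013] [info]: My_LDAP AUTH FAILED: david.neudorfer
"""

# Patterns assume the log wording shown in the quoted entries.
SEARCH = re.compile(r"LDAP Search === Base: (?P<base>.*?) == Scope: (?P<scope>\w+)"
                    r" == Filter: (?P<filter>.*) == Attrs: (?P<attrs>\S+)")
GROUP = re.compile(r"LDAP group membership check returned (\d+) results")
FAILED = re.compile(r"\]: (?P<service>\S+) AUTH FAILED: (?P<user>\S+)")


def triage(log_text):
    """Return one finding per AUTH FAILED entry (hypothetical helper)."""
    findings, last_search, group = [], None, None
    for line in log_text.splitlines():
        if m := SEARCH.search(line):
            last_search = m.groupdict()
        elif m := GROUP.search(line):
            # The search logged just before this entry is the group check.
            group = (int(m.group(1)), last_search)
        elif m := FAILED.search(line):
            empty_group = group is not None and group[0] == 0
            findings.append({
                "service": m["service"],
                "user": m["user"],
                "cause": "group check returned 0 results" if empty_group else "other",
                "group_search": group[1] if empty_group else None,
            })
            last_search, group = None, None  # start fresh for the next attempt
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["service"], f["user"], "->", f["cause"])
        if f["group_search"]:
            print("  repeat as the service account: base=%(base)s "
                  "scope=%(scope)s filter=%(filter)s" % f["group_search"])
```

If the same base, scope and filter return the group when searched as the service account but nothing as the user, the failure matches the rebind behaviour described in the message.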