> To be more specific, when I remove the user, at next login RT creates again
> the user with the right values ( i.e. Name, ZIP code, etc. ) but fails at
> authentication step.

IIRC you are using RT::Authen::ExternalAuth, right? That extension authenticates by attempting to bind to the LDAP server with the credentials entered by the user. But before it tries to bind, it first looks up the user in LDAP anonymously. This is consistent with what you are seeing.

Here's what I see in my log when a known user attempts to log in and fails:

    Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
    Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

And this is the log when an unknown (to RT) user attempts to log in and fails:

    Jul 29 13:06:44 myserv RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: myuser, Name: myuser, Privileged: (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:665)
    Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)
    Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
    Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)

Note that it first creates the user in RT. Only then does it attempt to bind. Now, in my case the bind fails because the user's credentials are wrong. But this is not the only possible failure modality. There are any number of reasons why bind might be failing.

Can you bind to the LDAP server using the 'ldapsearch' command? If you can get bind to work that way, first, that would be a start.

In my case, the successful ldapsearch command looked something like this:

    ldapsearch -LLL -H ldaps://login.example.com -x \
        -D cn=myuser,ou=users,dc=example,dc=com -W \
        -b ou=users,dc=example,dc=com uid=myuser

(Note that you have to know myuser's password -- and enter it correctly -- for this to work.)

Hope this helps.

Nathan
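
Added example, not part of Nathan's message or of RT::Authen::ExternalAuth: a Python script that reads RT log lines in the format quoted above and reports, for each failed login, the LDAP bind error and whether RT autocreated the account just before the bind was attempted. The function name and the regular expressions are assumptions derived only from the sample lines in this message.

```python
import re

# Sample lines copied from the message above.
SAMPLE_LOG = """\
Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)
Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)
Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can't bind: LDAP_INVALID_CREDENTIALS 49 ) (/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61 (/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)
"""

# Syslog prefix: "Mon DD HH:MM:SS host RT: " (timestamp captured as group 1).
PREFIX = r"^(\w{3} +\d+ [\d:]+) \S+ RT: "
AUTOCREATE = re.compile(PREFIX + r"Autocreated external user (\S+) \( (\d+) \)")
BIND_FAIL = re.compile(PREFIX + r"(\S+) AUTH FAILED (\S+) \(can't bind: (\w+) (\d+) \)")
LOGIN_FAIL = re.compile(PREFIX + r"FAILED LOGIN for (\S+) from (\S+)")


def failed_logins(log_text):
    """Return one dict per FAILED LOGIN line, joined with the preceding
    bind error and any autocreation logged for the same user."""
    created = {}   # user -> RT id autocreated since that user's last login result
    bind_err = {}  # user -> (service name, LDAP error name, LDAP result code)
    events = []
    for line in log_text.splitlines():
        if m := AUTOCREATE.match(line):
            created[m.group(2)] = int(m.group(3))
        elif m := BIND_FAIL.match(line):
            bind_err[m.group(3)] = (m.group(2), m.group(4), int(m.group(5)))
        elif m := LOGIN_FAIL.match(line):
            when, user, source = m.groups()
            service, err, code = bind_err.pop(user, (None, None, None))
            events.append({
                "time": when, "user": user, "source": source,
                "service": service, "ldap_error": err, "ldap_code": code,
                # Not None means RT created this account before the bind ran.
                "autocreated_id": created.pop(user, None),
            })
    return events


if __name__ == "__main__":
    for e in failed_logins(SAMPLE_LOG):
        kind = "autocreated, then bind failed" if e["autocreated_id"] else "known user, bind failed"
        print(f'{e["time"]} {e["user"]} from {e["source"]}: {kind} ({e["ldap_error"]} {e["ldap_code"]})')
```

Entries with an autocreated_id are the ones where an RT account came into existence without a successful bind, which is the sequence described in this thread.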