If I run the command the way you've formatted it I get "ldapsearch can't contact ldap server (-1)".

However, if I run

    ldapsearch -x -h dc1.example.com -D rtuser -w xxxxxxxx -b "dc=example,dc=com" "(sAMAccountName=user)"

I get all kinds of output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (sAMAccountName=user)
# requesting: ALL
#

# User Name, Information Systems, HQ Users, EXAMPLE Users, Users, ZEN USERS GROUPS and COMPUTERS, Example.com
dn: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: User Name
sn: Name
givenName: User
distinguishedName: CN=User Name,OU=Information Systems,OU=HQ Users,OU=EXAMPLE Users,OU=Users,OU=ZEN USERS GROUPS and COMPUTERS,DC=example,DC=com
instanceType: 4
whenCreated: 20130930141549.0Z
whenChanged: 20131012190321.0Z
displayName: User Name
uSNCreated: 8802089
uSNChanged: 9320797
name: User Name
objectGUID:: f+PyYZ/6lEqKVGVs4/LT1A==
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 130250241494878224
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA4MWjpccIJx5IwuT21g4AAA==
accountExpires: 9223372036854775807
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: un...@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130260782012929006

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

-Mathew
"When you do things right, people won't be sure you've done anything at all." - God; Futurama
"We'll get along much better once you accept that you're wrong and neither am I." - Me

On Thu, Oct 17, 2013 at 6:54 PM, Jeff Solberg <jsolb...@intrepidls.com> wrote:
> That error code 49 is a generic LDAP error returned when the account you're using to bind has invalid creds, usually a bad or expired password.
>
> Do you have ldap tools installed on your RT server? If so run this command to test your bind account:
>
>     ldapsearch -x -W -D "bindacco...@domain.com" "(sAMAccountName=some_user)"
>
> Enter Password of Bind account.
>
> Let us know the results.
>
> Jeff
>
> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
> Sent: Thursday, October 17, 2013 3:32 PM
> To: Jeff Solberg
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
>
> I've tried both the settings indicated by Jeff (excepting the SSO cookie settings) and Glenn. I'm still getting the "RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49" error.
>
> -Mathew
>
> On Thu, Oct 17, 2013 at 5:00 PM, Jeff Solberg <jsolb...@intrepidls.com> wrote:
> Here is a copy of my working ExternalAuth Config. Hope this helps.
>
>     #PLUGINS
>     Set( @Plugins, qw(RT::Authen::ExternalAuth));
>
>     #External Auth Settings
>     #Set($WebExternalAuth , 1);
>     #Set($WebFallbackToInternalAuth , 1);
>     #Set($WebExternalAuto , 1);
>     Set($ExternalAuthPriority, [ 'My_LDAP',] );
>     Set($ExternalInfoPriority, [ 'My_LDAP',] );
>     Set($ExternalServiceUsesSSLorTLS, 0);
>     Set($AutoCreateNonExternalUsers, 0);
>     Set($ExternalSettings, {
>         'My_LDAP' => {
>             'type'     => 'ldap',
>             'server'   => '10.10.x.x',
>             'user'     => 'cn=Bind Ldap,ou=User_Logins,dc=xxx,dc=xxx',
>             'pass'     => 'xxxxx',
>             'base'     => 'dc=xxx,dc=xxx',
>             'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
>             'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803=2)',
>             # 'group'      => 'cn=Domain Users,ou=Groups_Security,dc=xxx,dc=xxx',
>             # 'group_attr' => 'member',
>             'tls'           => 0,
>             'ssl_version'   => 3,
>             'net_ldap_args' => [ version => 3 ],
>             'group_scope'   => 'base',
>             # 'group_attr_value' => 'GROUP_ATTR_VALUE',
>             'attr_match_list' => [
>                 'Name',
>                 'EmailAddress',
>             ],
>             'attr_map' => {
>                 'Name'           => 'sAMAccountName',
>                 'EmailAddress'   => 'mail',
>                 'Organization'   => 'physicalDeliveryOfficeName',
>                 'RealName'       => 'cn',
>                 'ExternalAuthId' => 'sAMAccountName',
>                 'Gecos'          => 'sAMAccountName',
>                 'WorkPhone'      => 'telephoneNumber',
>                 'Address1'       => 'streetAddress',
>                 'City'           => 'l',
>                 'State'          => 'st',
>                 'Zip'            => 'postalCode',
>                 'Country'        => 'co'
>             },
>         },
>         # An example SSO cookie service
>         'My_SSO_Cookie' => {
>             'type'            => 'cookie',
>             'name'            => 'loginCookieValue',
>             'u_table'         => 'users',
>             'u_field'         => 'username',
>             'u_match_key'     => 'userID',
>             'c_table'         => 'login_cookie',
>             'c_field'         => 'loginCookieValue',
>             'c_match_key'     => 'loginCookieUserID',
>             'db_service_name' => 'My_MySQL'
>         },
>     });
>
> From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
> Sent: Thursday, October 17, 2013 1:50 PM
> To: Jeff Solberg
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
>
> I found another thread that indicated that the solution to the second problem was to add @domain to the end of the username. That just reverted to the previous list of errors with a couple new ones.
>
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
> Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
> Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
> Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
> Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102
>
> -Mathew
>
> On Thu, Oct 17, 2013 at 4:39 PM, Mathew Snyder <mathew.sny...@gmail.com> wrote:
> I didn't know the OU until a few moments ago so I only entered "cn=user,dc=example,dc=com". That did seem to make a difference. However, I'm still not able to log in. Perhaps for other reasons, though:
>
> Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
> Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102
>
> I know I'm entering my username and password correctly and have again tried just the username, example\username, and example.com\username. I'm wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing OU. I do know it now, but how do I enter an OU that has two words? I was told it is example.com/Special Accounts.
>
> -Mathew
>
> On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg <jsolb...@intrepidls.com> wrote:
> For your 'server' try using IP rather than hostname.
>
> Second, for the 'user' field try using the DN name for your AD Binding user... {cn=some_user,ou=some_ou,dc=some_domain,dc=com}
>
> Hope this helps.
>
> Jeff
>
> From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
> Sent: Thursday, October 17, 2013 1:19 PM
> To: rt-users@lists.bestpractical.com
> Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
>
> These are the settings I've started with:
>
>     Set($ExternalSettings, {
>         'AD' => {
>             'type'          => 'ldap',
>             'server'        => 'domain_controller.example.com',
>             'base'          => 'dc=example,dc=com',
>             'user'          => 'rtuser',
>             'pass'          => '********',
>             'filter'        => '(ObjectClass=*)',
>             'tls'           => 0,
>             'ssl_version'   => 3,
>             'net_ldap_args' => [ version => 3 ],
>             'attr_match_list' => [
>                 'EmailAddress',
>             ],
>             'attr_map' => {
>                 'Name'         => 'sAMAccountName',
>                 'EmailAddress' => 'mail',
>                 'RealName'     => 'cn',
>             },
>         },
>     });
>
> They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:
>
> Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
> Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
> Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
> Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102
>
> When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.
>
> We also have our Openfire Jabber server authenticating successfully. Those settings are:
>
>     ldap.autoFollowAliasReferrals = true
>     ldap.autoFollowReferrals = false
>     ldap.baseDN = dc=example,dc=com
>     ldap.connectionPoolEnabled = true
>     ldap.debugEnabled = false
>     ldap.emailField = mail
>     ldap.encloseDNs = true
>     ldap.groupDescriptionField = description
>     ldap.groupMemberField = member
>     ldap.groupNameField = cn
>     ldap.groupSearchFilter = (objectClass=group)
>     ldap.host = domain_controller.example.com
>     ldap.ldapDebugEnabled = false
>     ldap.nameField = cn
>     ldap.port = 389
>     ldap.searchFilter = (objectClass=*)
>     ldap.usernameField = sAMAccountName
>
> I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the "group" settings.
>
> -Mathew
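Two details the thread turns on, as an added example that is not code from the thread, from RT or from RT-Authen-ExternalAuth: how to write a bind DN for an OU whose name contains a space (the "example.com/Special Accounts" question), and what Jeff's d_filter actually tests, reproduced client-side against a userAccountControl value read out of ldapsearch's LDIF. The canonical-name converter assumes every container in the path is an OU, and the LDIF sample is constructed rather than copied from the real entry.

```python
import base64
import re

# d_filter's OID 1.2.840.113556.1.4.803 is AD's bitwise-AND rule; 2 is UF_ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002
_RDN_SPECIAL = ',+"\\<>;'  # RFC 4514 specials needing a backslash in an RDN value

def escape_rdn_value(value):
    """Interior spaces ('Special Accounts') are fine; a leading '#' or space and a trailing space are not."""
    out = "".join("\\" + c if c in _RDN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out
def canonical_to_dn(canonical, leaf_attr="CN"):
    """'example.com/Special Accounts/rtuser' -> the DN form RT's 'user' setting takes.
    Assumes the containers are OUs (the built-in Users folder would be CN=Users instead)."""
    domain, *containers, leaf = canonical.split("/")
    rdns = ["%s=%s" % (leaf_attr, escape_rdn_value(leaf))]
    rdns += ["OU=%s" % escape_rdn_value(c) for c in reversed(containers)]
    rdns += ["DC=%s" % d for d in domain.split(".")]
    return ",".join(rdns)
def is_disabled(uac):
    """Client-side version of the d_filter test: bit 2 set means the account is disabled."""
    return bool(int(uac) & UF_ACCOUNTDISABLE)
def parse_ldif_entry(text):
    """ldapsearch LDIF entry -> {attr: [values]}; '::' marks base64, a leading space continues a line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        m = re.match(r"([A-Za-z][\w;.-]*)(::?) ?(.*)", line)
        if m:
            name, sep, value = m.groups()
            attrs.setdefault(name, []).append(base64.b64decode(value) if sep == "::" else value)
    return attrs

# Constructed sample in the shape of the ldapsearch output above (not the real entry).
SAMPLE_LDIF = """\
dn: CN=User Name,OU=Information Systems,OU=HQ Users,DC=example,DC=com
userAccountControl: 512
sAMAccountName: user
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
"""
```

With userAccountControl 512 (NORMAL_ACCOUNT, disable bit clear) the entry would pass a d_filter check, so a "Disabled:" result in RT's CanonicalizeUserInfo log line is not coming from that bit.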