Review some of your LDAP settings. I think you have CN and DN in places where you may want OU, and your LDAP user should be in a different format, see below.
Hopefully this helps. Use mine (working, also cleaned up) as an example:

    Set($ExternalSettings, {
        'My_LDAP' => {
            'type'   => 'ldap',
            'server' => 'ldap://domain_name.com',
            'user'   => 'domain_name\ldapreader',
            'pass'   => 'ldapreader_password',
            'base'   => 'ou=users,ou=services,dc=domain_name,dc=com',
            'filter' => '(objectClass=person)',
            'tls'    => 0,
            'attr_match_list' => [
                'Name',
                'EmailAddress',
                'RealName',
            ],
            'attr_map' => {
                'Name'           => 'sAMAccountName',
                'EmailAddress'   => 'mail',
                'Organization'   => 'department',
                'RealName'       => 'cn',
                'NickName'       => 'givenName',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
                'WorkPhone'      => 'telephoneNumber',
                'MobilePhone'    => 'mobile',
                'Address1'       => 'streetAddress',
                'City'           => 'l',
                'State'          => 'st',
                'Zip'            => 'postalCode',
                'Country'        => 'co',
            },
        },
    });

On Tue, Feb 24, 2015 at 9:35 AM, Guillaume Hilt <gh...@shadowprojects.org> wrote:
> No one is using LDAPS with Request Tracker?
>
> Guillaume Hilt
>
> On 18/02/2015 15:43, Guillaume Hilt wrote:
>> Hello,
>>
>> I'm using a fresh install of RT 4.0.19 on Ubuntu 14.04 AMD64, using .deb
>> packages.
>>
>> I'm trying to make ExternalAuth work with LDAP over SSL (Active Directory
>> on 2008 R2 x64), with an internal CA managed under Windows 2008 R2 x64.
>> I added the CA cert in /etc/ssl/certs/srv2.lan.domain.com_ca.pem.
>>
>> I followed a previous discussion on this matter here:
>> http://lists.bestpractical.com/pipermail/rt-users/2012-March/075690.html
>> I'm facing the same issue.
>>
>> $ openssl s_client -connect srv2.lan.domain.com:636 -CApath /etc/ssl/certs
>> Return Verify return code: 21 (unable to verify the first certificate)
>>
>> $ openssl verify -CAfile /etc/ssl/certs/srv2.lan.domain.com_ca.pem /etc/ssl/certs/srv2.lan.domain.com_cert.pem
>> /etc/ssl/certs/srv2.lan.domain.com_cert.pem: OK
>>
>> Running LDP.exe on the domain controllers running in SSL mode works fine.
>>
>> RT's log gives the following:
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_OPERATIONS_ERROR 1
>>
>> An ldapsearch gives me this (snipped hex code):
>>
>> ldap_initialize( ldaps://srv2.lan.domain.com:636/??base )
>> tls_write: want=117, written=117
>> tls_read: want=3422, got=1443
>> tls_read: want=1979, got=1448
>> tls_read: want=531, got=531
>> tls_write: want=12, written=12
>> tls_write: want=267, written=267
>> tls_write: want=6, written=6
>> tls_write: want=117, written=117
>> tls_read: want=5, got=5
>> tls_read: want=1, got=1
>> tls_read: want=5, got=5
>> tls_read: want=80, got=80
>> TLS: can't connect: (unknown error code).
>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>
>> Here's my configuration:
>>
>>     'AD_LAN' => {
>>         'type'   => 'ldap',
>>         'server' => 'srv2.lan.domain.com',
>>         'user'   => 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com',
>>         'pass'   => 'XXXXXXX',
>>
>>         'base'     => 'CN=Utilisateurs,DC=lan,DC=domain,DC=com',
>>         'filter'   => '(&(objectClass=organizationalPerson)(mail=*))',
>>         'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
>>
>>         'group'      => '',
>>         'group_attr' => '',
>>
>>         'tls'           => 0,
>>         'ssl_version'   => 3,
>>         'net_ldap_args' => [ version => 3, port => 636, debug => 8 ],
>>
>>         'attr_match_list' => [
>>             'Name',
>>             'EmailAddress',
>>         ],
>>         'attr_map' => {
>>             'Name'           => 'sAMAccountName',
>>             'EmailAddress'   => 'mail',
>>             'Organization'   => 'physicalDeliveryOfficeName',
>>             'RealName'       => 'cn',
>>             'ExternalAuthId' => 'sAMAccountName',
>>             'Gecos'          => 'sAMAccountName',
>>             'WorkPhone'      => 'telephoneNumber',
>>             'Address1'       => 'streetAddress',
>>             'City'           => 'l',
>>             'State'          => 'st',
>>             'Zip'            => 'postalCode',
>>             'Country'        => 'co'
>>         },
>>     },
>>
>> Setting tls to 1 gives me this different error:
>>
>> RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_SERVER_DOWN 81
>>
>> Regards,
>>
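As an added check that is not from the thread, from RT or from Net::LDAP itself: a stand-alone Perl script that opens the same kind of Net::LDAP connection RT's ExternalAuth would, with chain verification against the internal CA, so the LDAPS failure can be reproduced and inspected outside RT. Host, bind DN, base DN, filter and CA file are taken from the quoted configuration; the bind password is read from an assumed LDAP_BIND_PW environment variable.

```perl
#!/usr/bin/perl
# Added diagnostic (not RT's code): reproduce RT's Net::LDAP connection on its
# own so the TLS layer can be examined. Host, DNs, filter and CA file are the
# ones from the quoted configuration; the password comes from the environment.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

my $host    = 'srv2.lan.domain.com';
my $bind_dn = 'CN=r2-d2,CN=Users,DC=lan,DC=domain,DC=com';
my $base    = 'CN=Utilisateurs,DC=lan,DC=domain,DC=com';
my $cafile  = '/etc/ssl/certs/srv2.lan.domain.com_ca.pem';
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW in the environment\n";

# Same shape as the options RT passes through net_ldap_args, plus explicit
# chain verification against the internal CA. 'verify => none' would make the
# handshake "succeed" while accepting any certificate, including a forged one.
# No sslversion pin: the quoted config sets ssl_version 3, and SSLv3 is
# disabled in current OpenSSL builds; let the library negotiate TLS instead.
my $ldap = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
    timeout => 10,
) or die "connect/TLS failed: $@\n"
       . 'IO::Socket::SSL: ' . ($IO::Socket::SSL::SSL_ERROR // '') . "\n";

my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $mesg->error . ' (code ' . $mesg->code . ")\n" if $mesg->code;

# One-entry search with the thread's filter: confirms the base DN and filter,
# and that the bound account may read the attributes RT maps.
$mesg = $ldap->search(
    base      => $base,
    scope     => 'sub',
    filter    => '(&(objectClass=organizationalPerson)(mail=*))',
    attrs     => [ 'sAMAccountName', 'mail' ],
    sizelimit => 1,
);
# LDAP_SIZELIMIT_EXCEEDED (4) is expected here when more than one entry matches.
die 'search failed: ' . $mesg->error . "\n" if $mesg->code && $mesg->code != 4;
for my $entry ($mesg->entries) {
    printf "%s <%s>\n", $entry->get_value('sAMAccountName') // '',
                        $entry->get_value('mail') // '';
}
$ldap->unbind;
```

If `Net::LDAP->new` fails, `$@` and `$IO::Socket::SSL::SSL_ERROR` name the exact verification or handshake problem, which the RT log's generic LDAP_OPERATIONS_ERROR / LDAP_SERVER_DOWN hides.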