Request Tracker: set up external authentication via LDAPS

This is a description of how I set up my Request Tracker instance to use external authentication via LDAPS (LDAP over SSL on port 636).

1. In the previous installment, I already added the devel:languages:perl repository. Now I install the package containing the RT::Authen::ExternAuth RT extension that will provide the external-authentication-against-LDAP functionality.
   

   # zypper ref
   # zypper in perl-RT-Authen-ExternalAuth
   # zypper in perl-Net-SSLeay
   # zypper in perl-ldap-ssl
   

2. I set up SSL on my system (beyond the scope of this blog entry). At the very least, the openssl package should be installed and configured, and my LDAP server's certificates should be present in the /etc/ssl/certs directory.
3. I tweak my openldap configuration for CA CERT as per this blog entry
4. I read up on the RT::Authen::ExternalAuth extension (plugin). Here are the principal documentation resources I was able to find:
   
   • the README file
   • the sample configuration file, which I installed on my system in step 1, above, at the following location:
     

     /usr/share/request-tracker/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
     

     I read it using less.
     
   • And then there is the RT::Authen::ExternAuth page on MetaCPAN and, in particular, this subpage of that page.
     
   • Thanks to Thomas Sibley (Tsibley) over at the Request Tracker Wiki, I now know that the RT::Authen::ExternalAuth extension supports LDAPS out of the box by simply specifying the LDAP server with a ldaps:// prefix -- see the Net::LDAPS documentation for more details on this.
     
5. After reading the documentation and protracted trial and error, I finally came up with the following working configuration (in RT_SiteConfig.pm):
   

   Set($ExternalServiceUsesSSLorTLS,    1);
   Set($ExternalSettings, { 
                            'MY_LDAP' =>  {
                               'type'            =>  'ldap',
                               'server'          =>  'ldaps://ldap.example.com',
                               'tls'             =>  0,
                               'ssl_version'     =>  3,
                               ...
   

6. At this point, I fire up request-tracker and am able to log in with my LDAP credentials!