[rt-users] Bad AD or is it my config?

Robert Munsch Munsch at phillycarshare.org
Fri Nov 21 11:39:25 EST 2008


Thanks for the info.  I see on the AD server that CNs are in the format
<fname lname>, space and all: but the returned object is checked with
sAMAccountName, the user's "login name" for the domain, so this
shouldn't matter.  But it seems like it does.

I am assuming that at debug level, no news means 'it worked': 

[Fri Nov 21 16:29:25 2008] [error]: Working around bug in RT and reloading RT::User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Fri Nov 21 16:29:25 2008] [debug]: $pass defined (foobar), Running IsPassword (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Fri Nov 21 16:29:25 2008] [debug]: Password Incorrect (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:74)
[Fri Nov 21 16:29:25 2008] [error]: FAILED LOGIN for munsch from 192.168.1.34 (/opt/rt3/share/html/autohandler:265)

The first messages seen after reloading ::User are about the password
check. This means the user lookup happened and the object was found,
doesn't it?  'password incorrect' means that a bind using that info
failed, yah?

ldapsearch -LLL -x -D "CN=Robert Munsch,OU=Member Services,DC=phillycarshare,DC=loc" -w foobar -h phillycarshare-dc.phillycarshare.loc -b "dc=phillycarshare,dc=loc" "(objectClass=person)"

^ That succeeds.  Web login still fails.  Now, I'm using the full
ActiveD DN of CN=blah on ldapsearch, but whatever I enter into the
username field on the web login gets tried as the sAMAccountName,
doesn't it?  Or no?

Is the CN being the <fname lname> of the user causing the issue? Should
it be identical to the sAMAccountName one-word domain login?  And if so,
anyone know a good simple way to do that across the board without
breaking anything....

Thanks,

------------------------
Rob Munsch
IT Administrator
http://www.PhillyCarShare.org
Our wheels.  Your freedom.
215-730-0988 x138
> -----Original Message-----
> From: mpeac at jennic.com [mailto:mpeac at jennic.com] On Behalf Of Mike Peachey
> Sent: Friday, November 21, 2008 4:32 AM
> To: Robert Munsch
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] Bad AD or is it my config?
> 
> Robert Munsch wrote:
> > Trying to simulate this via ldapsearch but can't figure it out.  All the
> > docs I see say that 'userpassword is only accepted for auth, and
> > unicodepwd is not readable by ldap.'  I was hoping to run an ldapsearch
> > to retrieve a given user's password to see where this is breaking, but
> > I'm not sure how.
> >
> > I'm binding ok and can run all sorts of searches, but nothing that will
> > list or show me passwords.  How does RT do it..?  My perl-fu is weak.
> 
> LDAP authentication is not done the same way as unix authentication. It
> doesn't check the password you provided against the userPassword in
> LDAP, what it does is attempt to bind to LDAP using the credentials
> provided. If the bind is successful, the authentication is successful.
> 
> 1. User provides username
> 2. username is turned into an LDAP filter using your config like this:
> (&(filter)(usernamefield=$username_provided))
> e.g.
> (&(objectClass=Person)(sAMAccountName=foo))
> 3. LDAP is searched using the filter by binding to the LDAP server and
> performing a search. If 'user' and 'pass' are set in the config then
> those credentials are used to bind to the server, otherwise an anonymous
> bind is done.
> 4. If the user is not found (after checking all name attributes and all
> external sources), authentication fails.
> 5. If an object IS found then RT attempts to bind to the LDAP server
> using the full DN of the object returned (i.e.
> saMAccountName=foo,ou=Users,dc=foo,dc=bar) and the password that was
> entered by the user.
> 6. IF bind was successful, user is authenticated. If not, then not.
> 
> That should help understand what you're doing.
> 
> --
> Kind Regards,
> 
> __________________________________________________
> 
> Mike Peachey, IT
> Tel: +44 114 281 2655
> Fax: +44 114 281 2951
> Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
> Comp Reg No: 3191371 - Registered In England
> http://www.jennic.com
> __________________________________________________
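The search-then-bind sequence Mike describes in steps 1-6, and Rob's question about whether the web username is matched against sAMAccountName and which DN the second bind uses, reproduced with the OpenLDAP command-line tools so the same two steps RT performs can be run by hand. This is an added example, not code from RT-Authen-ExternalAuth or from either poster; the host, base DN, service-bind DN and password, and the objectClass filter are copied from the ldapsearch command in this thread and are assumptions about the actual RT config, and the base64 "dn::" handling assumes GNU base64.

```shell
#!/bin/sh
# Replay RT-Authen-ExternalAuth's LDAP login check outside RT.
# Assumed settings (taken from the ldapsearch command in the thread):
LDAP_HOST="phillycarshare-dc.phillycarshare.loc"
BASE_DN="dc=phillycarshare,dc=loc"
ATTR="sAMAccountName"                  # attribute the web username is matched on
FILTER="(objectClass=person)"          # the static 'filter' from the RT config
SVC_DN="CN=Robert Munsch,OU=Member Services,DC=phillycarshare,DC=loc"  # 'user'
SVC_PW="foobar"                         # 'pass' used for the search bind

# Step 2: combine the configured filter with the username the user typed.
build_filter() {
  printf '(&%s(%s=%s))' "$FILTER" "$ATTR" "$1"
}

# Read the DN out of `ldapsearch -LLL` LDIF; a "dn::" line is base64-encoded
# (AD does this for DNs with non-ASCII characters).
extract_dn() {
  while IFS= read -r line; do
    case "$line" in
      "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo; return 0 ;;
      "dn: "*)  printf '%s\n' "${line#dn: }"; return 0 ;;
    esac
  done
  return 1
}

# Steps 3-6: search with the service credentials, then bind as the DN found.
ldap_auth() {
  user="$1"; pass="$2"
  dn=$(ldapsearch -LLL -x -h "$LDAP_HOST" -D "$SVC_DN" -w "$SVC_PW" \
         -b "$BASE_DN" "$(build_filter "$user")" dn | extract_dn) || {
    echo "no object matched $(build_filter "$user")"; return 1; }
  echo "found: $dn"
  # ldapwhoami does nothing but the bind, which is all RT checks in step 5.
  if ldapwhoami -x -h "$LDAP_HOST" -D "$dn" -w "$pass" >/dev/null 2>&1; then
    echo "bind as $dn OK: RT would accept this login"
  else
    echo "bind as $dn FAILED: RT would log 'Password Incorrect'"; return 1
  fi
}

# Usage: sh ldap-auth-check.sh <web username> <web password>
if [ "$#" -eq 2 ]; then ldap_auth "$1" "$2"; fi
```

Because the first step searches on sAMAccountName and the second binds with whatever DN comes back, the CN containing a space does not matter here; what "found:" prints is the DN RT will try to bind with.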