[rt-users] RT-Authen-ExternalAuth and AD...

Tollefsen, Lyle LTollefsen at innovationplace.com
Fri Jan 7 14:03:33 EST 2011


Hi Kevin,

I found a work-around on CPAN. Thanks for the redirect!

Lyle.

-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not the fix. 
> 
> As I originally said, the username:password combo would work only if 
> not testing for group membership, it would fail if it did test for 
> membership. An ldapsearch revealed that the sAMAccountName was fine, 
> but, as the fullname in our AD is "Last, first", the CN would be 
> returned as "Last\, First". If we renamed the account to Last First, 
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a 
> fix available?

There may be an open bug about this in rt.cpan.org against RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or patch.

-kevin

> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com 
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin 
> Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
> 
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> >    We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
> >    Directory. Any new AD account I create can log on to RT, and have a corresponding account created
> >    in RT, if it is in the necessary security group, but older accounts, mine included, pass the
> >    password test, but fail at the group membership test, and fail to log on. The RT account,
> >    however, does get created. The log entries look like this...
> 
> If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.
> 
> -kevin
> 
> >    Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> >    (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> > 
> >    Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> >    (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> > 
> > 
> > 
> >    As I said above, older accounts (3 years plus) which are members of the group being tested
> >    fail to fully authenticate, while new accounts which are members of the same group
> >    authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can
> >    log on to RT with my old account.
> > 
> > 
> > 
> >    I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
> >    wonder if the AD schema changes could be affecting things?
> > 
> > 
> > 
> >    Lyle.
> > 
> > 
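
The symptom in this thread (a CN returned as "Last\, First" passes the password check but fails the group test) is what you would see if a DN were placed into a search filter without filter escaping: RFC 4514 writes the comma as `\,`, while RFC 4515 requires a backslash inside a filter value to be written `\5c`. The Python below is an added example, not code from RT-Authen-ExternalAuth and not a confirmed root cause; the DNs, the `member` attribute and every function name are constructed for illustration.

```python
import re

# Constructed sample DNs (assumptions for illustration, not from the thread).
OLD_DN = r"CN=Last\, First,OU=Staff,DC=example,DC=com"   # comma escaped per RFC 4514
NEW_DN = "CN=First Last,OU=Staff,DC=example,DC=com"

_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in a filter (RFC 4515)."""
    return "".join(_SPECIALS.get(ch, ch) for ch in value)


def decode_filter_value(value):
    """Decode an assertion value strictly: '\\' must precede two hex digits."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            pair = value[i + 1:i + 3]
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raise ValueError(f"bad escape {value[i:i + 3]!r} at offset {i}")
            out.append(int(pair, 16))
            i += 3
        elif ch in "*()\x00":
            raise ValueError(f"unescaped {ch!r} at offset {i}")
        else:
            out += ch.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def member_filter(user_dn, escape=True):
    """Build the group-membership filter; escape=False is the naive form."""
    value = escape_filter_value(user_dn) if escape else user_dn
    return f"(member={value})"


def filter_matches(filter_str, stored_dn):
    """True if the filter is valid and its value equals the stored member DN.
    Plain string equality stands in for the server's DN matching rule."""
    try:
        return decode_filter_value(filter_str[len("(member="):-1]) == stored_dn
    except ValueError:
        return False


if __name__ == "__main__":
    for dn in (NEW_DN, OLD_DN):
        for escape in (False, True):
            f = member_filter(dn, escape)
            print(f"{f}  ->  match={filter_matches(f, dn)}")
```

Only the unescaped filter for the DN containing `\,` fails; the comma-free DN works either way, which is why such a bug stays hidden until an account with a comma in its CN is tested.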


