[rt-users] LDAP External Auth intermittent failure

Paul Rushing prushing at gmail.com
Thu Sep 25 13:37:50 EDT 2014


I'm using RT-4.2.7 installed from source, on Ubuntu 14.04 LTS. I've been
trying to get the External Auth (0.23) extension working properly with AD.
I can log in to RT using the local admin account root. I can log in to RT
using my AD account with the ExternalAuth config I have. But when I
return to log in again, I get an error, and the AD login fails. I can
then restart the RT process and it will work again.

Below is a snippet from logs I'm having problems with.

Sep 25 16:42:19 b890cf44e25f RT: [526] Configuration option AutoCreate is deprecated, and will be removed in RT 4.4.  You should use UserAutocreateDefaultsOnLogin instead.
Sep 25 16:42:19 b890cf44e25f RT: [526] RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): myusername
Sep 25 16:42:19 b890cf44e25f RT: [526] Successful login for myusername from 172.17.0.75
Sep 25 16:42:55 b890cf44e25f RT: [526] Successful login for root from 172.17.0.75
Sep 25 16:47:47 b890cf44e25f RT: [526] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Sep 25 16:47:47 b890cf44e25f RT: [526] FAILED LOGIN for myusername from 172.17.0.75
Sep 25 16:47:52 b890cf44e25f RT: [526] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
Sep 25 16:47:52 b890cf44e25f RT: [526] FAILED LOGIN for myusername from 172.17.0.75


Restart the RT process and it works again:
Sep 25 16:50:30 b890cf44e25f RT: [547] Configuration option AutoCreate is deprecated, and will be removed in RT 4.4.  You should use UserAutocreateDefaultsOnLogin instead.
Sep 25 16:50:30 b890cf44e25f RT: [547] RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ): myusername
Sep 25 16:50:30 b890cf44e25f RT: [547] Successful login for myusername from 172.17.0.75


Testing, I deliberately used the wrong password for my account.
Sep 25 16:53:55 b890cf44e25f RT: [547] My_LDAP AUTH FAILED myusername (can't bind: LDAP_INVALID_CREDENTIALS 49 )


I don't understand the _GetBoundLdapObj error message. The bind username
and password are correct, as we can see from the 1st login attempt being
successful. It's not the error message from an invalid password being
entered for the user account. Is this related to a bug (
https://rt.cpan.org/Public/Bug/Display.html?id=69500 ) where different
credentials are being used to bind to the LDAP server for a query?
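Added example, not part of the original post and not code from RT or RT::Authen::ExternalAuth: a small log triage script that separates the two LDAP error 49 cases seen in the excerpt, the bind in `_GetBoundLdapObj` (which the post attributes to the configured bind username and password) versus a user's own password being rejected (`AUTH FAILED`), and reports worker PIDs where the first kind of failure appears after external auth had already worked in that same process. The sample lines, host name, user name and address are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the excerpt above, hard-wrapped as in the e-mail.
SAMPLE = """\
Sep 25 16:42:19 host RT: [526]
RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ):
alice
Sep 25 16:47:47 host RT: [526]
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind:
LDAP_INVALID_CREDENTIALS 49
Sep 25 16:50:30 host RT: [547]
RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( My_LDAP ):
alice
Sep 25 16:53:55 host RT: [547] My_LDAP AUTH FAILED alice
(can't bind: LDAP_INVALID_CREDENTIALS 49 )
"""

# Syslog header: timestamp, host, "RT: [pid]", then the message (possibly empty).
HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ RT: \[(\d+)\] ?(.*)$")
RULES = [  # (event name, pattern searched in the message part)
    ("service_bind_failure", re.compile(r"_GetBoundLdapObj Can't bind")),
    ("user_auth_failure", re.compile(r"AUTH FAILED \S+ \(can't bind")),
    ("external_auth_ok", re.compile(r"GetAuth External Auth OK")),
]

def events(text):
    """Rejoin wrapped records, then yield (pid, event) for recognised records."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()  # continuation of the previous record
    for pid, msg in records:
        for name, pat in RULES:
            if pat.search(msg):
                yield pid, name
                break

def bind_regressions(text):
    """Count, per PID, _GetBoundLdapObj bind failures seen after external auth worked there."""
    seen_ok, hits = set(), {}
    for pid, name in events(text):
        if name == "external_auth_ok":
            seen_ok.add(pid)
        elif name == "service_bind_failure" and pid in seen_ok:
            hits[pid] = hits.get(pid, 0) + 1
    return hits
```

A PID reported by `bind_regressions` that stops appearing after a restart matches the per-process pattern in the post, whereas `user_auth_failure` events are ordinary rejected user passwords and are not counted.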