[rt-users] Bad AD or is it my config?

Mike Peachey mike.peachey at jennic.com
Fri Nov 21 04:32:15 EST 2008

Robert Munsch wrote:
> Trying to simulate this via ldapsearch but can’t figure it out.  All the
> docs I see say that ‘userpassword is only accepted for auth, and
> unicodepwd is not readable by ldap.’  I was hoping to run an ldapsearch
> to retrieve a given user’s password to see where this is breaking, but
> I’m not sure how.
> I’m binding ok and can run all sorts of searches, but nothing that will
> list or show me passwords.  How does RT do it..?  My perl-fu is weak :(

LDAP authentication is not done the same way as unix authentication. It
doesn't check the password you provided against the userPassword in
LDAP, what it does is attempt to bind to LDAP using the credentials
provided. If the bind is successful, the authentication is successful.

1. User provides username
2. username is turned into an LDAP filter using your config like this:
3. LDAP is searched using the filter by binding to the LDAP server and
performing a search. If 'user' and 'pass' are set in the config then
those credentials are used to bind to the server, otherwise an anonymous
bind is done.
4. If the user is not found (after checking all name attributes and all
external sources), authentication fails.
5. If an object IS found then RT attempts to bind to the LDAP server
using the full DN of the object returned (i.e.
saMAccountName=foo,ou=Users,dc=foo,dc=bar) and the password that was
entered by the user.
6. IF bind was successful, user is authenticated. If not, then not.

That should help you understand what you're doing.

Kind Regards,


Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
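An added illustration, not code from RT or from this message: the bind, search, bind-again sequence described above, written in Python against a constructed in-memory stand-in for the LDAP server. The FakeDirectory class, the config keys and the sample entries are assumptions; it goes slightly beyond the six steps by escaping the username before it is placed in the filter (RFC 4515) and by refusing an empty password, since a bind with an empty password is treated as anonymous and would otherwise pass step 6.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping: a username must become a literal, never filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_filter(name_attrs, username):
    """Step 2: one equality clause per name attribute, OR-ed when there are several."""
    safe = escape_filter_value(username)
    clauses = "".join(f"({attr}={safe})" for attr in name_attrs)
    return f"(|{clauses})" if len(name_attrs) > 1 else clauses

class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (assumption, not Net::LDAP)."""
    def __init__(self, entries):
        self.entries = entries  # dn -> {"password": ..., <attribute>: <value>, ...}

    def bind(self, dn=None, password=None):
        # No DN or no password is an anonymous/unauthenticated bind; many servers
        # (AD included) accept it, so it "succeeds" without proving anything.
        if not dn or not password:
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, filt):
        """Match (attr=value) clauses after undoing \\XX escapes; return matching DNs."""
        unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), v)
        pairs = re.findall(r"\((\w+)=([^()]*)\)", filt)
        return [dn for dn, e in self.entries.items()
                if any(e.get(a) == unesc(v) for a, v in pairs)]

def authenticate(ldap, cfg, username, password):
    """Steps 3-6: service bind, search for the user, then bind as the found DN."""
    if not password:            # guard: otherwise step 5 would be an anonymous bind
        return False
    if not ldap.bind(cfg.get("user"), cfg.get("pass")):   # step 3 (anonymous if unset)
        return False
    found = ldap.search(build_filter(cfg["attr_match_list"], username))
    if len(found) != 1:         # step 4: no object (or an ambiguous match) fails
        return False
    return ldap.bind(found[0], password)                  # steps 5 and 6

SVC_DN = "CN=svc-rt,OU=Service,DC=example,DC=test"
DIRECTORY = FakeDirectory({     # constructed sample entries
    SVC_DN: {"password": "svc-secret", "sAMAccountName": "svc-rt"},
    "CN=alice,OU=Users,DC=example,DC=test":
        {"password": "hunter2", "sAMAccountName": "alice", "mail": "alice@example.test"},
})
CONFIG = {"user": SVC_DN, "pass": "svc-secret", "attr_match_list": ["sAMAccountName", "mail"]}
```

Calling `authenticate(DIRECTORY, CONFIG, "alice", "hunter2")` returns True; a wrong password, an unknown user, an empty password, or a bad service-account password all return False.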
