[rt-users] Bad AD or is it my config?

Mike Peachey mike.peachey at jennic.com
Mon Nov 24 04:08:56 EST 2008

Robert Munsch wrote:
> Thanks for the info.  I see on the AD server that CNs are in the format
> <fname lname>, space and all: but the returned object is checked with
> sAMAccountName, the user's "login name" for the domain, so this
> shouldn't matter.  But it seems like it does.
> I am assuming that at debug level, no news means 'it worked': 
> [Fri Nov 21 16:29:25 2008] [error]: Working around bug in RT and
> reloading RT::User
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
> th/autohandler/Auth:12)
> [Fri Nov 21 16:29:25 2008] [debug]: $pass defined (foobar), Running
> IsPassword
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
> th/autohandler/Auth:69)
> [Fri Nov 21 16:29:25 2008] [debug]: Password Incorrect
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAu
> th/autohandler/Auth:74)
> [Fri Nov 21 16:29:25 2008] [error]: FAILED LOGIN for munsch from
> (/opt/rt3/share/html/autohandler:265)
> The first messages seen after reloading ::User are about the password
> check. This means the user lookup happened and the object was found,
> doesn't it?  'password incorrect' means that a bind using that info
> failed, yah?
> ldapsearch -LLL -x -D "CN=Robert Munsch,OU=Member
> Services,DC=phillycarshare,DC=loc" -w foobar -h
> phillycarshare-dc.phillycarshare.loc -b "dc=phillycarshare,dc=loc"
> "(objectClass=person)"
> ^ That succeeds.  Web login still fails.  Now, I'm using the full
> ActiveD DN of CN=blah on ldapsearch, but whatever I enter into the
> username field on the web login gets tried as the sAMAccountName,
> doesn't it?  Or no?
> Is the CN being the <fname lname> of the user causing the issue? Should
> it be identical to the sAMAccountName one-word domain login?  And if so,
> anyone know a good simple way to do that across the board without
> breaking anything....

It uses sAMAccountName to retrieve the actual full DN (including CN in
your case) and then uses the full DN that was retrieved to try to bind
to the server with the password provided. The space doesn't matter, it's
usual to have a space in a CN and usual in AD for the CN to be used as
the node name.

Looking at the log, it doesn't look like it's *really* checking the

# If a password was given on the login page, validate it
if (defined($pass)) {
    $RT::Logger->debug("\$pass defined ($pass), Running IsPassword");
    $password_validated =

    unless($password_validated) {
        $RT::Logger->debug("Password Incorrect");
	delete $session{'CurrentUser'};

You don't have one single debug statement between the output "Running
IsPassword" and "Password Incorrect". I would expect a lot more debug
output between the two as the code passes into "IsPassword()".

I would recommend adding some debug statements to the IsPassword method
inside local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm and
see if they show up in the log, because I'm guessing the User_Vendor.pm
isn't getting used and it's just calling the normal RT "IsPassword"
method instead.
Kind Regards,


Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

More information about the rt-users mailing list