[rt-users] RT-Authen-ExternalAuth and AD...
Kevin Falcone
falcone at bestpractical.com
Thu Jan 6 16:53:03 EST 2011
On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not the fix.
>
> As I originally said, the username:password combo would work only if
> not testing for group membership, it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is "Last, first", the CN would be
> returned as "Last\, First". If we renamed the account to Last First,
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?
There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth, but I don't know if I've seen a root cause
or patch.
-kevin
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
>
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> > We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
> > Directory. Any new AD account I create can logon to RT, and have corresponding account created
> > in RT, if it is in the necessary security group, but older accounts, mine included, pass the
> > password test, but fail at the group membership test, and fail to logon. The RT account,
> > however, does get created. The log entries look like this...
>
> If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.
>
> -kevin
>
> > Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> > (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> > As I said above, older accounts (3 years plus) which are members of the group being tested
> > fail to fully authenticate, while new accounts which are members of the same group,
> > authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can
> > logon to RT with my old account.
> >
> > I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
> > wonder if the AD schema changes could be affecting things?
> >
> > Lyle.
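An added illustration, not RT's code and not a diagnosis of the RT::Authen::ExternalAuth issue Kevin refers to: how a CN that AD returns with an RFC 4514 escaped comma ("Last\, First") defeats a membership check that splits the DN on every comma, and how parsing the DN structurally avoids that. The DNs and group member values are constructed sample data.

```python
# Added example, not RT's code: RFC 4514 DN handling where a CN contains an
# escaped comma ("Last\, First").  Sample DNs below are constructed.
import re

def split_rdns(dn):
    """Split on unescaped commas only; an escaped comma stays inside its value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Resolve RFC 4514 escapes in one left-to-right pass: "\\," and "\\2C"
    both become a literal comma (single-byte hex escapes only)."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def normalize_dn(dn):
    """Canonical form: (attribute type lowercased, value unescaped and case-folded)."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, val = rdn.partition("=")
        rdns.append((attr.strip().lower(), unescape(val.strip()).lower()))
    return tuple(rdns)

def is_member(user_dn, member_dns):
    """Membership test that compares DNs structurally rather than as raw strings."""
    target = normalize_dn(user_dn)
    return any(normalize_dn(m) == target for m in member_dns)

def naive_member_check(user_cn, member_dns):
    """Fragile variant: treats the text before the first comma as the whole CN."""
    return any(m.split(",")[0].lower() == ("cn=" + user_cn).lower() for m in member_dns)

# Constructed data: AD returns the DN with the comma escaped; the group's member
# attribute carries the same escaped form, here with different letter case.
USER_DN = "CN=Last\\, First,OU=Staff,DC=example,DC=com"
GROUP_MEMBERS = ["CN=Other\\, Person,OU=Staff,DC=example,DC=com",
                 "cn=Last\\, First,ou=staff,dc=example,dc=com"]
```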