[rt-users] RT-Authen-ExternalAuth and AD...
Tollefsen, Lyle
LTollefsen at innovationplace.com
Fri Jan 7 14:03:33 EST 2011
Hi Kevin,
I found a work-around on CPAN. Thanks for the redirect!
Lyle.
-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not the fix.
>
> As I originally said, the username:password combo would work only if
> not testing for group membership, it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is "Last, first", the CN would be
> returned as "Last\, First". If we renamed the account to Last First,
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?
There may be an open bug about this in rt.cpan.org against RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or patch.
-kevin
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kevin
> Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
>
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> > We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
> > Directory. Any new AD account I create can log on to RT, and have a corresponding account created
> > in RT, if it is in the necessary security group, but older accounts, mine included, pass the
> > password test, but fail at the group membership test, and fail to log on. The RT account,
> > however, does get created. The log entries look like this...
>
> If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.
>
> -kevin
>
> > Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> >
> > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> > (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> >
> >
> > As I said above, older accounts (3 years plus) which are members of the group being tested
> > fail to fully authenticate, while new accounts which are members of the same group,
> > authenticate properly. In fact, if I comment out the group test from RT_SiteConfig.pm, I can
> > log on to RT with my old account.
> >
> >
> >
> > I don't know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
> > wonder if the AD schema changes could be affecting things?
> >
> >
> >
> > Lyle.
> >
> >
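The two escaping layers behind a value like "Last\, First", as an added example that is not part of this thread or of RT-Authen-ExternalAuth's code. The thread does not establish a root cause; that the user's DN reaches the group-membership search filter without filter escaping is an assumption here, and the OU/DC components, the `member` attribute and all function names are constructed for illustration.

```python
import re

# Constructed sample data (assumptions): the OU/DC parts and the "member" attribute.
BASE = "OU=Staff,DC=example,DC=com"

def escape_dn_value(value):
    """Escape one RDN attribute value as a DN string (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\0":
            out.append("\\00")
        elif ch in ',+"\\<>;' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

# A filter value may contain a backslash only as the start of a \XX hex escape.
_VALID = re.compile(r"(?:[^\\*()\x00]|\\[0-9A-Fa-f]{2})*")

def is_valid_filter_value(value):
    return _VALID.fullmatch(value) is not None

def user_dn(cn):
    return "CN=%s,%s" % (escape_dn_value(cn), BASE)

def member_filter(dn, escape=True):
    """Group-membership filter; escape=False shows the naive interpolation."""
    return "(member=%s)" % (escape_filter_value(dn) if escape else dn)

if __name__ == "__main__":
    for cn in ("Last, First", "Last First"):
        dn = user_dn(cn)
        print("DN:            ", dn)
        print("naive filter:  ", member_filter(dn, escape=False),
              "valid" if is_valid_filter_value(dn) else "INVALID")
        print("escaped filter:", member_filter(dn))
```

For a CN without special characters the naive and escaped filters are identical, which is consistent with the renamed account working; the same filter escaping is also what keeps user-controlled values from altering the filter.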