[rt-users] (RT::Authen::ExternalAuth) "email exists" problem authenticating trough AD
Nathan Cutler
presnypreklad at gmail.com
Wed Jul 31 06:50:20 EDT 2013
> To be more specific, when i remove the user, at next login RT creates again
> the user with the right values ( i.e. Name, ZIP code, etc. ) but fails at
> authentication step.
IIRC you are using RT::Authen::ExternalAuth, right? That extension
authenticates by attempting to bind to the LDAP server with the
credentials entered by the user. But before it tries to bind, it first
looks up the user in LDAP anonymously. This is consistent with what
you are seeing. Here's what I see in my log when a known user attempts
to login and fails:
Jul 30 11:09:56 myserv RT: My_LDAP AUTH FAILED myuser (can't bind:
LDAP_INVALID_CREDENTIALS 49 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 30 11:09:56 myserv RT: FAILED LOGIN for myuser from 10.120.5.61
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)
And this is the log when an unknown (to RT) user attempts to login and fails:
Jul 29 13:06:44 myserv RT:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: , Gecos: myuser, Name: myuser, Privileged:
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:665)
Jul 29 13:06:45 myserv RT: Autocreated external user myuser ( 988 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth.pm:254)
Jul 29 13:06:48 myserv RT: My_LDAP AUTH FAILED myuser (can't bind:
LDAP_INVALID_CREDENTIALS 49 )
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Authen/ExternalAuth/LDAP.pm:90)
Jul 29 13:06:48 myserv RT: FAILED LOGIN for myuser from 10.120.4.148
(/usr/lib/perl5/vendor_perl/5.10.0/RT/Interface/Web.pm:753)
Note that it first creates the user in RT. Only then does it attempt to bind.
Now, in my case the bind fails because the user's credentials are
wrong. But this is not the only possible failure modality. There are
any number of reasons why bind might be failing.
Can you bind to the LDAP server using the 'ldapsearch' command? If you
can get bind to work that way, first, that would be a start. In my
case, the successful ldapsearch command looked something like this:
ldapsearch -LLL -H ldaps://login.example.com -x \
-D cn=myuser,ou=users,dc=example,dc=com -W \
-b ou=users,dc=example,dc=com uid=myuser
(Note that you have to know myuser's password -- and enter it
correctly -- for this to work.)
Hope this helps.
Nathan
More information about the rt-users
mailing list