Thanks for the info. I see on the AD server that CNs are in the format <fname lname>, space and all: but the returned object is checked with sAMAccountName, the user's "login name" for the domain, so this shouldn't matter. But it seems like it does.
I am assuming that at debug level, no news means 'it worked':

[Fri Nov 21 16:29:25 2008] [error]: Working around bug in RT and reloading RT::User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Fri Nov 21 16:29:25 2008] [debug]: $pass defined (foobar), Running IsPassword (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Fri Nov 21 16:29:25 2008] [debug]: Password Incorrect (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:74)
[Fri Nov 21 16:29:25 2008] [error]: FAILED LOGIN for munsch from 192.168.1.34 (/opt/rt3/share/html/autohandler:265)

The first messages seen after reloading ::User are about the password check. This means the user lookup happened and the object was found, doesn't it? 'password incorrect' means that a bind using that info failed, yah?

ldapsearch -LLL -x -D "CN=Robert Munsch,OU=Member Services,DC=phillycarshare,DC=loc" -w foobar -h phillycarshare-dc.phillycarshare.loc -b "dc=phillycarshare,dc=loc" "(objectClass=person)"

^ That succeeds. Web login still fails.

Now, I'm using the full ActiveD DN of CN=blah on ldapsearch, but whatever I enter into the username field on the web login gets tried as the sAMAccountName, doesn't it? Or no? Is the CN being the <fname lname> of the user causing the issue? Should it be identical to the sAMAccountName one-word domain login? And if so, anyone know a good simple way to do that across the board without breaking anything....

Thanks,

------------------------
Rob Munsch
IT Administrator
http://www.PhillyCarShare.org
Our wheels. Your freedom.
215-730-0988 x138

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Peachey
> Sent: Friday, November 21, 2008 4:32 AM
> To: Robert Munsch
> Cc: [email protected]
> Subject: Re: [rt-users] Bad AD or is it my config?
>
> Robert Munsch wrote:
> > Trying to simulate this via ldapsearch but can't figure it out. All the
> > docs I see say that 'userpassword is only accepted for auth, and
> > unicodepwd is not readable by ldap.' I was hoping to run an ldapsearch
> > to retrieve a given user's password to see where this is breaking, but
> > I'm not sure how.
> >
> > I'm binding ok and can run all sorts of searches, but nothing that will
> > list or show me passwords. How does RT do it..? My perl-fu is weak L.
>
> LDAP authentication is not done the same way as unix authentication. It
> doesn't check the password you provided against the userPassword in
> LDAP, what it does is attempt to bind to LDAP using the credentials
> provided. If the bind is successful, the authentication is successful.
>
> 1. User provides username
> 2. username is turned into an LDAP filter using your config like this:
>    (&(filter)(usernamefield=$username_provided))
>    e.g.
>    (&(objectClass=Person)(sAMAccountName=foo))
> 3. LDAP is searched using the filter by binding to the LDAP server and
>    performing a search. If 'user' and 'pass' are set in the config then
>    those credentials are used to bind to the server, otherwise an anonymous
>    bind is done.
> 4. If the user is not found (after checking all name attributes and all
>    external sources), authentication fails.
> 5. If an object IS found then RT attempts to bind to the LDAP server
>    using the full DN of the object returned (i.e.
>    saMAccountName=foo,ou=Users,dc=foo,dc=bar) and the password that was
>    entered by the user.
> 6. IF bind was successful, user is authenticated. If not, then not.
>
> That should help understand what you're doing.
>
> --
> Kind Regards,
>
> __________________________________________________
>
> Mike Peachey, IT
> Tel: +44 114 281 2655
> Fax: +44 114 281 2951
> Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
> Comp Reg No: 3191371 - Registered In England
> http://www.jennic.com
> __________________________________________________
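The search-then-bind sequence Mike describes (steps 2 to 6), as an added example that is not part of this thread and not code from RT or RT-Authen-ExternalAuth. It runs against a constructed in-memory directory, so the DNs, accounts, passwords and the config dict are all invented, and the config key names are a simplification rather than the module's real option names. It shows why a CN of "Robert Munsch" does not matter (the user bind uses whatever DN the search returned, not a DN built from the login name), why typing the CN into the login box produces "user not found", and it adds two checks the reply does not mention: the login name is escaped before it is put into the filter, and an empty password is refused, because an LDAP server treats a bind with a DN and no password as an anonymous bind that "succeeds".

```python
"""Search-then-bind LDAP authentication against a simulated directory."""

# Constructed sample directory standing in for the AD tree. A real directory
# never returns the password over LDAP; it is stored here only so bind()
# can be simulated.
DIRECTORY = {
    "CN=Robert Munsch,OU=Member Services,DC=example,DC=loc": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["munsch"],
        "userPrincipalName": ["munsch@example.loc"],
        "_password": "foobar",
    },
    "CN=RT Service,OU=Service Accounts,DC=example,DC=loc": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["svc-rt"],
        "_password": "service-secret",
    },
}

# Constructed config; key names are a simplification, not the module's options.
CONFIG = {
    "base": "DC=example,DC=loc",
    "filter": "(objectClass=person)",
    "name_attrs": ["sAMAccountName", "userPrincipalName"],  # tried in order
    "user": "CN=RT Service,OU=Service Accounts,DC=example,DC=loc",
    "pass": "service-secret",
}


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter the filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Parse a minimal filter grammar: (attr=value), (&...), (|...)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, children, i = text[i], [], i + 1
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("unbalanced filter")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        return ("=", attr, value), end + 1
    tree, pos = node(0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, like AD)."""
    if tree[0] == "=":
        _, attr, value = tree
        for name, values in entry.items():
            if not name.startswith("_") and name.lower() == attr.lower():
                return any(v.lower() == value.lower() for v in values)
        return False
    op, children = tree
    return (all if op == "&" else any)(matches(c, entry) for c in children)


def bind(dn, password):
    """Simulated simple bind. An empty password is refused outright: real
    servers treat DN + empty password as an anonymous bind and return success."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["_password"] == password


def search(bind_dn, bind_pw, base, filter_text):
    """Simulated search; the service bind must succeed before anything is returned."""
    if not bind(bind_dn, bind_pw):
        raise PermissionError("service bind failed")
    tree = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(tree, entry)]


def authenticate(username, password, config=CONFIG):
    """Steps 2-6 of the reply; returns (status, dn_used_for_bind)."""
    found_dn = None
    for attr in config["name_attrs"]:
        # Step 2: (&(filter)(attr=username)), with the username escaped.
        filt = "(&%s(%s=%s))" % (config["filter"], attr, escape_filter_value(username))
        hits = search(config["user"], config["pass"], config["base"], filt)  # step 3
        if hits:
            found_dn = hits[0]
            break
    if found_dn is None:
        return ("user not found", None)           # step 4
    if not bind(found_dn, password):              # step 5: bind as the returned DN
        return ("password incorrect", found_dn)
    return ("ok", found_dn)                       # step 6


if __name__ == "__main__":
    for user, pw in [("munsch", "foobar"), ("munsch", "wrong"),
                     ("Robert Munsch", "foobar"), ("munsch", "")]:
        print("%-14r %-8r -> %r" % (user, pw, authenticate(user, pw)))
```

Two things to take from running it: the "password incorrect" outcome is only reachable after a search hit, which is what the debug log above shows, and a broken service account raises an error at the search step rather than quietly looking like a wrong user password, so the two failures stay distinguishable in the logs.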
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
