On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not
> the fix.
>
> As I originally said, the username:password combo would work only if
> not testing for group membership, it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is "Last, first", the CN would be
> returned as "Last\, First". If we renamed the account to Last First,
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?
There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth, but I don't know if I've seen a root cause or
patch.

-kevin

> -----Original Message-----
> From: rt-users-boun...@lists.bestpractical.com
> [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
>
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> > We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> > authenticate against Active Directory. Any new AD account I create can
> > logon to RT, and have a corresponding account created in RT, if it is in
> > the necessary security group, but older accounts, mine included, pass the
> > password test, but fail at the group membership test, and fail to logon.
> > The RT account, however, does get created. The log entries look like this...
>
> If you turn on debug logging, you should be able to see the query being run
> and you can run it manually from ldapsearch to see what is going wrong.
>
> -kevin
>
> > Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> > (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> > As I said above, older accounts (3 years plus) which are members of the
> > group being tested fail to fully authenticate, while new accounts which are
> > members of the same group authenticate properly. In fact, if I comment out
> > the group test from RT_SiteConfig.pm, I can logon to RT with my old account.
> >
> > I don't know if this is pertinent, but we upgraded to Exchange 2007 a few
> > months back, and I wonder if the AD schema changes could be affecting things?
> >
> > Lyle.
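The comma problem Lyle describes, as an added worked example (this is not code from the thread, from RT, or from RT::Authen::ExternalAuth): a DN whose CN contains a comma is written with `\,` under RFC 4514, and if that DN string is then pasted into an LDAP search filter such as `(member=...)` it needs a second round of escaping under RFC 4515, where a backslash must become `\5c`. A filter that skips the second round carries a `\` followed by `,`, which a strict RFC 4515 parser rejects, while a CN without a comma survives both layers unchanged. The OU/DC base DN and the `member` attribute below are assumed for illustration; the thread itself does not establish which escaping the plugin's group check performs.

```python
"""Two escaping layers for a DN that contains a comma.

RFC 4514 (DN string form): ',' inside an RDN value is written as '\\,'.
RFC 4515 (filter string form): '\\', '*', '(', ')' and NUL inside an
assertion value are written as '\\5c', '\\2a', '\\28', '\\29', '\\00'.
A DN string dropped into a filter with only the first layer applied is
not a valid RFC 4515 filter.
"""
import re

# RFC 4514 section 2.4: characters that must be escaped anywhere in a value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' only
            out.append('\\#')
        elif ch == ' ' and i in (0, last):    # leading/trailing space only
            out.append('\\ ')
        elif ord(ch) < 0x20 or ch == '\x7f':  # control characters as hex
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(cn: str, base: str) -> str:
    """Build 'CN=<escaped cn>,<base>' the way a directory would return it."""
    return 'CN=%s,%s' % (escape_dn_value(cn), base)


# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_SPECIAL = {'\\': '\\5c', '*': '\\2a', '(': '\\28',
                   ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (here: a whole DN string) for a filter."""
    return ''.join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def member_filter(dn: str, escape: bool = True) -> str:
    """Group-membership filter on the (assumed) 'member' attribute.

    escape=False reproduces the mistake of embedding the RFC 4514 DN
    string directly, without the RFC 4515 layer.
    """
    value = escape_filter_value(dn) if escape else dn
    return '(member=%s)' % value


# A valid assertion value: any char except \ * ( ) NUL, or \ plus two hex digits.
_VALID_FILTER_VALUE = re.compile(r'^(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})*$')
_SIMPLE_FILTER = re.compile(r'^\((\w[\w.;-]*)=(.*)\)$')


def filter_value_is_valid(filter_str: str) -> bool:
    """Check a simple '(attr=value)' filter's value against RFC 4515."""
    m = _SIMPLE_FILTER.match(filter_str)
    if not m:
        return False
    return bool(_VALID_FILTER_VALUE.match(m.group(2)))


if __name__ == '__main__':
    base = 'OU=Staff,DC=example,DC=com'   # constructed base DN
    for cn in ('Last, First', 'Last First'):
        dn = build_dn(cn, base)
        for esc in (False, True):
            f = member_filter(dn, escape=esc)
            print('%-12s escape=%-5s valid=%-5s %s'
                  % (repr(cn), esc, filter_value_is_valid(f), f))
```

Running it side by side shows why renaming the account makes the symptom vanish: for "Last First" the naive and the escaped filter are identical, for "Last, First" only the filter with `\5c` is well-formed. When tracing this with ldapsearch, as Kevin suggests, the same rule applies to the filter typed on the command line: the member value must contain `\5c,` rather than `\,`.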