Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-07 Thread Tollefsen, Lyle
Hi Kevin,

I found a work-around on CPAN. Thanks for the redirect!

Lyle.

-Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not 
> the fix. 
> 
> As I originally said, the username:password combo would work only if 
> not testing for group membership, it would fail if it did test for 
> membership. An ldapsearch revealed that the sAMAccountName was fine, 
> but, as the fullname in our AD is "Last, first", the CN would be 
> returned as "Last\, First". If we renamed the account to Last First, 
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a 
> fix available?

There may be an open bug about this in rt.cpan.org against 
RT::Authen::ExternalAuth , but I don't know if I've seen a root cause or patch.

-kevin

> -Original Message-
> From: rt-users-boun...@lists.bestpractical.com 
> [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin 
> Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
> 
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> > We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> > authenticate against Active Directory. Any new AD account I create can
> > logon to RT, and have corresponding account created in RT, if it is in the
> > necessary security group, but older accounts, mine included, pass the
> > password test, but fail at the group membership test, and fail to logon.
> > The RT account, however, does get created. The log entries look like this...
> 
> If you turn on debug logging, you should be able to see the query being run 
> and you can run it manually from ldapsearch to see what is going wrong.
> 
> -kevin
> 
> > Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> > (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> > As I said above, older accounts (3 years plus) which are members of the
> > group being tested fail to fully authenticate, while new accounts which are
> > members of the same group, authenticate properly. In fact, if I comment out
> > the group test from RT_SiteConfig.pm, I can logon to RT with my old account.
> >
> > I don't know if this is pertinent, but we upgraded to Exchange 2007 a few
> > months back, and I wonder if the AD schema changes could be affecting
> > things?
> >
> > Lyle.
> > 
> > 


Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Kevin Falcone
On Thu, Jan 06, 2011 at 03:22:03PM -0600, Tollefsen, Lyle wrote:
> Thanks for the reply. Your suggestions led to finding the problem, but not 
> the fix. 
> 
> As I originally said, the username:password combo would work only if
> not testing for group membership, it would fail if it did test for
> membership. An ldapsearch revealed that the sAMAccountName was fine,
> but, as the fullname in our AD is "Last, first", the CN would be
> returned as "Last\, First". If we renamed the account to Last First,
> omitting the comma, authentication using group membership succeeded.
> The comma is breaking something. Have you seen this before, and is a
> fix available?

There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth , but I don't know if I've seen a root cause
or patch.

-kevin

> -Original Message-
> From: rt-users-boun...@lists.bestpractical.com 
> [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
> Sent: Thursday, January 06, 2011 10:18 AM
> To: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...
> 
> On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> > We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> > authenticate against Active Directory. Any new AD account I create can
> > logon to RT, and have corresponding account created in RT, if it is in the
> > necessary security group, but older accounts, mine included, pass the
> > password test, but fail at the group membership test, and fail to logon.
> > The RT account, however, does get created. The log entries look like this...
> 
> If you turn on debug logging, you should be able to see the query being run 
> and you can run it manually from ldapsearch to see what is going wrong.
> 
> -kevin
> 
> > Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> > (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
> >
> > Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> > (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
> >
> > As I said above, older accounts (3 years plus) which are members of the
> > group being tested fail to fully authenticate, while new accounts which are
> > members of the same group, authenticate properly. In fact, if I comment out
> > the group test from RT_SiteConfig.pm, I can logon to RT with my old account.
> >
> > I don't know if this is pertinent, but we upgraded to Exchange 2007 a few
> > months back, and I wonder if the AD schema changes could be affecting
> > things?
> >
> > Lyle.
> > 
> > 




Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Tollefsen, Lyle
Hi Kevin,

Thanks for the reply. Your suggestions led to finding the problem, but not the 
fix. 

As I originally said, the username:password combo would work only if not 
testing for group membership, it would fail if it did test for membership. An 
ldapsearch revealed that the sAMAccountName was fine, but, as the fullname in 
our AD is "Last, first", the CN would be returned as "Last\, First". If we 
renamed the account to Last First, omitting the comma, authentication using 
group membership succeeded. The comma is breaking something. Have you seen this 
before, and is a fix available?

Thanks.


Lyle Tollefsen
Network Administrator
Innovation Place
114 - 15 Innovation Blvd
Saskatoon, Sk. S7N 2X8

(P) 306-933-7243
(F) 306.933.8200
ltollef...@innovationplace.com
www.innovationplace.com


-Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD...

On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> authenticate against Active Directory. Any new AD account I create can
> logon to RT, and have corresponding account created in RT, if it is in the
> necessary security group, but older accounts, mine included, pass the
> password test, but fail at the group membership test, and fail to logon.
> The RT account, however, does get created. The log entries look like this...

If you turn on debug logging, you should be able to see the query being run and 
you can run it manually from ldapsearch to see what is going wrong.

-kevin

> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>
> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the
> group being tested fail to fully authenticate, while new accounts which are
> members of the same group, authenticate properly. In fact, if I comment out
> the group test from RT_SiteConfig.pm, I can logon to RT with my old account.
>
> I don't know if this is pertinent, but we upgraded to Exchange 2007 a few
> months back, and I wonder if the AD schema changes could be affecting
> things?
>
> Lyle.
> 
> 
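
The thread leaves the root cause open; the sketch below is an added example, not code from RT or RT-Authen-ExternalAuth, showing the two escaping layers a group-membership search has to handle when a CN such as "Last, First" appears in a DN: RFC 4514 escaping inside the DN string and RFC 4515 escaping inside the search filter. The directory suffix, the `member` attribute and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample: display name in the "Last, First" style described above.
SAMPLE_CN = "Last, First"
SAMPLE_BASE = "OU=Staff,DC=example,DC=com"  # hypothetical directory suffix

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN string (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas only."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]   # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    return rdns + [cur]

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def is_valid_filter_value(value):
    """True if every backslash starts a two-hex-digit escape and no raw *, (, ) or NUL remains."""
    return re.fullmatch(r"(?:[^\\*()\x00]|\\[0-9A-Fa-f]{2})*", value) is not None

def member_filter(user_dn, attr="member"):
    """Build the group-membership filter; 'member' is an assumed attribute name."""
    return "(%s=%s)" % (attr, escape_filter_value(user_dn))

USER_DN = "CN=%s,%s" % (escape_dn_value(SAMPLE_CN), SAMPLE_BASE)
if __name__ == "__main__":
    print(USER_DN)
    print(USER_DN.split(","))      # naive split: five pieces, CN cut in half
    print(split_dn(USER_DN))       # escape-aware split: four RDNs
    print(member_filter(USER_DN))
```

The DN as ldapsearch prints it (`Last\, First`) is not a valid filter value on its own, because in a filter a backslash must be followed by two hex digits; the backslash has to become `\5c` before the DN is placed in the filter.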


Re: [rt-users] RT-Authen-ExternalAuth and AD...

2011-01-06 Thread Kevin Falcone
On Wed, Jan 05, 2011 at 03:29:01PM -0600, Tollefsen, Lyle wrote:
> We're running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to
> authenticate against Active Directory. Any new AD account I create can
> logon to RT, and have corresponding account created in RT, if it is in the
> necessary security group, but older accounts, mine included, pass the
> password test, but fail at the group membership test, and fail to logon.
> The RT account, however, does get created. The log entries look like this...

If you turn on debug logging, you should be able to see the query
being run and you can run it manually from ldapsearch to see what is
going wrong.

-kevin

> Jan  5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
> (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
>
> Jan  5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
> (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
>
> As I said above, older accounts (3 years plus) which are members of the
> group being tested fail to fully authenticate, while new accounts which are
> members of the same group, authenticate properly. In fact, if I comment out
> the group test from RT_SiteConfig.pm, I can logon to RT with my old account.
>
> I don't know if this is pertinent, but we upgraded to Exchange 2007 a few
> months back, and I wonder if the AD schema changes could be affecting
> things?
>
> Lyle.
> 
> 

