Bad AD or is it my config?

Ok, narrowing this down.

Have a user “rtbind” with the creative password “tickets.” Running
ldapsearch from the command line with this user’s credentials gets me
results as expected.

Logging in to the web interface using this same user and password gets
me

[Thu Nov 20 18:13:23 2008] [debug]: $pass defined (tickets), Running IsPassword (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)

[Thu Nov 20 18:13:23 2008] [debug]: Password Incorrect (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:74)

[Thu Nov 20 18:13:23 2008] [error]: FAILED LOGIN for rtbind from 192.168.1.34 (/opt/rt3/share/html/autohandler:265)

So now I’m really confused. It’s finding the rtbind user in AD and
accepting that (I tested by entering a bogus user (literally), and I see
the expected

        [debug]: User Check Failed :: ( AD_LDAP ) bogus User not found

So the user lookup is okay).

Just for laughs, I made rtbind a domain admin. I assumed that would
remove permission to check passwords in AD as a factor. Was I wrong, or
is there still something dumb in my config somewhere?

I’ve been using Softerra’s LDAP Browser (freeware) to check structure.
I’m not sure what I’m missing at this point :-(.

Rob Munsch

IT Administrator

http://www.PhillyCarShare.org

Our wheels. Your freedom.

215-730-0988 x138

Robert Munsch.vcf (141 Bytes)

Trying to simulate this via ldapsearch but can’t figure it out. All the
docs I see say that ‘userpassword is only accepted for auth, and
unicodepwd is not readable by ldap.’ I was hoping to run an ldapsearch
to retrieve a given user’s password to see where this is breaking, but
I’m not sure how.

I’m binding ok and can run all sorts of searches, but nothing that will
list or show me passwords. How does RT do it…? My perl-fu is weak
:-(.

Thanks,

Rob



LDAP authentication is not done the same way as unix authentication. It
doesn’t check the password you provided against the userPassword in
LDAP; what it does is attempt to bind to LDAP using the credentials
provided. If the bind is successful, the authentication is successful.

  1. User provides username
  2. username is turned into an LDAP filter using your config like this:
    (&(filter)(usernamefield=$username_provided))
    e.g.
    (&(objectClass=Person)(sAMAccountName=foo))
  3. LDAP is searched using the filter by binding to the LDAP server and
    performing a search. If ‘user’ and ‘pass’ are set in the config then
    those credentials are used to bind to the server, otherwise an anonymous
    bind is done.
  4. If the user is not found (after checking all name attributes and all
    external sources), authentication fails.
  5. If an object IS found then RT attempts to bind to the LDAP server
    using the full DN of the object returned (i.e.
    sAMAccountName=foo,ou=Users,dc=foo,dc=bar) and the password that was
    entered by the user.
  6. IF bind was successful, user is authenticated. If not, then not.

That should help you understand what you’re doing.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
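The search-then-bind sequence Mike lists above, written out as an added illustration in Perl with Net::LDAP (it is not code from RT-Authen-ExternalAuth or from anyone in this thread). The host, base DN and service-account DN are assumed values, and the refusal of an empty password is an extra check this example adds beyond the six steps.

```perl
# Added example of the search-then-bind flow described in the thread; not
# code from RT-Authen-ExternalAuth. Host, base and service DN are assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host    = 'dc.example.test';                        # assumed AD host
my $base    = 'dc=example,dc=test';                     # assumed search base
my $filter  = '(objectClass=Person)';                   # the config 'filter'
my $attr    = 'sAMAccountName';                         # the 'usernamefield'
my $bind_dn = 'cn=rtbind,ou=Users,dc=example,dc=test';  # config 'user' (assumed DN)
my $bind_pw = 'tickets';                                # config 'pass'

# Returns (1, $dn) on success or (0, $reason) on failure.
sub ldap_authenticate {
    my ($username, $password) = @_;

    # Extra check beyond the steps above: a simple bind with an empty password
    # is an anonymous bind and succeeds on most servers, so refuse it first.
    return (0, 'empty password') unless defined $password && length $password;

    my $ldap = Net::LDAP->new($host) or return (0, "connect: $@");

    # Step 3: bind with the configured 'user'/'pass' (or anonymously if unset).
    my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
    return (0, 'service bind: ' . $mesg->error) if $mesg->code;

    # Step 2: (&(filter)(usernamefield=$username)), with the input escaped
    # so a crafted username cannot change the filter's meaning.
    my $search = sprintf '(&%s(%s=%s))', $filter, $attr,
        escape_filter_value($username);
    $mesg = $ldap->search(base => $base, scope => 'sub',
                          filter => $search, attrs => ['1.1']);
    return (0, 'search: ' . $mesg->error) if $mesg->code;

    # Step 4: no object (or more than one) means the user check fails.
    return (0, 'user not found') if $mesg->count == 0;
    return (0, 'ambiguous user')  if $mesg->count > 1;

    # Step 5: bind again as the DN that came back, with the user's password.
    my $user_dn = $mesg->entry(0)->dn;
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;

    # Step 6: the result of that bind is the authentication result.
    return $mesg->code ? (0, "bind as $user_dn: " . $mesg->error) : (1, $user_dn);
}

my ($ok, $why) = ldap_authenticate(@ARGV);
print $ok ? "authenticated as $why\n" : "failed: $why\n";
```

Run as `perl auth.pl <username> <password>`; the reason string it prints distinguishes a failed user lookup (Rob's "User not found" case) from a failed bind with the returned DN (his "Password Incorrect" case).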

Thanks for the info. I see on the AD server that CNs are in the format
, space and all: but the returned object is checked with
sAMAccountName, the user’s “login name” for the domain, so this
shouldn’t matter. But it seems like it does.

I am assuming that at debug level, no news means ‘it worked’:

[Fri Nov 21 16:29:25 2008] [error]: Working around bug in RT and reloading RT::User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Fri Nov 21 16:29:25 2008] [debug]: $pass defined (foobar), Running IsPassword (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Fri Nov 21 16:29:25 2008] [debug]: Password Incorrect (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:74)
[Fri Nov 21 16:29:25 2008] [error]: FAILED LOGIN for munsch from 192.168.1.34 (/opt/rt3/share/html/autohandler:265)

The first messages seen after reloading ::User are about the password
check. This means the user lookup happened and the object was found,
doesn’t it? ‘password incorrect’ means that a bind using that info
failed, yah?

ldapsearch -LLL -x \
  -D "CN=Robert Munsch,OU=Member Services,DC=phillycarshare,DC=loc" -w foobar \
  -h phillycarshare-dc.phillycarshare.loc \
  -b "dc=phillycarshare,dc=loc" "(objectClass=person)"

^ That succeeds. Web login still fails. Now, I’m using the full
ActiveD DN of CN=blah on ldapsearch, but whatever I enter into the
username field on the web login gets tried as the sAMAccountName,
doesn’t it? Or no?

Is the CN being the of the user causing the issue? Should
it be identical to the sAMAccountName one-word domain login? And if so,
anyone know a good simple way to do that across the board without
breaking anything…

Thanks,

Rob Munsch
IT Administrator



It uses sAMAccountName to retrieve the actual full DN (including CN in
your case) and then uses the full DN that was retrieved to try to bind
to the server with the password provided. The space doesn’t matter; it’s
usual to have a space in a CN, and usual in AD for the CN to be used as
the node name.

Looking at the log, it doesn’t look like it’s really checking the
password:

# If a password was given on the login page, validate it
if (defined($pass)) {
    $RT::Logger->debug("\$pass defined ($pass), Running IsPassword");
    $password_validated = $session{'CurrentUser'}->UserObj->IsPassword($pass);
}

unless ($password_validated) {
    $RT::Logger->debug("Password Incorrect");
    delete $session{'CurrentUser'};
}

You don’t have one single debug statement between the output “Running
IsPassword” and “Password Incorrect”. I would expect a lot more debug
output between the two as the code passes into “IsPassword()”.

I would recommend adding some debug statements to the IsPassword method
inside local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm and
see if they show up in the log, because I’m guessing the User_Vendor.pm
isn’t getting used and it’s just calling the normal RT "IsPassword"
method instead.

Kind Regards,

Mike Peachey, IT


It’s looking that way. Went to add debug statements to IsPassword, and
they’re already there. This should be showing up in the logs either
way, yes?

$RT::Logger->debug("Trying External Authentication (", $self->Name, ")");
if (RT::Authen::ExternalAuth::GetAuth($self->Name, $value)) {
    $RT::Logger->debug((caller(0))[3], "EXTERNAL AUTH OKAY");
    return (1);
} else {
    $RT::Logger->debug((caller(0))[3], "EXTERNAL AUTH FAILED");
}

So it’s not happening. I rechecked file permissions: www-data has r to
all of 'em. So, this file is not being used. What’s back a step?
What’s failing to call this properly on my system…?

Thanks again.
