Robert Munsch wrote:
Thanks for the info. I see on the AD server that CNs are in the format
, space and all: but the returned object is checked with
sAMAccountName, the user’s “login name” for the domain, so this
shouldn’t matter. But it seems like it does.
I am assuming that at debug level, no news means ‘it worked’:
[Fri Nov 21 16:29:25 2008] [error]: Working around bug in RT and reloading RT::User (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Fri Nov 21 16:29:25 2008] [debug]: $pass defined (foobar), Running IsPassword (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Fri Nov 21 16:29:25 2008] [debug]: Password Incorrect (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:74)
[Fri Nov 21 16:29:25 2008] [error]: FAILED LOGIN for munsch from 192.168.1.34 (/opt/rt3/share/html/autohandler:265)
The first messages seen after reloading ::User are about the password
check. This means the user lookup happened and the object was found,
doesn’t it? ‘password incorrect’ means that a bind using that info
failed, yah?
ldapsearch -LLL -x -D "CN=Robert Munsch,OU=Member Services,DC=phillycarshare,DC=loc" -w foobar -h phillycarshare-dc.phillycarshare.loc -b "dc=phillycarshare,dc=loc" "(objectClass=person)"
^ That succeeds. Web login still fails. Now, I’m using the full
ActiveD DN of CN=blah on ldapsearch, but whatever I enter into the
username field on the web login gets tried as the sAMAccountName,
doesn’t it? Or no?
Is the CN being the of the user causing the issue? Should
it be identical to the sAMAccountName one-word domain login? And if so,
anyone know a good simple way to do that across the board without
breaking anything…
It uses sAMAccountName to retrieve the actual full DN (including CN in
your case) and then uses the full DN that was retrieved to try to bind
to the server with the password provided. The space doesn’t matter, it’s
usual to have a space in a CN and usual in AD for the CN to be used as
the node name.
Looking at the log, it doesn’t look like it’s really checking the
password:
# If a password was given on the login page, validate it
if (defined($pass)) {
    $RT::Logger->debug("\$pass defined ($pass), Running IsPassword");
    $password_validated =
        $session{'CurrentUser'}->UserObj->IsPassword($pass);
}
unless ($password_validated) {
    $RT::Logger->debug("Password Incorrect");
    delete $session{'CurrentUser'};
}
You don’t have one single debug statement between the output “Running
IsPassword” and “Password Incorrect”. I would expect a lot more debug
output between the two as the code passes into “IsPassword()”.
I would recommend adding some debug statements to the IsPassword method
inside local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm and
see if they show up in the log, because I’m guessing the User_Vendor.pm
isn’t getting used and it’s just calling the normal RT “IsPassword”
method instead.
Kind Regards,
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
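To make the two-step lookup described above concrete, here is an added example (not RT-Authen-ExternalAuth's own code) that does the same search-by-sAMAccountName followed by a bind with the retrieved DN, with a debug line after each step so the output can be compared against the RT log. The host, base DN, service account and test credentials are placeholders.

```perl
#!/usr/bin/perl
# Added example: reproduce the search-then-bind sequence the plugin performs,
# logging each step. All connection values below are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host    = 'ldap.example.com';                               # assumption
my $base    = 'dc=example,dc=com';                              # assumption
my $svc_dn  = 'CN=RT Service,OU=Service Accounts,dc=example,dc=com'; # assumption
my $svc_pw  = 'service-password';                               # assumption
my $login   = 'munsch';   # exactly what was typed in the web login box
my $pass    = 'foobar';   # password from the login page

sub debug { print STDERR "[debug]: @_\n" }

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";

# Step 1: bind with the service account and resolve the login name to a DN.
# The lookup key is sAMAccountName, so the CN (spaces included) is irrelevant.
my $mesg = $ldap->bind($svc_dn, password => $svc_pw);
die "service bind failed: " . $mesg->error if $mesg->code;

# Escape the user-supplied value so it cannot alter the filter structure.
my $safe_login = escape_filter_value($login);
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => "(&(objectClass=person)(sAMAccountName=$safe_login))",
    attrs  => ['distinguishedName'],
);
die "search failed: " . $mesg->error if $mesg->code;
debug("search for sAMAccountName=$login returned " . $mesg->count . " entries");
die "expected exactly one entry\n" unless $mesg->count == 1;

my $user_dn = $mesg->entry(0)->dn;
debug("resolved DN: $user_dn");

# Step 2: bind as the user with the retrieved DN and the supplied password.
# This is the check that should produce output between "Running IsPassword"
# and "Password Incorrect" when User_Vendor.pm is actually in use.
$mesg = $ldap->bind($user_dn, password => $pass);
debug("user bind result: " . ($mesg->code ? $mesg->error : 'success'));
$ldap->unbind;
exit($mesg->code ? 1 : 0);
```

If the service bind and search succeed but the user bind fails, the problem is the credential or the DN returned, not the CN format; if the search returns zero entries, the web login value is not matching sAMAccountName at all.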