Can't login to RT using Active Directory

I have been able to use Active Directory as authentication with the
ExternalAuth plugin, both before and after it was integrated in RT 4.4.

But today it isn’t allowing anyone in, and this is shown in the error logs:

[8629] [Wed Sep 14 15:28:49 2016] [error]: FAILED LOGIN for fleon from 192.168.3.57 (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:826)
[8629] [Wed Sep 14 15:29:31 2016] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:678)

I’m 100% sure I am using the correct password; I even tried other test
accounts I have and know they can authenticate against AD just fine.

I am also sure nothing has changed on AD itself or in RT’s configuration.
However, this is my current ExternalAuth configuration:
Set($ExternalAuth, 1);
Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);
Set($UserAutocreateDefaultsOnLogin, { Privileged => 0 });

Set($ExternalSettings,
    {
        'My_LDAP' => {
            'type'     => 'ldap',
            'server'   => '192.168.100.5',
            'user'     => 'MYUSER',   # account RT binds as before searching for the login name
            'pass'     => 'MYPASS',
            'base'     => 'dc=mycompany,dc=com',
            'filter'   => '(objectClass=person)',
            'd_filter' => '(objectClass=FooBarBaz)',   # "disabled user" filter; matches nothing here
            'tls'      => 0,
            'ssl_version'   => 3,
            'net_ldap_args' => [ version => 3 ],
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map' => {
                'Name'         => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'Organization' => 'physicalDeliveryOfficeName',
                'RealName'     => 'displayName',
                'Gecos'        => 'sAMAccountName',
                'WorkPhone'    => 'telephoneNumber',
                'Address1'     => 'description',
                'City'         => 'l',
                'State'        => 'st',
                'Zip'          => 'postalCode',
                'Country'      => 'co'
            }
        }
    }
);

I am using Debian 8 (jessie) with RT 4.4.1. Thanks.

View this message in context: http://requesttracker.8502.n7.nabble.com/Can-t-login-to-RT-using-Active-Directory-tp62539.html
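The two log lines in the post above point at different failures: the `[error] FAILED LOGIN` records the end user's attempt, while the `[critical] _GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49` means the directory rejected RT's own bind account (the `user`/`pass` pair in `ExternalSettings`), so no password typed at the login form can succeed until that account binds again. The following Python script is an added example, not part of the thread or of RT; it triages constructed log lines in RT's format (PIDs, timestamps, user names, addresses and paths are made up) and reports which of the two cases is occurring.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the RT 4.4 log lines quoted in the thread
# (PIDs, timestamps, user names, addresses and paths are made up).
SAMPLE_LOG = """\
[8629] [Wed Sep 14 15:28:49 2016] [error]: FAILED LOGIN for fleon from 192.168.3.57 (/opt/rt4/lib/RT/Interface/Web.pm:826)
[8629] [Wed Sep 14 15:29:31 2016] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/lib/RT/Authen/ExternalAuth/LDAP.pm:678)
[8630] [Wed Sep 14 15:30:02 2016] [error]: FAILED LOGIN for jdoe from 192.168.3.58 (/opt/rt4/lib/RT/Interface/Web.pm:826)
[8630] [Wed Sep 14 15:30:03 2016] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt4/lib/RT/Authen/ExternalAuth/LDAP.pm:678)
"""

# One RT log record: [pid] [timestamp] [level]: message
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*)$")
# A user presented credentials that RT could not verify
USER_FAIL_RE = re.compile(r"^FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)")
# RT's own bind account (the 'user'/'pass' pair in ExternalSettings) was rejected
BIND_FAIL_RE = re.compile(r"_GetBoundLdapObj Can't bind: (?P<err>LDAP_\w+) (?P<code>\d+)")

@dataclass
class Triage:
    user_failures: Counter = field(default_factory=Counter)  # (user, ip) -> count
    bind_failures: list = field(default_factory=list)        # (timestamp, error name, code)

    def verdict(self) -> str:
        # A bind failure dominates: RT never reaches the user's password check.
        if self.bind_failures:
            return "service-account bind rejected"
        if self.user_failures:
            return "per-user credential failures"
        return "no authentication failures"

def triage_rt_log(text: str) -> Triage:
    result = Triage()
    for line in text.splitlines():
        rec = LINE_RE.match(line)
        if not rec:
            continue  # not an RT record (blank line, wrapped continuation, ...)
        msg = rec["msg"]
        if (uf := USER_FAIL_RE.match(msg)):
            result.user_failures[(uf["user"], uf["ip"])] += 1
        elif (bf := BIND_FAIL_RE.search(msg)):
            result.bind_failures.append((rec["ts"], bf["err"], int(bf["code"])))
    return result

if __name__ == "__main__":
    t = triage_rt_log(SAMPLE_LOG)
    print(t.verdict(), "|", len(t.bind_failures), "bind failures,", sum(t.user_failures.values()), "user failures")
```

Run it against the real RT log (`/opt/rt4/var/log/rt.log` or wherever `$LogToFile` points) to tell a locked-out bind account from a burst of ordinary wrong passwords before touching the configuration.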

Hi,

> I’m 100% sure I am using the correct password; I even tried other test
> accounts I have and know they can authenticate against AD just fine.

Try ldapsearch to connect to your AD, like:

ldapsearch -x -H ldap://192.168.100.5:389 -D MYUSER -w MYPASS -b "dc=yourdomain,dc=com" "cn=Administrator"

Best regards
Daniel


It works, with the caveat that I have to put the full username
(user@mycompany.com) for it to work.

I tried to use the same tactic in RT but still same error.

MYUSER in RT’s configuration is without the domain name. Should I edit and
try? I have never needed to do that before.


I added the domain to the username in RT’s configuration, restarted Apache,
and now it works. Don’t know if it’s because it’s needed or just because I
restarted Apache, though I did that earlier and it didn’t work.

I don’t think anything changed in AD for it to require the full username;
maybe a Windows update changed that, I don’t know. Thanks.
