Problem with RT-Authen-ExternalAuth when a CN name has a comma in it

I am not sure what is happening here. All I know is that if a user in AD
is created without a comma in the container name they log in just fine.
When someone that does have a comma in their CN name tries to
authenticate this is what happens.

[Fri Jun 26 20:29:58 2009] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Fri Jun 26 20:29:58 2009] [debug]: Calling UserExists with $username (smellring) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)

[Fri Jun 26 20:29:58 2009] [debug]: UserExists params:
username: smellring , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)

[Fri Jun 26 20:29:58 2009] [debug]: LDAP Search === Base: DC=starkbrosfulfillment,DC=com == Filter: (&(objectClass=*)(sAMAccountName=smellring)) == Attrs: l,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

[Fri Jun 26 20:29:58 2009] [debug]: Password validation required for service - Executing… (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)

[Fri Jun 26 20:29:58 2009] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)

[Fri Jun 26 20:29:58 2009] [debug]: LDAP Search === Base: DC=starkbrosfulfillment,DC=com == Filter: (&(sAMAccountName=smellring)(objectClass=*)) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)

[Fri Jun 26 20:29:58 2009] [debug]: Found LDAP DN: CN=Mellring, Scott A.,OU=IS,OU=Users,OU=HQ,DC=starkbrosfulfillment,DC=com (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)

[Fri Jun 26 20:29:58 2009] [debug]: LDAP Search === Base: DC=starkbrosfulfillment,DC=com == Filter: (member=CN=Mellring, Scott A.,OU=IS,OU=Users,OU=HQ,DC=starkbrosfulfillment,DC=com) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)

[Fri Jun 26 20:29:58 2009] [info]: My_LDAP AUTH FAILED: smellring (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)

[Fri Jun 26 20:29:58 2009] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)

[Fri Jun 26 20:29:58 2009] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)

[Fri Jun 26 20:29:58 2009] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

[Fri Jun 26 20:29:58 2009] [error]: FAILED LOGIN for smellring from 10.31.4.90 (/opt/rt3/share/html/autohandler:268)

The password is valid.

Even though the authentication fails the user is created in RT.

Any ideas would be greatly appreciated.

Wes Topping
Director of Enterprise Technology


I am not sure what is happening here. All I know is that if a user
in AD is created without a comma in the container name they log in
just fine. When someone that does have a comma in their CN name
tries to authenticate this is what happens.

I’d be curious to see the group/group_attr part of your configuration (and to know if you’re trying to enforce group membership to log in to RT).

It appears Net::LDAP::Filter is throwing away \s, so it may be worth trying to forcibly escape the , on line 98ish before passing to new(), but without a system exhibiting this problem, it's hard to test a change like that.

-kevin
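
The escaping suggested in the reply above, sketched as an added example (it is not from the thread or from the plugin's code). It uses escape_filter_value from Net::LDAP::Util to encode the DN as an RFC 4515 assertion value before it goes into the group-membership filter. member_filter and lenient_value are hypothetical helpers, and the sample DN with a backslash-escaped comma is an assumption about what the directory returns.

```perl
#!/usr/bin/perl
# Added example (not RT-Authen-ExternalAuth code): build the group-membership
# filter from a DN whose CN contains an escaped comma.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed sample. ASSUMPTION: the directory returns the DN with the comma
# inside the CN backslash-escaped (RFC 4514 string form).
my $dn = 'CN=Mellring\, Scott A.,OU=IS,OU=Users,OU=HQ,DC=starkbrosfulfillment,DC=com';

# Hypothetical helper: escape the DN as an RFC 4515 assertion value before it
# is interpolated into the filter text, so "\", "*", "(" and ")" in a DN can
# neither be lost nor change the structure of the filter.
sub member_filter {
    my ($attr, $user_dn) = @_;
    die "unexpected attribute name: $attr\n"
        unless $attr =~ /\A[A-Za-z][A-Za-z0-9-]*\z/;
    return sprintf '(%s=%s)', $attr, escape_filter_value($user_dn);
}

# ASSUMPTION: a simplified model of a lenient filter parser that treats "\"
# plus any character as an escape and keeps only the character. It stands in
# for the backslash loss described in the reply; it is not Net::LDAP::Filter.
sub lenient_value {
    my ($filter) = @_;
    my ($value) = $filter =~ /\A\([^=]+=(.*)\)\z/s
        or die "not a simple equality filter\n";
    $value =~ s/\\([0-9A-Fa-f]{2}|.)/length($1) == 2 ? chr(hex $1) : $1/ges;
    return $value;
}

my %filters = (
    unescaped => "(member=$dn)",
    escaped   => member_filter('member', $dn),
);

# Compare what each filter text decodes to against the DN we meant to send.
for my $kind (sort keys %filters) {
    my $sent = lenient_value($filters{$kind});
    printf "%-9s filter: %s\n", $kind, $filters{$kind};
    printf "%-9s value reaching the server %s the DN\n\n",
        $kind, $sent eq $dn ? 'matches' : 'DIFFERS from';
}
```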