RT-Authen-ExternalAuth and AD

Tollefsen_Lyle · January 5, 2011, 9:29pm

Hi,

We’re running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active Directory. Any new AD account I create can logon to RT, and have corresponding account created in RT, if it is in the necessary security group, but older accounts, mine included, pass the password test, but fail at the group membership test, and fail to logon. The RT account, however, does get created. The log entries look like this…

Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1 (/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

As I said above, older accounts (3 years plus) which are members of the group being tested fail to fully authenticate, while new accounts which are members of the same group, authenticate properly. In fact, If I comment out the group test from RT_SiteConfig.pm, I can logon to RT with my old account.

I don’t know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I wonder if the AD schema changes could be affecting things?

Lyle.

Kevin_Falcone · January 6, 2011, 4:17pm

We’re running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
Directory. Any new AD account I create can logon to RT, and have corresponding account created
in RT, if it is in the necessary security group, but older accounts, mine included, pass the
password test, but fail at the group membership test, and fail to logon. The RT account,
however, does get created. The log entries look like this…

If you turn on debug logging, you should be able to see the query
being run and you can run it manually from ldapsearch to see what is
going wrong.

-kevin

Tollefsen_Lyle · January 6, 2011, 9:22pm

Hi Kevin,

Thanks for the reply. Your suggestions led to finding the problem, but not the fix.

As I originally said, the username:password combo would work only if not testing for group membership, it would fail if it did test for membership. An ldapearch revealed that the sAMAccountName was fine, but, as the fullname in our AD is “Last, first”, the CN would be returned as "Last, First’. If we renamed the account to Last First, omitting the comma, authentication using group membership succeded. The comma is breaking something. Have you seen this before, and is a fix available?

Thanks.

Lyle Tollefsen
Network Administrator
Innovation Place
114 - 15 Innovation Blvd
Saskatoon, Sk. S7N 2X8

(P) 306-933-7243
(F) 306.933.8200
ltollefsen@innovationplace.com
www.innovationplace.comFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD…

We’re running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
Directory. Any new AD account I create can logon to RT, and have corresponding account created
in RT, if it is in the necessary security group, but older accounts, mine included, pass the
password test, but fail at the group membership test, and fail to logon. The RT account,
however, does get created. The log entries look like this…

If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.

-kevin

Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name

(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalA
uth/LDAP.pm:127)

Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
(/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

As I said above, older accounts (3 years plus) which are members of the group being tested
fail to fully authenticate, while new accounts which are members of the same group,
authenticate properly. In fact, If I comment out the group test from RT_SiteConfig.pm, I can
logon to RT with my old account.

I don’t know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
wonder if the AD schema changes could be affecting things?

Lyle.

Kevin_Falcone · January 6, 2011, 9:53pm

Thanks for the reply. Your suggestions led to finding the problem, but not the fix.

As I originally said, the username:password combo would work only if
not testing for group membership, it would fail if it did test for
membership. An ldapearch revealed that the sAMAccountName was fine,
but, as the fullname in our AD is “Last, first”, the CN would be
returned as "Last, First’. If we renamed the account to Last First,
omitting the comma, authentication using group membership succeded.
The comma is breaking something. Have you seen this before, and is a
fix available?

There may be an open bug about this in rt.cpan.org against
RT::Authen::ExternalAuth , but I don’t know if I’ve seen a root cause
or patch.

-kevin

Tollefsen_Lyle · January 7, 2011, 7:03pm

Hi Kevin,

I found a work-around on CPAN. Thanks for the redirect!

Lyle.From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 3:53 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD…

Thanks for the reply. Your suggestions led to finding the problem, but not the fix.

As I originally said, the username:password combo would work only if
not testing for group membership, it would fail if it did test for
membership. An ldapearch revealed that the sAMAccountName was fine,
but, as the fullname in our AD is “Last, first”, the CN would be
returned as "Last, First’. If we renamed the account to Last First,
omitting the comma, authentication using group membership succeded.
The comma is breaking something. Have you seen this before, and is a
fix available?

There may be an open bug about this in rt.cpan.org against RT::Authen::ExternalAuth , but I don’t know if I’ve seen a root cause or patch.

-kevin

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin
Falcone
Sent: Thursday, January 06, 2011 10:18 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD…

We’re running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
Directory. Any new AD account I create can logon to RT, and have corresponding account created
in RT, if it is in the necessary security group, but older accounts, mine included, pass the
password test, but fail at the group membership test, and fail to logon. The RT account,
however, does get created. The log entries look like this…

If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.

-kevin

Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name

(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/Externa
lA
uth/LDAP.pm:127)

Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
(/opt/rt3/bin/…/lib/RT/Interface/Web.pm:424)

As I said above, older accounts (3 years plus) which are members of the group being tested
fail to fully authenticate, while new accounts which are members of the same group,
authenticate properly. In fact, If I comment out the group test from RT_SiteConfig.pm, I can
logon to RT with my old account.

I don’t know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
wonder if the AD schema changes could be affecting things?

Lyle.