Thanks for the reply. Your suggestions led to finding the problem, but not the fix.
As I originally said, the username:password combo would work only if not testing for group membership, it would fail if it did test for membership. An ldapearch revealed that the sAMAccountName was fine, but, as the fullname in our AD is “Last, first”, the CN would be returned as "Last, First’. If we renamed the account to Last First, omitting the comma, authentication using group membership succeded. The comma is breaking something. Have you seen this before, and is a fix available?
114 - 15 Innovation Blvd
Saskatoon, Sk. S7N 2X8
www.innovationplace.comFrom: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Kevin Falcone
Sent: Thursday, January 06, 2011 10:18 AM
Subject: Re: [rt-users] RT-Authen-ExternalAuth and AD…
We’re running RT 3.8.8 and using RT-Authen-ExternalAuth 0.08 to authenticate against Active
Directory. Any new AD account I create can logon to RT, and have corresponding account created
in RT, if it is in the necessary security group, but older accounts, mine included, pass the
password test, but fail at the group membership test, and fail to logon. The RT account,
however, does get created. The log entries look like this…
If you turn on debug logging, you should be able to see the query being run and you can run it manually from ldapsearch to see what is going wrong.
Jan 5 15:12:29 RT388 RT: AD_GROUP2 AUTH FAILED: my-name
Jan 5 15:12:29 RT388 RT: FAILED LOGIN for my-name from 192.168.1.1
As I said above, older accounts (3 years plus) which are members of the group being tested
fail to fully authenticate, while new accounts which are members of the same group,
authenticate properly. In fact, If I comment out the group test from RT_SiteConfig.pm, I can
logon to RT with my old account.
I don’t know if this is pertinent, but we upgraded to Exchange 2007 a few months back, and I
wonder if the AD schema changes could be affecting things?