Rt ldap

Once more, this time actually headed to the rt-users list. =\

–j

From: Jim Meyer purp@acm.org
Date: Jun 6, 2006 6:06 PM
Subject: Re: RT LDAP
To: Steve Haché steve.hache@distributel.ca

Hello!

I’m copying the rt-users list because your errors don’t look
particularly LDAP-related – not to say they aren’t, just that I’ve
never seen them before.

First question: did you install my most recent code (~1a last night)
or from earlier? There shouldn’t be a difference (and don’t upgrade
yet if you’re not running last night’s code), it’s just to help figure
out what’s wrong.

Second question: what version of RT?

I also installed the LdapAutocreateAuthCallback file.

Since that’s optional, let’s move that to Auth.bak for now to
decomplicate the issue. Then we’ll test with some LDAP user who
already has an RT account.

However I am not having luck getting that one to work off the bat.
Here is what my logs are showing. fred.smith is not a valid user in our
office, but andre is.

Jun 6 14:21:40 srv01 RT: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/local/rt3/lib/RT/Record.pm:1441)
Jun 6 14:21:40 srv01 RT: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/local/rt3/lib/RT/Record.pm:1441)
Jun 6 14:21:40 srv01 RT: FAILED LOGIN for fred.smith from 192.168.255.1 (/usr/local/rt3/share/html/autohandler:191)
Jun 6 14:26:02 srv01 RT: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/local/rt3/lib/RT/Record.pm:1441)
Jun 6 14:26:02 srv01 RT: Transaction->Create couldn't, as you didn't specify an object type and id (/usr/local/rt3/lib/RT/Record.pm:1441)
Jun 6 14:26:02 srv01 RT: FAILED LOGIN for andre_belanger from 192.168.255.1 (/usr/local/rt3/share/html/autohandler:191)

These don’t look like errors I’ve seen before. Let’s keep digging.

Set($LdapAttrMap, {'Name' => 'SAMAccountName',
    'EmailAddress' => 'mail',
    'Organization' => 'o',
    'RealName' => 'cn',
    'ExternalContactInfoId' => 'dn',
    'ExternalAuthId' => 'SAMAccountName',
    'Gecos' => 'SAMAccountName',
    'WorkPhone' => 'telephoneNumber',
    'Address1' => 'streetAddress',
    'City' => '1',
    'State' => 'st',
    'Zip' => 'postalCode',
    'Country' => 'co'}
);
[…]

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*

Set($LdapServer, 'LDAP IP HERE');
Set($LdapBase, 'ou=users,dc=corp,dc=distributel,dc=ca');
Set($LdapFilter, "(objectclass=SAMAccountName)");

I think it’s supposed to be “sAMAccountName”, but I don’t know if
Windows Active Directory is case sensitive or not.

If that doesn’t solve it, please turn logging up to “debug” and send
more output. =]

Thanks!

–j
Jim Meyer, Geek at Large purp@acm.org


[…]

I think it’s supposed to be “sAMAccountName”, but I don’t know if
Windows Active Directory is case sensitive or not.
[…]

Some quick experimentation with ldapsearch says it’s not, but (based on
some fairly painful experience troubleshooting one of our products that
includes user import from LDAP as an option) I suspect you want
“organizationalPerson” as the object class; “sAMAccountName” is usually
an attribute of an organizationalPerson object.

/Ole Craig
Security Engineer

303-381-3802 (main support hotline)
303-381-3824 (my direct line)
303-381-3801 (fax)

www.stillsecure.com
. . .

Hello!

On 6/6/06, Ole Craig ocraig@stillsecure.com wrote:

On Tue, 2006-06-06 at 18:07 -0700, Jim Meyer wrote:
[…]

I think it’s supposed to be “sAMAccountName”, but I don’t know if
Windows Active Directory is case sensitive or not.
[…]

Some quick experimentation with ldapsearch says it’s not, but (based on
some fairly painful experience troubleshooting one of our products that
includes user import from LDAP as an option) I suspect you want
“organizationalPerson” as the object class; “sAMAccountName” is usually
an attribute of an organizationalPerson object.

Can some enterprising WAD user try this and confirm it? I'd like to
update the wiki if it's true.

Thanks!

–j
Jim Meyer, Geek at Large purp@acm.org

I use a W2K AD server and use “user” as my object class. That works well
for me.

Basic Setup

Set($LdapServer, 'server.domain.com');          # LDAP server for authentication
Set($LdapBase, 'cn=Users,dc=domain,dc=com');    # search base
Set($LdapFilter, "(objectclass=user)");         # filter LDAP entries (e.g., only people)

I have also confirmed that SAMAccountName works equally as well as
sAMAccountName in the config.

Eric N. Valor
Sr. Systems Administrator
DaimlerChrysler Research & Technology North America, Inc.
eric.valor@daimlerchrysler.com
1510 Page Mill Road, Palo Alto, CA 94304
CIMS 931-00-00
650-845-2536

: This Space Intentionally Left Blank :

[…]

I think it’s supposed to be “sAMAccountName”, but I don’t know if
Windows Active Directory is case sensitive or not.
[…]

Some quick experimentation with ldapsearch says it’s not, but (based on
some fairly painful experience troubleshooting one of our products that
includes user import from LDAP as an option) I suspect you want
“organizationalPerson” as the object class; “sAMAccountName” is usually
an attribute of an organizationalPerson object.

Hello!

I'm copying in the rt-users mailing list as I'm frequently slower than
they are at puzzling out what's up.

On 7/31/06, Justin Sherrill jsherrill@currentcomm.net wrote:

I’m using your LDAP for RT writeup as of 07/31/2006, for logins. It’s
working, generally.

It’s not autocreating accounts that exist in LDAP but not locally. I’ve
set Set($LdapAutoCreateNonLdapUsers, 1); which should enable this, as I
understand it. It’s not really hurting anything, though.

Actually, that variable means “It’s okay to create accounts for people
you don’t find in LDAP”. Some like to leave it turned off as a spam
preventative.

My first question is: have you installed the callback at
Request Tracker Wiki and
is it loading properly? You can test this by looking at the source of
any RT page, where you should see:

If you don’t see that, the callback isn’t loading and we’ll need to
noodle that out.

Cheers!

–j, at a conference in Boston
Jim Meyer, Geek at Large purp@acm.org

I have implemented Jim Meyer’s LDAP User overlay for RT, and it’s
basically working, except that user info is only pulled from LDAP when
accounts are created, not on subsequent logins. I was assuming that the
module was designed to do this. Here’s the config setting I have in my
RT_SiteConfig.pm:

# using WebExternalAuth, not LDAP, for auth

#Set($AuthMethods, ['LDAP', 'Internal']);
Set($LdapExternalAuth, 0);

# just want LDAP for info

Set($LdapExternalInfo, 1);
Set($LdapAutoCreateNonLdapUsers, 0);

Set($LdapAttrMap, {'Name' => 'uid',
    'EmailAddress' => 'mail',
    'Organization' => 'ou',
    'RealName' => 'cn',
    'ExternalAuthId' => 'uid',
    'Gecos' => 'uid',
    'WorkPhone' => 'telephoneNumber',
    'Address1' => 'postalAddress',
    'Address2' => 'postOfficeBox'}
);
Set($LdapRTAttrMatchList, ['Name', 'EmailAddress', 'RealName']);
Set($LdapEmailAttrMatchList, ['mail']);
Set($LdapEmailAttrMatchPrefix, [''] );

# These are working, so am leaving out

Set($LdapServer, 'xxx');
Set($LdapBase, 'xxx');
Set($LdapFilter, 'xxx');

# anonymous

#Set($LdapUser, '');
#Set($LdapPass, '');

# don't need, but left in

Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# no group auth

#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# not ssl

#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

Am I doing something wrong? I don't have other User Overlays, just a
default RT installation with the additions called for in the installation
procedure.

Thanks,
David

RT 3.6.1

Hey Jim,

Great work on the LDAP overlay for RT :) I've gotten it talking to eDirectory
nicely now. Just two things though... :-p

The documentation up on wiki.bestpractical.com suggests use of the
Set($foo, 'bar') style, yet I could only get it to work with $foo='bar';
style directives. Dunno if this is intended or not :)

Hmm. Works for me with RT 3.5.x and 3.6.x with Set(…) syntax. What
version of RT are you using?

Also, I’m trying to get it to recursively search our directory for the
username that is entered. This is all well and good if I give it an OU to
search in along with the organisation. However, if I leave the OU out and try
to get it to search the entire organisation from the ground up, it fails.

Any thoughts on this? I have users from several parts of the NHS in the
facility here, and only about 75% of them are in the OU for the facility. It
makes it a little troublesome to roll out a fantastic new ticketing system
when some of them can’t access it (although I’d prefer if they couldn’t log
any problems at all :)

Hmmm. I’m not an LDAP expert, so I’ve copied this to the list in hopes
we’ll hear from one. My first instinct is to be sure the limitation
isn’t on the directory server’s part (e.g. they’ve limited the depth
of a search to avoid lots of full-depth searches) but that’s probably
not right.

–j
Jim Meyer, Geek at Large purp@acm.org

Hey Jim,

Great work on the LDAP overlay for RT :) I've gotten it talking to
eDirectory nicely now. Just two things though... :-p

The documentation up on wiki.bestpractical.com suggests use of the
Set($foo, 'bar') style, yet I could only get it to work with $foo='bar';
style directives. Dunno if this is intended or not :)

Hmm. Works for me with RT 3.5.x and 3.6.x with Set(…) syntax. What
version of RT are you using?

I'm using version v3.4.4 on Ubuntu Edgy. Not quite upgraded to 3.6 yet. The
rest of the 3.4.4 configuration directives use Set(...), so it looks like an
oddity.

Also, I’m trying to get it to recursively search our directory for the
username that is entered. This is all well and good if I give it an OU to
search in along with the organisation. However, if I leave the OU out and
try to get it to search the entire organisation from the ground up, it
fails.

Any thoughts on this? I have users from several parts of the NHS in the
facility here, and only about 75% of them are in the OU for the facility.
It makes it a little troublesome to roll out a fantastic new ticketing
system when some of them can’t access it (although I’d prefer if they
couldn't log any problems at all :)

Hmmm. I’m not an LDAP expert, so I’ve copied this to the list in hopes
we’ll hear from one. My first instinct is to be sure the limitation
isn’t on the directory server’s part (e.g. they’ve limited the depth
of a search to avoid lots of full-depth searches) but that’s probably
not right.

The server at work doesn't have any recursion/depth limits on it, so I'm not
sure where it's playing up. I've just tested RT on my home eDirectory setup,
and it worked fine when the user was dropped straight into the top level of
the organization, as well as when the user was several OUs down the
tree. This is all with $LdapBase="o=glasgownet". I've tried moving the
object at work into the top level, but it still bailed out.

My object at work is cn=KyleG,ou=Net_Team,ou=CLIFTON,o=SCPMDE, and it'll only
work with $LdapBase="ou=CLIFTON,o=SCPMDE", and my object at home is
cn=kylegordon,ou=Home,ou=lodge,o=glasgownet yet it'll work with
$LdapBase="o=glasgownet". This shows that it's probably something up with our
eDir configuration, but I'm not sure where to start looking. Is it possible
to get more debug output from RT or Perl?

Any thoughts would be appreciated :)

Kyle
Kyle Gordon
kyle@lodge.glasgownet.com
http://lodge.glasgownet.com

Hello!

We at New England College are trying to setup RT as our helpdesk ticketing
system and need to get RT up and running pretty soon.

I have followed the LDAP installation instructions found at
Request Tracker Wiki

Log 1 (below): When I log in as a user who has an account with the same userid
and password in RT and Windows Server 2003 Active Directory,
it seems to find the entry but fails the LDAP authentication. The error
message is in bold.

Log 2 (below): When I log in as a user with a user id in Windows Server 2003
Active Directory only and no account in RT,
again authentication fails. The error message is in bold.

I’m copying this to the RT Users mailing list, where I suspect someone
with Active Directory experience can lend a hand. Unfortunately, I
know nearly nothing about it.

Cheers!

–j

Log:1

[Tue Nov 7 22:53:08 2006] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 613 with: Name: mvaidya (/opt/rt3/local/lib/RT/User_Local.pm:378)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "ou=AllNecUsers,dc=nec,dc=edu" and filter "sAMAccountName=mvaidya" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 393 (/opt/rt3/local/lib/RT/User_Local.pm:508)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::LookupExternalUserInfo : ou=AllNecUsers,dc=nec,dc=edu sAMAccountName=mvaidya => Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:563)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "mvaidya@nec.edu" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 402 (/opt/rt3/local/lib/RT/User_Local.pm:326)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "ou=AllNecUsers,dc=nec,dc=edu" and filter "mail=mvaidya@nec.edu" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 332 (/opt/rt3/local/lib/RT/User_Local.pm:508)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::LookupExternalUserInfo : ou=AllNecUsers,dc=nec,dc=edu mail=mvaidya@nec.edu => Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:563)
[Tue Nov 7 22:53:08 2006] [debug]: FOUND OK (/opt/rt3/local/lib/RT/User_Local.pm:335)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::CanonicalizeEmailAddress mvaidya@nec.edu => mvaidya@nec.edu (/opt/rt3/local/lib/RT/User_Local.pm:345)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:411)
[Tue Nov 7 22:53:08 2006] [debug]: UPDATED user mvaidya from LDAP (/opt/rt3/local/lib/RT/User_Local.pm:622)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /opt/rt3/local/lib/RT/User_Local.pm 613 with: Name: mvaidya (/opt/rt3/local/lib/RT/User_Local.pm:378)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "ou=AllNecUsers,dc=nec,dc=edu" and filter "sAMAccountName=mvaidya" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 393 (/opt/rt3/local/lib/RT/User_Local.pm:508)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::LookupExternalUserInfo : ou=AllNecUsers,dc=nec,dc=edu sAMAccountName=mvaidya => Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:563)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::CanonicalizeEmailAddress : called with "mvaidya@nec.edu" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 402 (/opt/rt3/local/lib/RT/User_Local.pm:326)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::LookupExternalUserInfo called with baseDN "ou=AllNecUsers,dc=nec,dc=edu" and filter "mail=mvaidya@nec.edu" by RT::User /opt/rt3/local/lib/RT/User_Local.pm 332 (/opt/rt3/local/lib/RT/User_Local.pm:508)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::LookupExternalUserInfo : ou=AllNecUsers,dc=nec,dc=edu mail=mvaidya@nec.edu => Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:563)
[Tue Nov 7 22:53:08 2006] [debug]: FOUND OK (/opt/rt3/local/lib/RT/User_Local.pm:335)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::CanonicalizeEmailAddress mvaidya@nec.edu => mvaidya@nec.edu (/opt/rt3/local/lib/RT/User_Local.pm:345)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: mvaidya@nec.edu, ExternalAuthId: mvaidya, ExternalContactInfoId: CN=Vaidya,Mukul,OU=IT Staff,OU=AllNECUsers,DC=nec,DC=edu, Gecos: mvaidya, Name: mvaidya, Organization: , RealName: Vaidya,Mukul, State: , WorkPhone: , Zip: (/opt/rt3/local/lib/RT/User_Local.pm:411)
[Tue Nov 7 22:53:08 2006] [debug]: UPDATED user mvaidya from LDAP (/opt/rt3/local/lib/RT/User_Local.pm:622)
[Tue Nov 7 22:53:08 2006] [debug]: Trying LDAP authentication (/opt/rt3/local/lib/RT/User_Local.pm:153)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED: mvaidya (/opt/rt3/local/lib/RT/User_Local.pm:182)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:291)
[Tue Nov 7 22:53:08 2006] [info]: RT::User::IsInternalPassword AUTH OKAY: mvaidya (/opt/rt3/local/lib/RT/User_Local.pm:239)
[Tue Nov 7 22:53:08 2006] [debug]: RT::User::IsPassword auth method IsInternalPassword SUCCEEDED (/opt/rt3/local/lib/RT/User_Local.pm:291)
[Tue Nov 7 22:53:08 2006] [info]: Successful login for mvaidya from 172.16.8.66 (/opt/rt3/local/html/Callbacks/LDAP/autohandler/Auth:44)

Log:2

[Tue Nov 7 22:55:27 2006] [warning]: prepare_cached( SELECT a_session FROM sessions WHERE id = ?) statement handle DBI::st=HASH(0xbfc12b4) still Active at /usr/lib/perl5/site_perl/5.8.8/Apache/Session/Store/DBI.pm line 80 (/usr/lib/perl5/5.8.8/Carp.pm:271)
[Tue Nov 7 22:55:38 2006] [warning]: Transaction->Create couldn't, as you didn't specify an object type and id (/opt/rt3/lib/RT/Record.pm:1467)
[Tue Nov 7 22:55:38 2006] [debug]: Trying LDAP authentication (/opt/rt3/local/lib/RT/User_Local.pm:153)
[Tue Nov 7 22:55:38 2006] [info]: RT::User::IsLDAPPassword AUTH FAILED: reports (/opt/rt3/local/lib/RT/User_Local.pm:182)
[Tue Nov 7 22:55:38 2006] [debug]: RT::User::IsPassword auth method IsLDAPPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:291)
[Tue Nov 7 22:55:38 2006] [info]: RT::User::IsInternalPassword AUTH FAILED (no passwd): reports (/opt/rt3/local/lib/RT/User_Local.pm:232)
[Tue Nov 7 22:55:38 2006] [debug]: RT::User::IsPassword auth method IsInternalPassword FAILED (/opt/rt3/local/lib/RT/User_Local.pm:291)
[Tue Nov 7 22:55:38 2006] [error]: FAILED LOGIN for reports from 172.16.8.66 (/opt/rt3/share/html/autohandler:238)

Any help in resolving this issue is much appreciated.

Thank you,
Mukul Vaidya

IT Department
New England College.

Jim Meyer, Geek at Large purp@acm.org

Log 1 (below): When I log in as a user who has an account with the same
userid and password in RT and Windows Server 2003 Active Directory,
it seems to find the entry but fails the LDAP authentication. The
error message is in bold.

How were these RT accounts created?

I found if the accounts were auto-created via email their Username
would be username@example.com. I never found a way for Active Directory
to authenticate users with that type of username. Trim the @domain.com
off the Username; that worked for me.

If the usernames are short, does their old RT password work? (i.e. is the
fall through turned on)

Log 2 (below): When I log in as a user with a user id in Windows Server
2003 Active Directory only and no account in RT,
again authentication fails. The error message is in bold.

To be honest it looks like the error is before the LDAP part, but for
what it's worth, did you put in place the Auto Create account via LDAP
option?
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback
I used that and it's been working on AD / Windows 2003 Server.

  • Scott

Thanks for your feedback. I finally got LDAP working.

I had to change Set($LdapFilter, '(objectclass=posixAccount)') in
RT_SiteConfig.pm (as found in
Request Tracker Wiki) to
Set($LdapFilter, '(objectclass=user)');

Thanks,
Mukul

From: Scott Golby [mailto:sgolby@freshdirect.com]
Sent: Monday, November 13, 2006 5:33 PM
To: Jim Meyer; Vaidya,Mukul; RT Users Mailing List
Subject: RE: [rt-users] Re: RT LDAP

Log 1 (below): When I log in as a user who has an account with the same
userid and password in RT and Windows Server 2003 Active Directory, it seems
to find the entry but fails the LDAP authentication. The
error message is in bold.

How were these RT accounts created?

I found if the accounts were auto-created via email their Username
would be username@example.com. I never found a way for Active Directory
to authenticate users with that type of username. Trim the @domain.com
off the Username; that worked for me.

If the usernames are short, does their old RT password work? (i.e. is the
fall through turned on)

Log 2 (below): When I log in as a user with a user id in Windows Server
2003 Active Directory only and no account in RT,
again authentication fails. The error message is in bold.

To be honest it looks like the error is before the LDAP part, but for
what it's worth, did you put in place the Auto Create account via LDAP
option?
http://wiki.bestpractical.com/index.cgi?LdapAutocreateAuthCallback
I used that and it's been working on AD / Windows 2003 Server.

  • Scott
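The thread keeps circling three lookup details: the search scope relative to $LdapBase (Kyle's entry is only found when the base is narrowed to ou=CLIFTON,o=SCPMDE), which objectclass $LdapFilter should name (Steve's "(objectclass=SAMAccountName)" and Mukul's "(objectclass=posixAccount)" both match nothing in Active Directory, while "(objectclass=user)" works), and whether attribute-name case matters (Eric confirms SAMAccountName and sAMAccountName behave the same). The following is an added example, written for this thread; it is not code from the thread, from Jim Meyer's overlay or from any LDAP library. It models those server-side rules over a small constructed in-memory directory (DNs follow the ones quoted above, with a simplified RDN for Mukul's entry because his real RDN contains an escaped comma) and applies an $LdapAttrMap-style mapping the way Log 1 shows LookupExternalUserInfo doing it. It also escapes the login name before splicing it into the filter, per RFC 4515, because the overlay builds "sAMAccountName=<login>" from whatever is typed at the login form; the function names and the sample entries are assumptions of this example, not anything the overlay exposes.

```python
# Added example, not part of the thread or of the RT LDAP overlay: a toy model of
# LDAP search scope, objectclass filtering and case-insensitive attribute names,
# plus RFC 4515 escaping of the login name that gets spliced into the filter.

# Constructed sample directory. DNs follow those quoted in the thread; Mukul's real
# RDN (CN=Vaidya\,Mukul) holds an escaped comma, which this toy DN splitter does
# not handle, so a plain RDN is used for that entry.
DIRECTORY = {
    "cn=mvaidya,ou=IT Staff,ou=AllNECUsers,dc=nec,dc=edu": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["mvaidya"], "cn": ["Vaidya,Mukul"],
        "mail": ["mvaidya@nec.edu"],
    },
    "cn=KyleG,ou=Net_Team,ou=CLIFTON,o=SCPMDE": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["KyleG"], "uid": ["KyleG"],
    },
    "cn=kylegordon,ou=Home,ou=lodge,o=glasgownet": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["kylegordon"], "uid": ["kylegordon"],
    },
}

# An $LdapAttrMap in the thread's shape (assumed); 'l' (locality) is absent from
# the AD entry above, which is what produces the empty "City: ," seen in Log 1.
ATTR_MAP = {"Name": "sAMAccountName", "EmailAddress": "mail", "RealName": "cn",
            "ExternalContactInfoId": "dn", "City": "l"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: without it a login such
    as '*' or 'x)(objectClass=*' rewrites the filter instead of being matched."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(ldap_filter, name_attr, login):
    """AND the configured $LdapFilter with the login-name assertion, giving the
    filter string the directory server would actually receive."""
    return "(&%s(%s=%s))" % (ldap_filter, name_attr, escape_filter_value(login))


def dn_rdns(dn):
    """RDNs of a DN, lower-cased for comparison (DN components are case-insensitive)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn reachable from base_dn with scope 'base', 'one' or 'sub'?"""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def attr_values(entry, attr):
    """Values of an attribute looked up case-insensitively by name, as LDAP does,
    so 'SAMAccountName' and 'sAMAccountName' reach the same attribute."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []


def search(directory, base_dn, scope, terms):
    """DNs of in-scope entries satisfying every (attribute, value) equality term;
    values compare case-insensitively, as caseIgnoreMatch attributes do."""
    hits = []
    for dn, entry in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        if all(value.lower() in [v.lower() for v in attr_values(entry, attr)]
               for attr, value in terms):
            hits.append(dn)
    return hits


def lookup_user(directory, base_dn, scope, objectclass, name_attr, login, attr_map):
    """Model of the overlay's lookup step: require exactly one entry of the
    configured objectclass for the login, then fill the RT fields named in the
    attribute map; attributes the entry lacks become empty strings."""
    hits = search(directory, base_dn, scope,
                  [("objectClass", objectclass), (name_attr, login)])
    if len(hits) != 1:
        return None
    dn, entry = hits[0], directory[hits[0]]
    return {field: (dn if src == "dn" else (attr_values(entry, src) or [""])[0])
            for field, src in attr_map.items()}


if __name__ == "__main__":
    print(build_filter("(objectclass=user)", "sAMAccountName", "mvaidya"))
    print(lookup_user(DIRECTORY, "ou=AllNecUsers,dc=nec,dc=edu", "sub",
                      "user", "SAMAccountName", "mvaidya", ATTR_MAP))
    print(search(DIRECTORY, "o=SCPMDE", "sub", [("uid", "KyleG")]))
```

Run against the sample data, the AD lookup succeeds with objectclass "user" and returns None with "posixAccount" or "SAMAccountName", which is exactly the change Mukul and Steve needed; Kyle's entry is found from o=SCPMDE with a subtree search but not with a one-level search, so if the overlay's search really is subtree, the restriction lies on the eDirectory side, as Jim suspected. The escaping step is the defender's caveat: the filter is built from the login name, so a name containing "*", "(" or ")" must be escaped before it reaches the server.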