Able to login with fake password

I get an error each time I try to log in to RT. And even worse, I found
that I can log in with a fake password.

------- Start of error message -----
System error

error: Can’t use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.

context: unable to open file

code stack: /opt/rt3/local/lib/RT/User_Vendor.pm:56
/opt/rt3/local/lib/RT/User_Vendor.pm:359
/opt/rt3/lib/RT/CurrentUser.pm:309
/opt/rt3/share/html/autohandler:247

Can’t use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.

Trace begun at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Exceptions.pm
line 129
HTML::Mason::Exceptions::rethrow_exception(‘Can’t use an undefined
value as an ARRAY reference at /opt/rt3/local/lib/RT/User_Vendor.pm line
56.^J’) called at /opt/rt3/local/lib/RT/User_Vendor.pm line 56
RT::User::IsExternalPassword(‘RT::User=HASH(0xb9690c0)’,
‘boguspassword’) called at /opt/rt3/local/lib/RT/User_Vendor.pm line 359
RT::User::IsPassword(‘RT::User=HASH(0xb9690c0)’, ‘boguspassword’) called
at /opt/rt3/lib/RT/CurrentUser.pm line 309
RT::CurrentUser::IsPassword(‘RT::CurrentUser=HASH(0xb990af4)’,
‘boguspassword’) called at /opt/rt3/share/html/autohandler line 247
HTML::Mason::Commands::ANON(‘pass’, ‘boguspassword’, ‘user’,
‘fpercynski’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run(‘HTML::Mason::Component::FileBased=HASH(0xb3
6f2c0)’, ‘pass’, ‘boguspassword’, ‘user’, ‘fpercynski’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 1273
eval {…} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
1268
HTML::Mason::Request::comp(undef, undef, undef, ‘pass’, ‘boguspassword’,
‘user’, ‘fpercynski’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line 467
eval {…} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
467
eval {…} at /usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm line
419
HTML::Mason::Request::exec(‘HTML::Mason::Request::ApacheHandler=HASH(0xb
99677c)’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line 168
HTML::Mason::Request::ApacheHandler::exec(‘HTML::Mason::Request::ApacheH
andler=HASH(0xb99677c)’) called at
/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm line 825
HTML::Mason::ApacheHandler::handle_request(‘HTML::Mason::ApacheHandler=H
ASH(0x9f95b18)’, ‘Apache2::RequestRec=SCALAR(0xb9568a0)’) called at
/opt/rt3/bin/webmux.pl line 125
eval {…} at /opt/rt3/bin/webmux.pl line 125
RT::Mason::handler(‘Apache2::RequestRec=SCALAR(0xb9568a0)’) called at -e
line 0
eval {…} at -e line 0
------- End of error message -----

In the above error message the word “boguspassword” is the plain text
representation of the password that I typed in, which is not my real
password and should not allow me to log in. But if I press F5 in my
browser and resubmit the information I am then successfully logged in to
RT under my account.

Obviously I have configured something in a bad way. But I can’t figure
out what.

About two months ago I was trying to get RT to authenticate against
Active Directory. I tried to install RT::Authen::ExternalAuth but it
never finished successfully. Nonetheless part of the installation must
have worked because I have an $RTHOME/local/etc/Authen-ExternalAuth/
directory. Searching the archives makes me believe the error message
above is in some way related to external authentication. I have not
manually modified $RTHOME/etc/RT_SiteConfig.pm in any way to use
external authentication.

RT version is 3.6.6

The information contained in this message is privileged and confidential. It is intended only for the recipient or entity listed above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to the message and promptly deleting it from your computer. Thank you. Health Data Management Solutions.

error: Can’t use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.

Fred,

Looks like you’ve installed a custom RT extension. What did you install?

The last changes I was making were to get external authentication to
Active Directory working. I tried installing RT::Authen::ExternalAuth
but it never finished successfully. I did install Bundle::Net::LDAP
successfully.

From: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Monday, August 18, 2008 1:59 PM
To: Percynski, Fred
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Able to login with fake password

error: Can't use an undefined value as an ARRAY reference at
/opt/rt3/local/lib/RT/User_Vendor.pm line 56.

Fred,

Looks like you’ve installed a custom RT extension. What did you install?

The last changes I was making were to get external authentication to
Active Directory working. I tried installing
RT::Authen::ExternalAuth but it never finished successfully. I did
install Bundle::Net::LDAP successfully.

It looks like RT::Authen::ExternalAuth left things lying around which
are messing with RT’s authentication process. I’d recommend fully
removing the files it installed and seeing how things look then.
In particular, I’d remove things from /opt/rt3/local

-j

I did as you suggested and that resolved the problem. Thanks for the
help.

From: Jesse Vincent [mailto:jesse@bestpractical.com]
Sent: Tuesday, August 19, 2008 1:24 PM
To: Percynski, Fred
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Able to login with fake password

The last changes I was making were to get external authentication
to Active Directory working. I tried installing
RT::Authen::ExternalAuth but it never finished successfully. I did
install Bundle::Net::LDAP successfully.

It looks like RT::Authen::ExternalAuth left things lying around which
are messing with RT’s authentication process. I’d recommend fully
removing the files it installed and seeing how things look then.
In particular, I’d remove things from /opt/rt3/local

-j

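A check that could be run after cleaning up a half-installed extension as recommended in the thread (an added example, not code from the thread or from RT): it lists overlay modules under RT's local directory that redefine the password checks seen in the stack trace, plus the leftover Authen-ExternalAuth directory the poster mentions. The function names and the sample tree are constructed for illustration; the `_Vendor.pm` / `_Local.pm` suffixes are assumed from RT 3.x overlay naming.

```shell
#!/bin/sh
# Added example: audit an RT local/ tree for overlay modules that redefine
# password checks. The *_Vendor.pm / *_Local.pm suffixes are assumed from RT 3.x
# overlay naming; the sample tree below is constructed, not real RT code.

# Print one finding per line: "path:method" for each overlay under "$1/lib"
# that defines a password check, then the leftover extension config directory.
audit_rt_local() {
    if [ -d "$1/lib" ]; then
        find "$1/lib" -type f \( -name '*_Vendor.pm' -o -name '*_Local.pm' \) |
        sort |
        while IFS= read -r f; do
            for m in IsPassword IsExternalPassword; do
                if grep -Eq "^[[:space:]]*sub[[:space:]]+$m([^A-Za-z0-9_]|\$)" "$f"; then
                    printf '%s:%s\n' "$f" "$m"
                fi
            done
        done
    fi
    if [ -d "$1/etc/Authen-ExternalAuth" ]; then
        printf '%s:leftover-config-dir\n' "$1/etc/Authen-ExternalAuth"
    fi
    return 0
}

# Return 1 and report on stderr when anything was found, so the check can
# gate a deployment step or a scheduled job.
check_rt_local() {
    hits=$(audit_rt_local "$1")
    [ -z "$hits" ] && return 0
    printf 'review before trusting logins on this RT:\n%s\n' "$hits" >&2
    return 1
}

# Build a constructed sample tree that mimics a half-finished install.
make_sample_tree() {
    mkdir -p "$1/lib/RT" "$1/etc/Authen-ExternalAuth"
    printf 'package RT::User;\nsub IsExternalPassword { }\nsub IsPassword { }\n1;\n' \
        > "$1/lib/RT/User_Vendor.pm"
    printf 'package RT::Ticket;\nsub Helper { }\n1;\n' > "$1/lib/RT/Ticket_Local.pm"
}

# Demo on the constructed tree only; nothing outside the temp directory is read.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
check_rt_local "$demo_dir" || echo "exit status 1: overrides present"
rm -rf "$demo_dir"
```

On a real host the argument would be the local directory from the thread, for example `check_rt_local /opt/rt3/local`.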