CALLING EXTERNALAUTH TESTERS - v0.07_01 now available

To all you loving testers out there, I’ve been working my wedding
vegetables off trying to get a new completely refactored (and, more
importantly, working) version of RT::Authen::ExternalAuth out to you and
the first beta is now complete and attached to this e-mail.

It’s also available from the SVN trunk and has been uploaded to CPAN,
but might take time to propagate.

I implore you to test this out as soon as possible and let me and Kevin
know of any and all problems encountered.

Thanks all.

Bear in mind, given that 99% of people use it for LDAP rather than DBI
authentication, at the moment DBI auth is completely untested and
assuredly broken - but LDAP should work fine now.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

RT-Authen-ExternalAuth-0.07_01.tar.gz (34.8 KB)

wedding vegetables? :smiley:

Mike,
I’ll test it ASAP. Can I install over top of the old version or do I need to
remove it? What is the recommended uninstall method?

Aaron

Aaron Zuercher wrote:

> wedding vegetables? :smiley:

Yes. :slight_smile:

> Mike,
> I’ll test it ASAP. Can I install over top of the old version or do I
> need to remove it? What is the recommended uninstall method?

Over the top is fine. User_Vendor.pm is still there, but has been
reduced to almost nothing. All the functionality has been moved out to:
lib/RT/Authen/ExternalAuth.pm
lib/RT/Authen/ExternalAuth/LDAP.pm
lib/RT/Authen/ExternalAuth/DBI.pm

Uninstallation is a manual affair I’m afraid. For RT-3.6.x you basically
need to remove every file detailed in the MANIFEST file, but for
RT-3.8.x you should just be able to remove the
local/plugins/RT-Authen-ExternalAuth directory.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

I’m still getting the same error:
Can’t call method “SetDisabled” on an undefined value at
/opt/rt3/bin/…/lib/RT/User_Overlay.pm line 1087.

I installed over the top and received that error. So then I removed the
RT_AUTH dir from the plugins folder and reinstalled again. Same error.
Here is what the rt.log shows (looks promising):

[Thu Nov 6 22:16:48 2008] [error]: Working around bug in RT and reloading
RT::User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Thu Nov 6 22:16:57 2008] [error]: Working around bug in RT and reloading
RT::User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Thu Nov 6 22:16:57 2008] [debug]: $pass defined (slinky), Running
IsPassword
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Thu Nov 6 22:16:57 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:16:57 2008] [debug]: Trying External Authentication (
mccartyj )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:24)
[Thu Nov 6 22:16:57 2008] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:150)
[Thu Nov 6 22:16:57 2008] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:13)
[Thu Nov 6 22:16:57 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(cn=mccartyj)(objectclass=Person)) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:40)
[Thu Nov 6 22:16:57 2008] [debug]: Found LDAP DN:
cn=McCartyJ,ou=Users,o=Dist86
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:72)
[Thu Nov 6 22:16:57 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (member=cn=McCartyJ,ou=Users,o=Dist86) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:97)
[Thu Nov 6 22:16:57 2008] [warning]: Use of uninitialized value in join or
string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:136)
[Thu Nov 6 22:16:57 2008] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth
External Auth OK ( My_LDAP ):
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:136)
[Thu Nov 6 22:16:57 2008] [debug]: RT::User::IsPassword EXTERNAL AUTH OKAY
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:26)
[Thu Nov 6 22:16:57 2008] [debug]: UserExists params:
username: mccartyj , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271)
[Thu Nov 6 22:16:57 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(cn=mccartyj)) == Attrs:
l,givenName,st,mail,uid,co,ou,postalCode,telephoneNumber,cn,o,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301)
[Thu Nov 6 22:16:57 2008] [debug]: UserExists params:
username: mccartyj , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271)
[Thu Nov 6 22:16:57 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(cn=mccartyj)) == Attrs:
l,givenName,st,mail,uid,co,ou,postalCode,telephoneNumber,cn,o,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301)
[Thu Nov 6 22:16:57 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(employmentStatus=Terminated)(cn=mccartyj)) ==
Attrs: uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:395)
[Thu Nov 6 22:16:57 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:16:58 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:16:58 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:16:58 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:16:58 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:16:58 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:16 2008] [error]: Working around bug in RT and reloading
RT::User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Thu Nov 6 22:17:16 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:16 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:17:19 2008] [error]: Working around bug in RT and reloading
RT::User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Thu Nov 6 22:17:19 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:19 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:17:20 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:20 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:17:20 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:23 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:23 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:17:23 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:23 2008] [error]: Group::HasMember was called with an
argument that isn’t an RT::Principal or id. It’s (undefined)
(/opt/rt3/bin/…/lib/RT/Group_Overlay.pm:1031)
[Thu Nov 6 22:17:23 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:40 2008] [error]: Working around bug in RT and reloading
RT::User
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:12)
[Thu Nov 6 22:17:48 2008] [debug]: $pass defined (slinky), Running
IsPassword
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:69)
[Thu Nov 6 22:17:48 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)
[Thu Nov 6 22:17:48 2008] [debug]: Trying External Authentication (
mccartyj )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:24)
[Thu Nov 6 22:17:48 2008] [debug]: Attempting to use external auth service:
My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:150)
[Thu Nov 6 22:17:48 2008] [debug]: Trying external auth service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:13)
[Thu Nov 6 22:17:48 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(cn=mccartyj)(objectclass=Person)) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:40)
[Thu Nov 6 22:17:48 2008] [debug]: Found LDAP DN:
cn=McCartyJ,ou=Users,o=Dist86
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:72)
[Thu Nov 6 22:17:48 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (member=cn=McCartyJ,ou=Users,o=Dist86) == Attrs: dn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:97)
[Thu Nov 6 22:17:48 2008] [warning]: Use of uninitialized value in join or
string at /usr/lib/perl5/site_perl/5.8.8/Log/Dispatch.pm line 22.
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:136)
[Thu Nov 6 22:17:48 2008] [info]: RT::Authen::ExternalAuth::LDAP::GetAuth
External Auth OK ( My_LDAP ):
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:136)
[Thu Nov 6 22:17:48 2008] [debug]: RT::User::IsPassword EXTERNAL AUTH OKAY
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:26)
[Thu Nov 6 22:17:48 2008] [debug]: UserExists params:
username: mccartyj , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271)
[Thu Nov 6 22:17:48 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(cn=mccartyj)) == Attrs:
l,givenName,st,mail,uid,co,ou,postalCode,telephoneNumber,cn,o,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301)
[Thu Nov 6 22:17:48 2008] [debug]: UserExists params:
username: mccartyj , service: My_LDAP
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271)
[Thu Nov 6 22:17:48 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(cn=mccartyj)) == Attrs:
l,givenName,st,mail,uid,co,ou,postalCode,telephoneNumber,cn,o,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301)
[Thu Nov 6 22:17:48 2008] [debug]: LDAP Search === Base: o=dist86 ==
Filter: (&(objectclass=Person)(employmentStatus=Terminated)(cn=mccartyj)) ==
Attrs: uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:395)
[Thu Nov 6 22:17:48 2008] [crit]: User #13 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)


Aaron Zuercher wrote:

> I’m still getting the same error:
> Can’t call method “SetDisabled” on an undefined value at
> /opt/rt3/bin/…/lib/RT/User_Overlay.pm line 1087.
>
> I installed over the top and received that error. So then I removed the
> RT_AUTH dir from the plugins folder and reinstalled again. Same
> error. Here is what the rt.log shows (looks promising):

Can you take a look at your database’s Users table and keep an eye out
for any users whose principal ID has been set to #13?

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Mike Peachey wrote:

> Aaron Zuercher wrote:
>
> > I’m still getting the same error:
> > Can’t call method “SetDisabled” on an undefined value at
> > /opt/rt3/bin/…/lib/RT/User_Overlay.pm line 1087.
> >
> > I installed over the top and received that error. So then I removed the
> > RT_AUTH dir from the plugins folder and reinstalled again. Same
> > error. Here is what the rt.log shows (looks promising):
>
> Can you take a look at your database’s Users table and keep an eye out
> for any users whose principal ID has been set to #13?

Also, if you can pop in to the rt IRC channel to try to work through it
I think it would help us both a lot as you need your database fixing and
I need to discover exactly what’s happened so I can post instructions
for everyone else for fixing their database.

irc.perl.org
#rt
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Database is empty. This is a fresh install on new server.


Mike thank you very much for working so hard on this issue.
I am happy to report that the new version does now work for SelfService
(for me)

Just an FYI for others stuck authenticating against Novell eDir and
using the lame non-password ldap_proxy accounts I had to make the
changes you were thinking about (sorry for the lack of a proper diff file):
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm

    # Authenticate to the LDAP server with user name and password if supplied.
    # If no password was supplied, do not pass a null one; bind anonymously
    # if nothing was supplied.
    if (($ldap_user) and ($ldap_pass)) {
        $msg = $ldap->bind($ldap_user, password => $ldap_pass);
    } elsif (($ldap_user) and ( ! $ldap_pass)) {
        $msg = $ldap->bind($ldap_user);
    } else {
        $msg = $ldap->bind;
    }

RHEL5
RT 3.8.1
ExternalAuth 0.0.7_01
CookieAuth
EmailCompletion

John McCoy, Jr
Sr. Systems and Network Administrator
Enterprise Technology Services
Golden Gate University
415-442-6560

John McCoy wrote:

> Mike thank you very much for working so hard on this issue.
> I am happy to report that the new version does now work for SelfService
> (for me)
>
> Just an FYI for others stuck authenticating against Novell eDir and
> using the lame non-password ldap_proxy accounts I had to make the
> changes you were thinking about (sorry for the lack of a proper diff file):
> /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm
>
>     # Authenticate to the LDAP server with user name and password if supplied.
>     # If no password was supplied, do not pass a null one; bind anonymously
>     # if nothing was supplied.
>     if (($ldap_user) and ($ldap_pass)) {
>         $msg = $ldap->bind($ldap_user, password => $ldap_pass);
>     } elsif (($ldap_user) and ( ! $ldap_pass)) {
>         $msg = $ldap->bind($ldap_user);
>     } else {
>         $msg = $ldap->bind;
>     }

I have committed this change to trunk. When 0.07 comes out as a ratified
version, this will be included.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

I do have an additional issue now that I have had a few more testers try
this:
Most of our non-privileged users do already exist in RT as they have
been auto added when they were added as requesters on a ticket, this has
created their accounts as such:

Username: user@ggu.edu
Email: user@ggu.edu
Real Name: user@ggu.edu

I think this is causing a problem for ExternalAuth as it tries to create
a new user with Username: user but then fails as the email address is
already in use. I did a query and I have several hundred users like this,
I am upgrading from 3.6.6 FYI.

I’m thinking it might be best to create some sql to remove the
"@ggu.edu" from all user names rather than try to modify the add user
code to look for both user and user@ggu.edu

Thoughts anyone?

LOG:

[Fri Nov 7 18:16:35 2008] [debug]: UserExists params:
username: fmulder , service: camstr
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271)
[Fri Nov 7 18:16:35 2008] [debug]: LDAP Search === Base: o=ggu ==
Filter: (&(objectClass=Person)(cn=fmulder)) == Attrs:
,fullName,mail,cn,telephoneNumber,cn,ou,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301)
[Fri Nov 7 18:16:35 2008] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 87
with: Disabled: 0, EmailAddress: , Gecos: fmulder, Name: fmulder,
Privileged: 0
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:257)
[Fri Nov 7 18:16:35 2008] [debug]: Attempting to get user info using
this external service: camstr
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:265)
[Fri Nov 7 18:16:35 2008] [debug]: Attempting to use this
canonicalization key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:274)
[Fri Nov 7 18:16:35 2008] [debug]: LDAP Search === Base: o=ggu ==
Filter: (&(objectClass=Person)(cn=fmulder)) == Attrs:
,fullName,mail,cn,telephoneNumber,cn,ou,cn
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:192)
[Fri Nov 7 18:16:35 2008] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: ,
City: , Country: , Disabled: 0, EmailAddress: fmulder@ggu.edu,
ExternalAuthId: fmulder, Gecos: fmulder, Name: fmulder, Organization:
Enterprise Technology Services, Privileged: 0, RealName: Fox Mulder,
State: , WorkPhone: 415-442-7231, Zip:
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:338)
[Fri Nov 7 18:16:35 2008] [error]: Couldn’t create user fmulder: Email
address in use
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:47)
[Fri Nov 7 18:16:35 2008] [error]: FAILED LOGIN for fmulder from
10.3.32.51 (/opt/rt3/share/html/autohandler:265)

John McCoy, Jr
Sr. Systems and Network Administrator
Enterprise Technology Services
Golden Gate University
415-442-6560

John McCoy wrote:

> I do have an additional issue now that I have had a few more testers try
> this:
> Most of our non-privileged users do already exist in RT as they have
> been auto added when they were added as requesters on a ticket, this has
> created their accounts as such:
>
> Username: user@ggu.edu
> Email: user@ggu.edu
> Real Name: user@ggu.edu
>
> I think this is causing a problem for ExternalAuth as it tries to create
> a new user with Username: user but then fails as the email address is
> already in use. I did a query and I have several hundred users like this,
> I am upgrading from 3.6.6 FYI.
>
> I’m thinking it might be best to create some sql to remove the
> "@ggu.edu" from all user names rather than try to modify the add user
> code to look for both user and user@ggu.edu
>
> Thoughts anyone?

This has always been a difficult one.

I could have it like this: Lookup user, load user info, check e-mail
address, if address in use, overwrite previous user with new details -
but this could cause some serious issues.

As you suggest, it may simply be better to leave it to the individual
administrator to decide whether to clean up the users database as each
one comes up or via a scripted change.

Since ExternalAuth has been refactored, I could add an Overlay to have
ExternalAuth checked for info when a user is auto-created by e-mail and
have the info loaded then. It wouldn’t help past users, but would help
future users that start by e-mail and then login.

I could have it periodically do a complete pull from LDAP and create
users in RT for all users in LDAP, but that could complicate things
later on for certain users.

As I said, I’m really not sure how best to deal with it.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
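
The scripted clean-up discussed above, sketched as an added example (not code from this thread or from RT::Authen::ExternalAuth): it plans the rename of autocreated `user@ggu.edu` accounts to `user` and sets aside any whose short name is already taken instead of overwriting them. The `Users` table is a constructed in-memory stand-in holding only the `Name`, `EmailAddress` and `RealName` fields seen in the log; the function names and sample rows are assumptions.

```python
import sqlite3

DOMAIN = "ggu.edu"  # mail domain used in the thread


def make_sample_db():
    """Constructed stand-in for RT's Users table (only the fields used here)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT UNIQUE, "
        "EmailAddress TEXT, RealName TEXT)"
    )
    db.executemany(
        "INSERT INTO Users (id, Name, EmailAddress, RealName) VALUES (?, ?, ?, ?)",
        [
            # Autocreated from ticket requesters: all three fields are the address.
            (101, "fmulder@ggu.edu", "fmulder@ggu.edu", "fmulder@ggu.edu"),
            (102, "dscully@ggu.edu", "dscully@ggu.edu", "dscully@ggu.edu"),
            # Short name already exists, so renaming 102 would collide.
            (103, "dscully", "", "Dana Scully"),
            # Requester from another domain: must not be touched.
            (104, "outsider@example.org", "outsider@example.org", "outsider@example.org"),
            # Already a short name with a separate address: nothing to do.
            (105, "wskinner", "wskinner@ggu.edu", "Walter Skinner"),
        ],
    )
    db.commit()
    return db


def plan_renames(db, domain=DOMAIN):
    """Dry run: return (safe, conflicts) lists of (id, old_name, new_name)."""
    suffix = "@" + domain.lower()
    taken = {
        row[0].lower()
        for row in db.execute("SELECT Name FROM Users WHERE Name IS NOT NULL")
    }
    safe, conflicts = [], []
    rows = db.execute(
        "SELECT id, Name FROM Users "
        "WHERE lower(Name) = lower(EmailAddress) ORDER BY id"
    ).fetchall()
    for user_id, name in rows:
        if not name.lower().endswith(suffix):
            continue  # not an autocreated account in our domain
        short = name[: -len(suffix)]
        if not short or short.lower() in taken:
            # Renaming would merge two identities; leave it for a human.
            conflicts.append((user_id, name, short))
        else:
            taken.add(short.lower())
            safe.append((user_id, name, short))
    return safe, conflicts


def apply_renames(db, safe):
    """Apply the planned renames in one transaction; return rows changed."""
    changed = 0
    with db:  # commits on success, rolls back if any statement fails
        for user_id, old, new in safe:
            cur = db.execute(
                # Guard on the old name so a row edited since planning is skipped.
                "UPDATE Users SET Name = ? WHERE id = ? AND Name = ?",
                (new, user_id, old),
            )
            changed += cur.rowcount
    return changed


if __name__ == "__main__":
    db = make_sample_db()
    safe, conflicts = plan_renames(db)
    for user_id, old, new in safe:
        print(f"rename   #{user_id}: {old} -> {new}")
    for user_id, old, new in conflicts:
        print(f"conflict #{user_id}: {old} (name '{new}' already in use)")
    print("rows changed:", apply_renames(db, safe))
```

The conflict list is the part that needs a decision per account, which is the "serious issues" case of overwriting an existing user raised in the reply above.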

Good points Mike, I did not think about the fact that future users can
still get added as user@ggu.edu if they first are just a requester, this
would mean I either need a constant process to “fix” these or as you
suggest:

> Since ExternalAuth has been refactored, I could add an Overlay to have
> ExternalAuth checked for info when a user is auto-created by e-mail and
> have the info loaded then. It wouldn’t help past users, but would help
> future users that start by e-mail and then login.

I am thinking this might be best, I have a few more days before my next
major project kicks off, meaning I have some time to give back to RT.
Would you like to do this as part of LDAP.pm or externally? Give me some
guidelines and I will see what I can come up with.

John McCoy, Jr
Sr. Systems and Network Administrator
Enterprise Technology Services
Golden Gate University
415-442-6560

John McCoy wrote:

> Good points Mike, I did not think about the fact that future users can
> still get added as user@ggu.edu if they first are just a requester, this
> would mean I either need a constant process to “fix” these or as you
> suggest:
>
> > Since ExternalAuth has been refactored, I could add an Overlay to have
> > ExternalAuth checked for info when a user is auto-created by e-mail and
> > have the info loaded then. It wouldn’t help past users, but would help
> > future users that start by e-mail and then login.
>
> I am thinking this might be best, I have a few more days before my next
> major project kicks off, meaning I have some time to give back to RT.
> Would you like to do this as part of LDAP.pm or externally? Give me some
> guidelines and I will see what I can come up with.

Having thought about this (and had some sleep) since… I realised that,
as far as I know, ExternalAuth already looks up external user info
when a user is autocreated by email because when the user is created
CanonicalizeUserInfo is called which is overridden by ExternalAuth and
so goes off to find the user’s info based on their email address… Can
you confirm this?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com

Mike Peachey wrote:

> John McCoy wrote:
>
> > Good points Mike, I did not think about the fact that future users can
> > still get added as user@ggu.edu if they first are just a requester, this
> > would mean I either need a constant process to “fix” these or as you
> > suggest:
> >
> > > Since ExternalAuth has been refactored, I could add an Overlay to have
> > > ExternalAuth checked for info when a user is auto-created by e-mail and
> > > have the info loaded then. It wouldn’t help past users, but would help
> > > future users that start by e-mail and then login.
> >
> > I am thinking this might be best, I have a few more days before my next
> > major project kicks off, meaning I have some time to give back to RT.
> > Would you like to do this as part of LDAP.pm or externally? Give me some
> > guidelines and I will see what I can come up with.
>
> Having thought about this (and had some sleep) since… I realised that,
> as far as I know, ExternalAuth already looks up external user info
> when a user is autocreated by email because when the user is created
> CanonicalizeUserInfo is called which is overridden by ExternalAuth and
> so goes off to find the user’s info based on their email address… Can
> you confirm this?

I would look into this deeper myself, but right now I’m back to barely
having enough time to wipe my own nose.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com