Is a time zone user preference available?

Kevin_Falcone · May 3, 2011, 3:19pm

Thanks once again for all of the input, IE is indeed the primary browser
here, but we do have users using Mozilla Firefox 4 as well. I have tried
logging in within FF4, and I get the same errors as I do in IE. I think
that there is some basic link not taking place between IE(FF4) and RT
(RT::Auth*), which is interesting (or rather odd) since as I mentioned
before, I am able to login using LDAP directly (though unable I may be
of passing the SSO check itself). I read on a previous message that
RT::Auth* was now at 0.08_02 (not sure if this is correct)? Perhaps I
should use this version with RT 3.89 and see if this fixes the issue.

You mentioned mod_auth_kerb, and I actually do have mod_auth_kerb
installed for Apache2, so I’m thinking this could be another likely way
to go (would this work for FF4 as well?). I’ve also used Likewise Open
to physically join the server to our primary domain controller, but this
has not made much of a difference (yet) - although I am sure that a
separate connector has to probably be setup within Likewise for RT (but
I am at the moment not familiar with this option). As another feasible
option for SSO, would it be better to just use an AD synchronized
OpenLDAP server, using something like a DBI Authentication module?

RT::Authen::ExternalAuth does not provide transparent SSO using spnego
What you’re seeing in the logs is the support for cookie based SSO

If you want to tie IE or a kerberized FF to an AD server using windows
SSO, you want mod_auth_kerb

-kevin

Eli_Guzman · May 4, 2011, 4:44pm

Thanks for the information Raphaël. I am using 0.8_01, but I am having some issues getting FF4 to work properly with it (as far as SSO is concerned). I may just wait for the next release of RT::Authen:ExternalAuth, and see if this fixes the issue. Thanks once more for your reply :).

Regards,
–EliFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Raphaël MOUNEYRES
Sent: Tuesday, May 03, 2011 8:25 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Is a time zone user preference available?

In fact it does work with FF4, even if the same “SSO Failed and no user to test with. Nexting” message appears in my logs… i’m just living with it
my version of RT::Authen:ExternalAuth is 0.08 running on a Mandriva 2010
i have not tested with later versions of authen plugin (maybe i should)

Raphaël

“Eli Guzman” eguzman@cvimellesgriot.com

02/05/2011 20:06

A
Raphaël MOUNEYRES raphael.mouneyres@sagemcom.com, rt-users@lists.bestpractical.com
cc

Objet
RE: [rt-users] Is a time zone user preference available?

Thanks for the information Raphaël. I have tried SSO with Firefox 4 as well, and the LDAP authentication piece works but I have been unable to get the SSO piece working properly. Same error gets generated in FF4 as it does in IE8:

[Mon May 2 16:16:37 2011] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-uthen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon May 2 16:16:37 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authn-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon May 2 16:16:37 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugns/RT-Authen-ExternalAuth/html/Elements/DoAuth:26)

I am running 3.8.9 rather than 3.8.8, so that may be the key difference (besides being on RHEL 5.6). If you don’t mind me asking what version of RT::Authen:ExternalAuth are you currently running (and on what server platform)? Not sure if you are on an earlier/later version, but if you are on a later version this may be useful information, as I may just need to upgrade it.

Thanks,
Eli

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Raphaël MOUNEYRES
Sent: Monday, May 02, 2011 1:31 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Is a time zone user preference available?

Hi,

Just to recap: LDAP authentication works, the SSO piece (the automatic
logon into the interface) fails.

on my RT 3.8.8, the only Way to have SSO working is to use firefox (wich writes the cookie corerctly)
I’ve not been able to have Internet Explorer write the cookie, so i’m using firefox 4.0.

Raphaël

" Ce courriel et les documents qui lui sont joints peuvent contenir des
informations confidentielles ou ayant un caractère privé. S’ils ne vous sont
pas destinés, nous vous signalons qu’il est strictement interdit de les
divulguer, de les reproduire ou d’en utiliser de quelque manière que ce
soit le contenu. Si ce message vous a été transmis par erreur, merci d’en
informer l’expéditeur et de supprimer immédiatement de votre système
informatique ce courriel ainsi que tous les documents qui y sont attachés."

" This e-mail and any attached documents may contain confidential or
proprietary information. If you are not the intended recipient, you are
notified that any dissemination, copying of this e-mail and any attachments
thereto or use of their contents by any means whatsoever is strictly
prohibited. If you have received this e-mail in error, please advise the
sender immediately and delete this e-mail and all attached documents
from your computer system."

Eli_Guzman · May 4, 2011, 4:47pm

[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin
Falcone Sent: Tuesday, May 03, 2011 9:20 AM To:
rt-users@lists.bestpractical.com Subject: Re: [rt-users] Is a time zone
user preference available?

Thanks once again for all of the input, IE is indeed the primary
browser here, but we do have users using Mozilla Firefox 4 as well. I
have tried logging in within FF4, and I get the same errors as I do
in
IE. I think that there is some basic link not taking place between
IE(FF4) and RT (RT::Auth*), which is interesting (or rather odd)
since
as I mentioned before, I am able to login using LDAP directly (though
unable I may be of passing the SSO check itself). I read on a
previous
message that
RT::Auth* was now at 0.08_02 (not sure if this is correct)? Perhaps I
should use this version with RT 3.89 and see if this fixes the issue.

You mentioned mod_auth_kerb, and I actually do have mod_auth_kerb
installed for Apache2, so I’m thinking this could be another likely
way to go (would this work for FF4 as well?). I’ve also used Likewise
Open to physically join the server to our primary domain controller,
but this has not made much of a difference (yet) - although I am sure
that a separate connector has to probably be setup within Likewise
for
RT (but I am at the moment not familiar with this option). As another
feasible option for SSO, would it be better to just use an AD
synchronized OpenLDAP server, using something like a DBI
Authentication module?

RT::Authen::ExternalAuth does not provide transparent SSO using
spnego What you’re seeing in the logs is the support for cookie based
SSO

If you want to tie IE or a kerberized FF to an AD server using
windows SSO, you want mod_auth_kerb

-kevin

Thanks for the reply Kevin, I am looking at configuring mod-auth-kerb.
Should I yield any positive results, I’ll make sure to post a follow up
to the list.

–Eli