RT-Authen-ExternalAuth-0.09 a bit too eager?

Iulian_Dragan · December 15, 2011, 2:18pm

Hello,
I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice a strange behaviour of RT-Authen-ExternalAuth -0.09.

The authentication works fine, however, the login page gets redirected straight away here:

http://rt.address.com/NoAuth/Login.html?next=xxxxxx&results=xxxxxxx

With the error message: “You are not an authorized user”.
That is, this is what I see instead of the normal login page.
This is what the log says:

[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)

Is this to be expected? Or am I missing something? Because in the old version there was no redirection and no error messages.
I dug a little bit and found a “fix”, but it seems a bit heavy handed (if not plain wrong).
It involves modifiying …/html/Callbacks/ExternalAuth/autohandler/Session from this:
<%init>

$m->comp(‘/Elements/DoAuth’,%ARGS);
…

to this:

<%init>
if($ARGS{‘user’} || $m->request_comp->path ne ‘/index.html’){
$m->comp(‘/Elements/DoAuth’,%ARGS);
}
…

That is, try to authenticate me only if I provided an username or if I am trying to access something else than the login page(well…).
Here’s the relevant part of RT_SiteConfig:

Set($WebExternalAuth , ‘1’);

Set($WebFallbackToInternalAuth , ‘1’);
Set($WebExternalAuto , ‘1’);
Set($ExternalAuthPriority, [ ‘AD’ ]);
Set($ExternalInfoPriority, [ ‘AD’ ]);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { ‘AD’ => {
‘type’ => ‘ldap’,
…
}
});

And httpd.conf:
<VirtualHost *:80>

ServerName xxx
KeepAlive On
AddDefaultCharsetUTF-8

LogLevel debug
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i" %{X-Forwarded-For}i " combined
ErrorLog /opt/rt/var/log/error_log
CustomLog /opt/rt/var/log/access_log common env=!dontlog

Alias /NoAuth/images/ /opt/rt/share/html/NoAuth/images/
ScriptAlias / /opt/rt/sbin/rt-server.fcgi/
DocumentRoot /opt/rt/share/html

Order allow,deny Allow from all Options +ExecCGI AddHandlerfastcgi-script fcgi SetHandler default-handler

Thanks,
Iulian

Kevin_Falcone · December 15, 2011, 11:53pm

Hello,
I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice a
strange behaviour of RT-Authen-ExternalAuth -0.09.
The authentication works fine, however, the login page gets redirected straight away here:
http://rt.address.com/NoAuth/Login.html?next=xxxxxx&results=xxxxxxx
With the error message: “You are not an authorized user”.
That is, this is what I see instead of the normal login page.
This is what the log says:
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
Is this to be expected? Or am I missing something? Because in the old version there was no
redirection and no error messages.

RT4 redirects on login attempt (to the login form) and those are the
debug messages you get with RT-Authen-ExternalAuth.

Set($WebExternalAuth , ‘1’);
Set($WebFallbackToInternalAuth , ‘1’);
Set($WebExternalAuto , ‘1’);

I’m not sure why you have those set since you aren’t doing any Apache
authentication.

The message you quote only comes about if you have
WebExteralAuth turned on and either have WebExternalOnly set or have
WebExternalFallbackToInternalAuth set and have a session that’s
invalid.

Try turning off the options you’re not using

-kevin

Iulian_Dragan · December 16, 2011, 12:11pm

Thank you Kevin, I got rid of those parameters and everything is now fine.

Best regards,
Iulian