RT::Authen::ExternalAuth (?) issue

Hello all,

Running RT 3.8.2 with RT::Authen::ExternalAuth 0.08. RT was just
upgraded (from 3.6.6) and I have added LDAP authentication (users were
all internal before).

I’m seeing a situation where from time to time the user will be
(apparently) logged out and returned to the login screen. When this
happens I see the following in the rt.log:

[Wed May 6 13:31:14 2009] [debug]: Attempting to use external auth
service: LDAP
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed May 6 13:31:14 2009] [debug]: SSO Failed and no user to test with.
Nexting
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed May 6 13:31:14 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Wed May 6 13:31:16 2009] [debug]: Attempting to use external auth
service: LDAP
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed May 6 13:31:16 2009] [debug]: SSO Failed and no user to test with.
Nexting
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed May 6 13:31:16 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

Re-authenticating as the same user always succeeds.

From RT_SiteConfig.pm:

Set($LogToSyslog , undef);
Set($LogToScreen , 'error');
Set($LogToFile , 'debug');
Set($LogDir, '/usr/local/rt3/var/log');
Set($LogToFileNamed , "rt.log"); #log to rt.log

Set(@Plugins, qw(
RT::Authen::ExternalAuth
RT::FM
RT::Extension::ExtractCustomFieldValues
));

see /usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/etc:

Set( $ExternalAuthPriority, ['LDAP'] );
Set( $ExternalInfoPriority, ['LDAP'] );
Set( $ExternalServiceUsesSSLorTLS, 0 );
Set(
    $ExternalSettings,
    {
        'LDAP' => {
            'type' => 'ldap',
            'server' => 'ldap.xxxxx.org',
            'base' => 'ou=people,dc=xxxxx,dc=org',
            'filter' => '(objectClass=posixAccount)',
            'd_filter' => '(businessCategory=Inactive)',
            'attr_match_list' => [ 'Name', 'EmailAddress' ],
            'attr_map' => {
                'Name' => 'uid',
                'EmailAddress' => 'mail',
                'Organization' => 'o',
                'RealName' => 'cn',
                'ExternalAuthId' => 'uid',
                'Gecos' => 'cn',
                'WorkPhone' => 'telephoneNumber',
                'Address1' => 'streetAddress',
                'City' => 'l',
                'State' => 'st',
                'Zip' => 'postalCode',
                'Country' => 'co'
            }
        }
    }
);

1;

The LDAP server is SunOne DS 6.2, btw.

Any thoughts on what’s going on here? Thanks for your assistance.

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran@mdibl.org

Wed 06 May 2009 14:59:22 GMT
Roy McMorran wrote:

Hello all,

Running RT 3.8.2 with RT::Authen::ExternalAuth 0.08. RT was just
upgraded (from 3.6.6) and I have added LDAP authentication (users were
all internal before).

I’m seeing a situation where from time to time the user will be
(apparently) logged out and returned to the login screen. When this
happens I see the following in the rt.log:

Do you find this happening when you go to access a ticket?

I have always had a similar problem, but have never had a chance to sort
it out as it’s only really a niggle to me.

I find that it’s almost like there are two separate sections to RT, one
based around the At a Glance page and one based around display of an
individual ticket, sometimes after logging in and viewing At a Glance, I
have to re-authenticate when going to view a ticket. Also, Firefox’s
autocomplete suggestions for the username box are different for one than
they are for the other.

Any of this sounding familiar?
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

I have the opposite of accidental-reply-all disease.

On Wed, May 6, 2009 at 9:59 AM, Roy McMorran mcmorran@mdibl.org wrote:

Hello all,

I’m seeing a situation where from time to time the user will be
(apparently) logged out and returned to the login screen. When this
happens I see the following in the rt.log:

(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed May 6 13:31:14 2009] [debug]: SSO Failed and no user to test with.
Nexting

(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed May 6 13:31:14 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)

SSO refers to single sign-on, doesn’t it? I think that’s incidental to
what’s happening.
The rest of it looks like rt forgot who your user was. “No user to test
with” and “0, No User” seems to support this. Is this happening after user
is idle for a while? Do they not have “refresh every blah” set on the page?

I always have the 2-minutes refresh on, and this seems to infinitely
postpone my auth timing out.

/chown -R us:us /yourbase

Mike Peachey wrote:

Do you find this happening when you go to access a ticket?

I have always had a similar problem, but have never had a chance to sort
it out as it’s only really a niggle to me.

I’ve yet to establish a definitive pattern, but I seem to be able to get
it to happen by doing a search on the “Tickets” page. After I log back
in I get the search results :wink:

Also going to “Tickets” and then back to “Home” will trigger it.

Any of this sounding familiar?

There are similarities.

Rob Munsch wrote:

SSO refers to single sign-on, doesn’t it? I think that’s incidental
to what’s happening.

Probably so. I’m not (knowingly) using the SSO feature.

The rest of it looks like rt forgot who your user was. “No user to
test with” and “0, No User” seems to support this. Is this happening
after user is idle for a while? Do they not have “refresh every blah”
set on the page?

It does look like that. The idle time isn’t the issue though, unless
I’ve somehow inadvertently set an idle timeout of less than five
seconds :wink:

Thanks for the feedback so far. I’m thinking of watching the LDAP
traffic with Wireshark next.

Cheers,
-r

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran@mdibl.org

Wed 06 May 2009 16:06:28 GMT
Roy McMorran wrote:

Rob Munsch wrote:

SSO refers to single sign-on, doesn’t it? I think that’s incidental
to what’s happening.

Probably so. I’m not (knowingly) using the SSO feature.

SSO is the cookie stuff integrated from RT::Authen::CookieAuth. I
haven’t had time to double-check, but you can probably ignore the output
as it should just be a debug message advising it entered the loop to
check for SSO and dropped out without finding it.

The rest of it looks like rt forgot who your user was. “No user to
test with” and “0, No User” seems to support this. Is this happening
after user is idle for a while? Do they not have “refresh every blah”
set on the page?

It does look like that. The idle time isn’t the issue though, unless
I’ve somehow inadvertently set an idle timeout of less than five
seconds :wink:

Yeah, I think idle time would be a red herring.

Thanks for the feedback so far. I’m thinking of watching the LDAP
traffic with Wireshark next.

You can give it a whirl, but I think all you’ll find is a lack of
traffic, if it was trying to check LDAP it would succeed. The problem
will be that somewhere, somehow either:

  1. The session cookie is dying
  2. Somehow there are two fighting session cookies

Will look into it when I can myself, but I’m up to my eyeballs in work atm.
Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Wed 06 May 2009 16:06:28 GMT
Roy McMorran wrote:

Stuff…

Just one thing Roy, when you did your upgrade to 3.8.2 can you confirm
for absolute certainty that you ran the 4.0->4.1 schema upgrade bit from
UPGRADING.mysql ? (It’s a common bit people don’t do because it looks
like it’s only meant for MySQL4.0 users, but it’s actually meant for
EVERYONE).

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Mike Peachey wrote:

Just one thing Roy, when you did your upgrade to 3.8.2 can you confirm
for absolute certainty that you ran the 4.0->4.1 schema upgrade bit from
UPGRADING.mysql ?

Interesting. I did follow the schema upgrade process, but I have
subsequently had to re-import the RT data. There are no "drop table"s
in the dump, but still, I’d better take a closer look at that.

Thanks,
-r

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran@mdibl.org

Roy McMorran wrote:

Mike Peachey wrote:

Just one thing Roy, when you did your upgrade to 3.8.2 can you confirm
for absolute certainty that you ran the 4.0->4.1 schema upgrade bit from
UPGRADING.mysql ?

Interesting. I did follow the schema upgrade process, but I have
subsequently had to re-import the RT data. There are no "drop table"s
in the dump, but still, I’d better take a closer look at that.

Thanks,
-r

Mike, I think you hit the nail right on the head. I had to re-run the
schema upgrade (i.e. all the ALTER TABLE statements that updated the
character sets). Since then I haven’t seen any spurious login requests.

Nothing at all to do with LDAP authentication then…that was a red
herring. Thanks for your help!

Cheers,
-r

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran@mdibl.org
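
An added example, not part of the original thread and not RT or plugin code: a small Python parser that rejoins the wrapped rt.log records quoted in the first post and counts the autohandler passes that ended with "(0, No User)", so the frequency of forced re-logins can be compared before and after a fix. The sample log is abridged from the excerpt above; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: abridged from the excerpt in the thread, same wrapped layout.
SAMPLE_LOG = """\
[Wed May 6 13:31:14 2009] [debug]: Attempting to use external auth
service: LDAP
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Wed May 6 13:31:14 2009] [debug]: SSO Failed and no user to test with.
Nexting
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Wed May 6 13:31:14 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Wed May 6 13:31:16 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/usr/local/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
"""

HEADER = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[(\w+)\]: (.*)$")
SOURCE = re.compile(r"\s*\((/\S+):(\d+)\)$")  # trailing "(file:line)" of a record

def parse_records(text):
    # A line starting with "[timestamp] [level]:" opens a record; any other
    # non-empty line is a wrapped continuation of the record before it.
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            records.append({"time": when, "level": m.group(2), "msg": m.group(3)})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    for rec in records:
        src = SOURCE.search(rec["msg"])
        if src:  # split off the code location that emitted the record
            rec["file"], rec["line"] = src.group(1), int(src.group(2))
            rec["msg"] = rec["msg"][:src.start()]
    return records

def no_user_passes(records):
    # Timestamps of autohandler passes that ended with (0, No User).
    return [r["time"] for r in records if "Response: (0, No User)" in r["msg"]]

def per_minute(times):
    # Events per minute, so bursts of login redirects stand out.
    return Counter(t.strftime("%Y-%m-%d %H:%M") for t in times)
```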