RT::Authen::ExternalAuth v0.06 Released - Includes 3.8.x Compatibility

Robert Munsch wrote:

Bad link: it seems to be at
RT-Authen-ExternalAuth-0.06_03 - RT Authen-ExternalAuth Extension - metacpan.org

and is marked “Developer Release,” if that matters.

Please re-read carefully:

Mike Peachey wrote:

it may take some time for it to
become available and propagate to the mirrors.
Once done, you should be able to install it directly
through the CPAN shell or find it here:
RT-Authen-ExternalAuth-0.06 - RT Authen-ExternalAuth Extension - metacpan.org

Until then, you can install directly from the BPS SVN server’s trunk

0.06_03 is the most recent devel release and when 0.06 is fully inserted
into CPAN, it will show up as the latest release.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Hello Mike,

Thank you and Kevin for working hard on this release, I am excited to
hopefully get it working on my RT 3.8.1 server. I have installed the
v0.06 release but I am running into difficulty getting it going. I have
drilled over the lists trying to get info regarding the errors I am
seeing but so far I have been unable to get users to authenticate with
AD. I am running a Windows Server 2003 Active Directory, pretty sure
anonymous binding is disabled. I have attached my SiteConfig file, as
well as the logging in rt.log when I try to authenticate. I have tried
many different ways of entering the ‘user’ value to no avail. I have no
problem authenticating with the local root account. I'm not sure how or
where to look to see if the RT server is even attempting to authenticate
users to AD, when I look through the rt.log file it doesn’t appear to
be. Thanks in advance for any insight.

Sean

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Mike
Peachey
Sent: Saturday, November 01, 2008 11:46 AM
To: RT Users; RT Devel
Subject: [rt-users] RT::Authen::ExternalAuth v0.06 Released - Includes
3.8.x Compatibility

Evening All,

I am proud to announce the official release of RT::Authen::ExternalAuth
v0.06 - the first release to be out-of-the-box compatible with RT 3.8.x.
Thanks to everyone for being so patient in waiting for this, I know it
has been a long time since 3.8.0 came out, but as many know I have been
ridiculously busy.

I want to extend MASSIVE thanks to Kevin Falcone for the work he put
into this, it wouldn’t have happened without him - at least not for some
time.

I have uploaded the release to CPAN, but it may take some time for it to
become available and propagate to the mirrors. Once done, you should be
able to install it directly through the CPAN shell or find it here:

Until then, you can install directly from the BPS SVN server’s trunk, I
don’t expect trunk to be changed at least until mid next week, so you
can trust it to be the same as the release at least until it’s available
on CPAN. To get and install it from the SVN server:

$ svn co http://code.bestpractical.com/bps-public/RT-Authen-ExternalAuth
$ cd RT-Authen-ExternalAuth/trunk
$ perl Makefile.PL
$ make
$ make install

Have fun :)

BTW, any bugs or feature requests should be submitted through the CPAN
RT system at http://rt.cpan.org.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
RT_SiteConfig.txt (7.99 KB)

rt.log.txt (19 KB)

Sean McCreadie wrote:

Hello Mike,

Thank you and Kevin for working hard on this release, I am excited to
hopefully get it working on my RT 3.8.1 server. I have installed the
v0.06 release but I am running into difficulty getting it going. I have
drilled over the lists trying to get info regarding the errors I am
seeing but so far I have been unable to get users to authenticate with
AD. I am running a Windows Server 2003 Active Directory, pretty sure
anonymous binding is disabled. I have attached my SiteConfig file, as
well as the logging in rt.log when I try to authenticate. I have tried
many different ways of entering the ‘user’ value to no avail. I have no
problem authenticating with the local root account. I'm not sure how or
where to look to see if the RT server is even attempting to authenticate
users to AD, when I look through the rt.log file it doesn’t appear to
be. Thanks in advance for any insight.

Can you turn off log stack traces and repost an rt.log? I’m having
difficulty reading through the one you sent quickly and don’t have a lot
of time for reading v. slowly.

FWIW, your RT_SiteConfig.pm looks right on the money.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

Mike,

Thank you for looking at my problem. I disabled the log stack traces as
you suggested and attached the new log file. Now I can see that it is
indeed authenticating my test user “Joe User” with my AD. The attached
log file contains the results of first logging in successfully as root
and then as Joe User. When I try to login as the AD user in the web UI I
get the following error in the browser:

Can’t call method “SetDisabled” on an undefined value at
/opt/rt3/bin/…/lib/RT/User_Overlay.pm line 1087, line 514.

Thanks again for all the help.

Sean

rt.log.txt (6.38 KB)

Sean McCreadie wrote:

Mike,

Thank you for looking at my problem. I disabled the log stack traces as
you suggested and attached the new log file. Now I can see that it is
indeed authenticating my test user “Joe User” with my AD. The attached
log file contains the results of first logging in successfully as root
and then as Joe User. When I try to login as the AD user in the web UI I
get the following error in the browser:

Can’t call method “SetDisabled” on an undefined value at
/opt/rt3/bin/…/lib/RT/User_Overlay.pm line 1087, line 514.

It’s a bit unusual. It seems that either the Autocreation is trying to
re-use a principalID that already exists for the user, or for some
reason it’s creating the principal as a group instead of a user.

Walking through the log:

[Mon Nov 3 14:22:48 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:360)

ExternalAuth checked your external source and is happy to allow access
as the user provided.

[Mon Nov 3 14:22:48 2008] [info]: Autocreated authenticated user juser
( 14 )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:64)

Because no principal exists with that username, a user is being
autocreated by RT and it has been assigned the principalID (i.e.
userID/groupID) 14.

[Mon Nov 3 14:22:48 2008] [debug]: LDAP Search === Base:
dc=canyonpartners,dc=local == Filter:
(&(objectClass=*)(sAMAccountName=juser)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:853)

Information about the user is being looked up in your specified info
database for importing into RT.

[Mon Nov 3 14:22:48 2008] [debug]: LDAP Search === Base:
dc=canyonpartners,dc=local == Filter:
(&(objectClass=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=juser))
== Attrs: uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:893)

RT is now looking to see if any results are returned when combining a
search for the user specified and a search for disabled users. If a
result is returned, the user should be set disabled, if not the user
should be set enabled. In both cases, the method SetDisabled is used,
just with different params for enable or disable.

[Mon Nov 3 14:22:48 2008] [crit]: User #14 has principal of Group type
(/opt/rt3/bin/…/lib/RT/User_Overlay.pm:1123)

Critical failure. RT is trying to use the SetDisabled method to make
sure the user is enabled, but for some reason, the account with
principalID 14 is not a User object, it is a Group object, and you
cannot use RT::User::SetDisabled on a group, therefore RT doesn’t know
what to do and bombs out.

So, either Autocreate is re-using #14 that already exists as a group
where it shouldn’t, or Autocreate is creating a Group object not a User
object.

I would guess the former, but the details of Autocreate are beyond what
I’m familiar with.

Hope that helps.

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
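
Added example (not part of the original thread and not the plugin's own code): the two LDAP filters seen in the log walk-through above, rebuilt with the login name escaped per RFC 4515, plus a local evaluation of the userAccountControl bit-AND test that decides whether the RT user is set disabled. The helper names and the sample directory entries are constructed for illustration.

```python
# Added illustration; helper names are hypothetical, not the plugin's code.
BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule (from the log)
ACCOUNTDISABLE = 0x2                 # the flag tested by ":=2" in the logged filter

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def info_filter(username, base="(objectClass=*)", attr="sAMAccountName"):
    """Filter used to look up the user's attributes for import."""
    return f"(&{base}({attr}={escape_filter_value(username)}))"


def disabled_filter(username, base="(objectClass=*)", attr="sAMAccountName"):
    """Same lookup, restricted to entries with ACCOUNTDISABLE set."""
    flag = f"(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})"
    return f"(&{base}{flag}({attr}={escape_filter_value(username)}))"


def bit_and_matches(user_account_control, mask=ACCOUNTDISABLE):
    """The matching rule is true only when every bit of mask is set."""
    return (user_account_control & mask) == mask


def should_disable(entries, username):
    """Any hit on the disabled filter means the RT user gets disabled."""
    return any(
        e["sAMAccountName"].lower() == username.lower()
        and bit_and_matches(e["userAccountControl"])
        for e in entries
    )


# Constructed directory entries (not from the thread's AD).
DIRECTORY = [
    {"sAMAccountName": "juser", "userAccountControl": 512},      # normal account
    {"sAMAccountName": "olduser", "userAccountControl": 514},    # 512 | 2, disabled
    {"sAMAccountName": "svc_rt", "userAccountControl": 66050},   # 65536 | 512 | 2
]

if __name__ == "__main__":
    for name in ("juser", "olduser", "svc_rt"):
        print(name, disabled_filter(name), should_disable(DIRECTORY, name))
```

For "juser" the generated filters are identical to the two logged at User_Vendor.pm:853 and :893 (attribute list aside), and the enabled account yields no hit, which is the path that leads to the SetDisabled call discussed above.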