[rt-users] RT::Authen::ExternalAuth v0.06 Released - Includes 3.8.xCompatibility

Mike Peachey mike.peachey at jennic.com
Mon Nov 3 10:21:30 EST 2008 

Sean McCreadie wrote:
> Mike,
> 
> Thank you for looking at my problem.  I disabled the log stack traces as
> you suggested and attached the new log file.  Now I can see that it is
> indeed authenticating my test user "Joe User" with my AD. The attached
> log file contains the results of first logging in successfully as root
> and then as Joe User. When I try to login as the AD user in the web UI I
> get the following error in the browser:
> 
> 
> Can't call method "SetDisabled" on an undefined value at
> /opt/rt3/bin/../lib/RT/User_Overlay.pm line 1087,  line 514.

It's a bit unusual. It seems that either the Autocreation is trying to
re-use a principleID that already exists for the user, or for some
reason it's creating the principle as a group instead of a user.

Walking through the log:

****************************************************************************
[Mon Nov  3 14:22:48 2008] [debug]: RT::User::IsPassword External auth
SUCCEEDED
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:360)

ExternalAuth checked your external source and is happy to allow access
as the user provided.
****************************************************************************
[Mon Nov  3 14:22:48 2008] [info]: Autocreated authenticated user juser
( 14 )
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:64)

Because no principle exists with that username, a user is being
autocreated by RT and it has been assigned the principleID (i.e.
userID/groupID) 14.
****************************************************************************
[Mon Nov  3 14:22:48 2008] [debug]: LDAP Search ===  Base:
dc=canyonpartners,dc=local == Filter:
(&(objectClass=*)(sAMAccountName=juser)) == Attrs:
l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:853)

Information about the user is being looked up in your specified info
database for importing into RT.
****************************************************************************
[Mon Nov  3 14:22:48 2008] [debug]: LDAP Search ===  Base:
dc=canyonpartners,dc=local == Filter:
(&(objectClass=*)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=juser))
== Attrs: uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm:893)

RT is now looking to see if any results are returned when combining a
search for the user specified and a search for disabled users. If a
result is returned, the user should be set disabled, if not the user
should be set enabled. In both cases, the method SetDisabled is used,
just with different params for enable or disable.
****************************************************************************
[Mon Nov  3 14:22:48 2008] [crit]: User #14 has principal of Group type
(/opt/rt3/bin/../lib/RT/User_Overlay.pm:1123)

Critical failure. RT is trying to use the SetDisabled method to make
sure the user is enabled, but for some reason, the account with
principleID 14 is not a User object, it is a Group object, and you
cannot use RT::User::SetDisabled on a group, therefore RT doesn't know
what to do and bombs out.
****************************************************************************


So, either Autocreate is re-using #14 that already exists as a group
where it shouldn't, or Autocreate is creating a Group object not a User
object.

I would guess the former, but the details of Autocreate are beyond what
I'm familiar with.

Hope that helps.
-- 
Kind Regards,

__________________________________________________

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__________________________________________________

More information about the rt-users mailing list