[rt-users] RT-Extension-SaltedPasswords Not Playing Nice with LDAP

Kevin Falcone falcone at bestpractical.com
Fri Jan 21 12:24:26 EST 2011


On Fri, Jan 21, 2011 at 10:16:33AM -0700, Nick Couchman wrote:
> On Fri, 2011-01-21 at 10:37 -0500, Kevin Falcone wrote:
> > On Fri, Jan 21, 2011 at 07:48:15AM -0700, Nick Couchman wrote:
> > > [Fri Jan 21 03:40:09 2011] [debug]: UPDATED user Nick Couchman from LDAP
> > > (/opt/rt3/local/lib/RT/User_Local.pm:628)
> > 
> > Looks like you're using an old extension that clobbers IsPassword.
> > You're going to need to merge that code with the IsPassword in
> > SaltedPasswords to handle both cases.
> > 
> > -kevin
> 
> Well, I'm getting closer.  I decided to remove the old LDAP method and
> install the RT-Authen-ExternalAuth extension, version 0.05, instead.
> Now the log output looks like this:
> 
> [Fri Jan 21 17:14:07 2011] [debug]: LDAP Search ===  Base: dc=seakr,dc=com == Filter: (&(objectClass=posixAccount)(cn=Nick Couchman)) == Attrs: l,cn,st,mail,cn,co,physicalDeliveryOfficeName,postalCode,telephoneNumber,cn,o,cn (/opt/rt3/local/lib/RT/User_Vendor.pm:850)
> [Fri Jan 21 17:14:07 2011] [debug]: LDAP Search ===  Base: dc=seakr,dc=com == Filter: (&(objectClass=posixAccount)(isDisabled=true)(cn=Nick Couchman)) == Attrs: uid (/opt/rt3/local/lib/RT/User_Vendor.pm:890)
> [Fri Jan 21 17:14:07 2011] [info]: ENABLED user  Nick Couchman per External Service (0, That is already the current value) (/opt/rt3/local/lib/RT/User_Vendor.pm:957)
> [Fri Jan 21 17:14:07 2011] [debug]: RT::User::CanonicalizeUserInfo called by RT::User /opt/rt3/local/lib/RT/User_Vendor.pm 966 with: Name: Nick Couchman (/opt/rt3/local/lib/RT/User_Vendor.pm:400)
> [Fri Jan 21 17:14:07 2011] [debug]: Attempting to get user info using this external service: eDirectory1 (/opt/rt3/local/lib/RT/User_Vendor.pm:408)
> [Fri Jan 21 17:14:07 2011] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/lib/RT/User_Vendor.pm:417)
> [Fri Jan 21 17:14:07 2011] [debug]: LDAP Search ===  Base: dc=seakr,dc=com == Filter: (&(objectClass=posixAccount)(cn=Nick Couchman)) == Attrs: l,cn,st,mail,cn,co,physicalDeliveryOfficeName,postalCode,telephoneNumber,cn,o,cn (/opt/rt3/local/lib/RT/User_Vendor.pm:538)
> [Fri Jan 21 17:14:07 2011] [info]: RT::User::LookupExternalUserInfo : Returning:  Address1: , City: , Country: , EmailAddress: Nick.Couchman at seakr.com, ExternalAuthId: Nick Couchman, Gecos: Nick Couchman, Name: Nick Couchman, Organization: , RealName: Nick Couchman, State: , WorkPhone: , Zip:  (/opt/rt3/local/lib/RT/User_Vendor.pm:703)
> [Fri Jan 21 17:14:07 2011] [info]: RT::User::CanonicalizeUserInfo returning Address1: , City: , Country: , EmailAddress: Nick.Couchman at seakr.com, ExternalAuthId: Nick Couchman, Gecos: Nick Couchman, Name: Nick Couchman, Organization: , RealName: Nick Couchman, State: , WorkPhone: , Zip:  (/opt/rt3/local/lib/RT/User_Vendor.pm:444)
> [Fri Jan 21 17:14:08 2011] [debug]: UPDATED user  Nick Couchman from External Service (/opt/rt3/local/lib/RT/User_Vendor.pm:990)
> [Fri Jan 21 17:14:08 2011] [error]: FAILED LOGIN for Nick Couchman from 192.168.10.71 (/opt/rt3/share/html/autohandler:251)
> 
> So, it looks to me like it successfully pulls all of the information
> from the LDAP service successfully, but for some reason still fails the
> login.  I know I'm typing the correct password - tried that along with
> bogus ones a few times.  Any other hints?

Correct LDAP password or correct local password?
RT-Authen-ExternalAuth 0.05 messes with IsPassword, and you'd likely
have to merge the IsPassword from SaltedPasswords with
IsInternalPassword to make it go.

RT-Authen-ExternalAuth 0.08 (the version compatible with 3.8) uses a
different technique that doesn't clobber IsPassword.

-kevin