[rt-users] RT-Authen-ExternalAuth-0.09 a bit too eager?
Iulian Dragan
iulian_dragan at yahoo.com
Thu Dec 15 09:18:04 EST 2011
Hello,
I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice strange behaviour from RT-Authen-ExternalAuth-0.09.
The authentication works fine, however, the login page gets redirected straight away here:
http://rt.address.com/NoAuth/Login.html?next=xxxxxx&results=xxxxxxx
With the error message: "You are not an authorized user".
That is, this is what I see instead of the normal login page.
This is what the log says:
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
Is this to be expected? Or am I missing something? Because in the old version there was no redirection and no error messages.
I dug a little bit and found a "fix", but it seems a bit heavy-handed (if not plain wrong).
It involves modifying .../html/Callbacks/ExternalAuth/autohandler/Session from this:
<%init>
$m->comp('/Elements/DoAuth',%ARGS);
......
to this:
<%init>
if($ARGS{'user'} || $m->request_comp->path ne '/index.html'){
$m->comp('/Elements/DoAuth',%ARGS);
}
....
That is, try to authenticate me only if I provided a username or if I am trying to access something other than the login page (well..).
Here's the relevant part of RT_SiteConfig:
Set($WebExternalAuth , '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalAuto , '1');
Set($ExternalAuthPriority, [ 'AD' ]);
Set($ExternalInfoPriority, [ 'AD' ]);
Set($AutoCreateNonExternalUsers, 1);
Set($ExternalSettings, { 'AD' => {
'type' => 'ldap',
...
}
});
And httpd.conf:
<VirtualHost *:80>
ServerName xxx
KeepAlive On
AddDefaultCharset UTF-8
LogLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{X-Forwarded-For}i " combined
ErrorLog /opt/rt/var/log/error_log
CustomLog /opt/rt/var/log/access_log common env=!dontlog
Alias /NoAuth/images/ /opt/rt/share/html/NoAuth/images/
ScriptAlias / /opt/rt/sbin/rt-server.fcgi/
DocumentRoot /opt/rt/share/html
<Location />
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler fastcgi-script fcgi
</Location>
<Location /NoAuth/images>
SetHandler default-handler
</Location>
</VirtualHost>
Thanks,
Iulian
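
Added example, not part of the original post and not code from RT or RT-Authen-ExternalAuth: a small Python parser for the debug lines quoted above. It groups them into autohandler passes and separates passes that ran with no username at all from real login attempts. The sample log is constructed from the lines in the post; treating a non-zero response code as success is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the three debug lines quoted in the post, seen twice.
PLUGIN = "/opt/rt/local/plugins/RT-Authen-ExternalAuth"
SAMPLE_LOG = "\n".join([
    f"[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD ({PLUGIN}/lib/RT/Authen/ExternalAuth.pm:64)",
    f"[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting ({PLUGIN}/lib/RT/Authen/ExternalAuth.pm:92)",
    f"[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) ({PLUGIN}/html/Elements/DoAuth:10)",
] * 2)

# "[timestamp] [level]: message (source-file:line)"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*) \((?P<src>[^()]+:\d+)\)$")
ATTEMPT = re.compile(r"^Attempting to use external auth service: (?P<service>\S+)$")
NO_USER = "SSO Failed and no user to test with"
RESPONSE = re.compile(r"^Autohandler called ExternalAuth\. Response: \((?P<code>\d+), (?P<text>.*)\)$")

def parse_passes(log_text):
    """Group log lines into autohandler passes (one per DoAuth response line)."""
    passes, current = [], {"services": [], "no_user": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log line in this format
        msg = m["msg"]
        if (a := ATTEMPT.match(msg)):
            current["services"].append(a["service"])
        elif msg.startswith(NO_USER):
            current["no_user"] = True
        elif (r := RESPONSE.match(msg)):
            current.update(ts=m["ts"], code=int(r["code"]), text=r["text"])
            passes.append(current)
            current = {"services": [], "no_user": False}
    return passes

def summarize(passes):
    """Count passes by outcome. Assumption: a non-zero code means success."""
    kinds = Counter()
    for p in passes:
        if p["code"] != 0:
            kinds["succeeded"] += 1
        elif p["no_user"]:
            kinds["no_credentials"] += 1  # auth ran with no username supplied
        else:
            kinds["failed_login"] += 1
    return dict(kinds)

if __name__ == "__main__":
    print(summarize(parse_passes(SAMPLE_LOG)))
```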