[rt-users] RT-Authen-ExternalAuth-0.09 a bit too eager?

Iulian Dragan iulian_dragan at yahoo.com
Thu Dec 15 09:18:04 EST 2011


Hello,
I am upgrading from 3.8.7 (apache2 + mod_perl) to 4.0.4 (apache2 + mod_fastcgi) and I notice a strange behaviour of RT-Authen-ExternalAuth-0.09.

The authentication works fine, however, the login page gets redirected straight away here:


http://rt.address.com/NoAuth/Login.html?next=xxxxxx&results=xxxxxxx

With the error message: "You are not an authorized user".
That is, this is what I see instead of the normal login page.
This is what the log says:

[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)

Is this to be expected? Or am I missing something? Because in the old version there was no redirection and no error messages.
I dug a little bit and found a "fix", but it seems a bit heavy-handed (if not plain wrong).
It involves modifying .../html/Callbacks/ExternalAuth/autohandler/Session from this:
<%init>

$m->comp('/Elements/DoAuth',%ARGS);
......

to this:

<%init>
if($ARGS{'user'} || $m->request_comp->path ne '/index.html'){
        $m->comp('/Elements/DoAuth',%ARGS);
}
....

That is, try to authenticate me only if I provided a username or if I am trying to access something other than the login page (well..).
Here's the relevant part of RT_SiteConfig:

Set($WebExternalAuth , '1');

Set($WebFallbackToInternalAuth , '1');
Set($WebExternalAuto , '1');
Set($ExternalAuthPriority,  [   'AD'   ]);
Set($ExternalInfoPriority,  [   'AD'   ]);
Set($AutoCreateNonExternalUsers,    1);
Set($ExternalSettings,      { 'AD'       =>  {
        'type'              =>  'ldap',
        ...
    }
});


And httpd.conf:
<VirtualHost *:80>

 ServerName xxx
 KeepAlive      On
 AddDefaultCharset UTF-8

 LogLevel debug
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{X-Forwarded-For}i " combined
 ErrorLog /opt/rt/var/log/error_log
 CustomLog /opt/rt/var/log/access_log common env=!dontlog


 Alias /NoAuth/images/ /opt/rt/share/html/NoAuth/images/
 ScriptAlias / /opt/rt/sbin/rt-server.fcgi/
 DocumentRoot /opt/rt/share/html


 <Location />
            Order allow,deny
            Allow from all
            Options +ExecCGI
            AddHandler fastcgi-script fcgi
 </Location>
 <Location /NoAuth/images>
        SetHandler default-handler
 </Location>
</VirtualHost>


Thanks,
Iulian
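
The following is an added example, not part of the original post and not code from RT or RT-Authen-ExternalAuth. It groups the debug lines quoted above into one record per DoAuth invocation and picks out those that ended in "(0, No User)". The function names are hypothetical, and reading "(0, No User)" as "no username was submitted" is an assumption based on the "no user to test with" message.

```python
import re

# Layout of the RT debug lines quoted in the post:
# [timestamp] [level]: message (source_file:line)
LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\]: (.*) \((/[^():]+):(\d+)\)$")
ATTEMPT_RE = re.compile(r"Attempting to use external auth service: (\S+)")
RESPONSE_RE = re.compile(r"Autohandler called ExternalAuth\. Response: \((\d+), ([^)]*)\)")

# Log lines copied from the post.
SAMPLE_LOG = """\
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
[Thu Dec 15 13:20:08 2011] [debug]: Attempting to use external auth service: AD (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Thu Dec 15 13:20:08 2011] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Thu Dec 15 13:20:08 2011] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:10)
"""

def new_cycle(ts):
    return {"ts": ts, "services": [], "code": None, "reason": None}

def auth_cycles(lines):
    """Return one record per DoAuth invocation (hypothetical helper)."""
    cycles, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        ts, msg = m.group(1), m.group(3)
        attempt = ATTEMPT_RE.search(msg)
        response = RESPONSE_RE.search(msg)
        if attempt:
            # A cycle may try several services before DoAuth reports back.
            current = current or new_cycle(ts)
            current["services"].append(attempt.group(1))
        elif response:
            current = current or new_cycle(ts)
            current["code"] = int(response.group(1))
            current["reason"] = response.group(2)
            cycles.append(current)
            current = None
    return cycles

def credentialless(cycles):
    """Cycles that ended in (0, No User); assumed to mean no username was submitted."""
    return [c for c in cycles if c["code"] == 0 and c["reason"] == "No User"]

if __name__ == "__main__":
    for c in credentialless(auth_cycles(SAMPLE_LOG.splitlines())):
        print(c["ts"], c["services"], "-> DoAuth ran with no user")
```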