Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
Good points Mike, I did not think about the fact that future users can still get added as [EMAIL PROTECTED] if they first are just a requester, this would mean I either need a constant process to fix these or as you suggest: Since ExternalAuth has been refactored, I could add an Overlay to have ExternalAuth checked for info when a user is auto-created by e-mail and have the info loaded then. It wouldn't help past users, but would help future users that start by e-mail and then login. I am thinking this might be best, I have a few more days before my next major project kicks off, meaning I have some time to give back to RT. Would you like to do this as part of LDAP.pm or externally? Give me some guide lines and I will see what I can come up with. Mike Peachey wrote: John McCoy wrote: I do have an additional issue now that I have had a few more testers try this: Most of our non-privileged users do already exist in RT as they have been auto added when the were added as requesters on a ticket, this has created their accounts as such: Username: [EMAIL PROTECTED] Email: [EMAIL PROTECTED] Real Name: [EMAIL PROTECTED] I think this is causing a problem for ExternalAuth as it tries to create a new user with Username: user but then fails as the email address is already in use. I did a query and I have several hundred uses like this, I am upgrading from 3.6.6 FYI. I'm thinking it might be best to create some sql to remove the @ggu.edu from all user names rather then try to modify the add user code to look for both user and [EMAIL PROTECTED] Thoughts anyone? This has always been a difficult one. I *could* have it like this: Lookup user, load user info, check e-mail address, if address in use, overwrite previous user with new details - but this could cause some serious issues. As you suggest, it may simply be better to leave it to the individual administrator to decide whether to clean up the users database as each one comes up or via a scripted change. Since ExternalAuth has been refactored, I could add an Overlay to have ExternalAuth checked for info when a user is auto-created by e-mail and have the info loaded then. It wouldn't help past users, but would help future users that start by e-mail and then login. I could have it periodically do a complete pull from LDAP and create users in RT for all users in LDAP, but that could complicate things later on for certain users. As I said, I'm really not sure how best to deal with it. -- * John McCoy, Jr Sr. Systems and Network Administrator Enterprise Technology Services Golden Gate University 415-442-6560 * ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
John McCoy wrote: Good points Mike, I did not think about the fact that future users can still get added as [EMAIL PROTECTED] if they first are just a requester, this would mean I either need a constant process to fix these or as you suggest: Since ExternalAuth has been refactored, I could add an Overlay to have ExternalAuth checked for info when a user is auto-created by e-mail and have the info loaded then. It wouldn't help past users, but would help future users that start by e-mail and then login. I am thinking this might be best, I have a few more days before my next major project kicks off, meaning I have some time to give back to RT. Would you like to do this as part of LDAP.pm or externally? Give me some guide lines and I will see what I can come up with. Having thought about this (and had some sleep) since.. I realised that, as far as I know, ExternalAuth *already* looks up external user info when a user is autocreated by email because when the user is created CanonicalizeUserInfo is called which is overridden by ExternalAuth and so goes off to find the users info based on their email address.. Can you confirm this? -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
Mike Peachey wrote: John McCoy wrote: Good points Mike, I did not think about the fact that future users can still get added as [EMAIL PROTECTED] if they first are just a requester, this would mean I either need a constant process to fix these or as you suggest: Since ExternalAuth has been refactored, I could add an Overlay to have ExternalAuth checked for info when a user is auto-created by e-mail and have the info loaded then. It wouldn't help past users, but would help future users that start by e-mail and then login. I am thinking this might be best, I have a few more days before my next major project kicks off, meaning I have some time to give back to RT. Would you like to do this as part of LDAP.pm or externally? Give me some guide lines and I will see what I can come up with. Having thought about this (and had some sleep) since.. I realised that, as far as I know, ExternalAuth *already* looks up external user info when a user is autocreated by email because when the user is created CanonicalizeUserInfo is called which is overridden by ExternalAuth and so goes off to find the users info based on their email address.. Can you confirm this? I would look into this deeper myself, but right now I'm back to barely having enough time to wipe my own nose. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
Mike Peachey wrote: Aaron Zuercher wrote: I'm still getting the same error: Can't call method SetDisabled on an undefined value at /opt/rt3/bin/../lib/RT/User_Overlay.pm line 1087. I installed over the top and recieved that error. so then I remove the RT_AUTH dir from the plugins folder and reinstalled again. Same error. Here is what the rt.log shows (looks promising): Can you take a look at your databases Users table and keep an eye out for any users whose principal ID has been set to #13? Also, if you can pop in to the rt IRC channel to try to work through it I think it would help us both a lot as you need your database fixing and I need to discover exactly what's happened so I can post instructions for everyone else for fixing their database. irc.perl.org #rt -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
Mike thank you very much for working so hard on this issue. I am happy to report that the new version does now work for SelfService (for me) Just an FYI for others stuck authenticating against Novell eDir and using the lame non-password ldap_proxy accounts I had to make the changes you were thinking about (sorry for the lack of a proper diff file): /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm 455 # Authenticate to ldap server with user name and password if supplied 456 # If no password supplied to not pass a null or bind anonymously if noting was supplied 457 if (($ldap_user) and ($ldap_pass)) { 458 $msg = $ldap-bind($ldap_user, password = $ldap_pass); 459 } elsif (($ldap_user) and ( ! $ldap_pass)) { 460 $msg = $ldap-bind($ldap_user); 461 } else { 462 $msg = $ldap-bind; 463 } RHEL5 RT 3.8.1 ExternalAuth 0.0.7_01 CookieAuth EmailCompletion -- * John McCoy, Jr Sr. Systems and Network Administrator Enterprise Technology Services Golden Gate University 415-442-6560 * ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
John McCoy wrote: Mike thank you very much for working so hard on this issue. I am happy to report that the new version does now work for SelfService (for me) Just an FYI for others stuck authenticating against Novell eDir and using the lame non-password ldap_proxy accounts I had to make the changes you were thinking about (sorry for the lack of a proper diff file): /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm 455 # Authenticate to ldap server with user name and password if supplied 456 # If no password supplied to not pass a null or bind anonymously if noting was supplied 457 if (($ldap_user) and ($ldap_pass)) { 458 $msg = $ldap-bind($ldap_user, password = $ldap_pass); 459 } elsif (($ldap_user) and ( ! $ldap_pass)) { 460 $msg = $ldap-bind($ldap_user); 461 } else { 462 $msg = $ldap-bind; 463 } I have committed this change to trunk. When 0.07 comes out as a ratified version, this will be included. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
I do have an additional issue now that I have had a few more testers try this: Most of our non-privileged users do already exist in RT as they have been auto added when the were added as requesters on a ticket, this has created their accounts as such: Username: [EMAIL PROTECTED] Email: [EMAIL PROTECTED] Real Name: [EMAIL PROTECTED] I think this is causing a problem for ExternalAuth as it tries to create a new user with Username: user but then fails as the email address is already in use. I did a query and I have several hundred uses like this, I am upgrading from 3.6.6 FYI. I'm thinking it might be best to create some sql to remove the @ggu.edu from all user names rather then try to modify the add user code to look for both user and [EMAIL PROTECTED] Thoughts anyone? LOG: [Fri Nov 7 18:16:35 2008] [debug]: UserExists params: username: fmulder , service: camstr (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:271) [Fri Nov 7 18:16:35 2008] [debug]: LDAP Search === Base: o=ggu == Filter: ((objectClass=Person)(cn=fmulder)) == Attrs: ,fullName,,mail,cntelephoneNumber,cn,ou,cn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:301) [Fri Nov 7 18:16:35 2008] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 87 with: Disabled: 0, EmailAddress: , Gecos: fmulder, Name: fmulder, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:257) [Fri Nov 7 18:16:35 2008] [debug]: Attempting to get user info using this external service: camstr (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:265) [Fri Nov 7 18:16:35 2008] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:274) [Fri Nov 7 18:16:35 2008] [debug]: LDAP Search === Base: o=ggu == Filter: ((objectClass=Person)(cn=fmulder)) == Attrs: ,fullName,,mail,cntelephoneNumber,cn,ou,cn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:192) [Fri Nov 7 18:16:35 2008] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: 0, EmailAddress: [EMAIL PROTECTED], ExternalAuthId: fmulder, Gecos: fmulder, Name: fmulder, Organization: Enterprise Technology Services, Privileged: 0, RealName: Fox Mulder, State: , WorkPhone: 415-442-7231, Zip: (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:338) [Fri Nov 7 18:16:35 2008] [error]: Couldn't create user fmulder: Email address in use (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:47) [Fri Nov 7 18:16:35 2008] [error]: FAILED LOGIN for fmulder from 10.3.32.51 (/opt/rt3/share/html/autohandler:265) -- * John McCoy, Jr Sr. Systems and Network Administrator Enterprise Technology Services Golden Gate University 415-442-6560 * ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
John McCoy wrote: I do have an additional issue now that I have had a few more testers try this: Most of our non-privileged users do already exist in RT as they have been auto added when the were added as requesters on a ticket, this has created their accounts as such: Username: [EMAIL PROTECTED] Email: [EMAIL PROTECTED] Real Name: [EMAIL PROTECTED] I think this is causing a problem for ExternalAuth as it tries to create a new user with Username: user but then fails as the email address is already in use. I did a query and I have several hundred uses like this, I am upgrading from 3.6.6 FYI. I'm thinking it might be best to create some sql to remove the @ggu.edu from all user names rather then try to modify the add user code to look for both user and [EMAIL PROTECTED] Thoughts anyone? This has always been a difficult one. I *could* have it like this: Lookup user, load user info, check e-mail address, if address in use, overwrite previous user with new details - but this could cause some serious issues. As you suggest, it may simply be better to leave it to the individual administrator to decide whether to clean up the users database as each one comes up or via a scripted change. Since ExternalAuth has been refactored, I could add an Overlay to have ExternalAuth checked for info when a user is auto-created by e-mail and have the info loaded then. It wouldn't help past users, but would help future users that start by e-mail and then login. I could have it periodically do a complete pull from LDAP and create users in RT for all users in LDAP, but that could complicate things later on for certain users. As I said, I'm really not sure how best to deal with it. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
[rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
To all you loving testers out there, I've been working my wedding vegetables off trying to get a new completely refactored (and, more importantly, working) version of RT::Authen::ExternalAuth out to you and the first beta is now complete and attached to this e-mail. It's also available from the SVN trunk and has been uploaded to CPAN, but might take time to propagate. I emplore you to test this out as soon as possible and let me and Kevin know of any and all problems encountered. Thanks all. Bear in mind, given that 99% of people use it for LDAP rather than DBI authentication, at the moment DBI auth is *completely* untested and assuredly broken - but LDAP should work fine now. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ RT-Authen-ExternalAuth-0.07_01.tar.gz Description: GNU Zip compressed data ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
wedding vegetables? :D Mike, I'll test it ASAP, can I install over top of the old version or do I need to remove it? what is the recommended uninstall method? Aaron On Thu, Nov 6, 2008 at 3:21 PM, Mike Peachey [EMAIL PROTECTED]wrote: To all you loving testers out there, I've been working my wedding vegetables off trying to get a new completely refactored (and, more importantly, working) version of RT::Authen::ExternalAuth out to you and the first beta is now complete and attached to this e-mail. It's also available from the SVN trunk and has been uploaded to CPAN, but might take time to propagate. I emplore you to test this out as soon as possible and let me and Kevin know of any and all problems encountered. Thanks all. Bear in mind, given that 99% of people use it for LDAP rather than DBI authentication, at the moment DBI auth is *completely* untested and assuredly broken - but LDAP should work fine now. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] CALLING EXTERNALAUTH TESTERS - v0.07_01 now available.
Aaron Zuercher wrote: wedding vegetables? :D Yes. :) Mike, I'll test it ASAP, can I install over top of the old version or do I need to remove it? what is the recommended uninstall method? Over the top is fine. User_Vendor.pm is still there, but has been reduced to almost nothing. All the functionality has been moved out to: lib/RT/Authen/ExternalAuth.pm lib/RT/Authen/ExternalAuth/LDAP.pm lib/RT/Authen/ExternalAuth/DBI.pm Uninstallation is a manual affar I'm afraid. For RT-3.6.x you basically need to remove every file detailed in the MANIFEST file, but for RT-3.8.x you should just be able to remove the local/plugins/RT-Authen-ExternalAuth directory. -- Kind Regards, __ Mike Peachey, IT Tel: +44 114 281 2655 Fax: +44 114 281 2951 Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK Comp Reg No: 3191371 - Registered In England http://www.jennic.com __ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: [EMAIL PROTECTED] Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com