See comment created on 2020-07-24 (https://sourceforge.net/p/itop/tickets/1888/#04be)
Hello,
I just upgraded from 2.7.0-1 to 2.7.1-5896 and the loop problem is thankfully solved there! Thank you and your team!
The only problem that remains in 2.7.1-5896 is that if the external user does not exist you get the 'UI:Login:Error:AccessRestricted' message instead of offering an alternative authentication type (form).
First message (but this was fixed in 2.7.1):
I have successfully set up SSO with Apache2 + Kerberos Auth and external user authentication works fine in iTop as long as the signed-on user exists in iTop.
However if the user does not exist, there is no reply and eventually a timeout.
All combinations of allowed_login_types (external|form|basic) have been tried without any difference.
I suppose it is a bug and that the expected behavior here would be a reply that the external user has not been found and/or the form for an internal user login appears.
Discussion: hangs when external user is unknown
Tickets: #2147
Hello,
What was the iTop version tested? 2.7.0 as filled in this ticket?
Yes, 2.7.0-1 is installed.
We fixed something similar (external user provisioning) in 2.7.0-2 (Combodo ref: N°2952).
Can you check with this version?
https://sourceforge.net/projects/itop/files/itop/2.7.0-2/
Tried on 2.7.0-2-5689, behaviour is the same.
Would be willing to debug, but found no way to enable debugging on this.
To complete:
happens on all 3 of my installations, all with apache2 + mod_mellon (desperately waiting for full SAML 2.0 support by the way).
And I confirm to have tried all combinations of allowed_login_types (cas|external|form|basic), without any difference.
On some rare occasions (cache maybe?) I get a fallback to basic followed by an "unauthorized" reply, but it is not repeatable.
Last edit: hans boot 2020-06-30
Thanks.
Can you add a login_debug=true to your iTop config file to have some debug traces? (see Authentication process [iTop Documentation])
Here is an authentication pass with external, and fail. It hangs and loops quite aggressively. I extracted the first couple of lines.
'allowed_login_types' => 'external|cas|form|basic',
Last edit: hans boot 2020-07-01
For reference, here is one with an accepted user.
Is the information I gave enough or do you need more info?
Sorry, I should have changed the ticket status!
We need to investigate...
@hans boot and @pgoiffon, thank you for troubleshooting.
This has the potential to be a high-priority issue, because as I found out today, a single non-existing user brings the whole system down for all users. As long as the browser of a non-existing external user is open and the loop is running, CPU usage is at 100% and no other user can work in iTop.
Could you maybe prioritize this bug accordingly?
Is there a patch/workaround that can be implemented in the meantime?
@pgoiffon Hello Pierre
Have you been able to analyze the problem?
As a workaround we created LDAP users and disabled external auth. The users have to provide their password now when authenticating in iTop. The problem is, however, that these are totally new iTop users and the old personal shortcuts, dashboards, etc. are not accessible.
We are waiting desperately for a fix of this issue.
Do you have another idea for a workaround, while we are waiting for a fix?
Hello,
I don't have the way to reproduce this myself, so I forwarded this to the dev and product teams.
Hello,
I just upgraded from 2.7.0-1 to 2.7.1-5896 and the loop problem is thankfully solved there! Thank you and your team!
The only problem that remains in 2.7.1-5896 is that if the external user does not exist you get the 'UI:Login:Error:AccessRestricted' message instead of offering an alternative authentication type (form).
Last edit: Switchfoot 2020-07-24
Many thanks for your feedback! Glad to hear this is fixed - I thought a fix was integrated in 2.7.0-2 but I certainly misunderstood and it was in 2.7.1.
Well noted for the other problem, we will have to reproduce it.
Hello,
The problem was already known by the product team; it exists in the (private) Combodo DB under ref N°3229. Not planned yet.
New duplicate ticket: [#2147].