Forum OpenACS Q&A: Error using External Authentication

Posted by Nima Mazloumi on
Hi friends,

I installed the PAM Authentication Driver, created a new Authority and ran the Batch Synch. Still, I don't see the option at the login page for pam or local.

This is the error log I saw:

[20/Jan/2004:11:07:52][3315.114696][-conn4-] Error: auth::get_register_authority: parameter value for RegisterAuthority is an authority without registration driver, defaulting to local authority

Any idea what goes wrong? Did I forget to set a parameter?

Greetings,
Nima

Posted by Lars Pind on
This error message is about which authority is used to create new user accounts, which is selected on the /acs-admin/auth/ page.

Is the radio button under "Registration" next to your PAM authority selected? If so, select the local authority, and try again.

Also, is the PAM authority enabled? Is the checkbox under "Enabled" next to the PAM authority checked?

/Lars

Posted by Nima Mazloumi on
These are my settings:
Name  Enabled  Registration  Authentication  Password  Registration
rum      yes       N/A            PAM            -         -     
Local    yes       yes            Local         Local       Local  
But it doesn't work.
Posted by Lars Pind on
Ah, I have a hunch now.

You need to change a kernel parameter, too, in order for the drop-down to occur:

1. Visit /acs-admin/

2. Under "Service Administration", on the line labeled "Kernel", click the link "Parameters"

3. In the "Security" section, find the parameter named "UseEmailForLoginP".

4. Set it to 0, and click OK.

If you don't do this, it'll ask for email instead of username, and since emails are globally unique, it doesn't need to ask for the authority.

Could this be it?

/Lars

Posted by Nima Mazloumi on
Great, it works now!! Thanks.

But what is strange is that the local login required an email and now I cannot log into the system over the local authority anymore.

Posted by Matthias Melcher on
What did you specify for "username" when adding the local user in dotLRN > Admin > Users > Add A User
http://dotlrn20-test.collaboraid.net/dotlrn/user-add?add_membership_p=f&dotlrn_interactive_p=1&referer=/dotlrn/admin/users ?
This should work now for Login instead of eMail.
Posted by Lars Pind on
Yeah, that's the problem.

When logging in using email, we don't ask for a username, we just generate one. So when you switch from using email to login, to using usernames, you generally don't know what your username is ...

Any good suggestions for how to fix this?

The premise is that when you've set your site to use email, everything should be the way it always was: No mention of usernames, 'cause they're not being used anywhere.

But if you're logging in via username, well, then you need a username. And currently, you also need an email, even though in the future, we'll want to remove the requirement to have an email address with the system.

I guess the solution that others implement is to have a "I forgot my username" link that asks for your email and responds by sending your username to that email?

For now, though, if you have access to your database, you can say 'select email, username from cc_users' to see which emails correspond to which usernames -- and chances are that it'll be identical to your email.

/Lars

Posted by Nima Mazloumi on

Matthias/Lars:

Thank you very much for your help.

Regarding the username, two things:

  1. I think OpenACS created the username Administrator for the admin of the site. So this should be enough in the first place to allow at least an admin to login to the site.
  2. Second there could be many ways to generate usernames:
    • use of the userid
    • use of the email as well for those instances where no username is provided
    • use of the text before the @ in case all emails are from the same server...so they must be unique.

Lars:
Regarding the batch synch:

  1. It takes the server 1 minute for 4 actions, which seems strange. The first time I did that it took me 12 hours for 20000 users, which is 27 actions/minute.
  2. I get different error messages from the batch synch page:
    Start time        End time          Run time    Actions  Problems  Actions/Minute  Message                 Interactive  
    18.01.2004 16:04  19.01.2004 15:12  23h 7m 57s  8870      9        6                Error processing sync docum...  No  
    19.01.2004 16:21  19.01.2004 17:02  40m 53s     168       0        4                Error processing sync docum...  No  
    20.01.2004 01:00  20.01.2004 01:00  1s          0         0                         Error processing sync docum...  No  
    

Here are the corresponding error messages:

  1. Batch 1
    Error processing sync document: Transaction aborted: Database operation "dml" failed ERROR: auth_batch_job_entries_user_fk referential integrity violation - key referenced from auth_batch_job_entries not found in users SQL: insert into auth_batch_job_entries (entry_id, job_id, operation, username, user_id, success_p, message, element_messages) values ('13904', '3', 'insert', 'hremle', '604671', 'f', 'Database operation "0or1row" failed (exception NSDB, "Query was not a statement returning rows.") ERROR: deadlock detected SQL: select dotlrn_student_profile_rel__new(NULL,''604671'',''604673'',NULL,''hremle@rumms.uni-mannheim.de'',''dotlrn_student_profile_rel'',NULL,''1420'',''134.155.53.42'') while executing "ns_pg_bind 0or1row nsdb0 { select dotlrn_student_profile_rel__new(NULL,:user_id,:portal_id,NULL,:id,''dotlrn_student_profile_rel'',NULL,:creation_user..." ("uplevel" body line 1) invoked from within "uplevel $ulevel [list ns_pg_bind $type $db $sql" ("postgresql" arm line 2) invoked from within "switch $driverkey { oracle { return [uplevel $ulevel [list ns_ora $type $db $sql] $args] } ..." invoked from within "db_exec 0or1row $db $full_statement_name $sql" invoked from within "if {[regexp -nocase -- {^\\s*select} $test_sql match]} { ns_log Debug "PLPGSQL: bypassed anon function" set selection [..." ("uplevel" body line 6) invoked from within "uplevel 1 $code_block " invoked from within "db_with_handle -dbn $dbn db { # plsql calls that are simple selects bypass the plpgsql # mechanism for creating anonymous fun..." (procedure "db_exec_plsql" line 57) invoked from within "db_exec_plsql create_object " BEGIN :1 := ${package_name}.new([plsql_utility::generate_attribute_parameter_call -prepend ":" -indent [expr..." (procedure "package_instantiate_object" line 106) invoked from within "package_instantiate_object -creation_user $creation_user -creation_ip $creation_ip -start_with "relationship" -form_id $form_id -extra_vars $extr..." 
invoked from within "set rel_id [package_instantiate_object -creation_user $creation_user -creation_ip $creation_ip -start_with "relationship" -form_id $form_id -extr..." ("uplevel" body line 3) invoked from within "uplevel 1 $transaction_code " (procedure "db_transaction" line 1) invoked from within "db_transaction { set rel_id [package_instantiate_object -creation_user $creation_user -creation_ip $creation_ip -start_with "relationship" -form..." (procedure "relation_add" line 16) invoked from within "relation_add -extra_vars $extra_vars -member_state approved [get_rel_type_from_user_type -type $type] "" $user_id " invoked from within "set rel_id [relation_add -extra_vars $extra_vars -member_state approved [get_rel_type_from_user_type -type $type] "" $user_id ]" ("uplevel" body line 10) invoked from within "uplevel 1 $transaction_code " (procedure "db_transaction" line 39) invoked from within "db_transaction { set_can_browse -user_id $user_id -can_browse\\=$can_browse_p set portal_id [portal::create -template_id $tem..." (procedure "dotlrn::user_add" line 20) invoked from within "dotlrn::user_add -id $user_info(email) -type $type -can_browse=$can_browse_p -user_id $user_id" ("insert" arm line 25) invoked from within "switch $operation { "insert" { # We set email_verified_p to ''t'', because we trust the email we get from th..." ("uplevel" body line 2) invoked from within "uplevel $body "', NULL)
    
  2. Batch 2
    Error processing sync document: Transaction aborted: Database operation "0or1row" failed (exception NSDB, "Query was not a statement returning rows.") ERROR: current transaction is aborted, queries ignored until end of transaction block SQL: select nextval('auth_batch_job_entry_id_seq') as nextval where (select relkind from pg_class where relname = 'auth_batch_job_entry_id_seq') = 'S'
    
  3. Batch 3
    Error processing sync document: Transaction aborted: 14073 

Greetings and thank you very much,
Nima
Posted by Nima Mazloumi on
Hi Lars,

Finally I got the batch synch running. The server was so slow with 20000 users in the system. Then I decided to make my external university account site admin and then disabled the local authority. The site is now 10 times faster than before, when two authorities were enabled.

The only problem is that I want to get rid of the enabled registration mode of the local authority. At the moment people can register to the local authority but won't ever have access anyway. Is there a way to disable registration for the local authority?

I changed the parameters (Recover password URL, Change password URL, Account registration URL) of the local authority to link account.htm but still the Password Recovery Link and the Registration Link are shown on the login page.

On the other hand, the URLs I added for the external (pam) authority never show, and neither does the Help contact text I added.

Can you tell me what I do wrong?

Greetings,
Nima