SOLVED: Re: Authentication error against Active Directory



Folks,

FYI -- the problem occurs when you have the AD server in the Authentication search path in Directory Utility, but not in the Contacts search path. The text of the bug I filed follows:

Summary:

When integrating the Wiki server with an external directory server (such as a separate Open Directory master or Active Directory), the directory server needs to be in the Contacts search path in Directory Utility (on the wikid server) or users will get an error dialog in the browser when they try to log in that says, "Error from server: 'NoneType' object has no attribute 'shortName' (8002)".

Steps to Reproduce:

1) Set up Leopard Server 10.5.1 in advanced mode.

2) In Server Admin, promote the server to be an OD master.

3) In Directory Utility, bind the server to an outside directory server (OD master or AD master). Make sure that the outside master is in the Authentication search path but not the Contacts search path.

4) Create a group wiki using Server Admin and Workgroup Manager. Make sure that at least one of the users in the group is from the outside master.

5) Try to log in to the group wiki using the user account from the outside master.

Expected Results:

The user should be able to log in.

Actual Results:

Browser displays error dialog with message: "Error from server: 'NoneType' object has no attribute 'shortName' (8002)". User is not logged in.

Regression:
Problem exists in 10.5.0 server as well.

Notes:
Workaround is to put the outside directory server into the Contacts search path as well as the Authentication search path. Note that the usage of the search nodes is inconsistent here. Authentication does in fact occur, based on the wikid error logs that show that the error occurs at line 78 of SessionHandler.py, which can only be reached once the user is authenticated. This is confirmed by doing USR1 debug logging on the DirectoryService process.


I have only verified this against an outside AD master, but I believe it will act the same against an outside OD master.

Given that wikid is authenticating a user, I would recommend that the search be done on the Authentication search path, not the Contacts search path. Alternatively, search both paths.


--Paul



Paul Suh http://www.ps-enable.com/
email@hidden (240) 672-4212
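A small Python model of the mismatch described in the report above, added here as an illustration and not taken from wikid's source: the credential check uses one search path and the follow-up record lookup uses another. Node names, accounts, passwords and function names are constructed; only the `shortName` attribute comes from the traceback.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    shortName: str
    password: str  # constructed stand-in for a real credential check

# Constructed nodes: a local OD master and an outside AD master.
NODES = {
    "/LDAPv3/127.0.0.1": {"odalice": Record("odalice", "od-pw")},
    "/Active Directory/All Domains": {"adbob": Record("adbob", "ad-pw")},
}
# The reported setup: AD node in Authentication but not in Contacts.
AUTH_PATH = ["/LDAPv3/127.0.0.1", "/Active Directory/All Domains"]
CONTACTS_PATH = ["/LDAPv3/127.0.0.1"]

def find(name, path):
    """Return the first record for name on the search path, else None."""
    for node in path:
        rec = NODES[node].get(name)
        if rec is not None:
            return rec
    return None

def authenticate(name, password):
    """Return the authenticated record from the Authentication path, or None."""
    rec = find(name, AUTH_PATH)
    if rec is not None and hmac.compare_digest(rec.password, password):
        return rec
    return None

def login_as_reported(name, password):
    """Authenticate on one path, then fetch the user from the other."""
    if authenticate(name, password) is None:
        return False, None
    user = find(name, CONTACTS_PATH)  # None for the AD-only account
    return True, "session-" + user.shortName  # AttributeError on None

def login_consistent(name, password):
    """Build the session from the record that was actually authenticated."""
    user = authenticate(name, password)
    if user is None:
        return False, None  # fail closed: no record, no session
    return True, "session-" + user.shortName

def nodes_missing_from_contacts():
    """Nodes that can authenticate users the Contacts path cannot resolve."""
    return [n for n in AUTH_PATH if n not in CONTACTS_PATH]
```

`nodes_missing_from_contacts()` is the configuration check that corresponds to the workaround: any node it returns is one whose users can pass authentication but cannot be resolved afterwards.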




On Dec 11, 2007, at 2:40 PM, Paul Suh wrote:

Josh,

I forgot to mention that I already did that.


--Paul


Paul Suh http://www.ps-enable.com/
email@hidden (240) 672-4212




On Dec 11, 2007, at 2:35 PM, Josh Budde wrote:

Follow this Apple howto
http://docs.info.apple.com/article.html?artnum=306750

Josh

On Dec 11, 2007, at 2:09 PM, Paul Suh wrote:

Folks,

I have a Leopard Server bound to an AD server for authentication. I set up a local OD master as required by wikid. OD users can auth and use the wiki just fine. AD users fail at the authentication stage with the error:

2007-12-11 10:26:41-0800 [HTTPChannel,34,127.0.0.1] Unhandled Error
    Traceback (most recent call last):
      File "/usr/share/caldavd/lib/python/twisted/web/http.py", line 598, in requestReceived
        self.process()
      File "/usr/share/caldavd/lib/python/twisted/web/server.py", line 150, in process
        self.render(resrc)
      File "/usr/share/caldavd/lib/python/twisted/web/server.py", line 157, in render
        body = resrc.render(self)
      File "/usr/share/wikid/lib/python/apple_xmlrpc_server/WebAppServer.py", line 67, in render
        d = defer.maybeDeferred(function, request, *args)
    --- <exception caught here> ---
      File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 107, in maybeDeferred
        result = f(*args, **kw)
      File "/usr/share/wikid/lib/python/apple_xmlrpc_server/WebAppServer.py", line 85, in xmlrpc_login
        success, session_id = SessionHandler.sessionHandler.login(username, password)
      File "/usr/share/wikid/lib/python/apple_utilities/SessionHandler.py", line 78, in login
        aSession = self._authProvider.sessionFactory.vendSession(user)
      File "/usr/share/wikid/lib/python/apple_utilities/Authentication.py", line 197, in vendSession
        appleauth.ResetMemberCache(user.shortName)
    exceptions.AttributeError: 'NoneType' object has no attribute 'shortName'


From reading the Python code it appears that the authentication was in fact successful, but something is not setting up the shortName attribute correctly in ds.userNamed(username).

I ran into this once before and corrected it by blowing away and reinstalling Leopard server, since it was a testbed and I had done many things to it already. However, this time it's a fresh install and I'm getting annoyed. Anyone have any ideas?


--Paul


Paul Suh http://www.ps-enable.com/
email@hidden (240) 672-4212




_______________________________________________
Do not post admin requests to the list. They will be ignored.
Wiki-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40med.umich.edu


This email sent to email@hidden

