Shibboleth: Cannot convert a builtin account to shib, does not accept password. #3119

Closed
kcondon opened this issue May 13, 2016 · 5 comments

kcondon commented May 13, 2016

Logging in via Shib using either Harvard or testshib on internal, I can log in if there is no preexisting local account with the same email address. If there is a preexisting email, I need to convert the account on log in and that is currently failing with a bad password message, though the password is correct.

@pdurbin
This functionality was working when tested on internal during the QA phase. However, some minor tweaks were made during UX phase and there were some resolved merge conflicts.

@kcondon kcondon added UX & UI: Design This issue needs input on the design of the UI and from the product owner Status: Dev Feature: Permissions labels May 13, 2016
@kcondon kcondon added this to the 4.4 milestone May 13, 2016

pdurbin commented May 13, 2016

@kcondon I just tried this on https://shibtest.dataverse.org running v. 4.3.1 build develop-7fe7040 (the latest code in "develop" as of this writing) and converting a builtin account worked fine. Here are some screenshots:

shib_-_2016-05-13_16 32 11

account_-root_dataverse-_2016-05-13_16 32 23

Here's what it showed in server.log (I must have it cranked up to fine):

[2016-05-13T16:32:15.365-0400] [glassfish 4.1] [FINE] [] [edu.harvard.iq.dataverse.Shib] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535365] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.Shib] [METHODNAME: confirmAndConvertAccount] [[
  builtin username: philip_durbin]]

[2016-05-13T16:32:15.475-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535475] [levelValue: 800] [[
  converting user 8 from builtin to shib]]

[2016-05-13T16:32:15.476-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535476] [levelValue: 800] [[
  builtin user identifier: @philip_durbin]]

[2016-05-13T16:32:15.478-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535478] [levelValue: 800] [[
  we expect this to be 'builtin': builtin]]

[2016-05-13T16:32:15.478-0400] [glassfish 4.1] [INFO] [] [edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535478] [levelValue: 800] [[
  this should be 'pete' or whatever the old builtin username was: philip_durbin]]

[2016-05-13T16:32:15.487-0400] [glassfish 4.1] [FINE] [] [edu.harvard.iq.dataverse.Shib] [tid: _ThreadID=51 _ThreadName=jk-connector(2)] [timeMillis: 1463171535487] [levelValue: 500] [CLASSNAME: edu.harvard.iq.dataverse.Shib] [METHODNAME: logInUserAndSetShibAttributes] [[
  Groups for user 8 (@philip_durbin): [All Users (:AllUsers), Authenticated Users (:authenticated-users)]]]

I'm heading out for the day, but I'm passing it back to you for consideration, @kcondon

@pdurbin pdurbin assigned kcondon and unassigned pdurbin May 13, 2016
@kcondon kcondon assigned pdurbin and unassigned kcondon May 13, 2016

kcondon commented May 13, 2016

OK, thanks. We need to get this working on the test box before we can mark this as resolved.

pdurbin commented May 16, 2016

On dataverse-internal running v. 4.3.1 build 95-68c7239 (latest from 2469-widgets branch), I'm able to replicate the problem of not being prompted to convert my account from local to shib. My first guess is that the leading spaces persisted in the database for my email address (see #2945 and #3044) are the problem:

[root@dvn-vm4 ~]# curl -s -H "X-Dataverse-key: $API_TOKEN" http://localhost:8080/api/admin/authenticatedUsers | jq . | grep durbin@
      "email": "  philip_durbin@harvard.edu",

pdurbin commented May 16, 2016

Sure enough, after I eliminated the leading whitespace from my " philip_durbin@harvard.edu" (which I was able to do as my own user through the GUI on the account page), I was able to successfully convert my account on dataverse-internal running v. 4.3.1 build 95-68c7239:

shib_-_2016-05-16_12 36 42

account_-root_dataverse-_2016-05-16_12 37 04

@kcondon I'm going to pass this back to you for consideration. #2945 was already closed as a duplicate of #3044. Perhaps #3044 should be worked on before we release 4.4.
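
The mismatch diagnosed in the two comments above, as an added example that is not part of the thread or of Dataverse's code: it audits a user listing for emails stored with surrounding whitespace, shows an exact comparison missing the account while a trimmed one finds it, and flags addresses that would collide once trimmed. The response envelope, the `identifier` key, the function names and the `example.edu` accounts are assumptions; the thread does not show how Dataverse performs the email lookup.

```python
import json
from collections import defaultdict

# Constructed sample. Only the "email" key and the leading spaces on the first
# address come from the thread; the {"data": [...]} envelope, the "identifier"
# key and the two example.edu accounts are assumptions for this example.
SAMPLE_RESPONSE = json.dumps({"status": "OK", "data": [
    {"identifier": "@philip_durbin", "email": "  philip_durbin@harvard.edu"},
    {"identifier": "@user_a", "email": "user_a@example.edu"},
    {"identifier": "@user_a_old", "email": "user_a@example.edu "},
]})


def load_users(response_text):
    return json.loads(response_text)["data"]


def padded_emails(users):
    """Accounts whose stored email differs from its trimmed form."""
    return [(u["identifier"], u["email"]) for u in users
            if u["email"] != u["email"].strip()]


def match_by_email(users, asserted_email, trim=False):
    """Identifiers whose stored email equals the address the IdP asserted."""
    clean = str.strip if trim else (lambda s: s)
    return [u["identifier"] for u in users
            if clean(u["email"]) == clean(asserted_email)]


def collisions_after_trim(users):
    """Trimmed addresses that would be shared by more than one account."""
    by_email = defaultdict(list)
    for u in users:
        by_email[u["email"].strip()].append(u["identifier"])
    return {e: ids for e, ids in by_email.items() if len(ids) > 1}


if __name__ == "__main__":
    users = load_users(SAMPLE_RESPONSE)
    asserted = "philip_durbin@harvard.edu"
    print("padded:", padded_emails(users))
    print("exact match:", match_by_email(users, asserted))
    print("trimmed match:", match_by_email(users, asserted, trim=True))
    print("collisions:", collisions_after_trim(users))
```

A non-empty result from `collisions_after_trim` means that cleaning up stored addresses would leave two accounts with the same email, so an email-based conversion prompt could no longer identify a single account.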

@pdurbin pdurbin assigned kcondon and unassigned pdurbin May 16, 2016

kcondon commented May 22, 2016

Was no longer able to reproduce, closing.

@kcondon kcondon closed this as completed May 22, 2016