Re: [rt-users] RT mysql / LDAP Auth

2010-05-12 Thread Julian Grunnell
-Original Message-
From: Mike Peachey [mailto:mike.peac...@jennic.com]
Sent: 10 May 2010 12:54
To: Julian Grunnell
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT  mysql / LDAP Auth

Julian Grunnell wrote:
 Hi - hoping someone can help me, I'm trying to get the
 RT::Authen::ExternalAuth plugin to work so I can use LDAP for
 authentication. Just using mysql at the moment, so want to keep this as
 well. Running RT 3.8.5 on Centos, I'd like mysql auth first and then
 LDAP next. I've managed to configure this without any errors and my
 mysql authentication still works after a httpd restart. However LDAP
 auth never works, I'm not that familiar with LDAP so am hoping if I
 provide my config and rt.log below someone might be able to point me in
 the right direction:

Looks like the whole thing is dying during the MySQL check.

1. Provide the whole config
2. Are you sure you're supposed to be using ExternalAuth for MySQL auth?
Are you actually using it to check against an external MySQL source, or
are you trying to use MySQL to check RT's own database?

[] 

The whole config is:

##
## Local settings - overrides RT_Config.pm
##

Set($WebBaseURL, "https://xxx.xxx.xxx");
Set($rtname, 'xxx');
Set($Organization , "xxx");
Set($MinimumPasswordLength , 8);
Set($OwnerEmail , 'jul...@xxx.xxx');
Set($SMTPFrom, 'supp...@xxx.xxx');
Set($Timezone , 'GB/London');
Set($UsernameFormat, 'concise');
Set($OldestTransactionsFirst, '0');
Set($SenderMustExistInExternalDatabase);
Set($LogToSyslog, 'debug');
Set($UseFriendlyFromLine, 0);
Set($WebDomain, 'xxx.xxx.xxx');
Set($WebDefaultStylesheet, '3.5-default');
Set($WebPort, 443);
Set($MaxInlineBody, 148000);


## Display Webfusion logo / link
##
Set($WebImagesURL , $WebPath . "/NoAuth/images/");  # need this for below
Set($LogoURL, $WebImagesURL . "xxx-logo.png");
Set($LogoLinkURL, 'http://xxx.xxx.xxx');
Set($LogoImageURL, $WebImagesURL . "xxx.xxx.png");
Set($LogoAltText, "xxx");


# {{{ Logging

Set($LogToSyslog,'critical');
Set($LogToScreen, 'error');
Set($LogToFile  , 'debug');
Set($LogDir, '/opt/rt3/var/log/rt3');
Set($LogToFileNamed , "rt.log");#log to rt.log


#Set(@Plugins,(qw(RT::Extension::SLA)));
#Set( %ServiceAgreements,
#Default => '4h',
#QueueDefault => {
#'General' => '4h',
#},
#Levels => {
#'2h' => {
#   StartImmediately => 1,
#   Resolve => { RealMinutes => 60*2 } },
#'4h' => {
#   StartImmediately => 1,
#   Resolve => { RealMinutes => 60*4 } },
#},
#);


#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));


## MySQL / LDAP Configuration
#
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_MySQL',
'My_LDAP'
]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'My_MySQL',
'My_LDAP'
]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means use Net::SSLeay;
Set($ExternalServiceUsesSSLorTLS,0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#   Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,  {   # AN EXAMPLE DB SERVICE
    'My_MySQL'   =>  {  ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'      =>  'db',
        # The server hosting the service
        'server'    =>  'resolver-db.xxx.com',
        ## SERVICE-SPECIFIC SECTION
        # The database name
        'database'  =>  'rt3',
        # The database table
   

Re: [rt-users] Problems with permissions (bug?)

2010-05-12 Thread Markus.Kummer
Hi Ken ,hi Ruslan,

thank you for your advice.

I know that my rights config seems to be illogical, so let me explain why I 
started like this.

At the moment we have two departments working on incident reports in two 
queues. Both departments cannot see the other department's queue. Sometimes Dep. 
A needs to give a ticket to dep. B. In this case we follow a special workflow 
to realize that (Scrips).
Dep. A changes the status of a ticket in their queue to ext and writes a reply. 
This procedure creates a child ticket in the Queue of dep B. Then Dep B works 
on that ticket. Some activities in the dep B queue cause a synchronization with 
the ticket in the queue of dep A. After the ticket is resolved in dep B the 
status of the parent ticket in queue of dep A is set to fixed and the 
workflow ends.
This workflow causes a lot of confusion for the users. They forget to write a 
reply after changing the status to ext and so on.
To make it simpler we want to merge the two queues and find another way to 
separate the tickets of the two departments.

What I posted before was the first try. The intention is that the two 
departments get exactly one requestor for each queue. So they have to log in as 
those requestors to see all their tickets. If dep A wants to give a ticket to 
dep B it just changes the requestor to the one of dep B.

In the second step I want to give rights to the owners of the tickets too. Then 
the requestor of dep B changes the owner to the one who has to work on that 
ticket.  So if an owner logs in he sees all the tickets he has to work on.

Maybe this is the wrong way but I don't know what else to do.

Ken wrote:
 You granted some rights to Privileged and then granted the same rights again 
 to a couple groups.
The rights for Privileged I just applied because it was advised in a post to 
see the Queue in Quicksearch. Actually I don't want rights for privileged users.

Ruslan wrote:
 Sounds like it, but to be sure clean all sessions in the DB. 
Same behaviour after cleaning all sessions.

Best regards,

Markus

T-Systems International GmbH
SDU Telco NPS
Vorgebirgsstr. 49
53119 Bonn
Tel: + 49 228 9841 3820
E-Mail: markus.kum...@t-systems.com 

T-Systems International GmbH
Supervisory Board: René Obermann (Chairman)
Managing Board: Reinhard Clemens (Chairman), Dr. Ferri Abolhassan, Olaf 
Heyden, Joachim Langmack, Dr. Matthias Schuster, Klaus Werner
Commercial register: Amtsgericht Frankfurt am Main HRB 55933 Registered office: 
Frankfurt am Main WEEE-Reg.-Nr. DE87523644

-Original Message-
From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On behalf of 
Ruslan Zakirov
Sent: Tuesday, 11 May 2010 21:18
To: Kummer, Markus
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Problems with permissions (bug?)

On Tue, May 11, 2010 at 8:47 PM,  markus.kum...@t-systems.com wrote:
 Dear list,

 I'm using rt 3.8.8 and facing problems in setting up permissions for a queue.

 What I want is that users see the tickets they have requested in a certain 
 queue only.
 So user A cannot see tickets requested by user B and vice versa.

 So I applied the following rights

 - Configuration - Queues - Group rights

 Roles

 Requestor:

 - CommentOnTicket

Do you really want requestors to comment and see comments?

 - DeleteTicket
 - ForwardMessage
 - ModifyCustomField
 - ModifyTicket
 - OwnTicket

Requestor can own a ticket? Weird.

 - ReplyToTicket
 - SeeCustomField
 - ShowOutgoingEmail
 - ShowTicket
 - ShowTicketComments

 - StealTicket
 - TakeTicket

This is weird as well as OwnTicket.

 - Watch
 - WatchAsAdminCc

This is something weird too.



 User defined groups

 1_rt_eval

 - SeeQueue
 - CreateTicket

 2_rt_eval

 - SeeQueue
 - CreateTicket

 This basically works, but when a user logs in he finds an empty RT at a 
 glance page.
 But searching for his email address gives the expected results.
 So my only problem is that the Queue is not displayed in the Quicksearch.
 After a lot of searching in the mailing list archives I got some hints.

 I applied the following rights additionally:

 System groups

 Privileged:

 - SeeQueue
 - CreateTicket
 - ShowTicket

 After login the Quicksearch is populated with that queue but all tickets are 
 shown.
 So I removed the ShowTicket right from Privileged (while the user is still 
 logged in). After a reload of the RT at a glance page the user sees the queue 
 in the quicksearch. Following the link shows the correct tickets (the ticket 
 count is wrong but this doesn't matter).

 Everything fine so far, but when the user logs out and in again Quicksearch 
 is empty again. This is fully reproducible.

 Do I miss something here or is this a bug?

Sounds like it, but to be sure clean all sessions in the DB.

 Thanks for any help!

--
Best regards, Ruslan.

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


[rt-users] bug or misconfiguration? a requestor with see ticket permission could not add her/his created ticket as a child ticket in another queue

2010-05-12 Thread Payam Poursaied
Hi all

I'm not sure if this is a bug or misconfiguration or even proper situation
in RT:

This is the scenario:

The Customer Support A who has full access to CS queue, needs to ask NOC
staff (in NOC queue) regarding a specific case. Suppose Ticket #1 has been
created in CS queue.

Customer Support A has not full access to NOC queue. In NOC queue has been
defined Requestor has Show Ticket permission.

Customer Support A sends an email to NOC queue and received #2 as his/her
ticket number. She/he wants to add #2 as the child of Ticket #1. 

System says, you don't have permission.

 

 

Any idea?




Re: [rt-users] bug or misconfiguration? a requestor with see ticket permission could not add her/his created ticket as a child ticket in another queue

2010-05-12 Thread Emmanuel Lacour
On Wed, May 12, 2010 at 03:54:25PM +0430, Payam Poursaied wrote:
 Hi all
 
 I'm not sure if this is a bug or misconfiguration or even proper situation
 in RT:
 
 This is the scenario:
 
 The Customer Support A who has full access to CS queue, needs to ask NOC
 staff (in NOC queue) regarding a specific case. Suppose Ticket #1 has been
 created in CS queue.
 
 Customer Support A has not full access to NOC queue. In NOC queue has been
 defined Requestor has Show Ticket permission.
 
 Customer Support A sends an email to NOC queue and received #2 as his/her
 ticket number. She/he wants to add #2 as the child of Ticket #1. 
 
 System says, you don't have permission.
 

RT_Config.pm:

=item C<$StrictLinkACL>

When this feature is enabled a user needs I<ModifyTicket> rights on both
tickets to link them together, otherwise he can have rights on either of
them.

=cut

Set($StrictLinkACL, 1);
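
The rule quoted from RT_Config.pm, applied to the scenario in this thread, as an added example that is not RT's code and not part of the original message. It is a standalone Perl model: the ticket data, the ACL tables and the `has_right` / `can_link` helpers are all constructed for illustration and do not call RT.

```perl
#!/usr/bin/perl
# Added illustration: a standalone model of the StrictLinkACL rule.
# It does not call RT; every name and value below is constructed.
use strict;
use warnings;

# Constructed tickets mirroring the thread: #1 in CS, #2 in NOC.
my %ticket = (
    1 => { queue => 'CS',  requestor => 'customer'  },
    2 => { queue => 'NOC', requestor => 'support_a' },
);

# Constructed queue ACLs: rights granted to a user directly, and rights
# granted to whoever holds the Requestor role on a ticket in that queue.
my %acl = (
    CS  => { user => { support_a => [qw(ShowTicket ModifyTicket)] },
             role => { Requestor => [] } },
    NOC => { user => {},
             role => { Requestor => [qw(ShowTicket)] } },
);

# True if $user holds $right on ticket $id, directly or via the Requestor role.
sub has_right {
    my ($user, $id, $right) = @_;
    my $t = $ticket{$id} or return 0;
    my $q = $acl{ $t->{queue} };
    my @got = @{ $q->{user}{$user} || [] };
    push @got, @{ $q->{role}{Requestor} } if $t->{requestor} eq $user;
    return scalar grep { $_ eq $right } @got;
}

# The rule as the RT_Config.pm text states it: strict needs ModifyTicket on
# both tickets, non-strict accepts ModifyTicket on either one.
sub can_link {
    my ($user, $base, $target, $strict) = @_;
    my $on_base   = has_right($user, $base,   'ModifyTicket');
    my $on_target = has_right($user, $target, 'ModifyTicket');
    return $strict ? ($on_base && $on_target) : ($on_base || $on_target);
}

# The request from the thread, under both settings.
for my $strict (1, 0) {
    printf "StrictLinkACL=%d: support_a making #2 a child of #1: %s\n",
        $strict, can_link('support_a', 1, 2, $strict) ? 'allowed' : 'denied';
}

# Review aid: tickets support_a cannot modify but could still attach links
# to when the strict check is off.
for my $id (sort { $a <=> $b } keys %ticket) {
    next if has_right('support_a', $id, 'ModifyTicket');
    print "non-strict lets support_a link to ticket #$id without ModifyTicket on it\n"
        if grep { can_link('support_a', $_, $id, 0) } keys %ticket;
}
```

With the strict check off, ModifyTicket in any one queue is enough to attach links to tickets in queues where the user only has ShowTicket, so loosening the setting widens what queue-restricted staff can change.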




[rt-users] Create Transactions without comment text.

2010-05-12 Thread Raimund Sacherer
Hi,

For me the squelch thingy is not working at all, I need to be able to say at 
resolve-time that NO email will be sent to everyone (including requestor). the 
squelch seems only be concerned about cc and admincc's and whatnot, but I never 
managed to get the requesters email address to be displayed and selectable as 
well, so I try to do this:

I created a customfield MuteResolve (like here: 
http://wiki.bestpractical.com/view/MuteResolve)
Modified the onresolve scrip as well like indicated.

Now, The only remaining problem is that setting this value will only be stored 
when I enter a text in the comment field as well. Without a text in the 
commentfield the transaction-custom-fields will not get stored.

I do not understand why, what has the customfield to do with a comment I enter 
or not? What If I only want to modify some transaction custom fields without 
having a comment at all? 

All I want is the possibility for my users to be able to not send mails to the 
requestors on resolve ... without much fuss ... 

any help is greatly appreciated,

best
Ray


-
RunSolutions
 Open Source It Consulting
-
Email: r...@runsolutions.com

Parc Bit - Centro Empresarial Son Espanyol
Edificio Estel - Local 3D
07121 -  Palma de Mallorca
Baleares



[rt-users] Upgrade Directory

2010-05-12 Thread borngunners



I need to know where the extracted src 3.8.8 has to be during the upgrade from 
3.8.4. Do I have to copy the entire directory to the current 3.8.4 directory 
before doing the upgrade? I have read the README and there is nowhere in 
there that they stated it.

Honestly, I will need a step by step instruction to do the upgrade. I have 
never done the upgrade before. And I am new to the whole RT setup, I just took 
over a position and they wanted me to upgrade to the latest version.


Thanks


Re: [rt-users] Upgrade Directory

2010-05-12 Thread Emmanuel Lacour
On Wed, May 12, 2010 at 10:29:44AM -0400, borngunn...@aol.com wrote:
 
 
 
 I need to know where the extracted src 3.8.8 has to be during the
 upgrade from 3.8.4. Do I have to copy the entire directory to the
 current 3.8.4 directory before doing the upgrade? I have read the
 README and there is nowhere in there that they stated it.
 

just follow GENERAL INSTALLATION in README, upgrade instructions are
provided when needed.

to quickly answer, you untar RT in another directory than your
production one (some kind of src or tmp directory). You follow steps the
same as for installation, but:

- you read UPGRADING file
- you run make upgrade instead of make install

but once again, read carefully README file, everything you need is
inside.

PS: don't forget to backup before upgrade...




Re: [rt-users] Upgrade Directory

2010-05-12 Thread borngunners

I will try that. Thanks





Re: [rt-users] Problems with permissions (bug?)

2010-05-12 Thread Kenneth Crocker
Markus,

Not wanting to sound critical or anything, it sounds like you're going the
long way around the barn on this workflow.

First, why do you want two different groups working on basically the same
ticket?

Second, if these two groups must work in sync with each other on the same
ticket, why create a child? Why not a DependsOn or RefersTo ticket?

Third, if people are forgetting to write replies, why not send a
notification template based on the same condition you use when you create
that other ticket?

Fourth, if these two groups do NOT have to work on the same ticket *at the
same time*, but follow a *consecutive* ownership type flow, then just change
the Queue after one group is finished with their work and while doing that,
change the owner to Nobody and the status and anything else you need when
you change the Queue?

Anyway, to be able to really assist, I would need to understand your
workflow; the why's and wherefores. There's always more than one way to skin
the cat.

Hope this helps.

Kenn
LBNL


[rt-users] DBD::mysql::st execute failed: Error on rename of './cerb_rt3/Attachments' to './cerb_rt3/#sql2-6f9-1395' (errno: -1)

2010-05-12 Thread Paul Synnott
Trying to populate the rt3 database:

[r...@ambitaa4 rt]# make initialize-database
/usr/local/bin/perl -I/home/cerb/www/rt3/local/lib -I/home/cerb/www/rt3/lib sbin/rt-setup-database --action init --dba root --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to your  mysql instance on localhost as root
Please specify that user's database password below. If the user has no database
password, just press return.

Password: 
Working with:
Type:   mysql
Host:   localhost
Name:   cerb_rt3
User:   cerb_cerb
DBA:root
Now creating a mysql database cerb_rt3 for RT.
Done.
Now populating database schema.
DBD::mysql::st execute failed: Error on rename of './cerb_rt3/Attachments' to './cerb_rt3/#sql2-6f9-13a7' (errno: -1) at /home/cerb/public_html/rt/sbin/../lib/RT/Handle.pm line 506.
make: *** [initialize-database] Error 255




Any ideas?
