Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-17 Thread Jeff Solberg
For your ‘server’ try using IP rather than hostname.
Second for the ‘user’ field try using the DN name for your AD Binding 
user…{cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps..

Jeff



From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, 
please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'domain_controller.example.com',
        'base'            => 'dc=example,dc=com',
        'user'            => 'rtuser',
        'pass'            => '',
        'filter'          => '(ObjectClass=*)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },

They aren't working. Whenever someone attempts an initial login with just their 
username (which should create their RT account) the following error is logged:
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at 
/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 
line 613.
Oct 17 15:02:29 zen-rt RT: [23131] 
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , 
EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set 
user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or 
example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those 
settings are
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName


I know they don't match up exactly in terms of what Openfire calls the settings 
vs. what RT does, but I'm hoping someone can help me sort out what should be 
plugged in where on the RT side. For example, I don't know what the group_attr 
or group_attr_value setting should contain (if anything) in the 
RT_SiteConfig.pm file. Basically, anything from the group settings.

-Mathew

When you do things right, people won't be sure you've done anything at all. - 
God; Futurama

We'll get along much better once you accept that you're wrong and neither am 
I. - Me


Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-17 Thread Jeff Solberg
You shouldn’t need to preface the domain in your username string. Also to enter 
in an OU with 2 words just simply enter it as “OU=Special Accounts”.

To verify the CN name for your Bind account in AD, do a find/search on your 
bind user account, right-click on the object and select Properties. Choose the 
Attribute Editor tab and scroll down to “distinguishedName”. This will give 
you the exact name.

Jeff

From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:40 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP 
settings, please

I didn't know the OU until a few moments ago so I only entered 
cn=user,dc=example,dc=com. That did seem to make a difference. However, I'm 
still not able to log in. Perhaps for other reasons, though:

Oct 17 16:33:11 zen-rt RT: [24525] 
RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: 
LDAP_INVALID_CREDENTIALS 49
Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 
192.168.236.102

I know I'm entering my username and password correctly and have again tried 
just the username, example\username, and example.com\username. I'm wondering 
if the LDAP_INVALID_CREDENTIALS error is because of the missing OU. I do know 
it now, but how do I enter an OU that has two words? I was told it is 
example.com/Special Accounts.

-Mathew


[rt-users] RTFM and Self Service portal

2013-08-19 Thread Jeff Solberg
All,

I am getting ready to start publishing some articles to my end user base using 
Articles. I have set up my class and have created some content for testing 
purposes. I am following the introduction.pod file in /lib/RT/PM from the 
RTFM-2.4.5.tar stack. Per this document and other resources on the web state 
that if I grant the Unprivileged User group the ShowArticle permission on any 
class I have created the end user should see a search box enabling them to 
search KB articles we the IT staff have written. This is not the case however. 
I see a search box to search tickets and when I search for an article it 
errors out saying it cannot find the ticket it is trying to search for.

I am running RT 4.0.7 on Debian 6.

Any suggestions?

Jeff


Re: [rt-users] ExternalAuth problems

2013-08-01 Thread Jeff Solberg
Try removing the extra '(' you have in front of qw in your set@plugin 
declaration.

Jeff





 Original message 
From: Brian Haupt brian.s.ha...@ama-inc.com
Date: 08/01/2013 7:48 AM (GMT-08:00)
To: rt-users@lists.bestpractical.com
Subject: [rt-users] ExternalAuth problems


I am setting up a new Request Tracker 4.0.16 installation on CentOS 6.4. I am 
able to log into RT using the RT root password but I receive the following 
error when trying to login using my AD account

[Thu Aug  1 14:37:33 2013] [error]: FAILED LOGIN for $UserName from $IP_Address 
(/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:753)

Below is the relevant part of my RT_SiteConfig


Set($WebPort, 443);
Set($WebPath, "/rt");
Set($WebDomain, '$hostname.$PublicDomain');
Set($rtname, '$hostname');

Set($ExternalSettings, {
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        'type'     => 'ldap',

        'server'   => '$DC.$InternalNetwork',
        'user'     => '$AD_User@$InternalNetwork ',
        'pass'     => '$Password',

        'base'     => 'dc=$InternalNetwork',
        'filter'   => '(objectClass=*)',
        'attr_map' => {
            'Name'           => 'displayName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
});

# You must install Plugins on your own, this is only an example
# of the correct syntax to use when activating them.
# There should only be one @Plugins declaration in your config file.
Set(@MailPlugins, qw(Auth::MailFrom Filter::TakeAction));
Set(@Plugins,(qw(RT::Extension::CommandByMail RT::Authen::ExternalAuth)));

1;


Re: [rt-users] ExternalAuth problems

2013-08-01 Thread Jeff Solberg
When you removed the extra '(' did you also remove the extra ')' from the end 
of the declaration? Your plug in line should look like this

Set(@Plugins, qw(RT::Extension::CommandByMail RT::Authen::ExternalAuth));

Restart Apache..

If this doesn’t work go into RT as root then go into the system configuration

Tools --> Configuration --> Tools --> System Configuration

And see if the plugs are being set. Hope this helps.

Jeff


-Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Brian Haupt
Sent: Thursday, August 01, 2013 9:06 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth problems

I have tried removing the extra '(' as recommended but with no success. I have 
also tried changing
'user'  =>  '$AD_User@$InternalNetwork ', to
'user'  =>  'cn=$Username,cn=Users,dc=internal,dc=$DomainName,dc=com',

I also tried adding 
Set($LdapServer, 'ldaps://myDomainController.xxx.com');
Set($LdapTLS, 1);
Set($LdapSSLVersion, 3);

But none of these have yielded any better results.



[rt-users] Changing WebBase RT URL

2013-07-31 Thread Jeff Solberg
All,

I am in the final stages of standing up my new RT Instance! What a journey it 
has been. First off I want to say thanks for all the help I have gotten from 
this user base on getting where I am now. There were a few hurdles that took me 
for a whirlwind but with your help I got through them!

One more request from the IT manager is he wants the Web URL to be something 
simple like itsupport.{domain name}.com. From what I can see there are lines in 
the RTSite_Config.pm that contains the following

Set ($WebBaseURL , "http://hostname");
Set ($WebPath , "/rt");

Now doing a quick look and changing these to something I wanted did not work at 
all!

I got rid of the /rt and just left the web path as follows

Set ($WebPath , "");

And changed the $WebBaseURL to

Set ($WebBaseURL , "http://itsupport.{domainname}.com");

Then created a DNS entry for this. So my questions are this;

A) Did I even come close to getting this to work?
B) Are there apache type configs that also need to be made to get this to work?

I am running RT 4.0.7 running on Debian Linux.

Thanks again!

Jeff


[rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules

2013-07-02 Thread Jeff Solberg
Since I was unable to get the RT External Auth setup working with my Active 
Directory Environment I have been looking at other solutions in getting my AD 
users logging into RT. I have seen you can use Apache to handle Authentication 
but that method really doesn't look all that attractive to me. I have now seen 
there is an LDAP import tool that can import users in RT. Can this tool import 
the users from my Active Directory Server and when they go to log in will it 
look to the LDAP server to validate the user's password? Or does it store 
everything local in the MYSQL Database? In a perfect world I would get the 
External Auth working but I for the life of me cannot pinpoint the disconnect 
that is in place. Please any advice on this would be grateful. Thanks.

Jeff


Re: [rt-users] External Auth config with RT on Debian

2013-07-02 Thread Jeff Solberg

Kevin,

In System Configuration in the Web UI I show the following being read in RT. 

LogToFile       'debug'                     site config
LogToFileNamed  'rt.log'                    site config
LogToScreen     'debug'                     site config
LogToSyslog     ''                          site config
Plugins         'RT::Authen::ExternalAuth'  site config

Then under loaded Perl Modules I see

RT::Authen::ExternalAuth  0.16
/usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm

I would definitely agree with you that the plugin is not being run because I 
have done TCP Packet dumps as I was logging in and there is no activity being 
sent to my LDAP Server/DC. Oddly enough one would think that with the debugging 
set it would be telling me something. As I stated earlier the only message 
being logged in RT.LOG is the FAILED LOGON message. I will look at the 
permissions on the plugin. Should it be readable by www-data? Thanks again for 
your help on this. I really need to get this working so I can then move on to 
the next phase and tailor it to my company's needs.

Jeff


- -Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, July 02, 2013 10:05 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential


On Mon, Jul 01, 2013 at 05:59:53PM +, Jeff Solberg wrote:
 
 Added the following to my site config:

Go back to the System Configuration page and confirm that you see these 
settings being read by RT.

If you have the Plugin installed, and the logging configured, then it isn't 
being run.  The next things to check are permissions.  Can the webserver read 
the callbacks provided by the extension and are they being run.

- -kevin

 #logging
 Set($LogToSyslog, '');
 Set($LogToScreen, 'debug');
 Set($LogToFile  , 'debug');
 Set($LogDir, '/var/log/request-tracker4');
 Set($LogToFileNamed , "rt.log");#log to rt.log
 
 # end   /etc/request-tracker4/RT_SiteConfig.d/logging
 
 And restarted apache2, I tried to log in with domain account and this 
 is what is being logged to rt.log
 
 root@admin-rt4:/var/log/request-tracker4# cat rt.log [Mon Jul  1 
 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the 
 config. Not setting this option results in additional SQL queries to 
 check whether each address belongs to RT or not. It is especially 
 important to set this option if RT recieves emails on addresses that 
 are not in the database or config. 
 (/usr/share/request-tracker4/lib/RT/Config.pm:454)
 [Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) 
 does NOT match the configured WebDomain (localhost). Perhaps you 
 should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise 
 your internal links may be broken. 
 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
 [Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 
 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
 [Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 
 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
 [Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for 
 jsolb...@x.com from 10.10.30.63 
 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
 
 My guess is the debugging options is not telling us much :(
 
 Jeff
 
 
 

Re: [rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules

2013-07-02 Thread Jeff Solberg
Thanks Nathan. I apologize for not seeing that these responses were only 
directed at you and not the list. Sigh. I will try to find time here shortly to 
sit down and configure the LDAPImport and see if I have any success getting it 
doing the right thing. I will post my results. Again, thanks for all your help.

Jeff

-Original Message-
From: Nathan Cutler [mailto:presnyprek...@gmail.com] 
Sent: Tuesday, July 02, 2013 1:30 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Extension-LDAPImport vs RT External Auth plugin 
modules

 The RT Server itself is bound by LDAP Authentication using libpam-ldap 
 modules. So Active Directory Authentication is definitely working as I am 
 logging into this machine with my AD creds. It is binding using the same 
 username and password that I have in my RT External Auth config. I haven’t 
 set up the RT-Extension-LDAP module yet. I just wanted to get some insight on 
 how it worked compared to the other. Will this module work standalone or do 
 you have to use it in conjunction with the RT External Auth plugin?

Hi Jeff:

(Be sure to reply to the list)

As Kevin just wrote, LDAPImport is useless for authentication, so you would 
only want to use it if you need to get info (not passwords) for a bunch of 
users into the RT database all at once. The reason why I recommended it was 
that bind w/password might be more difficult to get working than anonymous 
bind, which is what LDAPImport uses. So LDAPImport might be a stepping stone 
to ExternalAuth.

Just an idea.


Re: [rt-users] External Auth config with RT on Debian

2013-07-02 Thread Jeff Solberg

After opening up the permissions on the directory where the External Auth 
Plugin lives (/usr/local/share/request-tracker4/) to my apache user I am now 
able to get logged into RT with an AD user! Prior to doing this root owned 
all these directories with only read permissions.

And looking at the logs I am now seeing a ton of chatter relating to this. 
Thanks for all your help.

Jeff


- -Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, July 02, 2013 1:24 PM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential


On Tue, Jul 02, 2013 at 05:22:32PM +, Jeff Solberg wrote:
 
 Kevin,
 
 In System Configuration in the Web UI I show the following being read in RT. 
 
 LogToFile       'debug'                     site config
 LogToFileNamed  'rt.log'                    site config
 LogToScreen     'debug'                     site config
 LogToSyslog     ''                          site config
 Plugins         'RT::Authen::ExternalAuth'  site config
 
 Then under loaded Perl Modules I see
 
 RT::Authen::ExternalAuth  0.16
 /usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
 
 I would definitely agree with you that the plugin is not being run because I 
 have done TCP Packet dumps as I was logging in and there is no activity being 
 sent to my LDAP Server/DC. Oddly enough one would think that with the 
 debugging set it would be telling me something. As I stated earlier the only 
 message being logged in RT.LOG is the FAILED LOGON message. I will look at 
 the permissions on the plugin. Should it be readable by www-data? Thanks 
 again for your help on this. I really need to get this working so I can then 
 move on to the next phase and tailor it to my company's needs.

It should be readable by the user your webserver runs as.
Clearly the perl module loads, but the Mason components (under the html 
directory in the plugin) don't seem to be running.

There will be no extra debugging unless the plugin is running.

- -kevin
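
A read-only check of what Kevin describes in this message: whether the account the web server runs as can read every file and traverse every directory under the plugin tree, and whether it can also write to any of them, which a permissions change made to fix the login should not leave behind. This Perl script is an added example, not from the thread or from RT; `audit_tree`, `effective_bits`, the demo tree and the `nobody` account are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: report plugin files the web server account cannot read
# (the failure in this thread) and any it would be able to modify.
# Run it as root so the walk itself is not blocked by the same permissions.
# Ancestors of the given directory are not checked.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Find;
use File::Temp qw(tempdir);

# rwx bits (0-7) that $uid, a member of the groups in %$gids, gets from a mode.
sub effective_bits {
    my ($uid, $gids, $mode, $owner, $group) = @_;
    return 7 if $uid == 0;                            # root is not bound by them
    return (($mode >> 6) & 7) if $uid == $owner;      # owner class
    return (($mode >> 3) & 7) if $gids->{$group};     # group class
    return $mode & 7;                                 # everyone else
}

# Hypothetical helper: walk $root and return findings for account $user.
sub audit_tree {
    my ($root, $user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "no such account: $user\n";

    # Primary group plus every group that lists the account as a member.
    my %gids = ($gid => 1);
    setgrent;
    while (my (undef, undef, $g, $members) = getgrent) {
        $gids{$g} = 1 if grep { $_ eq $user } split ' ', $members // '';
    }
    endgrent;

    my @findings;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        my @st = stat($path) or return;               # skip dangling symlinks
        my $bits = effective_bits($uid, \%gids, @st[2, 4, 5]);
        my $need = S_ISDIR($st[2]) ? 5 : 4;           # dirs: r+x, files: r
        push @findings, "UNREADABLE $path" if ($bits & $need) != $need;
        push @findings, "WRITABLE   $path" if $bits & 2;
    } }, $root);
    return sort @findings;
}

# With no arguments, audit a constructed tree for the 'nobody' account
# (assumed to exist); otherwise: perl audit.pl <plugin-dir> <web-user>
my ($root, $user) = @ARGV;
unless (defined $user) {
    ($root, $user) = (tempdir(CLEANUP => 1), 'nobody');
    mkdir "$root/$_" or die "mkdir $_: $!\n" for qw(lib html);
    open my $fh, '>', "$root/lib/ExternalAuth.pm" or die "open: $!\n";
    close $fh;
    chmod 0755, $root, "$root/lib";
    chmod 0700, "$root/html";                 # owner-only: Mason components hidden
    chmod 0666, "$root/lib/ExternalAuth.pm";  # world-writable: too open
}
print "$_\n" for audit_tree($root, $user);
```

On the constructed tree the `html` directory is reported as UNREADABLE and the world-writable module as WRITABLE; a tree that is correct for the web server account produces no output.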



Re: [rt-users] External Auth config with RT on Debian

2013-07-01 Thread Jeff Solberg

Thanks for your reply. In the sys config it shows the following under PLUGINS:

Plugins   [
'RT::Authen::ExternalAuth'
  ]

Jeff



- -Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:14 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential


On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
 Default settings till here
 #PLUGINS
 Set( @Plugins, qw(RT::Authen::ExternalAuth));
 
 #External Auth Settings
 
 Set($ExternalAuthPriority, [ 'My_LDAP',] );
 Set($ExternalInfoPriority, [ 'My_LDAP',] );
 Set($ExternalServiceUsesSSLorTLS, 0);
 Set($AutoCreateNonExternalUsers, 0);
 Set($ExternalSettings, {
     'My_LDAP' => {
         'type'             => 'ldap',
         'server'           => 'dc2.xx.com',
         'user'             => 'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
         'pass'             => 'xxx',
         'base'             => 'dc=,dc=com',
         'filter'           => '((ObjectCategory=User)(ObjectClass=Person))',
         'd_filter'         => '(userAccountControl:1.2.840.113556.1.4.803=2)',
         'group'            => 'cn=Domain Users,ou=Groups_Security,dc=x,dc=com',
         'group_attr'       => 'member',
         'tls'              => 0,
         'ssl_version'      => 3,
         'net_ldap_args'    => [ version => 3, port => 3268 ],
         'group_scope'      => 'base',
         'group_attr_value' => 'GROUP_ATTR_VALUE',
         'attr_match_list'  => [
             'Name',
             'EmailAddress',
             'RealName',
         ],
         'attr_map' => {
             'Name'           => 'sAMAccountName',
             'EmailAddress'   => 'mail',
             'Organization'   => 'physicalDeliveryOfficeName',
             'RealName'       => 'cn',
             'ExternalAuthId' => 'sAMAccountName',
             'Gecos'          => 'sAMAccountName',
             'WorkPhone'      => 'telephoneNumber',
             'Address1'       => 'streetAddress',
             'City'           => 'l',
             'State'          => 'st',
             'Zip'            => 'postalCode',
             'Country'        => 'co'
         },
     },
     # An example SSO cookie service
     'My_SSO_Cookie' => {
         'type'            => 'cookie',
         'name'            => 'loginCookieValue',
         'u_table'         => 'users',
         'u_field'         => 'username',
         'u_match_key'     => 'userID',
         'c_table'         => 'login_cookie',
         'c_field'         => 'loginCookieValue',
         'c_match_key'     => 'loginCookieUserID',
         'db_service_name' => 'My_MySQL'
     },
 } );
 
 1;
 
 I then use update-rt-siteconfig to merge these settings into 
 RT_SiteConfig.pm. From what I read this is all correct and Should 
 allow AD accounts to log in. Here is what is logging in the apache2 error log:
 
 [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) 
 does NOT match the configured WebDomain (localhost). Perhaps you 
 should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise 
 your internal links may be broken.
 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
 [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for 
 jsolb...@xx.com from 10.10.30.62 
 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
 [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from
 10.10.30.62 ( /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
 [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from
 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
 root@admin-rt4:/usr/share/request-tracker4/lib#

Navigate to Tools -> Configuration -> System Configuration and check that 
Plugins contains RT::Authen::ExternalAuth.


- -kevin
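
The settings quoted in this message, and the 'AD' settings from the 2013-10-17 thread, can be checked offline before Apache is restarted. The Perl script below is an added example, not code from this thread or from RT::Authen::ExternalAuth; `lint_external_settings` and the sample hash are constructed for illustration, and the checks are this example's own rather than validation the plugin performs.

```perl
#!/usr/bin/perl
# Added example: offline lint for an RT::Authen::ExternalAuth settings hash.
# The checks are this example's own; the plugin does not perform them.
use strict;
use warnings;

# Constructed sample, modelled on the settings quoted in these threads.
my $ExternalSettings = {
    'My_LDAP' => {
        'type'             => 'ldap',
        'server'           => 'dc2.example.com',
        'user'             => 'rtuser',
        'pass'             => '',
        'base'             => 'dc=example,dc=com',
        'filter'           => '((ObjectCategory=User)(ObjectClass=Person))',
        'tls'              => 0,
        'net_ldap_args'    => [ version => 3, port => 3268 ],
        'group_attr'       => 'member',
        'group_attr_value' => 'GROUP_ATTR_VALUE',
        'attr_match_list'  => [ 'Name', 'EmailAddress' ],
        'attr_map'         => { 'Name' => 'sAMAccountName', 'RealName' => 'cn' },
    },
    'My_SSO_Cookie' => { 'type' => 'cookie', 'db_service_name' => 'My_MySQL' },
};

# One RDN (attr=value, backslash escapes allowed) and a DN of two or more RDNs.
my $RDN = qr/[A-Za-z][\w.-]*\s*=\s*(?:[^,\\]|\\.)+/;
my $DN  = qr/^$RDN(?:,\s*$RDN)+$/;

# Hypothetical helper: returns "service: message" strings for a settings hashref.
sub lint_external_settings {
    my ($settings) = @_;
    my @findings;
    for my $name (sort keys %$settings) {
        my $svc  = $settings->{$name};
        my $type = $svc->{type} // '';
        my $note = sub { push @findings, "$name: $_[0]" };

        # Values left as the sample config's upper-case placeholders.
        for my $key (sort keys %$svc) {
            my $val = $svc->{$key};
            next if !defined($val) || ref($val);
            $note->("'$key' still holds the placeholder '$val'") if $val eq uc($key);
        }
        if ($type eq 'cookie') {
            my $db = $svc->{db_service_name};
            $note->("db_service_name '$db' is not defined in these settings")
                if defined($db) && !exists $settings->{$db};
        }
        next unless $type eq 'ldap';

        # The thread's advice: bind with the account's full DN.
        my ($user, $pass) = map { $svc->{$_} // '' } qw(user pass);
        $note->("'user' is '$user', not a distinguishedName")
            if length($user) && $user !~ $DN;
        # RFC 4513 5.1.2: a name with an empty password is an unauthenticated bind.
        $note->("'user' is set but 'pass' is empty")
            if length($user) && !length($pass);

        # Plain LDAP with simple bind sends passwords unencrypted.
        my %args = @{ $svc->{net_ldap_args} || [] };
        my $encrypted = $svc->{tls}
            || ($svc->{server} // '') =~ m{^ldaps://}i
            || ($args{scheme} // '') eq 'ldaps';
        $note->("no TLS: bind and login passwords cross the network in clear text")
            unless $encrypted;

        for my $key (qw(filter d_filter)) {
            my $f = $svc->{$key} // next;
            my ($depth, $bad) = (0, 0);
            for my $c ($f =~ /[()]/g) {
                $depth += $c eq '(' ? 1 : -1;
                $bad ||= $depth < 0;
            }
            $note->("'$key' has unbalanced parentheses") if $bad || $depth;
            # RFC 4515: '(' must be followed by &, |, ! or an attribute item.
            $note->("'$key' opens '((' with no &, | or ! operator")
                if $f =~ /\(\s*\(/;
        }

        # Every attribute used for matching needs an LDAP attribute to map to.
        my $map = $svc->{attr_map} || {};
        for my $attr (@{ $svc->{attr_match_list} || [] }) {
            $note->("attr_match_list entry '$attr' has no attr_map entry")
                unless exists $map->{$attr};
        }
    }
    return @findings;
}

my @findings = lint_external_settings($ExternalSettings);
print "$_\n" for @findings ? @findings : ('no findings');
```

To check a real configuration, replace the sample hash with the hash passed to `Set($ExternalSettings, ...)` in RT_SiteConfig.pm.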



Re: [rt-users] External Auth config with RT on Debian

2013-07-01 Thread Jeff Solberg

Do I just add the $SetToLog options anywhere in the RT_SiteConfig.pm?

- -Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential


On Mon, Jul 01, 2013 at 04:24:51PM +, Jeff Solberg wrote:
  Navigate to Tools -> Configuration -> System Configuration and check that 
  Plugins contains RT::Authen::ExternalAuth.
  
 Thanks for your reply. In the sys config it shows the following under PLUGINS:
 
 Plugins   [
 'RT::Authen::ExternalAuth'
   ]

Great - now go make sure your $LogToScreen is set to 'debug' and log in again.

root will always be able to log in because

Re: [rt-users] External Auth config with RT on Debian

2013-07-01 Thread Jeff Solberg

Added the following to my site config:

#logging
Set($LogToSyslog, '');
Set($LogToScreen, 'debug');
Set($LogToFile  , 'debug');
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log");    #log to rt.log

# end   /etc/request-tracker4/RT_SiteConfig.d/logging

And restarted apache2. I tried to log in with a domain account and this is what 
is being logged to rt.log:

root@admin-rt4:/var/log/request-tracker4# cat rt.log
[Mon Jul  1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in 
the config. Not setting this option results in additional SQL queries to check 
whether each address belongs to RT or not. It is especially important to set 
this option if RT recieves emails on addresses that are not in the database or 
config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
[Mon Jul  1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT 
match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 
'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. 
(/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Mon Jul  1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 
(/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul  1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 
(/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul  1 17:53:05 2013] [error]: FAILED LOGIN for jsolb...@x.com from 
10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

My guess is the debugging options are not telling us much :(

Jeff



-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 04:24:51PM +, Jeff Solberg wrote:
  -----Original Message-----
  From: rt-users-boun...@lists.bestpractical.com 
  [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin 
  Falcone
  Sent: Monday, July 01, 2013 9:14 AM
  To: rt-users@lists.bestpractical.com
  Subject: [secure] Re: [rt-users] External Auth config with RT on 
  Debian
  Sensitivity: Confidential
  
  
  On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
   Default settings till here
   #PLUGINS
   Set( @Plugins, qw(RT::Authen::ExternalAuth));
   
   #External Auth Settings
   
   Set($ExternalAuthPriority, [ 'My_LDAP',] );
   Set($ExternalInfoPriority, [ 'My_LDAP',] );
   Set($ExternalServiceUsesSSLorTLS, 0);
   Set($AutoCreateNonExternalUsers, 0);
   Set($ExternalSettings, {
   'My_LDAP'   => {
   'type'              => 'ldap',
   'server'            => 'dc2.xx.com',
   'user'              => 'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
   'pass'              => 'xxx',
   'base'              => 'dc=,dc=com',
   'filter'            => '((ObjectCategory=User)(ObjectClass=Person))',
   'd_filter'          => '(userAccountControl:1.2.840.113556.1.4.803=2)',
   'group'             => 'cn=Domain Users,ou=Groups_Security,dc=x,dc=com',
   'group_attr'        => 'member',
   'tls'               => 0,
   'ssl_version'       => 3,
   'net_ldap_args'     => [ version => 3, port => 3268 ],
   'group_scope'       => 'base',
   'group_attr_value'  => 'GROUP_ATTR_VALUE',
   'attr_match_list'   => [
       'Name',
       'EmailAddress',
       'RealName',
   ],
   'attr_map'          => {
       'Name'           => 'sAMAccountName',
       'EmailAddress'   => 'mail',
       'Organization'   => 'physicalDeliveryOfficeName',
       'RealName'       => 'cn',
       'ExternalAuthId' => 'sAMAccountName',
       'Gecos'          => 'sAMAccountName',
       'WorkPhone'      => 'telephoneNumber',
       'Address1'       => 'streetAddress',
       'City'           => 'l',
       'State'          => 'st',
       'Zip'            => 'postalCode',
       'Country'        => 'co'
   },
   },
   # An example SSO cookie service
   'My_SSO_Cookie'  => {
       'type'            => 'cookie',
       'name'            => 'loginCookieValue',
       'u_table'         => 'users',
       'u_field'         => 'username',
       'u_match_key'     => 'userID',
       'c_table'         => 'login_cookie',
       'c_field'         => 'loginCookieValue',
       'c_match_key
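
Added example (not part of the thread, and not RT or RT::Authen::ExternalAuth code): a simplified RFC 4515 syntax check applied to the 'filter' and 'd_filter' strings as they appear in this archived copy of the config, next to well-formed variants constructed here. The names `check_filter`, `AS_SHOWN` and `WELL_FORMED` are hypothetical, and the check covers structure only (parentheses, operators, the ':=' of an extensible match), not value escaping. 'd_filter' is the setting that identifies disabled accounts, so a malformed one is worth catching before it reaches the directory.

```python
import re

# One filter item: attr [":dn"] [":" matchingrule] operator value (RFC 4515, simplified).
ITEM = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9;-]*|\d+(?:\.\d+)+)?"
    r"(?P<dn>:dn)?(?::(?P<rule>[A-Za-z0-9.-]+))?"
    r"(?P<op>:=|~=|>=|<=|=)(?P<value>[^()]*)$"
)

def _parse(f, i):
    """Parse one parenthesised filter starting at f[i]; return the index just past it."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, count, i = f[i], 0, i + 1
        while i < len(f) and f[i] == "(":
            i, count = _parse(f, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"'{op}' has {count} operand(s)")
    elif i < len(f) and f[i] == "(":
        raise ValueError(f"nested filter at offset {i} without &, | or !")
    else:
        end = f.find(")", i)
        m = ITEM.match(f[i:end]) if end >= 0 else None
        if not m:
            raise ValueError(f"malformed item starting at offset {i}")
        if m["op"] != ":=" and (m["rule"] or m["dn"]):
            raise ValueError("matching rule or :dn requires ':=' before the value")
        if not m["attr"] and not (m["op"] == ":=" and m["rule"]):
            raise ValueError(f"item at offset {i} has no attribute")
        i = end
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def check_filter(f):
    """Return None if f is a well-formed filter, else a description of the problem."""
    try:
        if _parse(f, 0) != len(f):
            return "trailing text after filter"
    except ValueError as e:
        return str(e)
    return None

# Strings copied from the config on this page, then constructed well-formed variants.
AS_SHOWN = ["((ObjectCategory=User)(ObjectClass=Person))", "(userAccountControl:1.2.840.113556.1.4.803=2)"]
WELL_FORMED = ["(&(ObjectCategory=User)(ObjectClass=Person))", "(userAccountControl:1.2.840.113556.1.4.803:=2)"]
for f in AS_SHOWN + WELL_FORMED:
    print(f"{check_filter(f) or 'OK':52} {f}")
```

Whether the missing '&' and ':' were lost in archiving or were in the original file cannot be told from the page; the check only shows that strings in this shape are not valid filters.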

[rt-users] Setting up requestor access to Self Service Web UI

2013-06-14 Thread Jeff Solberg
Hello,

I have been tasked with rolling out RT to our organization. So far so good. I was 
able to get RT 4.0.7 up and running on Debian Linux 7.0 (Wheezy).  Now it's down 
to the nuts and bolt tightening of this product to tailor it to our 
environment. One thing that I am contemplating is how, other than email, my end 
users will be able to track their own tickets without giving them access to all 
of the ticket queues I will be setting up. The email notifications are working 
ok, as in the end user will receive updates and will be able to see any comments 
the owner put into the tickets. Now onto setting up the self service part of 
the Web UI. I have looked through many articles on this and really haven't 
found anything that actually stated how to enable and set up the Self Service 
feature on a new installation of RT.  My goal is to have the end user click on 
a URL in the auto reply email that will direct them to the Self Service UI and 
also auto log them in without being prompted for a username and password (if 
possible). With that being said I guess I have 2 
questions: 1) How to set up Self Service and 2) How to (if possible) make it so 
an end user can click on a URL in the auto reply and auto log them in without 
Username and Password. Thanks in advance for any help in regards to this issue!

Jeff



-- 
RT Training in Seattle, June 19-20: http://bestpractical.com/training