Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
For your ‘server’ try using IP rather than hostname. Second, for the ‘user’ field try using the DN name for your AD Binding user… cn=some_user,ou=some_ou,dc=some_domain,dc=com

Hope this helps..

Jeff

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

    Set($ExternalSettings, {
        'AD' => {
            'type'            => 'ldap',
            'server'          => 'domain_controller.example.com',
            'base'            => 'dc=example,dc=com',
            'user'            => 'rtuser',
            'pass'            => '',
            'filter'          => '(ObjectClass=*)',
            'tls'             => 0,
            'ssl_version'     => 3,
            'net_ldap_args'   => [ version => 3 ],
            'attr_match_list' => [
                'EmailAddress',
            ],
            'attr_map' => {
                'Name'         => 'sAMAccountName',
                'EmailAddress' => 'mail',
                'RealName'     => 'cn',
            },

They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:

    Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
    Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
    Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
    Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those settings are

    ldap.autoFollowAliasReferrals = true
    ldap.autoFollowReferrals = false
    ldap.baseDN = dc=example,dc=com
    ldap.connectionPoolEnabled = true
    ldap.debugEnabled = false
    ldap.emailField = mail
    ldap.encloseDNs = true
    ldap.groupDescriptionField = description
    ldap.groupMemberField = member
    ldap.groupNameField = cn
    ldap.groupSearchFilter = (objectClass=group)
    ldap.host = domain_controller.example.com
    ldap.ldapDebugEnabled = false
    ldap.nameField = cn
    ldap.port = 389
    ldap.searchFilter = (objectClass=*)
    ldap.usernameField = sAMAccountName

I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the group settings.

-Mathew

When you do things right, people won't be sure you've done anything at all. - God; Futurama
We'll get along much better once you accept that you're wrong and neither am I. - Me
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
You shouldn’t need to preface the domain in your username string. Also to enter in an OU with 2 words just simply enter it as “OU=Special Accounts”..

To verify the CN name for your Bind account in AD, do a find/search on your bind user account, right-click on the object and select properties. Choose the Attribute Editor tab and scroll down to “distinguishedName”. This will give you the exact name.

Jeff

From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:40 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I didn't know the OU until a few moments ago so I only entered cn=user,dc=example,dc=com. That did seem to make a difference. However, I'm still not able to log in. Perhaps for other reasons, though:

    Oct 17 16:33:11 zen-rt RT: [24525] RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49
    Oct 17 16:33:11 zen-rt RT: [24525] FAILED LOGIN for example\user from 192.168.236.102

I know I'm entering my username and password correctly and have again tried just the username, example\username, and example.com\username.

I'm wondering if the LDAP_INVALID_CREDENTIALS error is because of the missing OU. I do know it now, but how do I enter an OU that has two words? I was told it is example.com/Special Accounts.

-Mathew

When you do things right, people won't be sure you've done anything at all. - God; Futurama
We'll get along much better once you accept that you're wrong and neither am I. - Me

On Thu, Oct 17, 2013 at 4:27 PM, Jeff Solberg jsolb...@intrepidls.com wrote:

> For your ‘server’ try using IP rather than hostname. Second, for the ‘user’ field try using the DN name for your AD Binding user… cn=some_user,ou=some_ou,dc=some_domain,dc=com
>
> Hope this helps..
[rt-users] RTFM and Self Service portal
All,

I am getting ready to start publishing some articles to my end user base using Articles. I have set up my class and have created some content for testing purposes. I am following the introduction.pod file in /lib/RT/PM from the RTFM-2.4.5.tar stack.

Per this document and other resources on the web state that if I grant the Unprivileged User group the ShowArticle permission on any class I have created the end user should see a search box enabling them to search KB articles we the IT staff have written. This is not the case however. I see a search box to search tickets and when I search for an article it errors out saying it cannot find the ticket it is trying to search for.

I am running RT 4.0.7 on Debian 6. Any suggestions?

Jeff
Re: [rt-users] ExternalAuth problems
Try removing the extra '(' you have in front of qw in your set@plugin declaration.

Jeff

From my Android phone on T-Mobile. The first nationwide 4G network.

-------- Original message --------
From: Brian Haupt brian.s.ha...@ama-inc.com
Date: 08/01/2013 7:48 AM (GMT-08:00)
To: rt-users@lists.bestpractical.com
Subject: [rt-users] ExternalAuth problems

I am setting up a new Request Tracker 4.0.16 installation on CentOS 6.4. I am able to log into RT using the RT root password but I receive the following error when trying to login using my AD account

    [Thu Aug 1 14:37:33 2013] [error]: FAILED LOGIN for $UserName from $IP_Address (/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:753)

Below is the relevant part of my RT_SiteConfig

    Set($WebPort, 443);
    Set($WebPath, "/rt");
    Set($WebDomain, '$hostname.$PublicDomain');
    Set($rtname, '$hostname');
    Set($ExternalSettings, {
        # AN EXAMPLE LDAP SERVICE
        'My_LDAP' => {
            'type'     => 'ldap',
            'server'   => '$DC.$InternalNetwork',
            'user'     => '$AD_User@$InternalNetwork ',
            'pass'     => '$Password',
            'base'     => 'dc=$InternalNetwork',
            'filter'   => '(objectClass=*)',
            'attr_map' => {
                'Name'           => 'displayName',
                'EmailAddress'   => 'mail',
                'RealName'       => 'cn',
                'ExternalAuthId' => 'sAMAccountName',
                'Gecos'          => 'sAMAccountName',
            },
        },
    });

    # You must install Plugins on your own, this is only an example
    # of the correct syntax to use when activating them.
    # There should only be one @Plugins declaration in your config file.
    Set(@MailPlugins, qw(Auth::MailFrom Filter::TakeAction));
    Set(@Plugins,(qw(RT::Extension::CommandByMail RT::Authen::ExternalAuth)));

    1;
Re: [rt-users] ExternalAuth problems
When you removed the extra '(' did you also remove the extra ')' from the end of the declaration? Your plug in line should look like this

    Set(@Plugins, qw(RT::Extension::CommandByMail RT::Authen::ExternalAuth));

Restart Apache.. If this doesn’t work go into RT as root then go into the system configuration

    Tools --> Configuration --> Tools --> System Configuration

And see if the plugs are being set.

Hope this helps.

Jeff

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Brian Haupt
Sent: Thursday, August 01, 2013 9:06 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] ExternalAuth problems

I have tried removing the extra '(' as recommended but with no success. I have also tried using changing

    'user' => '$AD_User@$InternalNetwork ',

to

    'user' => 'cn=$Username,cn=Users,dc=internal,dc=$DomainName,dc=com',

I also tried adding

    Set($LdapServer, 'ldaps://myDomainController.xxx.com');
    Set($LdapTLS, 1);
    Set($LdapSSLVersion, 3);

But none of these have yielded any better results.

-----Original Message-----
From: Jeff Solberg [mailto:jsolb...@intrepidls.com]
Sent: Thursday, August 01, 2013 11:23 AM
To: Brian Haupt; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] ExternalAuth problems

Try removing the extra '(' you have in front of qw in your set@plugin declaration.

Jeff

From my Android phone on T-Mobile. The first nationwide 4G network.

-------- Original message --------
From: Brian Haupt brian.s.ha...@ama-inc.com
Date: 08/01/2013 7:48 AM (GMT-08:00)
To: rt-users@lists.bestpractical.com
Subject: [rt-users] ExternalAuth problems

I am setting up a new Request Tracker 4.0.16 installation on CentOS 6.4.
[rt-users] Changing WebBase RT URL
All,

I am in the final stages of standing up my new RT Instance! What a journey it has been. First off I want to say thanks for all the help I have gotten from this user base on getting where I am now. There were a few hurdles that took me for a whirlwind but with your help I got through them!

One more request from the IT manager is he wants the Web URL to be something simple like itsupport.{domain name}.com. From what I can see there are lines in the RT_SiteConfig.pm that contain the following

    Set ($WebBaseURL , "http://hostname");
    Set ($WebPath , "/rt");

Now doing a quick look and changing these to something I wanted did not work at all! I got rid of the /rt and just left the web path as follows

    Set ($WebPath , "");

And changed the $WebBaseURL to

    Set ($WebBaseURL , "http://itsupport.{domainname}.com");

Then created a DNS entry for this.

So my questions are this:

A) Did I even come close to getting this to work?
B) Are there apache type configs that also need to be made to get this to work?

I am running RT 4.0.7 running on Debian Linux.

Thanks again!

Jeff
[rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules
Since I was unable to get the RT External Auth setup working with my Active Directory Environment I have been looking at other solutions in getting my AD users logging into RT. I have seen you can use Apache to handle Authentication but that method really doesn't look all that attractive to me.

I have now seen there is an LDAP import tool that can import users in RT. Can this tool import the users from my Active Directory Server and when they go to login will it look to the LDAP server to validate the users password? Or does it store everything local in the MYSQL Database?

In a perfect world I would get the External Auth working but I for the life of me cannot pinpoint the disconnect that is in place. Please any advice on this would be grateful. Thanks.

Jeff
Re: [rt-users] External Auth config with RT on Debian
Kevin,

In System Configuration in the Web UI I show the following being read in RT.

    LogToFile        'debug'                      site config
    LogToFileNamed   'rt.log'                     site config
    LogToScreen      'debug'                      site config
    LogToSyslog      ''                           site config
    Plugins          'RT::Authen::ExternalAuth'   site config

Then under loaded Perl Modules I see

    RT::Authen::ExternalAuth   0.16   /usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm

I would definitely agree with you that the plugin is not being run because I have done TCP Packet dumps as I was logging in and there is no activity being sent to my LDAP Server/DC. Oddly enough one would think that with the debugging set it would be telling me something. As I stated earlier the only message being logged in RT.LOG is the FAILED LOGON message.

I will look at the permissions on the plugin. Should it be readable by www-data?

Thanks again for your help on this. I really need to get this working so I can then move on to the next phase and tailor it to my company's needs.

Jeff

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, July 02, 2013 10:05 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 05:59:53PM +, Jeff Solberg wrote:
> Added the following to my site config:

Go back to the System Configuration page and confirm that you see these settings being read by RT.

If you have the Plugin installed, and the logging configured, then it isn't being run. The next things to check are permissions. Can the webserver read the callbacks provided by the extension and are they being run.
Re: [rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules
Thanks Nathan. I apologize for not seeing that these responses were only directed at you and not the list. Sigh. I will try to find time here shortly to sit down and configure the LDAPImport and see if I have any success getting it doing the right thing. I will post my results. Again, thanks for all your help.

Jeff

-----Original Message-----
From: Nathan Cutler [mailto:presnyprek...@gmail.com]
Sent: Tuesday, July 02, 2013 1:30 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT-Extension-LDAPImport vs RT External Auth plugin modules

> The RT Server itself is bound by LDAP Authentication using libpam-ldap modules. So Active Directory Authentication is definitely working as I am logging into this machine with my AD creds. It is binding using the same username and password that I have in my RT External Auth config.
>
> I haven’t set up the RT-Extension-LDAP module yet. I just wanted to get some insight on how it worked compared to the other. Will this module work standalone or do you have to use it in conjunction with the RT External Auth plugin?

Hi Jeff:

(Be sure to reply to the list)

As Kevin just wrote, LDAPImport is useless for authentication, so you would only want to use it if you need to get info (not passwords) for a bunch of users into the RT database all at once.

The reason why I recommended it was that bind w/password might be more difficult to get working than anonymous bind, which is what LDAPImport uses. So LDAPImport might be a stepping stone to ExternAuth. Just an idea.
Re: [rt-users] External Auth config with RT on Debian
After opening up the permissions on the directory where the External Auth Plugin lives (/usr/local/share/request-tracker4/) to my apache user I am now able to get logged into RT with an AD user! Prior to doing this root owned all these directories with only read permissions.. And looking at the logs I am now seeing a ton of chatter relating to this.

Thanks for all your help.

Jeff

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, July 02, 2013 1:24 PM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Tue, Jul 02, 2013 at 05:22:32PM +, Jeff Solberg wrote:
> Kevin,
>
> In System Configuration in the Web UI I show the following being read in RT.
>
>     LogToFile        'debug'                      site config
>     LogToFileNamed   'rt.log'                     site config
>     LogToScreen      'debug'                      site config
>     LogToSyslog      ''                           site config
>     Plugins          'RT::Authen::ExternalAuth'   site config
>
> Then under loaded Perl Modules I see
>
>     RT::Authen::ExternalAuth   0.16   /usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>
> I would definitely agree with you that the plugin is not being run because I have done TCP Packet dumps as I was logging in and there is no activity being sent to my LDAP Server/DC. Oddly enough one would think that with the debugging set it would be telling me something. As I stated earlier the only message being logged in RT.LOG is the FAILED LOGON message.
>
> I will look at the permissions on the plugin. Should it be readable by www-data?
>
> Thanks again for your help on this. I really need to get this working so I can then move on to the next phase and tailor it to my company's needs.

It should be readable by the user your webserver runs as.
Clearly the perl module loads, but the Mason components (under the html directory in the plugin) don't seem to be running. There will be no extra debugging unless the plugin is running.

-kevin
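The fix in this message was a permissions change, so the check below, an added example that is not code from the thread or from RT, lists what a given account cannot read under a plugin tree and also what it can write, since the web server only needs read and traverse access. It assumes plain owner/group/other mode bits (no ACLs or supplementary groups); the function names, the `--demo` switch and the sample tree are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a plugin tree from the point of
# view of the web server account.
#   UNREADABLE = the account cannot read the file / list and enter the directory
#   WRITABLE   = the account could modify code that the application executes
# Assumption: only owner/group/other mode bits are evaluated.

# Entries of type $4 under $1 where the permission class that applies to
# user $2 / group $3 is missing bits of mask $5 (owner), $6 (group), $7 (other).
lacking() {
    find "$1" -type "$4" \( \
           \(   -user "$2"               ! -perm "-$5" \) \
        -o \( ! -user "$2"   -group "$3" ! -perm "-$6" \) \
        -o \( ! -user "$2" ! -group "$3" ! -perm "-$7" \) \
    \) -print
}

# Files and directories under $1 where that same class carries the write bit.
writable() {
    find "$1" \( -type f -o -type d \) \( \
           \(   -user "$2"               -perm -200 \) \
        -o \( ! -user "$2"   -group "$3" -perm -020 \) \
        -o \( ! -user "$2" ! -group "$3" -perm -002 \) \
    \) -print
}

# usage: audit_plugin_tree DIR USER GROUP   (names or numeric ids)
audit_plugin_tree() {
    {
        lacking  "$1" "$2" "$3" f 400 040 004 | sed 's/^/UNREADABLE /'
        lacking  "$1" "$2" "$3" d 500 050 005 | sed 's/^/UNREADABLE /'
        writable "$1" "$2" "$3"               | sed 's/^/WRITABLE /'
    } | LC_ALL=C sort
}

# Constructed sample tree (not taken from the thread) shaped like a plugin.
build_constructed_tree() {
    mkdir -p "$1/html" "$1/lib" &&
    : > "$1/html/Default" && : > "$1/lib/ExternalAuth.pm" && : > "$1/lib/Extra.pm" &&
    chmod 755 "$1" "$1/lib" &&
    chmod 750 "$1/html" &&                 # directory closed to "other"
    chmod 644 "$1/html/Default" &&
    chmod 600 "$1/lib/ExternalAuth.pm" &&  # file closed to "other"
    chmod 666 "$1/lib/Extra.pm"            # world-writable code
}

case "${1:-}" in
    "") : ;;                               # no arguments: only define the functions
    --demo)
        d=$(mktemp -d) && build_constructed_tree "$d/plugin" &&
            # uid+1 / gid+1 stand in for an account that is neither owner nor group
            audit_plugin_tree "$d/plugin" "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))"
        rm -rf "$d" ;;
    *)  audit_plugin_tree "$1" "$2" "$3" ;;
esac
```

On the system from the thread it would be pointed at /usr/local/share/request-tracker4 with the web server's user and group. An UNREADABLE line is the failure described above; a WRITABLE line means the permissions were opened further than the read access the web server needs.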
Re: [rt-users] External Auth config with RT on Debian
Thanks for your reply. In the sys config it shows the following under PLUGINS:

    Plugins [ 'RT::Authen::ExternalAuth' ]

Jeff

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:14 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:
> Default settings till here
>
>     #PLUGINS
>     Set( @Plugins, qw(RT::Authen::ExternalAuth));
>
>     #External Auth Settings
>     Set($ExternalAuthPriority, [ 'My_LDAP',] );
>     Set($ExternalInfoPriority, [ 'My_LDAP',] );
>     Set($ExternalServiceUsesSSLorTLS, 0);
>     Set($AutoCreateNonExternalUsers, 0);
>     Set($ExternalSettings, {
>         'My_LDAP' => {
>             'type'             => 'ldap',
>             'server'           => 'dc2.xx.com',
>             'user'             => 'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
>             'pass'             => 'xxx',
>             'base'             => 'dc=,dc=com',
>             'filter'           => '(&(ObjectCategory=User)(ObjectClass=Person))',
>             'd_filter'         => '(userAccountControl:1.2.840.113556.1.4.803=2)',
>             'group'            => 'cn=Domain Users,ou=Groups_Security,dc=x,dc=com',
>             'group_attr'       => 'member',
>             'tls'              => 0,
>             'ssl_version'      => 3,
>             'net_ldap_args'    => [ version => 3, port => 3268 ],
>             'group_scope'      => 'base',
>             'group_attr_value' => 'GROUP_ATTR_VALUE',
>             'attr_match_list'  => [
>                 'Name',
>                 'EmailAddress',
>                 'RealName',
>             ],
>             'attr_map' => {
>                 'Name'           => 'sAMAccountName',
>                 'EmailAddress'   => 'mail',
>                 'Organization'   => 'physicalDeliveryOfficeName',
>                 'RealName'       => 'cn',
>                 'ExternalAuthId' => 'sAMAccountName',
>                 'Gecos'          => 'sAMAccountName',
>                 'WorkPhone'      => 'telephoneNumber',
>                 'Address1'       => 'streetAddress',
>                 'City'           => 'l',
>                 'State'          => 'st',
>                 'Zip'            => 'postalCode',
>                 'Country'        => 'co'
>             },
>         },
>         # An example SSO cookie service
>         'My_SSO_Cookie' => {
>             'type'            => 'cookie',
>             'name'            => 'loginCookieValue',
>             'u_table'         => 'users',
>             'u_field'         => 'username',
>             'u_match_key'     => 'userID',
>             'c_table'         => 'login_cookie',
>             'c_field'         => 'loginCookieValue',
>             'c_match_key'     => 'loginCookieUserID',
>             'db_service_name' => 'My_MySQL'
>         },
>     } );
>     1;
>
> I then use update-rt-siteconfig to merge these settings into RT_SiteConfig.pm. From what I read this is all correct and should allow AD accounts to log in.
>
> Here is what is logging in the apache2 error log:
>
>     [Fri Jun 28 19:01:58 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
>     [Fri Jun 28 19:02:09 2013] [error]: FAILED LOGIN for jsolb...@xx.com from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
>     [Fri Jun 28 19:02:40 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.62 ( /usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
>     [Fri Jun 28 19:02:52 2013] [info]: Successful login for root from 10.10.30.62 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
>     root@admin-rt4:/usr/share/request-tracker4/lib#

Navigate to Tools -> Configuration -> System Configuration and check that Plugins contains RT::Authen::ExternalAuth.

-kevin
Re: [rt-users] External Auth config with RT on Debian
Do I just add the $SetToLog options anywhere in the RT_SiteConfig.pm?

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 04:24:51PM +, Jeff Solberg wrote:
> Thanks for your reply. In the sys config it shows the following under PLUGINS:
>
>     Plugins [ 'RT::Authen::ExternalAuth' ]

Great - now go make sure your $LogToScreen is set to 'debug' and log in again. root will always be able to log in because
Re: [rt-users] External Auth config with RT on Debian
Added the following to my site config:

#logging
Set($LogToSyslog, '');
Set($LogToScreen, 'debug');
Set($LogToFile, 'debug');
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed, 'rt.log'); #log to rt.log
# end /etc/request-tracker4/RT_SiteConfig.d/logging

And restarted apache2. I tried to log in with a domain account, and this is what is being logged to rt.log:

root@admin-rt4:/var/log/request-tracker4# cat rt.log
[Mon Jul 1 17:47:43 2013] [debug]: The RTAddressRegexp option is not set in the config. Not setting this option results in additional SQL queries to check whether each address belongs to RT or not. It is especially important to set this option if RT recieves emails on addresses that are not in the database or config. (/usr/share/request-tracker4/lib/RT/Config.pm:454)
[Mon Jul 1 17:47:43 2013] [warning]: The actual HTTP_HOST (admin-rt4) does NOT match the configured WebDomain (localhost). Perhaps you should Set($WebDomain, 'admin-rt4'); in RT_SiteConfig.pm, otherwise your internal links may be broken. (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:1194)
[Mon Jul 1 17:47:50 2013] [error]: FAILED LOGIN for jsolberg from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Mon Jul 1 17:49:46 2013] [info]: Successful login for root from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:745)
[Mon Jul 1 17:53:05 2013] [error]: FAILED LOGIN for jsolb...@x.com from 10.10.30.63 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

My guess is the debugging option is not telling us much :(

Jeff

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:29 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Mon, Jul 01, 2013 at 04:24:51PM +, Jeff Solberg wrote:

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Monday, July 01, 2013 9:14 AM
To: rt-users@lists.bestpractical.com
Subject: [secure] Re: [rt-users] External Auth config with RT on Debian
Sensitivity: Confidential

On Fri, Jun 28, 2013 at 12:29:22PM -0700, jsolberg wrote:

Default settings till here

#PLUGINS
Set( @Plugins, qw(RT::Authen::ExternalAuth));

#External Auth Settings
Set($ExternalAuthPriority, [ 'My_LDAP',] );
Set($ExternalInfoPriority, [ 'My_LDAP',] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type' => 'ldap',
        'server' => 'dc2.xx.com',
        'user' => 'cn=Bind Ldap,ou=User,Logins,dc=intrepidls,dc=com',
        'pass' => 'xxx',
        'base' => 'dc=,dc=com',
        'filter' => '((ObjectCategory=User)(ObjectClass=Person))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group' => 'cn=Domain Users,ou=Groups_Security,dc=x,dc=com',
        'group_attr' => 'member',
        'tls' => 0,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3, port => 3268 ],
        'group_scope' => 'base',
        'group_attr_value' => 'GROUP_ATTR_VALUE',
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        },
    },
    # An example SSO cookie service
    'My_SSO_Cookie' => {
        'type' => 'cookie',
        'name' => 'loginCookieValue',
        'u_table' => 'users',
        'u_field' => 'username',
        'u_match_key' => 'userID',
        'c_table' => 'login_cookie',
        'c_field' => 'loginCookieValue',
        'c_match_key
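
Added example, not part of the original message or of RT: a small Python checker for RFC 4515 search-filter syntax, run over the 'filter' and 'd_filter' strings exactly as they appear in the message above. RFC 4515 requires &, | or ! in front of a list of nested filters and writes an extensible match as attr:rule:=value; the names check_filter and FROM_PAGE are made up for this example.

```python
import re

# RFC 4512 attribute description / matching rule: a short name or numeric OID.
NAME = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
ATTR = rf"{NAME}(?:;[A-Za-z0-9-]+)*"
# Value: no raw parentheses, NUL or backslash; \XX escapes and '*' are accepted.
VALUE = r"(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*"
SIMPLE = re.compile(rf"{ATTR}(?:=|~=|<=|>=){VALUE}\Z")
EXTENSIBLE = re.compile(rf"(?:{ATTR}(?::dn)?(?::{NAME})?|(?::dn)?:{NAME}):={VALUE}\Z")

def _parse(s, i):
    """Parse one '(' filtercomp ')' at s[i]; return the offset just past it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"offset {i}: expected '('")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):          # and / or: a list of nested filters
        i += 1
        while s[i:i + 1] == "(":
            i = _parse(s, i)
    elif op == "!":               # not: exactly one nested filter
        i = _parse(s, i + 1)
    elif op == "(":
        raise ValueError(f"offset {i}: nested filter without '&', '|' or '!'")
    else:                         # item: attr=value or attr:rule:=value
        j = i
        while j < len(s) and s[j] not in "()":
            j += 1
        if not (SIMPLE.match(s[i:j]) or EXTENSIBLE.match(s[i:j])):
            raise ValueError(f"offset {i}: malformed item {s[i:j]!r}")
        i = j
    if s[i:i + 1] != ")":
        raise ValueError(f"offset {i}: expected ')'")
    return i + 1

def check_filter(s):
    """Return None if s is well formed, else a description of the first fault."""
    try:
        end = _parse(s, 0)
    except ValueError as err:
        return str(err)
    return None if end == len(s) else f"offset {end}: trailing characters"

# The two filter strings as they appear in the message above.
FROM_PAGE = ["((ObjectCategory=User)(ObjectClass=Person))",
             "(userAccountControl:1.2.840.113556.1.4.803=2)"]

if __name__ == "__main__":
    for f in FROM_PAGE:
        print(f, "->", check_filter(f) or "ok")
```

Both strings are reported as malformed in the form archived here, while (&(ObjectCategory=User)(ObjectClass=Person)) and (userAccountControl:1.2.840.113556.1.4.803:=2) pass the same check.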
[rt-users] Setting up requestor access to Self Service Web UI
Hello,

I have been tasked with rolling out RT to our organization. So far so good. I was able to get RT 4.0.7 up and running on Debian Linux 7.0 (Wheezy). Now it's down to the nuts-and-bolts tightening of this product to tailor it to our environment.

One thing that I am contemplating is how, other than email, my end users will be able to track their own tickets without giving them access to all of the ticket queues I will be setting up. The email notifications are working ok, as in the end user will receive updates and will be able to see any comments the owner put into the tickets.

Now onto setting up the self service part of the Web UI. I have looked through many articles on this and really haven't found anything that actually stated how to enable and set up the Self Service feature on a new installation of RT. My goal is to have the end user click on a URL in the auto reply email that will direct them to the Self Service UI and also auto log them in without being prompted for a username and password (if possible).

With that being said I guess I have 2 questions:

1) How to set up Self Service, and
2) How to (if possible) make it so an end user can click on a URL in the auto reply and auto log them in without Username and Password.

Thanks in advance for any help in regards to this issue!

Jeff

--
RT Training in Seattle, June 19-20: http://bestpractical.com/training