Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-15 Thread Jeff Blaine

On 5/15/2013 12:17 AM, Philip Brown wrote:

Err.. thanks, but that's not what I'm looking for.
For one thing, even if I got permission to do that (which I won't), we have 
40,000 users in ldap.
I don't actually WANT all of them in the rt database.
Particularly since we have a 15,000 user/year churn rate.


I'm never quite sure why people do that (*import* then-stale
data from LDAP/AD which is the dynamic source of truth for the
information on the network). There must be some use case that
I am just not aware of, but I definitely don't get it.

 it's kinda odd that I can't seem to google any sample
 RT_Config.pm files for this

Well, here's where I asked the community to share what works:

http://lists.bestpractical.com/pipermail/rt-users/2012-February/075085.html

And here's 1 (of 2) contributions I got and submitted, still sitting
in a github pull request that has not been merged after 1+ years:

https://github.com/bestpractical/rt-authen-externalauth/pull/2

That was the water testing and end of my contributions to RT,
as a failed experiment. I didn't bother submitting the 2nd
config contribution I got based on the above.

Here's someone else's code contribution from 1+ years ago to
allow secure LDAP:

https://github.com/bestpractical/rt-authen-externalauth/pull/1

*crickets*

Contributing elsewhere.


--
RT Training in Seattle, June 19-20: http://bestpractical.com/training


Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-15 Thread Thomas Sibley
On 05/14/2013 01:41 PM, Philip Brown wrote:
 I then attempted to do the fallback suggested via
 
 CanonicalizeEmailAddressMatch
 
 after removing the KrbLocalUser from my apache configs.
 however, the replace did not seem to have any effect. I'm still getting
 logged in as
 u...@kerb.my.com
 rather than u...@my.com
 
 for the record, I'm using a match string of
 '\@.*\.my.com$'
 
 and replace of
 '\@my.com'

You may be mistaking the user *name* for the email address.  Without a
separate Name, RT often assigns the email address as the name.  This may
happen before canonicalization in some cases.  Can you verify the email
addresses aren't being canonicalized?  If not, there may be an
interaction with existing users, but I wouldn't expect that necessarily.

If the email address is canonicalized, but the name is still the
uncanonicalized form, I'd suggest looking at this piece from my original
mail:

You can also do more sophisticated munging by writing your own
RT::User::CanonicalizeUserInfo:

http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-15 Thread Thomas Sibley
On 05/15/2013 06:19 AM, Jeff Blaine wrote:
 Well, here's where I asked the community to share what works:
 
 http://lists.bestpractical.com/pipermail/rt-users/2012-February/075085.html
 
 And here's 1 (of 2) contributions I got and submitted, still sitting
 in a github pull request that has not been merged after 1+ years:
 
 https://github.com/bestpractical/rt-authen-externalauth/pull/2

 That was the water testing and end of my contributions to RT,
 as a failed experiment. I didn't bother submitting the 2nd
 config contribution I got based on the above.

I just responded to your PR.  Thanks for pointing it out again.  We
manage a lot of repos and only use github for publishing public mirrors
and receiving PRs.  Sometimes this means PRs slip through the cracks if
no one prods us.  That is to say: if anyone thinks they're owed a
response on a PR or patch or any other contribution, please do pipe up
to get our attention again.

I'm sorry your contributing experience was lousy.

 Here's someone else's code contribution from 1+ years ago to
 allow secure LDAP:
 
 https://github.com/bestpractical/rt-authen-externalauth/pull/1

That is an unnecessary change, and should have been closed long ago.
I've now done so.  The simple solution is specifying a server of
ldaps://example.com instead of just example.com.

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-14 Thread Philip Brown

On 04/26/13 04:38 PM, Thomas Sibley wrote:

On 04/26/2013 02:35 PM, Philip Brown wrote:

hi there,
We are looking at using kerb auth and mod_auth_kerb as our external auth 
mechanism for RT.

... I was hoping there was potentially a way to do any of the following:

a) automatically drop the @xyz from REMOTE_USER entirely
b) autoconvert the @xyz to @real.domain

c) (least preferable) have the autocreate routines, automatically fill in 
@real.domain as the email address

You can accomplish (b) with these options:
http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace

You can also do more sophisticated munging by writing your own
RT::User::CanonicalizeUserInfo:
http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS

Or you can take the easy way of (a) by setting the mod_auth_kerb config
option that Jok pointed out earlier.

Well, I'm back, now that I've had more time to follow up :)

I have tried out using the KrbLocalUser tweak, and run into problems.
The email field does not get filled out on autocreate of an account.

I then attempted to do the fallback suggested via

CanonicalizeEmailAddressMatch

after removing the KrbLocalUser from my apache configs.
however, the replace did not seem to have any effect. I'm still getting 
logged in as

u...@kerb.my.com
rather than u...@my.com

for the record, I'm using a match string of
'\@.*\.my.com$'

and replace of
'\@my.com'

it's kinda odd that I can't seem to google any sample RT_Config.pm files 
for this

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-14 Thread Jok Thuau
I have used the LDAPImport extension to pull all my users out of AD into
RT. I even submitted a patch on the cpan bug tracker to add a feature to
automatically grant rights to some groups based on LDAP queries.

(and you'll probably need to merge the users that you have now into
their imported equivalent)

Thanks,
Jok


-- 
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

On 5/14/13 1:41 PM, Philip Brown p...@usc.edu wrote:

On 04/26/13 04:38 PM, Thomas Sibley wrote:
 On 04/26/2013 02:35 PM, Philip Brown wrote:
 hi there,
 We are looking at using kerb auth and mod_auth_kerb as our external
auth mechanism for RT.

 ... I was hoping there was potentially a way to do any of the
following:

 a) automatically drop the @xyz from REMOTE_USER entirely
 b) autoconvert the @xyz to @real.domain

 c) (least preferable) have the autocreate routines, automatically fill
in @real.domain as the email address
 You can accomplish (b) with these options:
 
http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailA
ddressMatch-CanonicalizeEmailAddressReplace

 You can also do more sophisticated munging by writing your own
 RT::User::CanonicalizeUserInfo:
 
http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo
-HASH-of-ARGS

 Or you can take the easy way of (a) by setting the mod_auth_kerb config
 option that Jok pointed out earlier.



Well, I'm back, now that I've had more time to follow up :)

I have tried out using the KrbLocalUser tweak, and run into problems.
The email field does not get filled out on autocreate of an account.

I then attempted to do the fallback suggested via

CanonicalizeEmailAddressMatch

after removing the KrbLocalUser from my apache configs.
however, the replace did not seem to have any effect. I'm still getting
logged in as
u...@kerb.my.com
rather than u...@my.com

for the record, I'm using a match string of
'\@.*\.my.com$'

and replace of
'\@my.com'

it's kinda odd that I can't seem to google any sample RT_Config.pm files
for this

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-05-14 Thread Philip Brown
Err.. thanks, but that's not what I'm looking for.
For one thing, even if I got permission to do that (which I won't), we have 
40,000 users in ldap.
I don't actually WANT all of them in the rt database.
Particularly since we have a 15,000 user/year churn rate.

From: Jok Thuau [jth...@spacex.com]
Sent: Tuesday, May 14, 2013 05:36 PM
To: Philip Brown; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] REMOTE_USER, external auth, and email mismatching

I have used the LDAPImport extension to pull all my users out of AD into
RT. I even submitted a patch on the cpan bug tracker to add a feature to
automatically grant rights to some groups based on LDAP queries.

(and you'll probably need to merge the users that you have now into
their imported equivalent)

Thanks,
Jok


--
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

On 5/14/13 1:41 PM, Philip Brown p...@usc.edu wrote:

On 04/26/13 04:38 PM, Thomas Sibley wrote:
 On 04/26/2013 02:35 PM, Philip Brown wrote:
 hi there,
 We are looking at using kerb auth and mod_auth_kerb as our external
auth mechanism for RT.

 ... I was hoping there was potentially a way to do any of the
following:

 a) automatically drop the @xyz from REMOTE_USER entirely
 b) autoconvert the @xyz to @real.domain

 c) (least preferable) have the autocreate routines, automatically fill
in @real.domain as the email address
 You can accomplish (b) with these options:

http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailA
ddressMatch-CanonicalizeEmailAddressReplace

 You can also do more sophisticated munging by writing your own
 RT::User::CanonicalizeUserInfo:

http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo
-HASH-of-ARGS

 Or you can take the easy way of (a) by setting the mod_auth_kerb config
 option that Jok pointed out earlier.



Well, I'm back, now that I've had more time to follow up :)

I have tried out using the KrbLocalUser tweak, and run into problems.
The email field does not get filled out on autocreate of an account.

I then attempted to do the fallback suggested via

CanonicalizeEmailAddressMatch

after removing the KrbLocalUser from my apache configs.
however, the replace did not seem to have any effect. I'm still getting
logged in as
u...@kerb.my.com
rather than u...@my.com

for the record, I'm using a match string of
'\@.*\.my.com$'

and replace of
'\@my.com'

it's kinda odd that I can't seem to google any sample RT_Config.pm files
for this

[rt-users] REMOTE_USER, external auth, and email mismatching

2013-04-26 Thread Philip Brown
hi there,
We are looking at using kerb auth and mod_auth_kerb as our external auth 
mechanism for RT.

Trouble is.. our kerb domain is not the same as people's email address domain.

We have mumble-thousand users. Hand-populating things is not an option.

So, I was hoping there was potentially a way to do any of the following:

a) automatically drop the @xyz from REMOTE_USER entirely
b) autoconvert the @xyz to @real.domain 

c) (least preferable) have the autocreate routines, automatically fill in 
@real.domain as the email address

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-04-26 Thread Jok Thuau
Philip, 

We are in the same boat.

Your kerb config can drop the realm part by using the option in your kerb
auth section of the apache config with KrbLocalUserMapping set to ON.

In combination with that, we have ldap-import (to pull all the users from
AD), as well as the proper mapping (sAMAccountName - username) when we
import users.

We've had instances where someone has managed to send email in from
another system with a different email address, and we just merge those new
accounts in with the ldap imported accounts on a regular basis (doesn't
happen often).

Thanks,
Jok

-- 
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

On 4/26/13 2:35 PM, Philip Brown p...@usc.edu wrote:

hi there,
We are looking at using kerb auth and mod_auth_kerb as our external auth
mechanism for RT.

Trouble is.. our kerb domain is not the same as people's email address
domain.

We have mumble-thousand users. Hand-populating things is not an option.

So, I was hoping there was potentially a way to do any of the following:

a) automatically drop the @xyz from REMOTE_USER entirely
b) autoconvert the @xyz to @real.domain

c) (least preferable) have the autocreate routines, automatically fill in
@real.domain as the email address

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-04-26 Thread Thomas Sibley
On 04/26/2013 02:35 PM, Philip Brown wrote:
 hi there,
 We are looking at using kerb auth and mod_auth_kerb as our external auth 
 mechanism for RT.
 
 Trouble is.. our kerb domain is not the same as people's email address domain.
 
 We have mumble-thousand users. Hand-populating things is not an option.
 
 So, I was hoping there was potentially a way to do any of the following:
 
 a) automatically drop the @xyz from REMOTE_USER entirely
 b) autoconvert the @xyz to @real.domain 
 
 c) (least preferable) have the autocreate routines, automatically fill in 
 @real.domain as the email address

You can accomplish (b) with these options:
http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace

You can also do more sophisticated munging by writing your own
RT::User::CanonicalizeUserInfo:
http://bestpractical.com/rt/docs/latest/RT/User.html#CanonicalizeUserInfo-HASH-of-ARGS

Or you can take the easy way of (a) by setting the mod_auth_kerb config
option that Jok pointed out earlier.


Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-04-26 Thread Philip Brown
(arg, outlook.com...)

From: rt-users-boun...@lists.bestpractical.com 
[rt-users-boun...@lists.bestpractical.com] on behalf of Thomas Sibley 
[t...@bestpractical.com]
Sent: Friday, April 26, 2013 04:38 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] REMOTE_USER, external auth, and email mismatching

On 04/26/2013 02:35 PM, Philip Brown wrote:

 So, I was hoping there was potentially a way to do any of the following:

 a) automatically drop the @xyz from REMOTE_USER entirely
 b) autoconvert the @xyz to @real.domain

You can accomplish (b) with these options:
http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace


Thanks for the tip.
I followed the link, but it didn't explicitly give an answer to the following 
question.
For posterity and the list archive's sake:  does it also work for extern auth?
In other words, when it auto-creates an account, will it rewrite the *account 
name*?  Or will it just get triggered on actual email that comes in?

Re: [rt-users] REMOTE_USER, external auth, and email mismatching

2013-04-26 Thread Thomas Sibley
On 04/26/2013 05:09 PM, Philip Brown wrote:
 a) automatically drop the @xyz from REMOTE_USER entirely
 b) autoconvert the @xyz to @real.domain
 
 You can accomplish (b) with these options:
 http://bestpractical.com/rt/docs/latest/RT_Config.html#CanonicalizeEmailAddressMatch-CanonicalizeEmailAddressReplace
 
 
 Thanks for the tip.
 I followed the link, but it didn't explicitly give an answer to the following 
 question.
 For posterity and the list archive's sake:  does it also work for extern auth?
 In other words, when it auto-creates an account, will it rewrite the *account 
 name*?  Or will it just get triggered on actual email that comes in?

It is used during account creation, as well as many other places that
handle email addresses.  It doesn't affect the account Name, just the
account's Email Address.

If you want to change the name, use one of the two other options I offered.
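Added example (not part of the thread, and not RT's or Best Practical's own code). It reproduces, outside RT, the behaviour the two answers above describe: $CanonicalizeEmailAddressMatch/$CanonicalizeEmailAddressReplace rewrite only the email address, while a CanonicalizeUserInfo override is what can also rewrite the Name on autocreate. The principal "alice", the realm kerb.my.com and the mail domain my.com are constructed from the thread's own names; the assumption that RT applies the two config values as a single s/$match/$replace/gi and that the override receives a hashref of the fields about to be passed to Create is stated in the comments and should be checked against your version's lib/RT/User.pm before relying on it.

```perl
#!/usr/bin/env perl
# Illustration only: stand-alone script, not RT code. In a real deployment the
# override below would live in package RT::User (e.g. local/lib/RT/User_Local.pm)
# and the two config values would be Set() in RT_SiteConfig.pm.
use strict;
use warnings;
use 5.010;

# Values one would Set() in RT_SiteConfig.pm. Both dots are escaped here; the
# '\.my.com' used in the post leaves the second dot as an unescaped wildcard,
# so it also matches "my-com" or "myXcom". Harmless for the intended input,
# but wider than intended.
my $match   = '\@.*\.my\.com$';
my $replace = '@my.com';

# Mirrors what RT::User::CanonicalizeEmailAddress does with the two config
# values: one case-insensitive s///g over the address and nothing else
# (assumption about RT internals; verify in your version's lib/RT/User.pm).
sub canonicalize_email {
    my ($email) = @_;
    return $email unless defined $email;
    $email =~ s/$match/$replace/gi;
    return $email;
}

# Shape of an RT::User::CanonicalizeUserInfo override: it gets a hashref of
# the user fields about to be passed to Create, edits them in place and
# returns true. Rewriting Name here is the thread's final advice; that the
# Name arrives as the raw REMOTE_USER principal is an assumption based on
# what the poster reported seeing.
sub canonicalize_user_info {
    my ($args) = @_;
    $args->{EmailAddress} = canonicalize_email($args->{EmailAddress});
    if (defined $args->{Name} && $args->{Name} =~ /^([^@]+)\@kerb\.my\.com$/i) {
        my $local = $1;
        $args->{Name} = $local;                      # drop the Kerberos realm
        $args->{EmailAddress} //= "$local\@my.com";  # fill email if absent
    }
    return 1;
}

# Constructed input: what an autocreate would see when mod_auth_kerb passes
# the full principal through (no KrbLocalUserMapping).
my %new_user = (
    Name         => 'alice@KERB.MY.COM',
    EmailAddress => 'alice@kerb.my.com',
);

say "before:            Name=$new_user{Name} Email=$new_user{EmailAddress}";
say "email-only rewrite: ", canonicalize_email($new_user{EmailAddress}),
    " (Name untouched: $new_user{Name})";
canonicalize_user_info(\%new_user);
say "after override:    Name=$new_user{Name} Email=$new_user{EmailAddress}";
```

Running the script shows the distinction the last answer makes: the match/replace pair alone turns alice@kerb.my.com into alice@my.com but leaves Name as the realm-qualified principal, which is exactly the "still logged in as u...@kerb.my.com" symptom from the thread; only the CanonicalizeUserInfo-style override changes the Name as well.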