[rt-users] managing ldap users / RT-Authen-ExternalAuth question
Hi,

My RT-Authen-ExternalAuth works - as in, I can log in to RT using my Active Directory username/password. However, when I log in using my AD account I don't see many things. I only see open tickets / closed tickets / new ticket on the left side there. How can I give the ability to view all queues to authenticated users, for instance? I tried doing this in config - global - group rights: SeeQueue to Everyone, but that didn't seem to help.

Also, another question: if I go to configuration - users I only see root there. I don't see the LDAP account that I successfully logged in with previously. Why?

My RT_SiteConfig.pm and externalauth's RT_SiteConfig.pm are attached.

    # Any configuration directives you include here will override
    # RT's default configuration file, RT_Config.pm
    #
    # To include a directive here, just copy the equivalent statement
    # from RT_Config.pm and change the value. We've included a single
    # sample value below.
    #
    # This file is actually a perl module, so you can include valid
    # perl code, as well.
    #
    # The converse is also true, if this file isn't valid perl, you're
    # going to run into trouble. To check your SiteConfig file, use
    # this command:
    #
    #   perl -c /path/to/your/etc/RT_SiteConfig.pm

    Set( $rtname, 'rt.mydomain.org');
    Set( $Organization, 'rt.mydomain.org');
    Set($MinimumPasswordLength , 5);
    Set($Timezone , 'US/Eastern');
    Set(@Plugins, qw( RT::Authen::ExternalAuth ));
    Set($HomepageComponents, [qw( QuickCreate Quicksearch MyAdminQueues MySupportQueues MyReminders RefreshHomepage Dashboards )]);
    Set( $DatabaseType, 'mysql');
    Set( $DatabaseHost, 'localhost');
    Set( $DatabaseRTHost , 'localhost');
    Set( $DatabaseName , 'rt3');
    Set( $DatabasePort , '');
    Set( $DatabaseUser , 'rtuser');
    Set( $DatabasePassword , 'mypassword');
    Set($OwnerEmail , 'root');
    Set($LoopsToRTOwner , 1);
    Set($SendmailArguments , '-oi -t -f vpolya...@mydomain.org');
    Set($MaxAttachmentSize , 1000);
    Set($RTAddressRegexp , '^...@rt.mydomain.org$');
    Set($CorrespondAddress , 'no-re...@rt.mydomain.org');
    Set($CommentAddress , 'no-re...@rt.mydomain.org');
    Set($UseFriendlyFromLine , 1);
    Set($FriendlyFromLineFormat , "\"%s\" <%s>");
    Set($UseFriendlyToLine , 1);
    Set($FriendlyToLineFormat , "\"%s Ticket #%s\":;");
    Set($NotifyActor , 0);
    Set($RecordOutgoingEmail , 1);
    Set($WebPath , "/ticket");
    Set($WebPort , 80);
    Set($WebBaseURL , "http://rt");
    Set($WebURL , $WebBaseURL . $WebPath . "/");
    Set($WebImagesURL , $WebURL . "/NoAuth/images");
    Set($MessageBoxWidth , 72);
    Set($MessageBoxWrap, "HARD");
    Set($MaxInlineBody, 13456);
    Set($DefaultSummaryRows, 10);
    Set($OldestTransactionsFirst, '1');
    Set($DateDayBeforeMonth , 0);
    Set($AmbiguousDayInPast , 1);
    require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
    Set($Autocreate, {Privileged => 1});
    #Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
    1;

RT_SiteConfig.pm.externalauth Description: Binary data

RT Training in Washington DC, USA on Oct 25 26 2010 Last one this year -- Learn how to get the most out of RT!
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
Can you log in as root? If so you should be able to search for the ldap user you logged in as and then grant them access. I think the page you are talking about is only showing privileged users. Also, you will only be able to search for ldap users that have logged in, unless you also use the ldap import plugin:

http://search.cpan.org/~falcone/RT-Extension-LDAPImport-0.07/lib/RT/Extension/LDAPImport.pm

For the permissions problem, it sounds like you granted permissions, but didn't make the user a privileged user. If you search for your user like I mentioned above, when you look at their property sheet you will see a check box called "make this user privileged" (something like that); checking that should give the user access.

From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Val Polyakov [...@polyakov.me]
Sent: Wednesday, September 29, 2010 11:46 AM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] managing ldap users / RT-Authen-ExternalAuth question

> Hi, My RT-Authen-ExternalAuth works - as in, I can login to RT using my active directory username/password. however, when I login using my AD account I don't see many things. I only see open tickets / closed tickets / new ticket on the left side there.. how can I give the ability to view all queues to authenticated users, for instance? I tried doing this in config - global - group rights: SeeQueue to Everyone but that didn't seem to help..
>
> also, another question: if I go to configuration - users I only see root there. I don't see the LDAP account that I successfully logged in with previously. Why?
>
> My RT_SiteConfig.pm and externalauth's RT_SiteConfig.pm are attached
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
Val,

First of all, SeeQueue doesn't really have anything to do with seeing tickets. It merely gives a user the ability to see a Queue they might want to create a ticket in, and then, they still have to have CreateTicket. To SeeTickets, there are a few rights you can grant:

1) grant the ShowTicket right to see general info on a ticket.
2) grant ShowTicketComments to allow the user to see any comments made on the ticket. ShowTicket doesn't include this ability.
3) grant SeeOutgoingEmail to allow the user to see the email that is in a ticket, and
4) grant SeeCustomField (usually at the group level) to see any Custom Fields in the Ticket.

We usually grant all these to user-defined groups of users with the same interest in a particular Queue. Further, if you don't want everyone to see everyone else's business, grant these rights to the Requestor's role instead of a Users group. Of course, you're going to want Owners or a User-defined group of support users (those that can take, own and modify a ticket in a Queue) to have all of those rights as well.

Hope this helps.

Kenn
LBNL
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
> Can you log in as root?

yes

> If so you should be able to search for the ldap user you logged in as and then grant them access.

how? where do I search? the only 'users' that I see is in configuration - users, and you're saying that's the wrong place..
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
Val,

At the bottom of the Config-Users display page is a box you can check to include disabled users in the search. Check that and you should see everyone.

Kenn
LBNL
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
perfect, that worked!

few more questions:

I downloaded rtldapimport and took a look at the readme, and here's the thing: my users are spread out across 5 OUs - there's no single OU to point rtldapimport to and have it import all of my users. is there a way for me to specify the 5 bases to search in?

and another: what would be the easiest/quickest way to make all my ldap users privileged, after they are imported through rtldapimport?

thanks again for all your help

--Val
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
Val,

You could set your RT_SiteConfigure.pm file with these settings:

    Set($AutoCreate, {Privileged => 1});

This would ensure any additions would all be privileged. As to those that are already Users, I have no idea how to make them all Privileged. Perhaps someone has written a program that uses the API that will do that. Did you check the wiki?

Kenn
LBNL
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
> Val, You could set your RT_SiteConfigure.pm file with these settings:
>
>     Set($AutoCreate, {Privileged => 1});
>
> This would ensure any additions would all be privileged.

awesome, thanks

> As to those that are already Users, I have no idea how to make them all Privileged.

it's a fresh install with no users, so far I was the only one who logged in to this thing with my AD account.. and I already made that one privileged manually. so looks like I'm all set for now :)

I've asked this before on the list, but didn't get any replies.. I'll try my luck again here, if you don't mind:

My users are spread across 5 OUs: ou=users,ou=city,dc=mydomain,dc=org where city is the city that they reside in. there's no catchall OU with all of these users. how can I set up RT-Authen-ExternalAuth to look in all 5 OUs for the user? I have this now:

    ...
    'base' => 'ou=Users,ou=Yonkers,dc=mydomain,dc=org',
    ...

Feel like I'm overlooking something simple. perhaps I need to set up 5 ldap sections inside /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm (My_LDAP, My_LDAP1, MY_LDAP2, etc), with them being absolutely identical aside for the city OU? Not sure
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
On Wed, Sep 29, 2010 at 01:39:16PM -0400, Val Polyakov wrote:

> Feel like I'm overlooking something simple. perhaps I need to set up 5 ldap sections inside /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm (My_LDAP, My_LDAP1, MY_LDAP2, etc), with them being absolutely identical aside for the city OU?

If you can't express your base with a different OU, then you'll need 5 stanzas.

Please note that since RT-Extension-LDAPImport does not yet support a multi-source config, you can only use it for RT-Authen-ExternalAuth. For the importer, you can write a few site configs and run them using environment variables.

There are a few patches in rt.cpan.org for LDAPImporter that aren't going to make it into master, but you may find them interesting.

-kevin
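
The five-stanza RT-Authen-ExternalAuth setup discussed in this thread, as an added example that is not part of any poster's message or of the extension's distribution. Because the site config is ordinary Perl, the stanzas are generated in a loop so only 'base' differs per OU. The city names other than Yonkers, the stanza names, the server hostname, the bind account and the filters are assumptions.

```perl
# Added example: one ExternalAuth LDAP stanza per city OU.
# Goes in the ExternalAuth site config that RT_SiteConfig.pm pulls in with require.
# Assumed values: CityB..CityE, dc1.mydomain.org, the bind DN and both filters.
my @cities = qw( Yonkers CityB CityC CityD CityE );

# Settings shared by every stanza; only the search base changes per OU.
my %common = (
    'type'            => 'ldap',
    'server'          => 'dc1.mydomain.org',
    'user'            => 'cn=rt-bind,ou=Service,dc=mydomain,dc=org',
    'pass'            => 'CHANGE_ME',                    # placeholder
    'filter'          => '(objectClass=user)',
    # AD accounts with the ACCOUNTDISABLE bit set are treated as disabled in RT
    'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    'tls'             => 1,     # StartTLS so bind credentials are not sent in clear
    'net_ldap_args'   => [ version => 3 ],
    'attr_match_list' => [ 'Name', 'EmailAddress' ],
    'attr_map'        => {
        'Name'         => 'sAMAccountName',
        'EmailAddress' => 'mail',
        'RealName'     => 'cn',
    },
);

my ( %settings, @order );
for my $city (@cities) {
    my $name = "LDAP_$city";            # hypothetical stanza name
    push @order, $name;
    $settings{$name} = {
        %common,
        'base' => "ou=Users,ou=$city,dc=mydomain,dc=org",
    };
}

# Sources are tried in list order until one authenticates the user.
Set( $ExternalAuthPriority, [@order] );
Set( $ExternalInfoPriority, [@order] );
Set( $ExternalSettings,     {%settings} );

1;    # a file loaded with require must return a true value
```

Run `perl -c` on the file after editing, as the config header in the first message suggests.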