Re: [rt-users] ACL Troubles with RTFM
2010/8/9 Kevin Falcone falc...@bestpractical.com:
> On Sat, Aug 07, 2010 at 01:10:27PM +0200, benoit plessis wrote:
> What happens if you go to Configuration - Custom Fields - custom field name - Group Rights?

In this case, it's also working

> Have you applied the CF to the Classes (using the Applies To link from the Custom Field page)?

Yes indeed, this was the way I used

> There were some bugs with that in 2.4.2 and 3.8.8, so if you haven't done that you may need to test out the 2.4.3rc1 release on Friday.

So I'm screwed?

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] ACL Troubles with RTFM
On Tue, Aug 10, 2010 at 01:07:32PM +0200, benoit plessis wrote:
> 2010/8/9 Kevin Falcone falc...@bestpractical.com:
> > On Sat, Aug 07, 2010 at 01:10:27PM +0200, benoit plessis wrote:
> > What happens if you go to Configuration - Custom Fields - custom field name - Group Rights?
>
> In this case, it's also working

Ok, this is probably the best way to give those rights.

I'm guessing that granting the RTFM global right isn't creating something correctly, but I'd have to go look at the ACL record. Please drop a note into the bugtracker (rtfm-bugs AT bestpractical.com) about that way of assigning rights not working. It sounds like we either need to track down the ACL failure or not let you set that right in that particular screen.

> > Have you applied the CF to the Classes (using the Applies To link from the Custom Field page)?
>
> Yes indeed, this was the way I used
>
> > There were some bugs with that in 2.4.2 and 3.8.8, so if you haven't done that you may need to test out the 2.4.3rc1 release on Friday.
>
> So I'm screwed?

No, there are just 2 ways this can get screwed up (rights and applied to) and I wanted to rule out the applied to problem (especially since I knew there was a bug with 3.8.8+2.4.2).

-kevin
Re: [rt-users] RT 3.8 Active Directory integration and single sign-on
On Mon, Aug 09, 2010 at 08:38:22PM -0400, Eugene M. Evans wrote:
> I can telnet to the AD server and I am able to connect to the AD server through an LDAP browser. The browser I happen to be using is jxplorer. I found that Jxplorer requires the user DN to be the full first and last name of the user rather than only the logon name and the 'ou' component must be included in the field named 'base'. Since that nomenclature works in the LDAP browser, I modified RT_SiteConfig.pm to match, as follows,

Try using the ldapsearch command line client, I find it is much closer to the way the perl ldap library is connecting. Once you make that connect, the same user should be fine.

One thing about AD is that sometimes the AD server responds better to a user of samaccountn...@domain (email address style login) rather than a full DN, but I've never found an explanation for why.

-kevin

> Was
>
> 'user' => 'cn=UserLogonName, ou=XX, dc=XX, dc=XX',
> 'base' => 'dc=XX, dc=XX',
> 'group' => 'cn=XX, ou=XX, dc=XX, dc=XX',
>
> Is now
>
> 'user' => 'cn=FullNameOfUserSameAsUsedInJxplorer, dc=XX, dc=XX',
> 'base' => 'ou=XX, dc=XX, dc=XX',
> 'group' => 'cn=XX, ou=XX, dc=XX, dc=XX',
>
> I also uncommented the 'ssl_version' line as you suggested.
>
> However, in spite of all these changes I'm still not able to bind -- Can't bind: LDAP_INVALID_CREDENTIALS 49 -- when I attempt to login to RT with either a simple network username and password or the full form username and password. I've tried logging in with the same account specified as my LDAP bind account and as various other domain accounts, each with the same result.
>
> I think my next step is to contact the author of the ExternalAuth extension to see if the directives and attributes that ExternalAuth adds to RT_SiteConfig.pm are documented. Already checked the README but did not find a list.
>
> Sincerely,
> Gene Evans
> IT Administrator
> Heapy Engineering
> 937-224-0861 x1404
>
> --
> From: Mike Johnson [mailto:mike.john...@nosm.ca]
> Sent: Monday, August 09, 2010 9:02 AM
> To: Eugene M. Evans
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT 3.8 Active Directory integration and single sign-on
>
> Here is your problem,
>
> ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
> [Sat Aug 7 02:26:51 2010] [debug]: UserExists params: username: ldap , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
> [Sat Aug 7 02:26:51 2010] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
>
> Something is wrong with your config, ExternalAuth cannot bind with your LDAP, so any ldap calls after that will fail.
>
> Looking at your config, you don't have to comment out the ssl_version, that may be throwing the argument list off and messing up your bind.
>
> Check to make sure you can connect to your LDAP on port 389, so you know it isn't a firewall issue (you can telnet XXX.XXX.XXX.XXX 389).
>
> Download an LDAP browser, and make sure the user you are connecting with works...
>
> Once you fix the problem of your LDAP bind not working, your error logs should change, ... hopefully everything works for you after that, but if not... post the new logs and we'll try to help you out!
>
> Good luck!
> Mike.
>
> On Fri, Aug 6, 2010 at 11:00 PM, Eugene M. Evans emev...@heapy.com wrote:
> > I've tried many things today and still don't have Auth::ExternalAuth working. Could it be because RT's time is not synched with the Active Directory server? The time RT reports in its log is hours ahead of the system time on the host. The system is running NTP and matches the time on the AD server. I don't know why RT wouldn't be using the system time. The timezone is set correctly in RT_SiteConfig.pm
> >
> > Set($Timezone , 'US/Eastern');
> >
> > The log lines below were all created before 10pm on Friday, August the 6th.
> >
> > If anyone has any ideas about the time difference or the inability to log into RT using a valid AD account, I'm all ears.
> >
> > ** *** /opt/rt3/var/log/rt.log *** **
> > [Sat Aug 7 01:42:51 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1
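An added example, not part of any message in this thread and not RT's or ExternalAuth's own code: a small Python triage script for rt.log lines of the shape quoted above. It separates bind failures raised in `_GetBoundLdapObj` (the bind account from `$ExternalSettings` being rejected, as described in the quoted reply) from other entries, and shows what a log timestamp becomes when read as UTC. The sample log, the function names, the fixed UTC-4 offset and the UTC reading of the timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two ExternalAuth lines quoted in the thread plus two
# made-up lines (one without a "(file:line)" suffix, one that is not a log line).
SAMPLE_LOG = """\
[Sat Aug 7 02:26:51 2010] [debug]: UserExists params: username: ldap , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Sat Aug 7 02:26:51 2010] [critical]: RT::Authen::ExternalAuth::LDAP::_GetBoundLdapObj Can't bind: LDAP_INVALID_CREDENTIALS 49 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:467)
[Sat Aug 7 02:27:03 2010] [info]: constructed line without a source suffix
not a log line at all
"""

# rt.log shape: [timestamp] [level]: message (source_file:line)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*?)"
    r"(?: \((?P<file>[^()\s]+):(?P<lineno>\d+)\))?$"
)
BIND_RE = re.compile(
    r"(?P<sub>\S+) Can't bind: (?P<name>LDAP_[A-Z_]+) (?P<code>\d+)"
)


def parse_rt_log(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        # strptime treats a space in the format as "one or more spaces", so
        # both "Aug 7" and the space-padded "Aug  7" parse.
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def service_bind_failures(text):
    """Return bind failures logged from _GetBoundLdapObj.

    Per the thread, these mean ExternalAuth itself could not bind, so every
    later LDAP call fails no matter which end user is trying to log in.
    """
    hits = []
    for rec in parse_rt_log(text):
        m = BIND_RE.search(rec["msg"])
        if m and m["sub"].endswith("::_GetBoundLdapObj"):
            hits.append({
                "ts": rec["ts"],
                "result": m["name"],
                "code": int(m["code"]),
                "where": f"{rec['file']}:{rec['lineno']}",
            })
    return hits


def as_offset(ts, utc_offset_hours):
    """Read a naive log timestamp as UTC (assumption) and shift it."""
    aware = ts.replace(tzinfo=timezone.utc)
    return aware.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    for hit in service_bind_failures(SAMPLE_LOG):
        local = as_offset(hit["ts"], -4)  # UTC-4: US/Eastern in August
        print(f"{hit['result']} ({hit['code']}) at {hit['where']}")
        print(f"  logged {hit['ts']:%a %H:%M}, {local:%a %H:%M} at UTC-4")
```

Read as UTC, the `Sat Aug 7 01:42:51 2010` entry falls at 21:42 on Friday, August 6 at UTC-4, which matches the "before 10pm on Friday" observation in the quoted message.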
[rt-users] 3.2.1 - 3.8.8 any major data schema changes?
Hi all,

I'm sitting here with a clean 3.8.8 RT install, and I have our current 3.2.1 that is in use... I want to be kind to my users, and migrate data... but I don't want to spend too much time/resources doing so...

Would a backup of the rt database in 3.2.1 and a restore onto 3.8.8 work?

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] 3.2.1 - 3.8.8 any major data schema changes?
Is there anywhere on the wiki that documents which releases can be upgraded to from each?

I guess basically what I'm looking for is the shortest line from 3.2.1 --- 3.8.8

Is there a general rule of thumb? like every 3.x I should look at the UPGRADING? or would I have to dig into the point point releases?

Thanks for the insight. I attempted to search the wiki, but I had a hard time even trying to figure out what that is called

Mike.

On Tue, Aug 10, 2010 at 9:33 AM, Kevin Falcone falc...@bestpractical.com wrote:
> On Tue, Aug 10, 2010 at 09:09:21AM -0400, Mike Johnson wrote:
> > I'm sitting here with a clean 3.8.8 RT install, and I have our current 3.2.1 that is in use... I want to be kind to my users, and migrate data... but I don't want to spend too much time/resources doing so...
> >
> > Would a backup of the rt database in 3.2.1 and a restore onto 3.8.8 work?
>
> You want to have a look at the UPGRADING files. The database structure is not compatible and you will need to run the various scripts described in UPGRADING.
>
> -kevin

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] 3.2.1 - 3.8.8 any major data schema changes?
You can upgrade the whole way. The upgrading scripts will bring you current. Then you just need to hook up your new RT instance to the old database (or, copy the database to your new machine first). My database isn't on the RT machine so it makes it easier.

We generally build completely new RT machines for each major version, or when the OS needs an upgrade (RT 3.6.x to 3.8.x, RHEL 4 to RHEL 5, etc).

On 8/10/10 8:41 AM, Mike Johnson wrote:
> Is there anywhere on the wiki that documents which releases can be upgraded to from each?
>
> I guess basically what I'm looking for is the shortest line from 3.2.1 --- 3.8.8
>
> Is there a general rule of thumb? like every 3.x I should look at the UPGRADING? or would I have to dig into the point point releases?
>
> Thanks for the insight. I attempted to search the wiki, but I had a hard time even trying to figure out what that is called
>
> Mike.
>
> On Tue, Aug 10, 2010 at 9:33 AM, Kevin Falcone falc...@bestpractical.com wrote:
> > On Tue, Aug 10, 2010 at 09:09:21AM -0400, Mike Johnson wrote:
> > > I'm sitting here with a clean 3.8.8 RT install, and I have our current 3.2.1 that is in use... I want to be kind to my users, and migrate data... but I don't want to spend too much time/resources doing so...
> > >
> > > Would a backup of the rt database in 3.2.1 and a restore onto 3.8.8 work?
> >
> > You want to have a look at the UPGRADING files. The database structure is not compatible and you will need to run the various scripts described in UPGRADING.
> >
> > -kevin
>
> --
> Mike Johnson
> Datatel Programmer/Analyst
> Northern Ontario School of Medicine
> 955 Oliver Road
> Thunder Bay, ON P7B 5E1
> Phone: (807) 766-7331
> Email: mike.john...@nosm.ca

--
John Arends jare...@illinois.edu
Network Analyst
College of ACES ITCS
University of Illinois at Urbana-Champaign
Re: [rt-users] 3.2.1 - 3.8.8 any major data schema changes?
The UPGRADING file covers all previous releases. Look at the version in the release to which you are upgrading.

Cheers,
Ken

On Tue, Aug 10, 2010 at 09:41:52AM -0400, Mike Johnson wrote:
> Is there anywhere on the wiki that documents which releases can be upgraded to from each?
>
> I guess basically what I'm looking for is the shortest line from 3.2.1 --- 3.8.8
>
> Is there a general rule of thumb? like every 3.x I should look at the UPGRADING? or would I have to dig into the point point releases?
>
> Thanks for the insight. I attempted to search the wiki, but I had a hard time even trying to figure out what that is called
>
> Mike.
Re: [rt-users] 3.2.1 - 3.8.8 any major data schema changes?
On Tue, Aug 10, 2010 at 09:09:21AM -0400, Mike Johnson wrote:
> I'm sitting here with a clean 3.8.8 RT install, and I have our current 3.2.1 that is in use... I want to be kind to my users, and migrate data... but I don't want to spend too much time/resources doing so...
>
> Would a backup of the rt database in 3.2.1 and a restore onto 3.8.8 work?

You want to have a look at the UPGRADING files. The database structure is not compatible and you will need to run the various scripts described in UPGRADING.

-kevin
[rt-users] ExternalAuth/LDAP.pm line 304, line 273
We have RT 3.8.2. We have successfully installed the ExternalAuth plugin and have configured /rthome/local/plugins/RT-Authen-ExternalAuth/etc/RT_Siteconfig.pm file, which is called by /rthome/etc/RT_SiteConfig.pm

On the RT User Interface, I get RT Login window, where I am entering my AD user account and password. It fails with the following error:

(Can't call method as_string on an undefined value at /data/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm line 304, line 273.)

My RT_SiteConfig.pm file looks like this:

I also tried defining group as follows, but same error:

'group' => 'CN=Domain Users,CN=Users,DC=cs,DC=sb,DC=edu',
'group_attr' => 'member',

I have tried changing the filter to '((objectCategory=User) (ObjectClass=Person))' as well.

#Begin /data/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm in its entirety.
# Tell RT to read the plugin for External Authentication.
Set(@Plugins,qw(RT::Authen::ExternalAuth));
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
# Tell RT to trust the webserver to handle authentication.
# Set($WebExternalAuth, 3);
# If this is set to true, then the relevant packages will be loaded to use SSL/TLS connections.
# At the moment this just means use Net::SSLeay;
Set($ExternalServiceUsesSSLorTLS,1);
# If the webserver hands RT a user RT is not familiar with, RT should just go ahead and create an account
Set($AutoCreateNonExternalUsers,1);
Set($ExternalSettings, {
    'My_LDAP' => {
        ## GENERIC SECTION
        'type' => 'ldap',
        'server' => 'hostname',
        # 'user' => 'recldap',
        'user' => 'CN=LDAP user,OU=Service Accounts,OU=SBC,DC=cs,DC=sb,DC=edu',
        'pass' => 'xxx',
        'base' => 'ou=SB,dc=cs,dc=sb,DC=edu',
        'filter' => '(((objectCategory=Users)))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls' => 1,
        'ssl_version' => 3,
        'net_ldap_args' => [ version => 3 ],
        'group' => 'users',
        'group_attr' => 'member',
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail'
        }
    }
} );
1;

thank you...
vm

RT Training in Washington DC, USA on Oct 25 26 2010 Last one this year -- Learn how to get the most out of RT!
[rt-users] Email notification question
To List,

I have a question about a situation that occurred just recently in my (3.8.7) RT session. I have a scrip that notifies CC watchers on Correspondence along with one that notifies AdminCC and the Requestor. When I went to the Reply page to enter my text I saw the check boxes at the bottom of the screen that indicated who would get a notification due to what scrip. I checked the boxes for the CC watchers and yet they *still* got an email.

Has anyone else had this problem? I checked that those recipients were not in any other group or role that was also to get a notification for that Queue/Ticket (*no other* Queue watchers or Ticket CC's). They were not. I'm stumped.

Kenn
LBNL
[rt-users] Quick is it possible to do this question
Hi Folks

We are moving our rt web server (not database) to a different machine. Leaving the DB where it is.

In the process of moving our rt to a new machine, I want to know if it is possible to have two different RT servers connect in to the same database and serve the same files/data. That is, can we have two completely different web servers handle the rt web site bits, and serve all the same data?

This is just to aid in migrating/testing, not a permanent scenario.

Thanks

Joe

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web : http://scalableinformatics.com
      http://scalableinformatics.com/jackrabbit
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615
Re: [rt-users] Email notification question
After you checked the box, did you hit save at the VERY bottom of the page? That will refresh the page, and move those that you checked to the This message will not be sent to box.

I forget to do that the odd time... makes for some interesting communication back... especially when I'm not so politically correct when I am not sending the end-users :P but they get it hahahaha.

HTH
Mike.

On Tue, Aug 10, 2010 at 3:54 PM, Kenneth Crocker kfcroc...@lbl.gov wrote:
> To List,
>
> I have a question about a situation that occurred just recently in my (3.8.7) RT session. I have a scrip that notifies CC watchers on Correspondence along with one that notifies AdminCC and the Requestor. When I went to the Reply page to enter my text I saw the check boxes at the bottom of the screen that indicated who would get a notification due to what scrip. I checked the boxes for the CC watchers and yet they *still* got an email.
>
> Has anyone else had this problem? I checked that those recipients were not in any other group or role that was also to get a notification for that Queue/Ticket (*no other* Queue watchers or Ticket CC's). They were not. I'm stumped.
>
> Kenn
> LBNL

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] RT 3.8 Active Directory integration and single
Mike,

Thank you very much for the advice. I am now able to authenticate using LDAP when I log a new user into the RT web interface. I followed your suggestion to use the full DN in the value for both the 'user' and 'group' attributes.

eg.

'user' => 'cn=John Doe,ou=Some_Ou,dc=example,dc=local',
'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',

instead of

'user' => 'cn=jdoe,ou=Some_Ou,dc=example,dc=local',
'group' => 'cn=Some_Group,ou=Some_Ou,dc=example,dc=local',

> Another question would be, did you attempt the telnet from the RT box?

Yes, I did and was able to.

Thanks again,
Gene Evans
Re: [rt-users] RT 3.8 Active Directory integration and single sign-on
Kevin,

Thank you for your suggestions.

> Try using the ldapsearch command line client, I find it is much closer to the way the perl ldap library is connecting. Once you make that connect, the same user should be fine.
>
> One thing about AD is that sometimes the AD server responds better to a user of samaccountn...@domain (email address style login) rather than a full DN, but I've never found an explanation for why.

Yes, I had been trying to use ldapsearch but was getting bogged down in getting it configured to work. First had to install OpenLdap which also depended on BerkeleyDB, then ran out of HDD space and finally gave up. I was able to get it to run but never did get it to return anything at the command line. Ended up I was able to get things working without that and without resorting to the samaccountn...@domain format (see my reply today to Mike Johnson), but may try it as a test anyway just to have an alternative in case something down the road requires it.

I appreciate the help.

Sincerely,
Gene Evans
Re: [rt-users] RT 3.8 Active Directory integration and singlesign-on
I use LdapBrowser to validate my ldap credentials and look inside of AD when needed.

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Eugene M. Evans
Sent: Tuesday, August 10, 2010 7:33 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 3.8 Active Directory integration and singlesign-on

Kevin,

Thank you for your suggestions.

> Try using the ldapsearch command line client, I find it is much closer to the way the perl ldap library is connecting. Once you make that connect, the same user should be fine.
>
> One thing about AD is that sometimes the AD server responds better to a user of samaccountn...@domain (email address style login) rather than a full DN, but I've never found an explanation for why.

Yes, I had been trying to use ldapsearch but was getting bogged down in getting it configured to work. First had to install OpenLdap which also depended on BerkeleyDB, then ran out of HDD space and finally gave up. I was able to get it to run but never did get it to return anything at the command line. Ended up I was able to get things working without that and without resorting to the samaccountn...@domain format (see my reply today to Mike Johnson), but may try it as a test anyway just to have an alternative in case something down the road requires it.

I appreciate the help.

Sincerely,
Gene Evans