Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

[Oliver Weinmann]

Hi,

there are these settings in RT:

# tells RT to use the REMOTE_USER provided by the web server
Set($WebExternalAuth , 1);
 # tells RT to display its normal login screen if REMOTE_USER fails
Set($WebFallbackToInternalAuth , 1);
 # tells RT to create users automatically if no user matching REMOTE_USER is 
found
Set($WebExternalAuto , 1);

I have them all set except the last one as we use LDAPImport. So I would expect 
RT to not drop the REMOTE_USER. Or is this obsolete?

Best Regards,
Oliver
From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of 
Ruslan Zakirov
Sent: Dienstag, 3. September 2013 21:47
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER and 
not to drop it? If a web server would pass remotely provided REMOTE_USER 
further to an app without additional configuration then we wouldn't use it for 
authentication.

On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann 
mailto:oliver.weinm...@telespazio-vega.de>> 
wrote:
Hi all,

we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we 
need to get the setup running through our reverse proxy.

What we have on our reverse proxy is this:

ProxyPass/rt/ http://hostname.local/rt/ max=100
ProxyPassReverse /rt/ http://hostname.local/rt/

RedirectMatch ^/$ /rt/

# Proxy all locations

AddDefaultCharset off
Order deny,allow
Deny from none




AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms KRB5.LOCAL
Krb5KeyTab /etc/apache2/host.keytab
KrbMethodNegotiate on
KrbAuthoritative on
KrbMethodK5Passwd off
KrbSaveCredentials on
require valid-user

# SSO
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)$
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e



Running tcpdump we can see that REMOTE_USER is set and send to the host hosting 
RT. It looks like RT is not picking it up. As far as I understood is that my 
user gets authenticated at the proxy and RT should trust these credentials and 
log in the user.



--
Best regards, Ruslan.

[rt-users] Mail via ticket ID rather than queue

[Sam Wilson]

Hi rt-users,

I have configured a multiple queue RT instance with mailgate as follows, we
create new tickets in the support queue before moving them to specific
queues to be worked on and closed.

supp...@example.com
que...@example.com
que...@example.com

By itself mailgate is working fine. For example I can raise a ticket
directly in queue1 via email.

The issue is around the process of creating all tickets in the support pool
before moving to a different queue. This means that users who reply to
supp...@example.com after having the ticket moved will actually duplicate a
new ticket with a new ID as their original ticket is now at
que...@example.com.

Has anyone used mailgate where the reply address is actually the ticket ID
like ticket-...@rt.example.com or some other solution to solve the multiple
ticket issue described above?

If it helps the MTA is postfix using /etc/aliases with pipe's to mailgate.

Cheers,

Sam

Re: [rt-users] Re-send a previously attached attachment?

[Kevin Falcone]

On Mon, Sep 02, 2013 at 08:48:20AM +0200, Christian Loos wrote:
> Hi Kevin,
> 
> Am 14.08.2013 16:36, schrieb Kevin Falcone:
> > The alternate (attaching a previously attached attachment to a new
> > reply) is something we've explored in a few branches with clients, but
> > nothing we've written has stuck or been right for mainstream release.
> 
> maybe you can share some informations on the problems with your solutions.
> 
> I created RT::Extension::AddAttachmentsFromTransactions which is based
> on your 4.4/attach-from-transactions branch and this makes your users happy.

I have not worked with your extension yet, but as I recall the two
largest complaints with the branch as-is were:

Display of attachments on the new replies (they aren't true
attachments, and render in a funny way and were otherwise not as
obvious as needed).  Fixed if we better fake-up the attachment record.

Picking attachments from multiple transactions, especially on long
attachment heavy tickets.  This is a desirable feature, but just
providing a list of all attachments is... unusable.  We've played with
a few other UX ideas also.

There's a longer internal writeup of problems with the branch, but it
has some customer-specific things in it.  I do hope we can find a
solution for 4.4 but at this point we've missed the 4.2 window.

As the recent blog posts may make clear, we're getting closer and
closer to 4.2.0rc1.

-kevin


pgpVJXFXd_w2x.pgp
Description: PGP signature

Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

[Ruslan Zakirov]

Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER
and not to drop it? If a web server would pass remotely provided
REMOTE_USER further to an app without additional configuration then we
wouldn't use it for authentication.


On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <
oliver.weinm...@telespazio-vega.de> wrote:

>  Hi all,
>
> ** **
>
> we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb.
> Now we need to get the setup running through our reverse proxy.
>
> ** **
>
> What we have on our reverse proxy is this:
>
> ** **
>
> ProxyPass/rt/ http://hostname.local/rt/ max=100
>
> ProxyPassReverse /rt/ http://hostname.local/rt/
>
> ** **
>
> RedirectMatch ^/$ /rt/
>
> ** **
>
> # Proxy all locations
>
> 
>
> AddDefaultCharset off
>
> Order deny,allow
>
> Deny from none
>
> 
>
> ** **
>
> ** **
>
> 
>
> AuthType Kerberos
>
> AuthName "Kerberos Login"
>
> KrbAuthRealms KRB5.LOCAL
>
> Krb5KeyTab /etc/apache2/host.keytab
>
> KrbMethodNegotiate on
>
> KrbAuthoritative on
>
> KrbMethodK5Passwd off
>
> KrbSaveCredentials on
>
> require valid-user
>
> ** **
>
> # SSO
>
> RewriteEngine On
>
> RewriteCond %{LA-U:REMOTE_USER} (.+)$
>
> RewriteRule . - [E=RU:%1]
>
> RequestHeader set REMOTE_USER %{RU}e
>
> ** **
>
> 
>
> ** **
>
> Running tcpdump we can see that REMOTE_USER is set and send to the host
> hosting RT. It looks like RT is not picking it up. As far as I understood
> is that my user gets authenticated at the proxy and RT should trust these
> credentials and log in the user.
>



-- 
Best regards, Ruslan.

Re: [rt-users] pbcat.something tables

[Ruslan Zakirov]

Hi,

These are not RT tables, these are not mysql special tables. Google says
that pbc* are from Power Builder app. Ask on power builder forums.


On Mon, Sep 2, 2013 at 4:30 PM, Alex Decalli wrote:

> Hi RT-players
>
> Does anybody know what are these tables in RT database starting with
> pbcat, like pbcatcol, pbcatedt and ...? Someone says:
>
> "As far as I know, those are tables PB uses and are not to be directly
> modfied by a user. I'm in PB 9 but from the help using PBCatalogOwner
> DBParm
> parameter:
>
> "Specifies a nondefault owner for the extended attribute system tables.
> These five tables contain default extended attribute information for your
> database. "
>
> When you set up attributes for your tables, that's when these tables are
> populated."
> I like to know more about this. I am not very good in mysql and I need to
> know how is the impact on these tables?
>
> And by the way, what are "some-rt-table-FTSI"?? Does database makes them
> automatically too??
>
> Thanks...
>



-- 
Best regards, Ruslan.

Re: [rt-users] Fwd: How to list all enabled users in Perl script?

[Nathan Cutler]

> Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing
> debug statements there to check what is going on.

OK, I'll try that. I ran some more tests on my testing RT instance.
Here's what I just found out:

When no users are merged, the script produces the same output (same
users, same number of users) as the SELECT statement. When I then go
and merge a single user into another user, the number of users
produced by the script decreases by *two* -- the merged user *plus*
the alphabetically last user.

For example: with no users merged, the SELECT and the script both
return 63 rows (users). After user X is merged into user Y, the script
returns 61 rows (users), instead of 62 that would be expected. The two
missing users are user X and user Z (the last user in the alphabetical
listing produced by SELECT).

In my production instance, I have 8 merged users and the number of
users produced by the script is 16 less than the SELECT listing. In
addition to the 8 merged users, the 8 users at the end of the alphabet
are missing.

So it looks like an "off-by-one" bug.

Nathan

Re: [rt-users] Fwd: How to list all enabled users in Perl script?

[Ruslan Zakirov]

Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing
debug statements there to check what is going on.


On Tue, Sep 3, 2013 at 2:29 PM, Nathan Cutler wrote:

> > Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL
> manually
> > and it is correct then move to Next function.
>
> Thanks, Ruslan. I tried your suggestion. It outputs the following
> SELECT statement:
>
> SELECT DISTINCT main.* FROM Users main JOIN Principals Principals_1
> ON ( Principals_1.id = main.id )  WHERE (Principals_1.Disabled = '0')
> AND (Principals_1.PrincipalType = 'User')  ORDER BY main.Name ASC
>
> which I cut-and-pasted into the mysql prompt. This gives me 167 rows
> in alphabetical order. The Perl script's output, however, shows only
> 151 rows.
>
> I changed the SELECT statement to output just main.Name (into a file).
> Then, I modified my script to output just the Name of each enabled
> user (also to a file). And then I diffed the two resulting files. The
> SELECT statement yields 16 more users than the Perl script does.
>
> Here's my guess at what's happening: I'm using the MergeUsers
> extension. The SELECT statement ignores the fact that some of the
> users have been merged, and simply grabs them all. The Perl script, by
> contrast, attempts to get only those users that have not been merged
> into other users. But for some reason it fails to do this correctly,
> leaving out more users than it should. Significantly, it leaves out 8
> users at the end of the list. This would indicate that it's getting a
> wrong count of the number of non-merged users. Once it reaches the end
> of the count, it simply ignores the remaining users, even though they
> are non-merged.
>
> It's quite possible that I have merged 8 users. These 8 are not in the
> list generated by the Perl script. In addition to these 8, another 8
> (at the end of the alphabet) are also missing. It's very weird and it
> definitely smells like a bug.
>
> Any ideas appreciated.
>
> Nathan
>



-- 
Best regards, Ruslan.

[rt-users] Fwd: How to list all enabled users in Perl script?

[Nathan Cutler]

> Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL manually
> and it is correct then move to Next function.

Thanks, Ruslan. I tried your suggestion. It outputs the following
SELECT statement:

SELECT DISTINCT main.* FROM Users main JOIN Principals Principals_1
ON ( Principals_1.id = main.id )  WHERE (Principals_1.Disabled = '0')
AND (Principals_1.PrincipalType = 'User')  ORDER BY main.Name ASC

which I cut-and-pasted into the mysql prompt. This gives me 167 rows
in alphabetical order. The Perl script's output, however, shows only
151 rows.

I changed the SELECT statement to output just main.Name (into a file).
Then, I modified my script to output just the Name of each enabled
user (also to a file). And then I diffed the two resulting files. The
SELECT statement yields 16 more users than the Perl script does.

Here's my guess at what's happening: I'm using the MergeUsers
extension. The SELECT statement ignores the fact that some of the
users have been merged, and simply grabs them all. The Perl script, by
contrast, attempts to get only those users that have not been merged
into other users. But for some reason it fails to do this correctly,
leaving out more users than it should. Significantly, it leaves out 8
users at the end of the list. This would indicate that it's getting a
wrong count of the number of non-merged users. Once it reaches the end
of the count, it simply ignores the remaining users, even though they
are non-merged.

It's quite possible that I have merged 8 users. These 8 are not in the
list generated by the Perl script. In addition to these 8, another 8
(at the end of the alphabet) are also missing. It's very weird and it
definitely smells like a bug.

Any ideas appreciated.

Nathan

Re: [rt-users] How to list all enabled users in Perl script?

[Ruslan Zakirov]

Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL manually
and it is correct then move to Next function.


On Mon, Sep 2, 2013 at 6:04 PM, Nathan Cutler wrote:

> Greetings:
>
> RT 4.0.17.  In the web UI, when I list all enabled users by selecting
> '%' I get a list of about 152 users (approximately). Now, I have
> written a Perl script that is supposed to list all enabled RT users.
> When I run it, it finds 147 users and lists them in alphabetical
> order. But approximately 5 users at the end of the alphabet ('Name'
> starting with 'v', 'w', 'x', 'y', or 'z') are missing. For the life of
> me I can't figure out why. Any ideas?
>
> use strict;
> use warnings;
>
> use RT;
> use RT::User;
> use RT::Users;
>
> BEGIN {
> RT->LoadConfig;
> RT->Init;
> }
>
> my $RT_enabled_users = RT::Users->new($RT::SystemUser);
> $RT_enabled_users->LimitToEnabled;
>
> my $loop_count = 0;
> while (my $current_user = $RT_enabled_users->Next) {
>
>$loop_count += 1;
>
>my $uid = $current_user->Name;
>my $real_name = $current_user->RealName;
>my $rt_email = $current_user->EmailAddress;
>
>print "$loop_count: '$uid' -- $real_name -- $rt_email\n";
>
> }
>
> print "Loop count: $loop_count\n";
>
> Thanks alot,
> Nathan
>



-- 
Best regards, Ruslan.