Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi, there are these settings in RT: # tells RT to use the REMOTE_USER provided by the web server Set($WebExternalAuth , 1); # tells RT to display its normal login screen if REMOTE_USER fails Set($WebFallbackToInternalAuth , 1); # tells RT to create users automatically if no user matching REMOTE_USER is found Set($WebExternalAuto , 1); I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete? Best Regards, Oliver From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov Sent: Dienstag, 3. September 2013 21:47 To: Oliver Weinmann Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb Hi, Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication. On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann mailto:oliver.weinm...@telespazio-vega.de>> wrote: Hi all, we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy. What we have on our reverse proxy is this: ProxyPass/rt/ http://hostname.local/rt/ max=100 ProxyPassReverse /rt/ http://hostname.local/rt/ RedirectMatch ^/$ /rt/ # Proxy all locations AddDefaultCharset off Order deny,allow Deny from none AuthType Kerberos AuthName "Kerberos Login" KrbAuthRealms KRB5.LOCAL Krb5KeyTab /etc/apache2/host.keytab KrbMethodNegotiate on KrbAuthoritative on KrbMethodK5Passwd off KrbSaveCredentials on require valid-user # SSO RewriteEngine On RewriteCond %{LA-U:REMOTE_USER} (.+)$ RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e Running tcpdump we can see that REMOTE_USER is set and send to the host hosting RT. It looks like RT is not picking it up. As far as I understood is that my user gets authenticated at the proxy and RT should trust these credentials and log in the user. -- Best regards, Ruslan.
[rt-users] Mail via ticket ID rather than queue
Hi rt-users, I have configured a multiple queue RT instance with mailgate as follows, we create new tickets in the support queue before moving them to specific queues to be worked on and closed. supp...@example.com que...@example.com que...@example.com By itself mailgate is working fine. For example I can raise a ticket directly in queue1 via email. The issue is around the process of creating all tickets in the support pool before moving to a different queue. This means that users who reply to supp...@example.com after having the ticket moved will actually duplicate a new ticket with a new ID as their original ticket is now at que...@example.com. Has anyone used mailgate where the reply address is actually the ticket ID like ticket-...@rt.example.com or some other solution to solve the multiple ticket issue described above? If it helps the MTA is postfix using /etc/aliases with pipe's to mailgate. Cheers, Sam
Re: [rt-users] Re-send a previously attached attachment?
On Mon, Sep 02, 2013 at 08:48:20AM +0200, Christian Loos wrote: > Hi Kevin, > > Am 14.08.2013 16:36, schrieb Kevin Falcone: > > The alternate (attaching a previously attached attachment to a new > > reply) is something we've explored in a few branches with clients, but > > nothing we've written has stuck or been right for mainstream release. > > maybe you can share some informations on the problems with your solutions. > > I created RT::Extension::AddAttachmentsFromTransactions which is based > on your 4.4/attach-from-transactions branch and this makes your users happy. I have not worked with your extension yet, but as I recall the two largest complaints with the branch as-is were: Display of attachments on the new replies (they aren't true attachments, and render in a funny way and were otherwise not as obvious as needed). Fixed if we better fake-up the attachment record. Picking attachments from multiple transactions, especially on long attachment heavy tickets. This is a desirable feature, but just providing a list of all attachments is... unusable. We've played with a few other UX ideas also. There's a longer internal writeup of problems with the branch, but it has some customer-specific things in it. I do hope we can find a solution for 4.4 but at this point we've missed the 4.2 window. As the recent blog posts may make clear, we're getting closer and closer to 4.2.0rc1. -kevin pgpVJXFXd_w2x.pgp Description: PGP signature
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi, Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication. On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann < oliver.weinm...@telespazio-vega.de> wrote: > Hi all, > > ** ** > > we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. > Now we need to get the setup running through our reverse proxy. > > ** ** > > What we have on our reverse proxy is this: > > ** ** > > ProxyPass/rt/ http://hostname.local/rt/ max=100 > > ProxyPassReverse /rt/ http://hostname.local/rt/ > > ** ** > > RedirectMatch ^/$ /rt/ > > ** ** > > # Proxy all locations > > > > AddDefaultCharset off > > Order deny,allow > > Deny from none > > > > ** ** > > ** ** > > > > AuthType Kerberos > > AuthName "Kerberos Login" > > KrbAuthRealms KRB5.LOCAL > > Krb5KeyTab /etc/apache2/host.keytab > > KrbMethodNegotiate on > > KrbAuthoritative on > > KrbMethodK5Passwd off > > KrbSaveCredentials on > > require valid-user > > ** ** > > # SSO > > RewriteEngine On > > RewriteCond %{LA-U:REMOTE_USER} (.+)$ > > RewriteRule . - [E=RU:%1] > > RequestHeader set REMOTE_USER %{RU}e > > ** ** > > > > ** ** > > Running tcpdump we can see that REMOTE_USER is set and send to the host > hosting RT. It looks like RT is not picking it up. As far as I understood > is that my user gets authenticated at the proxy and RT should trust these > credentials and log in the user. > -- Best regards, Ruslan.
Re: [rt-users] pbcat.something tables
Hi, These are not RT tables, these are not mysql special tables. Google says that pbc* are from Power Builder app. Ask on power builder forums. On Mon, Sep 2, 2013 at 4:30 PM, Alex Decalli wrote: > Hi RT-players > > Does anybody know what are these tables in RT database starting with > pbcat, like pbcatcol, pbcatedt and ...? Someone says: > > "As far as I know, those are tables PB uses and are not to be directly > modfied by a user. I'm in PB 9 but from the help using PBCatalogOwner > DBParm > parameter: > > "Specifies a nondefault owner for the extended attribute system tables. > These five tables contain default extended attribute information for your > database. " > > When you set up attributes for your tables, that's when these tables are > populated." > I like to know more about this. I am not very good in mysql and I need to > know how is the impact on these tables? > > And by the way, what are "some-rt-table-FTSI"?? Does database makes them > automatically too?? > > Thanks... > -- Best regards, Ruslan.
Re: [rt-users] Fwd: How to list all enabled users in Perl script?
> Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing > debug statements there to check what is going on. OK, I'll try that. I ran some more tests on my testing RT instance. Here's what I just found out: When no users are merged, the script produces the same output (same users, same number of users) as the SELECT statement. When I then go and merge a single user into another user, the number of users produced by the script decreases by *two* -- the merged user *plus* the alphabetically last user. For example: with no users merged, the SELECT and the script both return 63 rows (users). After user X is merged into user Y, the script returns 61 rows (users), instead of 62 that would be expected. The two missing users are user X and user Z (the last user in the alphabetical listing produced by SELECT). In my production instance, I have 8 merged users and the number of users produced by the script is 16 less than the SELECT listing. In addition to the 8 merged users, the 8 users at the end of the alphabet are missing. So it looks like an "off-by-one" bug. Nathan
Re: [rt-users] Fwd: How to list all enabled users in Perl script?
Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing debug statements there to check what is going on. On Tue, Sep 3, 2013 at 2:29 PM, Nathan Cutler wrote: > > Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL > manually > > and it is correct then move to Next function. > > Thanks, Ruslan. I tried your suggestion. It outputs the following > SELECT statement: > > SELECT DISTINCT main.* FROM Users main JOIN Principals Principals_1 > ON ( Principals_1.id = main.id ) WHERE (Principals_1.Disabled = '0') > AND (Principals_1.PrincipalType = 'User') ORDER BY main.Name ASC > > which I cut-and-pasted into the mysql prompt. This gives me 167 rows > in alphabetical order. The Perl script's output, however, shows only > 151 rows. > > I changed the SELECT statement to output just main.Name (into a file). > Then, I modified my script to output just the Name of each enabled > user (also to a file). And then I diffed the two resulting files. The > SELECT statement yields 16 more users than the Perl script does. > > Here's my guess at what's happening: I'm using the MergeUsers > extension. The SELECT statement ignores the fact that some of the > users have been merged, and simply grabs them all. The Perl script, by > contrast, attempts to get only those users that have not been merged > into other users. But for some reason it fails to do this correctly, > leaving out more users than it should. Significantly, it leaves out 8 > users at the end of the list. This would indicate that it's getting a > wrong count of the number of non-merged users. Once it reaches the end > of the count, it simply ignores the remaining users, even though they > are non-merged. > > It's quite possible that I have merged 8 users. These 8 are not in the > list generated by the Perl script. In addition to these 8, another 8 > (at the end of the alphabet) are also missing. It's very weird and it > definitely smells like a bug. > > Any ideas appreciated. > > Nathan > -- Best regards, Ruslan.
[rt-users] Fwd: How to list all enabled users in Perl script?
> Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL manually > and it is correct then move to Next function. Thanks, Ruslan. I tried your suggestion. It outputs the following SELECT statement: SELECT DISTINCT main.* FROM Users main JOIN Principals Principals_1 ON ( Principals_1.id = main.id ) WHERE (Principals_1.Disabled = '0') AND (Principals_1.PrincipalType = 'User') ORDER BY main.Name ASC which I cut-and-pasted into the mysql prompt. This gives me 167 rows in alphabetical order. The Perl script's output, however, shows only 151 rows. I changed the SELECT statement to output just main.Name (into a file). Then, I modified my script to output just the Name of each enabled user (also to a file). And then I diffed the two resulting files. The SELECT statement yields 16 more users than the Perl script does. Here's my guess at what's happening: I'm using the MergeUsers extension. The SELECT statement ignores the fact that some of the users have been merged, and simply grabs them all. The Perl script, by contrast, attempts to get only those users that have not been merged into other users. But for some reason it fails to do this correctly, leaving out more users than it should. Significantly, it leaves out 8 users at the end of the list. This would indicate that it's getting a wrong count of the number of non-merged users. Once it reaches the end of the count, it simply ignores the remaining users, even though they are non-merged. It's quite possible that I have merged 8 users. These 8 are not in the list generated by the Perl script. In addition to these 8, another 8 (at the end of the alphabet) are also missing. It's very weird and it definitely smells like a bug. Any ideas appreciated. Nathan
Re: [rt-users] How to list all enabled users in Perl script?
Call `print $RT_enabled_users->BuildSelectQuery, "\n";`, check SQL manually and it is correct then move to Next function. On Mon, Sep 2, 2013 at 6:04 PM, Nathan Cutler wrote: > Greetings: > > RT 4.0.17. In the web UI, when I list all enabled users by selecting > '%' I get a list of about 152 users (approximately). Now, I have > written a Perl script that is supposed to list all enabled RT users. > When I run it, it finds 147 users and lists them in alphabetical > order. But approximately 5 users at the end of the alphabet ('Name' > starting with 'v', 'w', 'x', 'y', or 'z') are missing. For the life of > me I can't figure out why. Any ideas? > > use strict; > use warnings; > > use RT; > use RT::User; > use RT::Users; > > BEGIN { > RT->LoadConfig; > RT->Init; > } > > my $RT_enabled_users = RT::Users->new($RT::SystemUser); > $RT_enabled_users->LimitToEnabled; > > my $loop_count = 0; > while (my $current_user = $RT_enabled_users->Next) { > >$loop_count += 1; > >my $uid = $current_user->Name; >my $real_name = $current_user->RealName; >my $rt_email = $current_user->EmailAddress; > >print "$loop_count: '$uid' -- $real_name -- $rt_email\n"; > > } > > print "Loop count: $loop_count\n"; > > Thanks alot, > Nathan > -- Best regards, Ruslan.