Re: [rt-users] Internal authentification only for REST API

2013-10-18 Thread andkulb
Done that. But now REST doesn't require any password at all? Is it also
possible to require RT internal auth in specific folder?

Thanks in advance.





Re: [rt-users] Error in article history

2013-10-18 Thread Guadagnino Cristiano
Hi Kevin,
it's been quite some time since we migrated to RT 4.
Fortunately, I have a migration procedure I wrote down while migrating our test 
environment, so that I could re-apply the same steps in production.

We migrated to RT 4 while also migrating to new CentOS servers, so this is what 
I did after installing the servers and downloading all the required components 
(packages):

- I followed RT's README till step 6a
- in step 6a I only did the first part (i.e. I did not do make initialize 
database)
- I restored the backup from our RT 3.x production system (in rt4 db)
- I did make upgrade database from step 6b
- I ran ./etc/upgrade/upgrade-articles from the directory where I uncompressed 
the tarball

I think this is the relevant part.
Then I followed by porting my old Apache/sendmail/Sphinx configurations to the 
new servers, etc.

Is that enough? Or, is there something more I should have done?

Thank you
Cris



Cristiano Guadagnino

Servizio Data Administration
___
Bankadati Servizi Informatici Soc.Cons.P.A.
Gruppo bancario Credito Valtellinese
Via Trento, 22 - 23100 SONDRIO
tel +39 0342522172  - fax +39 0342522992
guadagnino.cristi...@creval.it
www.creval.it


This message is not of a personal nature but is sent for work purposes; 
any reply may also become known to persons other than the originator of this 
message for those purposes or for company monitoring. This message, together 
with any attachments, contains information to be considered strictly 
confidential and is intended exclusively for the recipient indicated above, who 
is the only one authorised to use it, copy it and, under their own 
responsibility, distribute it. Anyone who receives this message in error, or 
reads it without being entitled to, is warned that retaining, copying, 
disclosing or distributing it to persons other than the recipient is strictly 
prohibited, and is asked to return it immediately to the sender and destroy the 
original.


From: Kevin Falcone falc...@bestpractical.com
Sent: Thu Oct 17 2013 16:40:50 GMT+0200 (CEST)
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Error in article history

On Thu, Oct 17, 2013 at 08:33:27AM +, Guadagnino Cristiano wrote:


   How can I verify the ObjectTypes? Would you be so kind to send me a query to 
run against mysql
   to verify that everything is ok with my articles?


You'll need to write your own SQL query - as noted previously, you're
looking for RT::FM::Article in the ObjectType field on Transactions
and ObjectCustomFieldValues.

Also - please confirm which upgrade steps you ran.  There is a
standalone documented and warned about script you must run to upgrade
articles.

-kevin



 You likely still have a Transaction record or ObjectCustomFieldValue
 record with the wrong ObjectType that those scripts should have fixed
 for you.



[rt-users] LDAP Groups

2013-10-18 Thread Paul Stead

Hi all,

I've been looking into using our Windows 2008 Active Directory for user 
authentication and group membership.

Ideally I'd like to replicate names of groups that our users are members within 
RT, set up permissions and have the  of then have those users be able to log 
into RT

I've looked at ExternalAuth mainly as this seemed to offer the best integration 
into RT, however by all accounts there is no sort of automatic group assignment.



and LDAPImport
--
Paul Stead
Systems Engineer, Zen Internet
T: 01706 902009


Re: [rt-users] LDAP Groups

2013-10-18 Thread Paul Stead

Apologies..

-8-

Hi all,

I've been looking into using our Windows 2008 Active Directory for user 
authentication and group membership.

Ideally I'd like to replicate names of groups that our users are members within 
RT, set up permissions and have the  of then have those users be able to log 
into RT and have the group association automatically assigned.

I've looked at ExternalAuth mainly as this seemed to offer the best integration 
into RT, however by all accounts there is no sort of automatic group assignment.

It seems that LDAPImport is suggested as a solution to this - however I feel I 
would require several runs and different search terms to get everyone into the 
groups I need,

Has anyone used LDAP in this way?

Thanks

Paul
--
Paul Stead
Systems Engineer, Zen Internet
T: 01706 902009


Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-18 Thread Parish, Brent
Hi Matthew

It sounds to me like you were authenticating ok initially, but getting an error 
in creating the user.

And to answer your initial question about the group and group_attr settings, I 
don’t use those at all and it works fine for me.

I would recommend putting things back to how you first had them (to generate 
the error you originally posted), turn the log level up to debug, and try 
again.
There are some debug statements within that method that may help identify where 
it is choking.


-  Brent



From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I found another thread that indicated that the solution to the second problem 
was to add @domain to the end of the username. That just reverted to the 
previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102




From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'domain_controller.example.com',
        'base'            => 'dc=example,dc=com',
        'user'            => 'rtuser',
        'pass'            => '',
        'filter'          => '(ObjectClass=*)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'EmailAddress',
        ],
        'attr_map' => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
} );

They aren't working. Whenever someone attempts an initial login with just their 
username (which should create their RT account) the following error is logged:
Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or 
example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those 
settings are
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName


I know they don't match up exactly in terms of what Openfire calls the settings 
vs. what RT does, but I'm hoping someone can help me sort out what should be 
plugged in where on the RT side. For example, I don't know what the group_attr 
or group_attr_value setting should contain (if anything) in the 
RT_SiteConfig.pm file. Basically, anything from the group settings.

-Mathew

When you do things right, people won't be sure you've done 

Re: [rt-users] Question about SLA module

2013-10-18 Thread Alexandre LEPREVOST
Hello Kevin

Thank you for your different answers, unfortunately I was expecting to be
able to change the SLA name field for multiple SLA instance.

Let me explain to you quickly what I'm expecting, I'm probably confusing
something and give me a headache to myself :)

In our firm, we would like 2 queues Support and Development

Support queue should be able to set a list called priority (and not SLA)
with a list of several SLA (P1 to P4 - From important to not important
answer and resolve time). Development queue should be able to see an
another list called internal with a different list of SLA (not defined
yet). What I understand for now is different: I'm able to do a unique list
SLA with multiple SLA in it.

Do you see the difference ? And I've played with the conf file and multiple
installation of the module to have 2 SLA fields but after that, everything
was dead (nothing work anymore).

Do you think that it's possible ?

I hope that you'll be able to give me a clue - After that I'll be ready to
run the project with this very important step for us !

Thank you in advance for your time
Kind regards / Cordialement

*Alexandre Leprevost*
 Project Engineer / Delivery Team


 4 rue de l´Abreuvoir
92 400 Courbevoie
France
a...@efficientip.com
Tel : +33 (0)1 75 84 88 98
Fax : +33 (0)9 57 88 09 40
www.efficientip.com


2013/10/17 Kevin Falcone falc...@bestpractical.com

 On Thu, Oct 17, 2013 at 02:26:01PM +0200, Alexandre LEPREVOST wrote:
 - When I'm installing the SLA module, a custom field is create
 automatically - called [1]SLA
 I've changed it to something better for us : support SLA. After
 changed the value, the module
 doesn't work anymore. Should I do something in database ? In your
 documentation you say This
 field is created during make initdb step (above) and applied
 globally - Can you have an idea

 The Custom Field name in use by the module is hard coded to SLA.
 To use another name you'll need to provide a patch to make it
 flexible.

 - My second point is about multiple SLA. I would like to have 2
 different SLA - one for
 support, second development. Do you have any clues on how to perform
 this configuration ? To
 be honest I've played with the configuration file and it was not so
 easy. I've tried to
 install the module 2 times and I see the SLA custom field 2 times,
 does it make sense ?

 It's quite possible to have different SLAs per Queue, we do, it's
 shown in the documentation.

 Also, in the README, where it says
 make initdb (for the first time only)
 you ran in twice, you'll want to disable or delete the second
 extraneous SLA custom field.

 - Do you have an idea to uninstall the plugin ? In my job I need to
 document it (even I won't
 uninstall it for sure ;))

 Remove from @Plugins line, disable Scrips and Custom Fields.

 -kevin



Re: [rt-users] LDAP Groups

2013-10-18 Thread Kevin Falcone
On Fri, Oct 18, 2013 at 11:01:26AM +0100, Paul Stead wrote:
It seems that LDAPImport is suggested as a solution to this - however I 
 feel I would require
several runs and different search terms to get everyone into the groups I 
 need,
 
Has anyone used LDAP in this way?

LDAPImport is the solution for syncing groups.
We have many many customers using RT-Authen-ExternalAuth to
authenticate and LDAPImport to sync groups and user information.

-kevin




Re: [rt-users] Internal authentification only for REST API

2013-10-18 Thread Kevin Falcone
On Thu, Oct 17, 2013 at 11:57:12PM -0700, andkulb wrote:
 Done that. But now REST doesn't require any password at all? Is it also
 possible to require RT internal auth in specific folder?

REST requires authentication at the RT level unless you've made some
pretty drastic changes.

-kevin





Re: [rt-users] Question about SLA module

2013-10-18 Thread Kevin Falcone
On Fri, Oct 18, 2013 at 02:00:27PM +0200, Alexandre LEPREVOST wrote:
Thank you for your different answers, unfortunately I was expecting to be 
 able to change the
SLA name field for multiple SLA instance.
 
Let me explain to you quickly what I'm expecting, I'm probably confusing 
 something and give me
a headache to myself :)
 
In our firm, we would like 2 queues Support and Development
 
Support queue should be able to set a list called priority (and not SLA) 
 with a list of
several SLA (P1 to P4 - From important to not important answer and resolve 
 time). Development
queue should be able to see an another list called internal with a 
 different list of SLA
(not defined yet). What I understand for now is different: I'm able to do 
 a unique list SLA
with multiple SLA in it.
 
Do you see the difference ? And I've played with the conf file and 
 multiple installation of
the module to have 2 SLA fields but after that, everything was dead 
 (nothing work anymore).

You can have two SLA fields, but they must be Queue level, not global.
One applied to each of your queues, each with a different set of
values, then set your configuration appropriately.

You still cannot rename the SLA custom field.

-kevin




[rt-users] Writing portlets

2013-10-18 Thread Esdras Neto
Good afternoon,

I need to write a Portlet on my rt 4.0.3.
Does anyone know a documentation that explains how to do that?
I'm trying to follow the wiki below but that does not appear to be working:
http://requesttracker.wikia.com/wiki/WritingPortlets

Thanks,
Esdras

-- 
http://www.borealis-aurora.com
http://www.alvespassos.com
Sharing things that we cannot buy.
Mobile +353 (0)83 4005868


Re: [rt-users] Question about SLA module

2013-10-18 Thread Alexandre LEPREVOST
Thank you Kevin

I see what you mean but do you have a quick example of configuration file
for this ? I'm not asking a full configuration file in detail, but just a
very basic one (pseudo code should be enough for sure).

My problem is to translate what I would like in this conf file. But I
understand what you mean and it should be enough for us If I succeed to do
that.

Thank you Kevin for your nice support
Kind regards / Cordialement

*Alexandre Leprevost*
Project Engineer / Delivery Team


 4 rue de l´Abreuvoir
92 400 Courbevoie
France
a...@efficientip.com
Tel : +33 (0)1 75 84 88 98
Fax : +33 (0)9 57 88 09 40
www.efficientip.com


2013/10/18 Kevin Falcone falc...@bestpractical.com

 On Fri, Oct 18, 2013 at 02:00:27PM +0200, Alexandre LEPREVOST wrote:
 Thank you for your different answers, unfortunately I was expecting
 to be able to change the
 SLA name field for multiple SLA instance.
 
 Let me explain to you quickly what I'm expecting, I'm probably
 confusing something and give me
 a headache to myself :)
 
 In our firm, we would like 2 queues Support and Development
 
 Support queue should be able to set a list called priority (and not
 SLA) with a list of
 several SLA (P1 to P4 - From important to not important answer and
 resolve time). Development
 queue should be able to see an another list called internal with a
 different list of SLA
 (not defined yet). What I understand for now is different: I'm able
 to do a unique list SLA
 with multiple SLA in it.
 
 Do you see the difference ? And I've played with the conf file and
 multiple installation of
 the module to have 2 SLA fields but after that, everything was dead
 (nothing work anymore).

 You can have two SLA fields, but they must be Queue level, not global.
 One applied to each of your queues, each with a different set of
 values, then set your configuration appropriately.

 You still cannot rename the SLA custom field.

 -kevin



Re: [rt-users] Errors with new instance on 4.2.0

2013-10-18 Thread Flynn, Timothy
Kevin I found the issue.  The web user could not write to the RT logfile.  I 
now have a happy new instance of RT 4.0.18  RTIR 3.  It took me a bit to 
figure out how to run rt-server.fcgi as the web user since a shell login was 
not allowed for that user (sudo su wouldn't execute command).  I just edited 
vipw quick and gave it a shell, tested the command and found the issue and set 
the shell back to false after.

Thank you,
Tim

-Original Message-
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, October 17, 2013 9:39 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Errors with new instance on 4.2.0

On Wed, Oct 16, 2013 at 07:27:29PM +, Flynn, Timothy wrote:
 I reinstalled perlbrew to /opt/perl5 in case it was a permissions
 issue with perl. Rebuilt rt 4.0.18 and all dependencies under new
 perl. I've verified that RT is configured to use perl at that
 location:

Since your intent is to run 4.2.0 - why are you testing with 4.0.18?
I suggest you install the version you intend to deploy with (4.2.0) and then 
run /opt/rt4/sbin/rt-server.fcgi as the web user and see what permission errors 
or other messages you get.

-kevin


 #!/opt/perl5/perls/perl-5.18.1/bin/perl -w (first line of
 rt-server.fcgi)

 I still get a 500 http error when accessing the page with apache.   I did try 
 the standalone rt server and it works fine.  I had to install Module::Refresh 
 to get it to work.

 I checked and when I start apache (/var/lib/apache2/fcgid/shm) is created and 
 removed when stopped so I believe apache does have write access to this file 
 and location:


 I do have other RT servers with the same configuration aside from perlbrew 
 and they work fine.   Reason I was using perlbrew is that I have plans for RT 
 4.2 and its perl version requirement exceeds what my SLES 11 server has 
 available.

 This is the only error I really have to go on in apache.  Nothing is being 
 presented in the RT log.

 Apache error file:
 [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi 
 server error.
  [error] [client X] Premature end of script headers:
 rt-server.fcgi

 Here is my apache vhost config (servername blanked out for security)


 <VirtualHost servername here>
     ### Optional apache logs for RT
     # Ensure that your log rotation scripts know about these files
     ErrorLog /var/log/apache2/servername-error_log
     CustomLog /var/log/apache2/servername-access_log combined
     LogLevel debug

     AddDefaultCharset UTF-8

     Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
     ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

     DocumentRoot /opt/rt4/share/html
     <Location />
         Order allow,deny
         Allow from all

         Options +ExecCGI
         AddHandler fcgid-script fcgi
     </Location>
 </VirtualHost>


 -Tim

 -Original Message-
 From: rt-users-boun...@lists.bestpractical.com
 [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Flynn,
 Timothy
 Sent: Tuesday, October 15, 2013 3:27 PM
 To: rt-users@lists.bestpractical.com
 Subject: Re: [rt-users] Errors with new instance on 4.2.0

 Ok thank you for the recommendations Kevin.  Apologies for replying to the 
 wrong post.

 Tim

 -Original Message-
 From: rt-users-boun...@lists.bestpractical.com
 [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin
 Falcone
 Sent: Tuesday, October 15, 2013 1:28 PM
 To: rt-users@lists.bestpractical.com
 Subject: Re: [rt-users] Errors with new instance on 4.2.0

 On Tue, Oct 15, 2013 at 05:57:37PM +, Flynn, Timothy wrote:
  I deleted rt 4.2.0 and dropped the database, downloaded and
  installed rt 4.0.18. Appear to have the same errors without doing
  anything with RTIR. I did see some old threads on mod fcgi with
  similar errors and returning exit 255. This is my first time
  installing RT using perlbrew. Could that be the issue?

 Please don't hijack someone else's thread on the mailing list.

 I highly doubt that perlbrew is causing mod_fcgid problems.

 The most common problems are permission related (can apache write into 
 /var/lib/apache2/fcgid ?) and SELinux related (does selinux allow apache to 
 write into /var/lib/apache2/fcgid ?).

 You can also run the standalone RT server /opt/rt4/sbin/rt-server manually as 
 root to ensure that you've installed and configured RT correctly.  After 
 doing so, be sure to clean your mason cache before trying to configure 
 mod_fcgid.

 -kevin

 On Tue, Oct 15, 2013 at 05:07:20PM +, Flynn, Timothy wrote:
 I am trying an install on a new server with Perlbrew 0.66, perl-5.18.1, 
  fast cgi , RT 4.2.0,
 and RTIR 3.0.  Pretty much vanilla install right now with freshly 
  initialized db.
 
 When I access webpage I get the following errors in the logfile.
 
 [warn] (104)Connection reset by peer: 

Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-18 Thread Mathew Snyder
I've actually been trying to get debugging turned on for a few days now.
I've set all of the variables:

Set( $LogToSTDERR, 'debug' );
Set( $LogToFile, 'debug' );
Set( $LogDir, '/var/log/' );
Set( $LogToFileNamed, 'rt.log' );
Set( $LogToSyslog, 'debug' );

I'm not getting any detailed information at all. In fact, the rt.log file
isn't even being created. I had tried to set the directory to /opt/rt4/log,
but the file wasn't being created there, either.




-Mathew

When you do things right, people won't be sure you've done anything at
all. - God; Futurama

We'll get along much better once you accept that you're wrong and neither
am I. - Me


On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent bpar...@cognex.com wrote:

 Hi Matthew

 It sounds to me like you were authenticating ok initially, but getting an
 error in creating the user.

 And to answer your initial question about the group and group_attr
 settings, I don’t use those at all and it works fine for me.

 I would recommend putting things back to how you first had them (to
 generate the error you originally posted), turn the log level up to debug,
 and try again.

 There are some debug statements within that method that may help identify
 where it is choking.

 -  Brent


 From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
 Sent: Thursday, October 17, 2013 1:50 PM
 To: Jeff Solberg
 Cc: rt-users@lists.bestpractical.com
 Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please


 I found another thread that indicated that the solution to the second
 problem was to add @domain to the end of the username. That just reverted
 to the previous list of errors with a couple new ones.

  

 Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
 Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
 Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
 Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
 Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
 Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102


 From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
 Sent: Thursday, October 17, 2013 1:19 PM
 To: rt-users@lists.bestpractical.com
 Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please


 These are the settings I've started with:


 Set($ExternalSettings, {
     'AD' => {
         'type'            => 'ldap',
         'server'          => 'domain_controller.example.com',
         'base'            => 'dc=example,dc=com',
         'user'            => 'rtuser',
         'pass'            => '',
         'filter'          => '(ObjectClass=*)',
         'tls'             => 0,
         'ssl_version'     => 3,
         'net_ldap_args'   => [ version => 3 ],
         'attr_match_list' => [
             'EmailAddress',
         ],
         'attr_map' => {
             'Name'         => 'sAMAccountName',
             'EmailAddress' => 'mail',
             'RealName'     => 'cn',
         },
     },
 } );


 They aren't working. Whenever someone attempts an initial login with just
 their username (which should create their RT account) the following error
 is logged:

 Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
 Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
 Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
 Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

  

 When initial logins are attempted with either example\username or
 example.com\username only the FAILED LOGIN line is displayed.

  

 We also have our Openfire Jabber server authenticating successfully. Those
 settings are

 ldap.autoFollowAliasReferrals = true

 ldap.autoFollowReferrals = false

 ldap.baseDN = dc=example,dc=com

 

Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-18 Thread Mathew Snyder
I seem to be getting closer. I'm down to only the FAILED LOGIN for user
from... error.

I've found that in order to get down to just that I have to include the
domain in the username either as

   - domain\user
   - domain.local\user
   - user@domain
   - user@domain.local

However, if I use just the username I get

[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)

The domain does not seem to be getting passed as part of the username when
I attempt to log in. Interestingly, though, when I don't use the domain, I
do get the info line in the log which contains bits of information that
wouldn't otherwise be returned from AD. If I do use the domain that doesn't
get returned, but I'm still unable to log in.

I know my credentials are accurate because they are the same as I use to
log into our VPN and that is tied to AD.

My current settings:

Set($ExternalAuthPriority, [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'dc1.domain.local',
        'base'            => 'dc=domain,dc=local',
        'user'            => 'rtuser',
        'pass'            => '',
        'filter'          => '(ObjectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group_scope'     => 'base',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        },
    },
} );

Further assistance will be appreciated.

-Mathew

When you do things right, people won't be sure you've done anything at
all. - God; Futurama

We'll get along much better once you accept that you're wrong and neither
am I. - Me


On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder mathew.sny...@gmail.com wrote:

 I've actually been trying to get debugging turned on for a few days now.
 I've set all of the variables:

 Set( $LogToSTDERR, 'debug' );
 Set( $LogToFile, 'debug' );
 Set( $LogDir, '/var/log/' );
 Set( $LogToFileNamed, 'rt.log' );
 Set( $LogToSyslog, 'debug' );

 I'm not getting any detailed information at all. In fact, the rt.log file
 isn't even being created. I had tried to set the directory to /opt/rt4/log,
 but the file wasn't being created there, either.




 -Mathew

 When you do things right, people won't be sure you've done anything at
 all. - God; Futurama

 We'll get along much better once you accept that you're wrong and
 neither am I. - Me


 On Fri, Oct 18, 2013 at 7:51 AM, Parish, Brent bpar...@cognex.com wrote:

 Hi Matthew

 ** **

 It sounds to me like you were authenticating ok initially, but getting an
 error in creating the user.

 And to answer your initial question about the group and group_attr
 settings, I don’t use those at all and it works fine for me.

 I would recommend putting things back to how you first had them (to
 generate the error you originally posted), turn the log level up to debug,
 and try again.

 There are some debug statements within that 

Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

2013-10-18 Thread Mathew Snyder
I have solved this problem!

I had the $AutoCreateNonExternalUsers set to 0. I changed it to 1.

I completely misinterpreted this setting. I have an AD account which I
thought would be considered internal and therefore be created when I first
logged in.

Frankly, I'm still confused about what I was thinking. Either way, it works.


-Mathew

When you do things right, people won't be sure you've done anything at
all. - God; Futurama

We'll get along much better once you accept that you're wrong and neither
am I. - Me


On Fri, Oct 18, 2013 at 8:57 PM, Mathew Snyder mathew.sny...@gmail.com wrote:

 I seem to be getting closer. I'm down to only the FAILED LOGIN for user
 from... error.

 I've found that in order to get down to just that I have to include the
 domain in the username either as

- domain\user
- domain.local\user
- user@domain
- user@domain.local

 However, if I use just the username I get

 [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
 $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
 [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value
 $service in hash element at
 /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
 line 611.
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
 [3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in
 string eq at
 /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
 line 613.
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
 [3221] [Sat Oct 19 00:44:37 2013] [info]:
 RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
 EmailAddress: , Gecos: user, Name: user, Privileged:
  
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
 [3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user:
 Could not set user info
 (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
 [3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from
 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)

 The domain does not seem to be getting passed as part of the username when
 I attempt to log in. Interestingly, though, when I don't use the domain, I
 do get the info line in the log which contains bits of information that
 wouldn't otherwise be returned from AD. If I do use the domain that doesn't
 get returned, but I'm still unable to log in.

 I know my credentials are accurate because they are the same as I use to
 log into our VPN and that is tied to AD.

 My current settings:

 Set($ExternalAuthPriority,  [ 'AD' ] );
 Set($ExternalServiceUsesSSLorTLS, 0);
 Set($AutoCreateNonExternalUsers, 0);
 Set($ExternalSettings, {
     'AD' => {
         'type'            => 'ldap',
         'server'          => 'dc1.domain.local',
         'base'            => 'dc=domain,dc=local',
         'user'            => 'rtuser',
         'pass'            => '',
         'filter'          => '(ObjectClass=*)',
         'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803=2)',
         'group_scope'     => 'base',
         'tls'             => 0,
         'ssl_version'     => 3,
         'net_ldap_args'   => [ version => 3 ],
         'attr_match_list' => [
             'Name',
         ],
         'attr_map' => {
             'Name'           => 'sAMAccountName',
             'EmailAddress'   => 'mail',
             'Organization'   => 'physicalDeliveryOfficeName',
             'RealName'       => 'cn',
             'ExternalAuthId' => 'sAMAccountName',
             'Gecos'          => 'sAMAccountName',
             'WorkPhone'      => 'telephoneNumber',
             'Address1'       => 'streetAddress',
             'City'           => 'l',
             'State'          => 'st',
             'Zip'            => 'postalCode',
             'Country'        => 'co'
         },
     },
 } );

 Further assistance will be appreciated.

 -Mathew

 When you do things right, people won't be sure you've done anything at
 all. - God; Futurama

 We'll get along much better once you accept that you're wrong and
 neither am I. - Me


 On Fri, Oct 18, 2013 at 8:08 PM, Mathew Snyder mathew.sny...@gmail.com wrote:

 I've actually been trying to get debugging turned on for a few days now.
 I've set all of the variables:

 Set( $LogToSTDERR, 'debug' );
 Set( $LogToFile, 'debug' );
 Set( $LogDir, '/var/log/' );
 Set( $LogToFileNamed, 'rt.log' );
 Set( $LogToSyslog, 'debug' );

 I'm not getting any detailed information at all. In fact, the rt.log file
 isn't even being created. I had tried to set the directory to /opt/rt4/log,
 but the file wasn't being created there, either.




 -Mathew

 When you do things right, people won't be sure you've done anything at
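
A triage sketch for the log excerpt quoted in the message above, added here and not part of the original thread or of RT: for each FAILED LOGIN line it reports whether a user-creation error was logged for the same request and which attributes CanonicalizeUserInfo returned empty. The sample lines are constructed from the line format shown in the thread (the second login and its username are invented), and correlating lines by pid and timestamp is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, unwrapped: [pid] [timestamp] [level]: message (source:line)
SAMPLE_LOG = """\
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:  (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
[3222] [Sat Oct 19 00:46:02 2013] [error]: FAILED LOGIN for user@domain.local from 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
"""

LINE = re.compile(
    r"^\[(?P<pid>\d+)\] \[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: "
    r"(?P<msg>.*?)(?: \((?P<src>[^()]+:\d+)\))?$"
)
FIELD = re.compile(r"(\w+):\s*([^,]*)")  # "Key: value" pairs, value may be empty


def triage(log_text):
    """Return one finding per FAILED LOGIN, using earlier lines of the same request."""
    context = defaultdict(dict)  # (pid, timestamp) -> what was seen before the failure
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign lines are skipped, not guessed at
        key, msg = (m["pid"], m["ts"]), m["msg"]
        if "CanonicalizeUserInfo returning " in msg:
            fields = FIELD.findall(msg.split("returning ", 1)[1])
            context[key]["empty"] = sorted(k for k, v in fields if not v.strip())
        elif msg.startswith("Couldn't create user"):
            context[key]["create_error"] = msg
        elif msg.startswith("FAILED LOGIN for "):
            who, _, ip = msg[len("FAILED LOGIN for "):].rpartition(" from ")
            seen = context.pop(key, {})
            findings.append({
                "user": who,
                "ip": ip.strip(),
                # A creation error means the failure came from account setup.
                "stage": "user-creation" if "create_error" in seen
                         else "no-creation-error-logged",
                "empty_attrs": seen.get("empty", []),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "user-creation" finding with empty attributes points at the attribute lookup and the auto-create settings rather than at the password, which is the distinction drawn in the quoted reply.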
 

[rt-users] Using $AutoCreate

2013-10-18 Thread Mathew Snyder
Where can I get a list of all of the options that can be passed by
$AutoCreate? Are all of the Create hash params in Users.pm what I'm looking
for? It doesn't seem like they would be because I have Privileged set,
but according to the documentation the Create Privileged hash param
returns a value rather than sets it whereas the SetPrivileged param
actually sets the value.

-Mathew

When you do things right, people won't be sure you've done anything at
all. - God; Futurama

We'll get along much better once you accept that you're wrong and neither
am I. - Me