Re: [rt-users] Internal authentification only for REST API
Done that. But now REST doesn't require any password at all? Is it also possible to require RT internal auth in a specific folder?

Thanks in advance.
Re: [rt-users] Error in article history
Hi Kevin,

it's been quite some time since we migrated to RT 4. Fortunately, I have a migration procedure I wrote down while migrating our test environment, so that I could re-apply the same steps in production.

We migrated to RT 4 while also migrating to new CentOS servers, so this is what I did after installing the servers and downloading all the required components (packages):

- I followed RT's README till step 6a
- in step 6a I only did the first part (i.e. I did not do make initialize database)
- I restored the backup from our RT 3.x production system (in rt4 db)
- I did make upgrade database from step 6b
- I ran ./etc/upgrade/upgrade-articles from the directory where I uncompressed the tarball

I think this is the relevant part. Then I followed by porting my old Apache/sendmail/Sphinx configurations to the new servers, etc.

Is that enough? Or, is there something more I should have done?

Thank you
Cris

From: Kevin Falcone falc...@bestpractical.com
Sent: Thu Oct 17 2013 16:40:50 GMT+0200 (CEST)
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Error in article history

On Thu, Oct 17, 2013 at 08:33:27AM +, Guadagnino Cristiano wrote:

How can I verify the ObjectTypes? Would you be so kind to send me a query to run against mysql to verify that everything is ok with my articles?

You'll need to write your own SQL query - as noted previously, you're looking for RT::FM::Article in the ObjectType field on Transactions and ObjectCustomFieldValues.

Also - please confirm which upgrade steps you ran. There is a standalone documented and warned about script you must run to upgrade articles.

-kevin

You likely still have a Transaction record or ObjectCustomFieldValue record with the wrong ObjectType that those scripts should have fixed for you.
[rt-users] LDAP Groups
Hi all,

I've been looking into using our Windows 2008 Active Directory for user authentication and group membership.

Ideally I'd like to replicate names of groups that our users are members of within RT, set up permissions and then have those users be able to log into RT

I've looked at ExternalAuth mainly as this seemed to offer the best integration into RT, however by all accounts there is no sort of automatic group assignment. and LDAPImport

--
Paul Stead
Systems Engineer, Zen Internet
Re: [rt-users] LDAP Groups
Apologies..

-8<-

Hi all,

I've been looking into using our Windows 2008 Active Directory for user authentication and group membership.

Ideally I'd like to replicate names of groups that our users are members of within RT, set up permissions and then have those users be able to log into RT and have the group association automatically assigned.

I've looked at ExternalAuth mainly as this seemed to offer the best integration into RT, however by all accounts there is no sort of automatic group assignment.

It seems that LDAPImport is suggested as a solution to this - however I feel I would require several runs and different search terms to get everyone into the groups I need. Has anyone used LDAP in this way?

Thanks
Paul

--
Paul Stead
Systems Engineer, Zen Internet
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
Hi Matthew

It sounds to me like you were authenticating ok initially, but getting an error in creating the user.

And to answer your initial question about the group and group_attr settings, I don’t use those at all and it works fine for me.

I would recommend putting things back to how you first had them (to generate the error you originally posted), turn the log level up to debug, and try again. There are some debug statements within that method that may help identify where it is choking.

- Brent

From: Mathew Snyder [mailto:mathew.sny...@gmail.com]
Sent: Thursday, October 17, 2013 1:50 PM
To: Jeff Solberg
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

I found another thread that indicated that the solution to the second problem was to add @domain to the end of the username. That just reverted to the previous list of errors with a couple new ones.

Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611.
Oct 17 16:47:50 zen-rt RT: [24673] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 16:47:50 zen-rt RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:47:50 zen-rt RT: [24673] Couldn't create user user: Could not set user info
Oct 17 16:47:50 zen-rt RT: [24673] FAILED LOGIN for user from 192.168.236.102

From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Mathew Snyder
Sent: Thursday, October 17, 2013 1:19 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please

These are the settings I've started with:

Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'domain_controller.example.com',
        'base'            => 'dc=example,dc=com',
        'user'            => 'rtuser',
        'pass'            => '',
        'filter'          => '(ObjectClass=*)',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'EmailAddress', ],
        'attr_map'        => {
            'Name'         => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
} );

They aren't working. Whenever someone attempts an initial login with just their username (which should create their RT account) the following error is logged:

Oct 17 15:02:29 zen-rt RT: [23131] Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613.
Oct 17 15:02:29 zen-rt RT: [23131] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged:
Oct 17 16:14:01 zen-rt RT: [24382] Couldn't create user user: Could not set user info
Oct 17 16:14:01 zen-rt RT: [24382] FAILED LOGIN for user from 192.168.236.102

When initial logins are attempted with either example\username or example.com\username only the FAILED LOGIN line is displayed.

We also have our Openfire Jabber server authenticating successfully. Those settings are

ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN = dc=example,dc=com
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.encloseDNs = true
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = domain_controller.example.com
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.port = 389
ldap.searchFilter = (objectClass=*)
ldap.usernameField = sAMAccountName

I know they don't match up exactly in terms of what Openfire calls the settings vs. what RT does, but I'm hoping someone can help me sort out what should be plugged in where on the RT side. For example, I don't know what the group_attr or group_attr_value setting should contain (if anything) in the RT_SiteConfig.pm file. Basically, anything from the group settings.

-Mathew
When you do things right, people won't be sure you've done
Re: [rt-users] Question about SLA module
Hello Kevin

Thank you for your different answers, unfortunately I was expecting to be able to change the SLA name field for multiple SLA instances. Let me explain to you quickly what I'm expecting, I'm probably confusing something and giving myself a headache :)

In our firm, we would like 2 queues, Support and Development. Support queue should be able to set a list called priority (and not SLA) with a list of several SLA (P1 to P4 - From important to not important answer and resolve time). Development queue should be able to see another list called internal with a different list of SLA (not defined yet).

What I understand for now is different: I'm able to do a unique list SLA with multiple SLA in it. Do you see the difference? And I've played with the conf file and multiple installation of the module to have 2 SLA fields but after that, everything was dead (nothing works anymore).

Do you think that it's possible? I hope that you'll be able to give me a clue - After that I'll be ready to run the project with this very important step for us!

Thank you in advance for your time

Kind regards / Cordialement
Alexandre Leprevost

2013/10/17 Kevin Falcone falc...@bestpractical.com

On Thu, Oct 17, 2013 at 02:26:01PM +0200, Alexandre LEPREVOST wrote:

- When I'm installing the SLA module, a custom field is created automatically - called [1]SLA I've changed it to something better for us : support SLA. After changed the value, the module doesn't work anymore. Should I do something in database ? In your documentation you say This field is created during make initdb step (above) and applied globally - Can you have an idea

The Custom Field name in use by the module is hard coded to SLA. To use another name you'll need to provide a patch to make it flexible.

- My second point is about multiple SLA. I would like to have 2 different SLA - one for support, second development. Do you have any clues on how to perform this configuration ? To be honest I've played with the configuration file and it was not so easy. I've tried to install the module 2 times and I see the SLA custom field 2 times, does it make sense ?

It's quite possible to have different SLAs per Queue, we do, it's shown in the documentation. Also, in the README, where it says make initdb (for the first time only) you ran it twice, you'll want to disable or delete the second extraneous SLA custom field.

- Do you have an idea to uninstall the plugin ? In my job I need to document it (even if I won't uninstall it for sure ;))

Remove from @Plugins line, disable Scrips and Custom Fields.

-kevin
Re: [rt-users] LDAP Groups
On Fri, Oct 18, 2013 at 11:01:26AM +0100, Paul Stead wrote:

It seems that LDAPImport is suggested as a solution to this - however I feel I would require several runs and different search terms to get everyone into the groups I need, Has anyone used LDAP in this way?

LDAPImport is the solution for syncing groups. We have many many customers using RT-Authen-ExternalAuth to authenticate and LDAPImport to sync groups and user information.

-kevin
Re: [rt-users] Internal authentification only for REST API
On Thu, Oct 17, 2013 at 11:57:12PM -0700, andkulb wrote:

Done that. But now REST doesn't require any password at all? Is it also possible to require RT internal auth in specific folder?

REST requires authentication at the RT level unless you've made some pretty drastic changes.

-kevin
Re: [rt-users] Question about SLA module
On Fri, Oct 18, 2013 at 02:00:27PM +0200, Alexandre LEPREVOST wrote:

Thank you for your different answers, unfortunately I was expecting to be able to change the SLA name field for multiple SLA instances. Let me explain to you quickly what I'm expecting, I'm probably confusing something and giving myself a headache :)

In our firm, we would like 2 queues, Support and Development. Support queue should be able to set a list called priority (and not SLA) with a list of several SLA (P1 to P4 - From important to not important answer and resolve time). Development queue should be able to see another list called internal with a different list of SLA (not defined yet).

What I understand for now is different: I'm able to do a unique list SLA with multiple SLA in it. Do you see the difference? And I've played with the conf file and multiple installation of the module to have 2 SLA fields but after that, everything was dead (nothing works anymore).

You can have two SLA fields, but they must be Queue level, not global. One applied to each of your queues, each with a different set of values, then set your configuration appropriately.

You still cannot rename the SLA custom field.

-kevin
[rt-users] Writing portlets
Good afternoon,

I need to write a Portlet on my rt 4.0.3. Does anyone know of documentation that explains how to do that? I'm trying to follow the wiki below but that does not appear to be working:

http://requesttracker.wikia.com/wiki/WritingPortlets

Thanks,
Esdras
Re: [rt-users] Question about SLA module
Thank you Kevin

I see what you mean but do you have a quick example of configuration file for this? I'm not asking for a full configuration file in detail, but just a very basic one (pseudo code should be enough for sure). My problem is to translate what I would like into this conf file. But I understand what you mean and it should be enough for us if I succeed in doing that.

Thank you Kevin for your nice support
Re: [rt-users] Errors with new instance on 4.2.0
Kevin

I found the issue. The web user could not write to the RT logfile. I now have a happy new instance of RT 4.0.18 RTIR 3. It took me a bit to figure out how to run rt-server.fcgi as the web user since a shell login was not allowed for that user (sudo su wouldn't execute command). I just edited vipw quick and gave it a shell, tested the command and found the issue and set the shell back to false after.

Thank you,
Tim

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Thursday, October 17, 2013 9:39 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Errors with new instance on 4.2.0

On Wed, Oct 16, 2013 at 07:27:29PM +, Flynn, Timothy wrote:

I reinstalled perlbrew to /opt/perl5 in case it was a permissions issue with perl. Rebuilt rt 4.0.18 and all dependencies under new perl. I've verified that RT is configured to use perl at that location:

Since your intent is to run 4.2.0 - why are you testing with 4.0.18?

I suggest you install the version you intend to deploy with (4.2.0) and then run /opt/rt4/sbin/rt-server.fcgi as the web user and see what permission errors or other messages you get.

-kevin

#!/opt/perl5/perls/perl-5.18.1/bin/perl -w (first line of rt-server.fcgi)

I still get a 500 http error when accessing the page with apache. I did try the standalone rt server and it works fine. I had to install Module::Refresh to get it to work.

I checked and when I start apache (/var/lib/apache2/fcgid/shm) is created and removed when stopped so I believe apache does have write access to this file and location:

I do have other RT servers with the same configuration aside from perlbrew and they work fine. Reason I was using perlbrew is that I have plans for RT 4.2 and its perl version requirement exceeds what my SLES 11 server has available.

This is the only error I really have to go on in apache. Nothing is being presented in the RT log.

Apache error file:

[warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[error] [client X] Premature end of script headers: rt-server.fcgi

Here is my apache vhost config (servername blanked out for security)

<VirtualHost servername here>
    ### Optional apache logs for RT
    # Ensure that your log rotation scripts know about these files
    ErrorLog /var/log/apache2/servername-error_log
    CustomLog /var/log/apache2/servername-access_log combined
    LogLevel debug

    AddDefaultCharset UTF-8

    Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
    ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

    DocumentRoot /opt/rt4/share/html
    <Location />
        Order allow,deny
        Allow from all

        Options +ExecCGI
        AddHandler fcgid-script fcgi
    </Location>
</VirtualHost>

-Tim

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Flynn, Timothy
Sent: Tuesday, October 15, 2013 3:27 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Errors with new instance on 4.2.0

Ok thank you for the recommendations Kevin. Apologies for replying to the wrong post.

Tim

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Tuesday, October 15, 2013 1:28 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Errors with new instance on 4.2.0

On Tue, Oct 15, 2013 at 05:57:37PM +, Flynn, Timothy wrote:

I deleted rt 4.2.0 and dropped the database, downloaded and installed rt 4.0.18. Appear to have the same errors without doing anything with RTIR. I did see some old threads on mod fcgi with similar errors and returning exit 255. This is my first time installing RT using perlbrew. Could that be the issue?

Please don't hijack someone else's thread on the mailing list.

I highly doubt that perlbrew is causing mod_fcgid problems. The most common problems are permission related (can apache write into /var/lib/apache2/fcgid ?) and SELinux related (does selinux allow apache to write into /var/lib/apache2/fcgid ?).

You can also run the standalone RT server /opt/rt4/sbin/rt-server manually as root to ensure that you've installed and configured RT correctly. After doing so, be sure to clean your mason cache before trying to configure mod_fcgid.

-kevin

On Tue, Oct 15, 2013 at 05:07:20PM +, Flynn, Timothy wrote:

I am trying an install on a new server with Perlbrew 0.66, perl-5.18.1, fast cgi , RT 4.2.0, and RTIR 3.0. Pretty much vanilla install right now with freshly initialized db. When I access webpage I get the following errors in the logfile.

[warn] (104)Connection reset by peer:
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I've actually been trying to get debugging turned on for a few days now. I've set all of the variables:

Set( $LogToSTDERR, 'debug' );
Set( $LogToFile, 'debug' );
Set( $LogDir, '/var/log/' );
Set( $LogToFileNamed, 'rt.log' );
Set( $LogToSyslog, 'debug' );

I'm not getting any detailed information at all. In fact, the rt.log file isn't even being created. I had tried to set the directory to /opt/rt4/log, but the file wasn't being created there, either.

-Mathew
When you do things right, people won't be sure you've done anything at all. - God; Futurama
We'll get along much better once you accept that you're wrong and neither am I. - Me
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I seem to be getting closer. I'm down to only the FAILED LOGIN for user from... error. I've found that in order to get down to just that I have to include the domain in the username either as

- domain\user
- domain.local\user
- user@domain
- user@domain.local

However, if I use just the username I get

[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $_[1] in join or string at /usr/local/share/perl5/Log/Dispatch.pm line 42. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:607)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value $service in hash element at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 611. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:611)
[3221] [Sat Oct 19 00:44:37 2013] [warning]: Use of uninitialized value in string eq at /opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm line 613. (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:613)
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: user, Name: user, Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user user: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for user from 192.168.236.119 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)

The domain does not seem to be getting passed as part of the username when I attempt to log in. Interestingly, though, when I don't use the domain, I do get the info line in the log which contains bits of information that wouldn't otherwise be returned from AD. If I do use the domain that doesn't get returned, but I'm still unable to log in.

I know my credentials are accurate because they are the same as I use to log into our VPN and that is tied to AD.

My current settings:

Set($ExternalAuthPriority, [ 'AD' ] );
Set($ExternalServiceUsesSSLorTLS,0);
Set($AutoCreateNonExternalUsers,0);
Set($ExternalSettings, {
    'AD' => {
        'type'            => 'ldap',
        'server'          => 'dc1.domain.local',
        'base'            => 'dc=domain,dc=local',
        'user'            => 'rtuser',
        'pass'            => '',
        'filter'          => '(ObjectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803=2)',
        'group_scope'     => 'base',
        'tls'             => 0,
        'ssl_version'     => 3,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        },
    },
} );

Further assistance will be appreciated.

-Mathew
Re: [rt-users] I need help with the RT-Authen-ExternalAuth LDAP settings, please
I have solved this problem! I had the $AutoCreateNonExternalUsers set to 0. I changed it to 1. I completely misinterpreted this setting. I have an AD account which I thought would be considered internal and therefore be created when I first logged in. Frankly, I'm still confused about what I was thinking. Either way, it works.

-Mathew
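
The two failure shapes seen in this thread (a FAILED LOGIN preceded by "Couldn't create user", and a FAILED LOGIN on its own) can be separated mechanically when reviewing RT logs. The script below is an added example, not part of the thread or of RT: the sample lines are constructed in the two log formats posted above, and the verdict names and the pairing of lines by worker PID plus identical timestamp are assumptions of this example.

```python
import re
from collections import Counter

# Formats seen in the thread (both carry the worker PID in brackets):
#   syslog : "Oct 17 16:47:50 host RT: [24673] <message>"
#   RT file: "[3221] [Sat Oct 19 00:44:37 2013] [error]: <message> (<file>:<line>)"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+RT:\s+\[(?P<pid>\d+)\]\s+(?P<msg>.*)$")
RTFILE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\s+\[(?P<ts>[^\]]+)\]\s+\[\w+\]:\s+(?P<msg>.*?)(?:\s+\(\S+:\d+\))?$")
FAILED_RE = re.compile(r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)")
CREATE_RE = re.compile(r"Couldn't create user (?P<user>\S+):")

# Constructed sample input (user, host and addresses are placeholders).
SAMPLE_LOG = r"""
Oct 17 16:47:50 rt-host RT: [24673] RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: jdoe, Name: jdoe, Privileged:
Oct 17 16:47:50 rt-host RT: [24673] Couldn't create user jdoe: Could not set user info
Oct 17 16:47:50 rt-host RT: [24673] FAILED LOGIN for jdoe from 192.0.2.10
[3221] [Sat Oct 19 00:44:37 2013] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: , EmailAddress: , Gecos: jdoe, Name: jdoe, Privileged: (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:685)
[3221] [Sat Oct 19 00:44:37 2013] [error]: Couldn't create user jdoe: Could not set user info (/opt/rt4/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:278)
[3221] [Sat Oct 19 00:44:37 2013] [error]: FAILED LOGIN for jdoe from 192.0.2.11 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
[3221] [Sat Oct 19 00:51:02 2013] [error]: FAILED LOGIN for EXAMPLE\jdoe from 192.0.2.11 (/opt/rt4/sbin/../lib/RT/Interface/Web.pm:814)
"""


def parse_line(line):
    """Return (pid, timestamp, message) for either log format, else None."""
    for rx in (SYSLOG_RE, RTFILE_RE):
        m = rx.match(line.strip())
        if m:
            return m["pid"], m["ts"], m["msg"].strip()
    return None


def empty_attrs(msg):
    """Names of the fields CanonicalizeUserInfo logged with no value."""
    fields = msg.split("returning ", 1)[1]
    empty = []
    for part in fields.split(","):
        key, _, value = part.partition(":")
        if not value.strip():
            empty.append(key.strip())
    return empty


def triage(lines):
    """Classify every FAILED LOGIN line.

    create_failed     : the same worker logged "Couldn't create user" for the
                        same name in the same second (auto-creation was refused)
    no_create_attempt : only the FAILED LOGIN line was logged
    """
    pending = {}  # pid -> lines seen so far for the current second
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, ts, msg = parsed
        state = pending.get(pid)
        if state is None or state["ts"] != ts:
            state = pending[pid] = {"ts": ts, "empty": [], "create_user": None}
        if "CanonicalizeUserInfo returning" in msg:
            state["empty"] = empty_attrs(msg)
        created = CREATE_RE.search(msg)
        if created:
            state["create_user"] = created["user"]
        failed = FAILED_RE.search(msg)
        if failed:
            hit = state["create_user"] == failed["user"]
            events.append({
                "pid": pid, "ts": ts,
                "user": failed["user"], "ip": failed["ip"],
                "verdict": "create_failed" if hit else "no_create_attempt",
                "empty_attrs": state["empty"] if hit else [],
            })
            del pending[pid]
    return events


def summarize(events):
    """Count events per verdict."""
    return dict(Counter(e["verdict"] for e in events))


if __name__ == "__main__":
    for event in triage(SAMPLE_LOG.splitlines()):
        print(event)
```

A run of create_failed events with EmailAddress in empty_attrs points at account provisioning settings rather than at wrong passwords, which is the distinction Brent drew earlier in the thread.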
[rt-users] Using $AutoCreate
Where can I get a list of all of the options that can be passed by $AutoCreate? Are all of the Create hash params in Users.pm what I'm looking for? It doesn't seem like they would be because I have Privileged set, but according to the documentation the Create Privileged hash param returns a value rather than sets it whereas the SetPrivileged param actually sets the value.

-Mathew