[rt-users] Reproducible RT Configuration management

2016-05-29 Thread Bart Bunting


I've had a look through the list archives and seen a couple of mentions
of this but nothing recent and thought I'd ask again in case there is
something new out there.

What are people doing to manage reproducible deployments of RT other
than just dumping the database of a production machine and loading on a
development one?

I am using puppet currently to deploy RT.

Puppet does a good job of getting RT installed and running.

I am struggling with how to manage the RT configuration itself, the
stuff that is done from within the web interface or from initialdata
using rt-setup-database.

We use vagrant for the development environment and the ideal situation
is that running "vagrant up" will bring up a copy of RT running the
latest config.

I want all changes on the production machines done not by the web
interface but in some sort of reproducible way.

What I have so far is a hacked up solution using a custom script to call
rt_setup_database and using my own custom fragments to init the data.

The main issue here is I wanted it to be idempotent so if called from
puppet no harm is done if it has already made the change.

So far I'm doing ugly things like using the @Init section to check if a
particular change exists in the database already and not making it if it
does.  This also prevents adding multiple entries for things when the
code is run multiple times.

My solution is working although it feels clunky.

I guess one better option would be a full puppet implementation modeling all of
RT's configuration.  That just felt like a job far too big to tackle :(.

Does anyone have any suggestions or stories of how they are managing
this situation?

Kind regards

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
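
An idempotent initialdata fragment of the kind the message above describes, as an added example that is not code from the original post or from Best Practical. The queue name, group name and rights list are hypothetical; it checks for each object before creating it, so a repeated Puppet run makes no further change.

```perl
# Constructed initialdata fragment (added example). Load it with:
#   sbin/rt-setup-database --action insert --datafile <path to this file>
# The queue, group and rights named in %want are hypothetical.
use strict;
use warnings;

our @Final;    # coderefs RT runs after the other initialdata sections

my %want = (
    queue  => { Name => 'helpdesk', Description => 'Helpdesk requests' },
    group  => 'helpdesk-staff',
    rights => [qw(SeeQueue ShowTicket ReplyToTicket)],
);

push @Final, sub {
    # Queue: create only when Load() finds nothing under that name.
    my $queue = RT::Queue->new( RT->SystemUser );
    $queue->Load( $want{queue}{Name} );
    unless ( $queue->Id ) {
        my ( $ok, $msg ) = $queue->Create( %{ $want{queue} } );
        die "queue create failed: $msg" unless $ok;
        RT->Logger->info("created queue $want{queue}{Name}");
    }

    # User-defined group: same load-then-create pattern.
    my $group = RT::Group->new( RT->SystemUser );
    $group->LoadUserDefinedGroup( $want{group} );
    unless ( $group->Id ) {
        my ( $ok, $msg ) = $group->CreateUserDefinedGroup( Name => $want{group} );
        die "group create failed: $msg" unless $ok;
        RT->Logger->info("created group $want{group}");
    }

    # Rights: skip any right the group already holds on this queue.
    # HasRight reports effective rights, so a global grant also counts.
    my $principal = $group->PrincipalObj;
    for my $right ( @{ $want{rights} } ) {
        next if $principal->HasRight( Right => $right, Object => $queue );
        my ( $ok, $msg ) = $principal->GrantRight( Right => $right, Object => $queue );
        die "grant of $right failed: $msg" unless $ok;
        RT->Logger->info("granted $right on $want{queue}{Name} to $want{group}");
    }
};

1;    # the datafile is loaded with require, so it must return true
```

Keeping the desired state in one hash at the top means the fragment can be reviewed and versioned alongside the Puppet code that calls it.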

Re: [rt-users] Error when initializing database with external auth enabled

2016-05-29 Thread Bart Bunting
Hi Jim,

Sorry for not posting the relevant details.  It is a totally new install
being built to replace our customized version of rt 3.6 :).   Probably
time for an upgrade :).

Here are the configuration details that are to do with authentication.

As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it's
added from initialdata:

use utf8;
#* Authentication
# configure external authentication

#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
'URSYS_LDAP'   =>  {
'type' =>  'ldap',
'server'   =>  'xxx',
'base' =>  'cn=users,cn=accounts,dc=xxx',
'user' => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
'pass' => 'xxx',
'filter' => '(&(memberOf=cn=helpdesk-*))',
'attr_match_list'  => [
'attr_map' => {
'Name' => 'uid',
'EmailAddress' => 'mail',
} );

#* Ldapimport Configuration

Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
   EmailAddress => 'mail',
   RealName => 'cn',
   WorkPhone=> 'telephoneNumber',
   Organization => 'departmentName'});

# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name   => 'cn',
Description   => 'description',
Member_Attr=> 'member',
Member_Attr_Value  => 'dn',

#* Slack Notifier configuration
# All parameters with the exclusion of Proxy are directly passed to the WebService::Slack::IncomingWebHook object

Kind regards

Jim Brandt  writes:

> To clarify the previous question, if you were using 
> RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have 
> it pulled in as a Plugin, you need to remove it because it is now in 
> core. It's not clear to me if your RT_SiteConfig.pm is from an earlier 
> RT version. If so, you will need to make some updates due to the RT 
> version change:
> https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html
> On 5/25/16 10:21 PM, Bart Bunting wrote:
>> Peter,
>> Not sure, but this is a new install using rt 4.4.
>> Kind regards
>> Peter Viskup  writes:
>>> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
>>> core since 4.4 version?
>>> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>>> --
>>> Peter
>>> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting  
>>> wrote:

 Hi there,

 I may be just missing something but this is failing miserably for me and
 I am not sure what the correct way to fix it is:

 Running rt 4.4.1 rc1 as of today.

 The situation is I have external authentication working fine using both
 RT::Authen::ExternalAuth and RT::LDAPImport.

 I use puppet to provision the machine.

 When I have the external authentication configuration enabled in
 RT_SiteConfig.pm the
 initial database import breaks.  I think this is because when it tries to
 add the "root" user it attempts to canonicalize the name from ldap which

 Here is an example of the run:

   make initialize-database
 /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
 --action init --prompt-for-dba-password
 In order to create or update your RT database, this script needs to 
 connect to your  mysql instance on localhost (port '') as root
 Please specify that user's database password below. If the user has no 
 password, just press return.

 Working with:
 Type:   mysql
 Host:   localhost
 Name:   rt4
 User:   rt
 Now creating a mysql database rt4 for RT.
 Now populating database schema.