Re: [rt-users] REST API for Assets

2016-12-04 Thread Bart Bunting
Josh,

I may be able to get our company to contribute something, although I'm
afraid it wouldn't be too much.

We are tossing up between updating our own existing solution or using RT to 
manage assets.

Given the lack of an API it makes RT integration with our customer portal
problematic.  This is likely to push us away from RT and to just write
our own specific implementation.

If there is a commitment from Bestpractical to get the API implemented
and funds were the only issue we would consider how we could help.


Kind regards

Bart

Josh Tackitt <tacki...@reed.edu> writes:

> Hi Bart,
>
> Unfortunately there is no REST API for Assets.  I've heard rumors that
> maybe they're working on it but pretty sure I've not seen anything official.
>
> Is anyone out there interested in combining funds to pay for the
> development of this much needed feature?  I'm sure we could convince
> BestPractical to roll it into 'core' so that everyone would benefit.
>
> Best,
> Josh
>
> On Wed, Nov 23, 2016 at 3:26 PM, Bart Bunting <bart.bunt...@ursys.com.au>
> wrote:
>
>> Hi,
>>
>> Is there a REST API for assets in RT?
>>
>> I can't find any documentation for it.
>>
>> Can anyone shed any light on if it exists or is in the works?
>>
>>
>> Kind regards
>> Bart
>> --
>>
>> Bart Bunting - URSYS
>> PH: 02 87452811
>> Mbl: 0409560005
>> -
>> RT 4.4 and RTIR training sessions, and a new workshop day!
>> https://bestpractical.com/training
>> * Los Angeles - January 9-11 2017
>>
>
>
>
> -- 
> Reed College
> Computer Hardware Services
> ETC 114
> 503-788-6661
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


[rt-users] REST API for Assets

2016-11-23 Thread Bart Bunting
Hi,

Is there a REST API for assets in RT?

I can't find any documentation for it.

Can anyone shed any light on if it exists or is in the works?


Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


[rt-users] "Show results" link?

2016-06-20 Thread Bart Bunting
Hi again,

In our old version of RT we used to have a "Show results" link when
accessing tickets from searches. 

This appears to no longer exist and my helpdesk staff are sad :).

It does exist inside the menu structure but the complaint is that they
want a single click to be able to return to the search as in the previous version.

Is there a way of reenabling this behaviour or should I simply write my
own customization to add this?

I've looked through the config options and can't see anything that
suggests it's configurable. 

Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Los Angeles - September, 2016


Re: [rt-users] Error when initializing database with external auth enabled

2016-06-20 Thread Bart Bunting
Shawn,

Thanks for the fix.

I'll rework my configuration once the commit is merged, things in that
department are working ok at the moment and I'm still fighting other
small fires from the transition.

Much appreciate the update and fix though!


Kind regards

Bart

Shawn Moore <sh...@bestpractical.com> writes:

> On 2016年5月24日 at 20:27:02, Bart Bunting (bart.bunt...@ursys.com.au) wrote:
>> Hi there,
>
> Hi Bart,
>
>> I may be just missing something but this is failing miserably for me and
>> I am not sure what the correct way to fix it is:
>>  
>> Running rt 4.4.1 rc1 as of today.
>
> I’m glad to hear it. :)
>
>> When I have the external authentication configuration enabled in
>> RT_SiteConfig.pm the
>> initial database import breaks. I think this is because when it tries to
>> add the "root" user it attempts to canonicalize the name from ldap which
>> fails.
>
> You’re exactly right. It’s even trying to canonicalize the RT System and 
> Nobody users too.
>
>> I can work around this by having puppet install one version of 
>> RT_SiteConfig.pm without  
>> external authentication configured, run the database import and then
>> replace it with a version with external auth enabled.
>>  
>> This works, I've tested it.
>>  
>> It just feels terribly ugly and wrong.
>
> Indeed it is, but hey, it works.
>
>> Can anyone suggest what I might be doing wrong here or is this a genuine
>> issue?
>
> It’s a genuine issue. I’ve created an Issues ticket on your behalf:
>
> https://issues.bestpractical.com/Ticket/Display.html?id=32009
>
> I’ve also fixed the underlying issue with the following two commits (the 
> first for RT System and Nobody, the latter for the root user):
>
> https://github.com/bestpractical/rt/commit/86b45ac4e26
> https://github.com/bestpractical/rt/commit/a32c5813bdd
>
> These fixes will be included in RT 4.4.1rc2, but if you want to apply the 
> patches ahead of time, you can get rid of your double SiteConfig hack.
>
>> Kind regards
>> Bart
>
> Thank you for testing the RCs!
> Shawn
> -
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Los Angeles - September, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


Re: [rt-users] Reproducible RT Configuration management

2016-06-17 Thread Bart Bunting
Hi,

Sorry for the slow reply.

That is more or less what I have using puppet scripts.

The question I am struggling with is that if we are to write scripts
every time a change is required, e.g. an admin cc is added to a queue
etc., it is a time-consuming process and I am questioning the effort
involved.

I had hoped that rt-dump-metadata would be a useful tool to assist in
seeing which changes had been made by hand and then either used to
update the initialdata or create scripts to ensure the database was
consistent.

It appears that there are bugs in rt-dump-metadata.

When anything to do with a custom field is changed in the UI
rt-dump-metadata subsequently bombs out:

./sbin/rt-dump-metadata
[3047] [Sat Jun 18 01:34:29 2016] [critical]: RT::CustomField::AppliedTo 
Unimplemented in main. (./sbin/rt-dump-metadata line 187)  
(/opt/rt4/sbin/../lib/RT.pm:390)
RT::CustomField::AppliedTo Unimplemented in main. (./sbin/rt-dump-metadata line 
187) 
.   

I guess this is a question for the Bestpractical folks: is
rt-dump-metadata going to be supported ongoing or is it something that
isn't really best practice to use any more?

The git log suggests it hasn't been worked on much recently but then
again it could just mean there haven't been any recent issues found.

Any advice most welcome.


Kind regards

Bart

"James A. Peltier" <jpelt...@sfu.ca> writes:

> We script the base install including the setup of the base PERL/CPAN stuff, 
> the installation of the base RT base system using the typical make + make 
> install and then we run scripts to populate the RT database using scripts.  
> We have chosen _not_ to alter the base initial data file because we don't 
> want to have to keep track of any changes that may happen from version to 
> version.
>
> Since the database is provided by our database group we initialize the 
> database in the following way
>
>   /opt/rt4/sbin/rt-setup-database --dba-password=$RT_DB_PASS --action init --skip-create
>
> This creates the database shell with just the default content to get a 
> functioning RT install.  We then enable full text searching using
>
>   /opt/rt4/sbin/rt-setup-fulltext-index --dba ${RT_DB_USER} --dba-password 
> ${RT_DB_PASS} --table=AttachmentsIndex --column=ContentIndex --index-type=GIN
>
> followed by installing any plugins that we need to install using a git 
> checkout + make + make install + make initdb (if required).  We version 
> control all the configuration files and drop them into place when needed.
>
> So far this has allowed us to get a fully reproducible base installation of 
> RT.  We then apply our scripts to add custom fields, populate their values, 
> make changes to initial data configurations such as default templates and 
> scrips, etc.
>
> This makes for an easy way to create the base RT with all our customizations. 
>  We only run this if we're running tests to ensure that starting from scratch 
> still works as expected, otherwise we make a backup of the database and just 
> restore that because it's _so much faster_.
>
> - Original Message -
> | 
> | Hi,
> | 
> | I've had a look through the list archives and seen a couple of mentions
> | of this but nothing recent and thought I'd ask again in case there is
> | something new out there.
> | 
> | What are people doing to manage reproducible deployments of RT other
> | than just dumping the database of a production machine and loading on a
> | development one.
> | 
> | I am using puppet currently to deploy RT.
> | 
> | Puppet does a good job of getting RT installed and running.
> | 
> | I am struggling with how to manage the RT configuration itself, the
> | stuff that is done from within the web interface or from initialdata
> | using rt-setup-database.
> | 
> | We use vagrant for the development environment and the ideal situation
> | is that running "vagrant up" will bring up a copy of RT running the
> | latest config.
> | 
> | I want all changes on the production machines done not by the web
> | interface but in some sort of reproducible way.
> | 
> | What I have so far is a hacked up solution using a custom script to call
> | rt_setup_database and using my own custom fragments to init the data.
> | 
> | The main issue here is I wanted it to be idempotent so if called from
> | puppet no harm is done if it has already made the change.
> | 
> | So far I'm doing ugly things like using the @Init section to check if a
> | particular change exists in the database already and not making it if it
> | does.  This also prevents adding multiple entries for things when the
> | code is run multiple times.
> | 
> | My solution is working although it feels clunky.
> | 
> | I guess one better option would be a full puppet implementation modeli

[rt-users] Reproducible RT Configuration management

2016-05-29 Thread Bart Bunting

Hi,

I've had a look through the list archives and seen a couple of mentions
of this but nothing recent and thought I'd ask again in case there is
something new out there.

What are people doing to manage reproducible deployments of RT other
than just dumping the database of a production machine and loading on a
development one.

I am using puppet currently to deploy RT.

Puppet does a good job of getting RT installed and running.

I am struggling with how to manage the RT configuration itself, the
stuff that is done from within the web interface or from initialdata
using rt-setup-database.

We use vagrant for the development environment and the ideal situation
is that running "vagrant up" will bring up a copy of RT running the
latest config.

I want all changes on the production machines done not by the web
interface but in some sort of reproducible way.

What I have so far is a hacked up solution using a custom script to call
rt_setup_database and using my own custom fragments to init the data.

The main issue here is I wanted it to be idempotent so if called from
puppet no harm is done if it has already made the change.

So far I'm doing ugly things like using the @Init section to check if a
particular change exists in the database already and not making it if it
does.  This also prevents adding multiple entries for things when the
code is run multiple times.

My solution is working although it feels clunky.

I guess one better option would be a full puppet implementation modeling all of
RT's configuration.  That just felt like a job far too big to tackle :(.

Does anyone have any suggestions or stories of how they are managing
this situation?

Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
-
RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
* Los Angeles - September, 2016
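
An added example, not Bart's script and not part of RT: a wrapper around `rt-setup-database --action insert --datafile` that Puppet can call repeatedly, using a different technique from the in-fragment check described above. It records a checksum of each applied fragment in a ledger and skips anything already recorded. The fragment directory layout, the `.initialdata` suffix, the ledger file and the `RT_SETUP` / `RT_SETUP_ARGS` overrides are assumptions for illustration.

```shell
#!/bin/sh
# Apply RT initialdata fragments at most once each.
# Assumptions (not from the original post): fragments sit in one directory,
# are named *.initialdata without spaces, are applied in lexical order, and
# a plain-text ledger ("<sha256> <name>" per line) records what has run.

# Command that loads one fragment; overridable so the logic can be exercised
# without an RT install. RT_SETUP_ARGS holds any extra site-specific options
# (for example the credentials options your existing wrapper already passes).
: "${RT_SETUP:=/opt/rt4/sbin/rt-setup-database}"
: "${RT_SETUP_ARGS:=}"

# Print the SHA-256 of a file (hash only).
fragment_sum() {
    sha256sum "$1" | awk '{print $1}'
}

# apply_fragments DIR LEDGER
# Returns 0 when every fragment is applied (now or on an earlier run) and 1 on
# the first failure. A fragment edited after it was applied is reported and
# refused rather than re-run, because repeating an insert adds duplicates.
apply_fragments() {
    dir=$1
    ledger=$2
    [ -f "$ledger" ] || : > "$ledger"
    for f in "$dir"/*.initialdata; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=$(basename "$f")
        sum=$(fragment_sum "$f")
        recorded=$(awk -v n="$name" '$2 == n {print $1}' "$ledger")
        if [ -z "$recorded" ]; then
            # $RT_SETUP_ARGS is intentionally unquoted so it can hold options.
            if "$RT_SETUP" $RT_SETUP_ARGS --action insert --datafile "$f"; then
                printf '%s %s\n' "$sum" "$name" >> "$ledger"
                echo "applied $name"
            else
                echo "FAILED $name (not recorded, retried on next run)" >&2
                return 1
            fi
        elif [ "$recorded" = "$sum" ]; then
            echo "skipped $name"
        else
            echo "DRIFT $name changed after it was applied" >&2
            return 1
        fi
    done
}

# Stand-alone use: apply-fragments.sh /path/to/fragments /path/to/ledger
if [ "$#" -eq 2 ]; then
    apply_fragments "$1" "$2"
fi
```

A changed fragment stops the run on purpose: the fix is a new fragment with a new name, so the ledger stays a history of what the database has actually received.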


Re: [rt-users] Error when initializing database with external auth enabled

2016-05-29 Thread Bart Bunting
Hi Jim,

Sorry for not posting the relevant details.  It is a totally new install
being built to replace our customized version of rt 3.6 :).   Probably
time for an upgrade :).

Here are the configuration details that are to do with authentication.

As previously mentioned I think the error is happening when RT is trying
to use the external ldap server to canonicalize the root user when it's
added from initialdata:

use utf8;
#* Authentication
# configure external authentication

#Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type'   => 'ldap',
        'server' => 'xxx',
        'base'   => 'cn=users,cn=accounts,dc=xxx',
        'user'   => 'uid=system,cn=sysaccounts,cn=etc,dc=xxx',
        'pass'   => 'xxx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

#* Ldapimport Configuration

Set($LDAPBase,'cn=users,cn=accounts,dc=xxx');
Set($LDAPHost,'xxx');
Set($LDAPUser,'uid=system,cn=sysaccounts,cn=etc,dc=xxx');
Set($LDAPPassword,'xxx');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
   EmailAddress => 'mail',
   RealName => 'cn',
   WorkPhone=> 'telephoneNumber',
   Organization => 'departmentName'});

# create users as privileged
Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,dc=xxx');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name              => 'cn',
                        Description       => 'description',
                        Member_Attr       => 'member',
                        Member_Attr_Value => 'dn',
                       });

#* Slack Notifier configuration
# All parameters with the exclusion of Proxy are directly passed to the
# WebService::Slack::IncomingWebHook object




Kind regards
Bart

Jim Brandt <jbra...@bestpractical.com> writes:

> To clarify the previous question, if you were using 
> RT::Authen::ExternalAuth in a previous version of RT (pre-4.4) and have 
> it pulled in as a Plugin, you need to remove it because it is now in 
> core. It's not clear to me if your RT_SiteConfig.pm is from an earlier 
> RT version. If so, you will need to make some updates due to the RT 
> version change:
>
> https://docs.bestpractical.com/rt/4.4.1/UPGRADING-4.4.html
>
> On 5/25/16 10:21 PM, Bart Bunting wrote:
>> Peter,
>>
>> Not sure, but this is a new install using rt 4.4.
>>
>>
>>
>> Kind regards
>> Peter Viskup <skupko...@gmail.com> writes:
>>
>>> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
>>> core since 4.4 version?
>>>
>>> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>>>
>>> --
>>> Peter
>>>
>>> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting <bart.bunt...@ursys.com.au> 
>>> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I may be just missing something but this is failing miserably for me and
>>>> I am not sure what the correct way to fix it is:
>>>>
>>>> Running rt 4.4.1 rc1 as of today.
>>>>
>>>> The situation is I have external authentication working fine using both
>>>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>>>
>>>> I use puppet to provision the machine.
>>>>
>>>> When I have the external authentication configuration enabled in
>>>> RT_SiteConfig.pm the
>>>> initial database import breaks.  I think this is because when it tries to
>>>> add the "root" user it attempts to canonicalize the name from ldap which
>>>> fails.
>>>>
>>>> Here is an example of the run:
>>>>
>>>>   make initialize-database
>>>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-datab

Re: [rt-users] Error when initializing database with external auth enabled

2016-05-25 Thread Bart Bunting
Peter,

Not sure, but this is a new install using rt 4.4.



Kind regards
Peter Viskup <skupko...@gmail.com> writes:

> Couldn't this be related to RT::Authen::ExternalAuth migration to RT
> core since 4.4 version?
>
> https://docs.bestpractical.com/rt/4.4.0/UPGRADING-4.4.html
>
> -- 
> Peter
>
> On Wed, May 25, 2016 at 2:26 AM, Bart Bunting <bart.bunt...@ursys.com.au> 
> wrote:
>>
>> Hi there,
>>
>> I may be just missing something but this is failing miserably for me and
>> I am not sure what the correct way to fix it is:
>>
>> Running rt 4.4.1 rc1 as of today.
>>
>> The situation is I have external authentication working fine using both
>> RT::Authen::ExternalAuth and RT::LDAPImport.
>>
>> I use puppet to provision the machine.
>>
>> When I have the external authentication configuration enabled in
>> RT_SiteConfig.pm the
>> initial database import breaks.  I think this is because when it tries to
>> add the "root" user it attempts to canonicalize the name from ldap which
>> fails.
>>
>> Here is an example of the run:
>>
>>   make initialize-database
>> /usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
>> --action init --prompt-for-dba-password
>> In order to create or update your RT database, this script needs to connect 
>> to your  mysql instance on localhost (port '') as root
>> Please specify that user's database password below. If the user has no 
>> database
>> password, just press return.
>>
>> Password:
>> Working with:
>> Type:   mysql
>> Host:   localhost
>> Port:
>> Name:   rt4
>> User:   rt
>> DBA:root
>> Now creating a mysql database rt4 for RT.
>> Done.
>> Now populating database schema.
>> Done.
>> Now inserting database ACLs.
>> Done.
>> Now inserting RT core system objects.
>> [15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine 
>> ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at 
>> /opt/rt_source/sbin/../lib/RT/User.pm line 787. 
>> (/opt/rt_source/sbin/../lib/RT.pm:390)
>> Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo 
>> called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
>> Makefile:386: recipe for target 'initialize-database' failed
>> make: *** [initialize-database] Error 2
>> root@rt-dev:/opt/rt_source#
>>
>> I can work around this by having puppet install one version of 
>> RT_SiteConfig.pm without
>> external authentication configured, run the database import and then
>> replace it with a version with external auth enabled.
>>
>> This works, I've tested it.
>>
>> It just feels terribly ugly and wrong.
>>
>> Can anyone suggest what I might be doing wrong here or is this a genuine
>> issue?
>>
>>
>> Kind regards
>> Bart
>> --
>>
>> Bart Bunting - URSYS
>> PH: 02 87452811
>> Mbl: 0409560005
>> -
>> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
>> * Los Angeles - September, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


[rt-users] Error when initializing database with external auth enabled

2016-05-24 Thread Bart Bunting

Hi there,

I may be just missing something but this is failing miserably for me and
I am not sure what the correct way to fix it is:

Running rt 4.4.1 rc1 as of today.

The situation is I have external authentication working fine using both
RT::Authen::ExternalAuth and RT::LDAPImport.

I use puppet to provision the machine.

When I have the external authentication configuration enabled in
RT_SiteConfig.pm the
initial database import breaks.  I think this is because when it tries to
add the "root" user it attempts to canonicalize the name from ldap which
fails.

Here is an example of the run:

  make initialize-database
/usr/bin/perl -I/opt/rt4/local/lib -I/opt/rt4/lib sbin/rt-setup-database 
--action init --prompt-for-dba-password
In order to create or update your RT database, this script needs to connect to 
your  mysql instance on localhost (port '') as root
Please specify that user's database password below. If the user has no database
password, just press return.

Password: 
Working with:
Type:   mysql
Host:   localhost
Port:   
Name:   rt4
User:   rt
DBA:root
Now creating a mysql database rt4 for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs.
Done.
Now inserting RT core system objects.
[15076] [Wed May 25 00:15:29 2016] [critical]: Undefined subroutine 
::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo called at 
/opt/rt_source/sbin/../lib/RT/User.pm line 787. 
(/opt/rt_source/sbin/../lib/RT.pm:390)
Undefined subroutine ::Authen::ExternalAuth::LDAP::CanonicalizeUserInfo 
called at /opt/rt_source/sbin/../lib/RT/User.pm line 787.
Makefile:386: recipe for target 'initialize-database' failed
make: *** [initialize-database] Error 2
root@rt-dev:/opt/rt_source# 

I can work around this by having puppet install one version of RT_SiteConfig.pm 
without
external authentication configured, run the database import and then
replace it with a version with external auth enabled.

This works, I've tested it.

It just feels terribly ugly and wrong.

Can anyone suggest what I might be doing wrong here or is this a genuine
issue?


Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


Re: [rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting
Jim,

Found it.

There was a random apache process running that was causing the error.
Somehow it must have been started by hand.

Resulted in odd behaviour as sometimes it would work and sometimes not.

Thanks for your help!


Kind regards

Bart

Jim Brandt <jbra...@bestpractical.com> writes:

> Browser authentication is typically triggered by an Apache 
> configuration, so if your goal is to have just RT authentication, you 
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browser's authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>> 'URSYS_LDAP'   =>  {
>>  'type' =>  'ldap',
>>  'server'   =>  'ldap.x',
>>  'base' =>  'cn=users,cn=accounts,dc=xx',
>>  'user' => 'uid=system,cn=sysaccounts,x',
>>  'pass' => 'xx',
>>  'filter' => '(&(memberOf=cn=helpdesk-*))',
>>  'attr_match_list'  => [
>>  'Name',
>>  ],
>>  'attr_map' => {
>>  'Name' => 'uid',
>>  'EmailAddress' => 'mail',
>>  },
>>  },
>> } );
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin( qw(RT::LDAPImport));
>>
>> Set($LDAPBase,'cn=users,cn=accounts,x');
>> Set($LDAPHost,'ldap.x');
>> Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
>> Set($LDAPPassword,'');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping, {Name => 'uid', # required
>> EmailAddress => 'mail',
>> RealName => 'cn',
>> WorkPhone=> 'telephoneNumber',
>> Organization => 'departmentName'});
>> # create users as privileged
>>   Set($LDAPCreatePrivileged, 1);
>>
>> # sync Groups from LDAP into RT
>> Set($LDAPGroupBase, 'cn=accounts,x');
>> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
>> Set($LDAPGroupMapping, {Name   => 'cn',
>>  Description   => 'description',
>>  Member_Attr=> 'member',
>>  Member_Attr_Value  => 'dn',
>> });
>>
>> As above all the ldap stuff appears to work apart from the double
>> request for authentication.
>>
>>
>>
>> Kind regards
>> Bart
>>
> -
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Washington DC - May 23 & 24, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005


Re: [rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting
Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config:

Here it is for reference.  I did have ldap auth working at one point but
it is totally commented out in the  config.

Apache is apache2  2.4.18-2ubuntu3
amd64 debian Xenial LTS

# 
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# 


  ServerName helpdesk.in.urnet.com.au

  ## Vhost docroot
  DocumentRoot "/opt/rt4/share/html"
  ## Alias declarations for resources outside the DocumentRoot
  AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

  ## Directories, there should at least be a declaration for /opt/rt4/share/html
  
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
  

  ## Logging
  ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined 

  ## Custom fragment
  
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"

# bart: disabled for now until we move towards SSO
#   AuthType Basic
#   AuthName "Ursys LDAP"
#   AuthBasicProvider ldap
#   AuthLDAPURL ldap://ldap.:389/cn=accounts,?uid?sub
#   AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
#   AuthLDAPBindPassword x
#   Require ldap-group cn=noc,cn=groups,xx

Require all granted

Options +ExecCGI
AddHandler fcgid-script fcgi






Is there anything wrong with that? It pretty much mirrors the config
described in the documentation.

If there is a better way of doing things other than mod_fastcgi I'm open to 
trying that.


Kind regards

Bart






Jim Brandt <jbra...@bestpractical.com> writes:

> Browser authentication is typically triggered by an Apache 
> configuration, so if your goal is to have just RT authentication, you 
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browser's authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>> 'URSYS_LDAP'   =>  {
>>  'type' =>  'ldap',
>>  'server'   =>  'ldap.x',
>>  'base' =>  'cn=users,cn=accounts,dc=xx',
>>  'user' => 'uid=system,cn=sysaccounts,x',
>>  'pass' => 'xx',
>>  'filter' => '(&(memberOf=cn=helpdesk-*))',
>>  'attr_match_list'  => [
>>  'Name
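
An added example, not from the thread or from RT's documentation: a scan of an Apache configuration for the active directives that make Apache itself ask for credentials, which is the comparison Jim suggests above. Commented-out lines such as the disabled LDAP block in the posted vhost are ignored. Both sample configurations are constructed; the container tags, host names and DNs in them are placeholders.

```shell
#!/bin/sh
# Read an Apache config on stdin and print every active directive that causes
# a browser authentication prompt, as: <line> [<enclosing container>] <directive>
# Scope (assumption): one file at a time; Include'd files and .htaccess files
# must be fed in separately, and backslash line continuations are not joined.
auth_prompt_sources() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }     # trim the line
    /^#/ || /^$/ { next }                             # comments and blanks do nothing
    /^<\// { if (depth > 0) depth--; next }           # closing container tag
    /^</   { gsub(/^<|>$/, ""); stack[++depth] = $0; next }   # opening container tag
    {
        name = tolower($1); arg = tolower($2); hit = 0
        # AuthType Basic/Digest/Form enables authentication; AuthType None does not.
        if (name == "authtype" && arg != "none") hit = 1
        # Require rules that need an identified user force the credential prompt;
        # "Require all granted", "Require ip ..." and similar do not.
        if (name == "require" && arg ~ /^(valid-user|user|group|ldap-)/) hit = 1
        if (hit) printf "%d [%s] %s\n", NR, (depth ? stack[depth] : "server"), $0
    }'
}

# Constructed sample modelled on the vhost posted above: auth lines commented out.
sample_vhost_as_posted() {
cat <<'EOF'
<VirtualHost *:80>
  ServerName helpdesk.example.test
  DocumentRoot "/opt/rt4/share/html"
  <Directory "/opt/rt4/share/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>
  <Location />
    # bart: disabled for now until we move towards SSO
    #   AuthType Basic
    #   AuthName "Example LDAP"
    #   AuthBasicProvider ldap
    #   Require ldap-group cn=noc,cn=groups,dc=example,dc=test
    Require all granted
    Options +ExecCGI
    AddHandler fcgid-script fcgi
  </Location>
</VirtualHost>
EOF
}

# Constructed sample: the same block with the auth directives active.
sample_vhost_auth_enabled() {
cat <<'EOF'
<VirtualHost *:80>
  ServerName helpdesk.example.test
  <Location />
    AuthType Basic
    AuthName "Example LDAP"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.test:389/cn=accounts,dc=example,dc=test?uid?sub
    Require ldap-group cn=noc,cn=groups,dc=example,dc=test
  </Location>
</VirtualHost>
EOF
}

echo "as posted (expect no findings):"
sample_vhost_as_posted | auth_prompt_sources
echo "auth enabled:"
sample_vhost_auth_enabled | auth_prompt_sources
```

An empty result for the vhost as posted is consistent with what the thread eventually found: the prompt came from a separate, hand-started Apache process rather than from this configuration.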

[rt-users] Problems with external auth and double prompting for authentication

2016-05-11 Thread Bart Bunting


Hi everyone,

I have been trying to get external authentication with ldapauth and
ldapimport working on a brand new rt 4.4 from the latest pull of
4.4-trunk.

I have the ldap authentication and rt-ldapimport working correctly
against our ldap server.

The one issue I can not appear to resolve is that I am prompted first
by the browser's authentication prompt and then by the RT login screen.
So you need to enter your authentication credentials twice.

I am hoping to just have the RT login screen, no browser authentication
prompt.

I'm sure it's something simple but I'm pulling my hair out :).

If someone could take a look at my config and tell me where the error is
I'd be eternally grateful:

Here is the section of my rt config.

The first few options are commented out as they are part of previous
attempts to make it work as expected.

#* Authentication
# configure external authentication

#Set($WebRemoteUserAuth, 1);
# check authentication on each request rather than just once
#Set($WebRemoteUserContinuous, 1);

# fall back to rt login if external auth fails.
#Set($WebFallbackToRTLogin, 1);

Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
Set( $ExternalInfoPriority, ['URSYS_LDAP'] );

# Make users created from LDAP Privileged
Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );

# Users should still be autocreated by RT as internal users if they
# fail to exist in an external service; this is so requestors (who
# are not in LDAP) can still be created when they email in.
Set($AutoCreateNonExternalUsers, 1);

# LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
# further details and examples
Set($ExternalSettings, {
    'URSYS_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.x',
        'base'   => 'cn=users,cn=accounts,dc=xx',
        'user'   => 'uid=system,cn=sysaccounts,x',
        'pass'   => 'xx',
        'filter' => '(&(memberOf=cn=helpdesk-*))',
        'attr_match_list' => [
            'Name',
        ],
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
        },
    },
} );

# * rt-ldapimport configuration
# enable plugin
Plugin( qw(RT::LDAPImport));

Set($LDAPBase,'cn=users,cn=accounts,x');
Set($LDAPHost,'ldap.x');
Set($LDAPUser,'uid=system,cn=sysaccounts,xx');
Set($LDAPPassword,'');
Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
Set($LDAPMapping, {Name => 'uid', # required
   EmailAddress => 'mail',
   RealName => 'cn',
   WorkPhone=> 'telephoneNumber',
   Organization => 'departmentName'});
# create users as privileged
  Set($LDAPCreatePrivileged, 1);

# sync Groups from LDAP into RT
Set($LDAPGroupBase, 'cn=accounts,x');
Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
Set($LDAPGroupMapping, {Name              => 'cn',
                        Description       => 'description',
                        Member_Attr       => 'member',
                        Member_Attr_Value => 'dn',
                       });

As above all the ldap stuff appears to work apart from the double
request for authentication.



Kind regards
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005