Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-22 Thread Kevin Falcone
On Mon, Jan 18, 2010 at 11:40:09AM +0100, L B wrote:
 If a developer of this plugin reads this, I think it would be nice to
 add a $RT::Logger->info at this step in the code...

If you can provide a patch, I'd be happy to look at applying it

-kevin


___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22  23
Dublin, Ireland - Mar 15  16
Boston, MA, USA - April 5  6
Washington DC, USA - Oct 25  26

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-21 Thread L B
Here is a script to convert old email address account names to LDAP/AD
account names.

http://wiki.bestpractical.com/view/rt_logins_email2ldap

--
L.B.


Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-18 Thread L B
I tried what Ken said, and it didn't work on my login because of this
code in the RT-External-Authen plugin:

ExternalAuth/LDAP.pm : line 230
[...]
    } else {
        # If there's only one match, we're good; more than one and
        # we don't know which is the right one so we skip it.
        if ($ldap_msg->count == 1) {
            my $entry = $ldap_msg->first_entry();
[...]

I had two sAMAccountName returned because my AD account with my email
address has one normal sAMAccountName, and another admin one (in the
same AD entry).

To make it work, I modified the ldap filter :
Set($EmailCompletionLdapFilter,
    '(&(objectclass=organizationalPerson)(!(sAMAccountName=admin*)))');

This filter will match my sAMAccountName but not the one starting with
admin (replace this filter in your config). (Be careful of regular
users having a login matching this string)

Once I had one and only one sAMAccountName, I disabled my current
account (changed all the values inside), I sent an email to my RT in
debug mode and here my new account got created with the AD login.

If a developer of this plugin reads this, I think it would be nice to
add a $RT::Logger->info at this step in the code...
-- 
L.B.
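The "email address to AD login" step that LB hit above, as an added example that is not code from the post, from RT or from RT::Authen::ExternalAuth. It models the plugin's rule (exactly one directory match, otherwise skip the user) and adds the three things a practitioner wants around it: the address taken from the incoming mail is escaped per RFC 4515 before it goes into the LDAP filter (a crafted From: address must not become a wildcard), the admin-style logins are excluded in the filter the way LB's config does, and the skip is logged instead of silent, which is the $RT::Logger->info LB asked for. The directory entries, the "admin" prefix and the log_info stand-in for $RT::Logger are constructed for the example; a real run would pass the filter to Net::LDAP->search and the returned entries to resolve_login. Net::LDAP::Util::escape_filter_value does the same escaping as the sub here.

```perl
#!/usr/bin/perl
# Added example (not RT or RT::Authen::ExternalAuth code): the lookup from
# a sender address to exactly one sAMAccountName, done safely and loudly.
use strict;
use warnings;

# RFC 4515 escaping for a value placed inside an LDAP search filter:
# '*', '(', ')', '\' and NUL become \2a \28 \29 \5c \00.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\\*\(\)\0])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# The search filter: person objects with this mail attribute, minus logins
# starting with $exclude_prefix (LB used "admin"; constructed here).
sub build_filter {
    my ($email, $exclude_prefix) = @_;
    my $f = '(&(objectClass=organizationalPerson)'
          . '(mail=' . escape_filter_value($email) . ')';
    $f .= '(!(sAMAccountName=' . escape_filter_value($exclude_prefix) . '*))'
        if defined $exclude_prefix && length $exclude_prefix;
    return $f . ')';
}

# Stand-in for $RT::Logger->info so the script runs outside RT.
sub log_info { print STDERR "[info] $_[0]\n" }

# The plugin's rule: one match gives the login, anything else gives undef,
# but here the reason is logged (how many matched, and which logins).
sub resolve_login {
    my ($email, $entries, $exclude_prefix) = @_;
    my $lc = lc $email;
    my @hits = grep {
        lc($_->{mail} // '') eq $lc
        && !( defined $exclude_prefix
              && index($_->{sAMAccountName}, $exclude_prefix) == 0 )
    } @$entries;
    if (@hits == 1) {
        log_info("mapped $email to login $hits[0]{sAMAccountName}");
        return $hits[0]{sAMAccountName};
    }
    log_info(sprintf "skipped %s: %d LDAP entries matched (need exactly 1): %s",
             $email, scalar @hits,
             join(', ', map { $_->{sAMAccountName} } @hits) || '-');
    return undef;
}

# Constructed sample directory: one person whose normal and admin accounts
# share the same mail attribute (LB's situation), plus an unrelated user.
my @directory = (
    { sAMAccountName => 'lb',       mail => 'lb@example.com' },
    { sAMAccountName => 'admin-lb', mail => 'lb@example.com' },
    { sAMAccountName => 'jdoe',     mail => 'jdoe@example.com' },
);

print "filter: ", build_filter('lb@example.com', 'admin'), "\n";
# A hostile sender address is neutralised rather than widening the search.
print "filter: ", build_filter('*)(sAMAccountName=*', 'admin'), "\n";

for my $email ('lb@example.com', 'nobody@example.com') {
    my $login = resolve_login($email, \@directory);         # plugin default
    print "$email -> ", ($login // 'not created'), "\n";
    $login = resolve_login($email, \@directory, 'admin');   # with exclusion
    print "$email (admin excluded) -> ", ($login // 'not created'), "\n";
}
```

Without the exclusion, lb@example.com matches two entries and is skipped, which is the silent failure LB debugged; with it, the single remaining entry becomes the login. The second filter line shows why the escaping matters: the sender address is attacker-controlled input to a directory query.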


Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-14 Thread Gary Greene
Why bother with that, when you just need to change the attribute you're
using for the account name. Here's a sanitized version of my
RT_SiteConfig.pm

# Any configuration directives you include  here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a Perl module, so you can include valid
# Perl code, as well.
#
# The converse is also true, if this file isn't valid Perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($rtname, 'minervanetworks.com');
Set($Organization, "minervanetworks.com");
Set($Timezone, 'US/Pacific');
Set($WebPath, "/rt3");
Set($WebPort, 443);
Set($WebDomain, 'rt.minervanetworks.com');
Set($WebBaseURL, 'https://' . RT->Config->Get('WebDomain') . ':' .
RT->Config->Get('WebPort'));
Set($WebURL, RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') .
"/");
Set($WebImagesURL, RT->Config->Get('WebPath') . "/NoAuth/images/");
Set($WebImagesURL , $WebPath . "/images/");  # need this for below
Set($LogoURL, "https://rt.minervanetworks.com/Home_Logo.jpg");
Set($LogoLinkURL, 'https://www.minervanetworks.com/');
Set($LogoAltText, "Minerva Networks");
Set($AutoLogoff, 30);
Set($EnableReminders,1);
Set($LogToSyslog, 'info');
Set($LogDir, '/var/log');
Set($LogToFileNamed, "rt.log");
Set($LogToFile, 'info');
Set($NotifyActor, 1);
Set($OwnerEmail , 'x...@minervanetworks.com');
Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));
Set($LDAPHost, 'HOSTNAME.DOMAIN.TLD');
Set($LDAPUser, 'cn=BINDUSER,dc=DOMAIN,dc=TLD');
Set($LDAPPassword, 'PASSWORD');
Set($LDAPBase, 'dc=minervanetworks,dc=com');
Set($LDAPFilter, '(&(objectClass=user))');
Set($LDAPMapping, {
 'Name'           => 'sAMAccountName',
 'EmailAddress'   => 'mail',
 'RealName'       => 'cn',
 'ExternalAuthId' => 'sAMAccountName',
 'Gecos'          => 'sAMAccountName',
 'WorkPhone'      => 'telephoneNumber',
 'Address1'       => 'streetAddress',
 'City'           => 'l',
 'State'          => 'st',
 'Zip'            => 'postalCode',
 'Country'        => 'co'
}
);
Set($LDAPGroupName,'Employees');
Set($LDAPUpdateUsers,1);
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set(
  $ExternalSettings, {
    'My_LDAP' => {
      'type'     => 'ldap',
      'auth'     => 1,
      'info'     => 1,
      'server'   => 'HOSTNAME.DOMAIN.TLD',
      'user'     => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
      'pass'     => 'PASSWORD',
      'base'     => 'dc=DOMAIN,dc=TLD',
      'filter'   => '(objectClass=*)',
      'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
      'tls'      => 0,
      'net_ldap_args'   => [ version => 3 ],
      'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
      'attr_map'        => {
         'Name'           => 'sAMAccountName',
         'EmailAddress'   => 'mail',
         'RealName'       => 'cn',
         'ExternalAuthId' => 'sAMAccountName',
         'Gecos'          => 'sAMAccountName',
         'WorkPhone'      => 'telephoneNumber',
         'Address1'       => 'streetAddress',
         'City'           => 'l',
         'State'          => 'st',
         'Zip'            => 'postalCode',
         'Country'        => 'co'
      }
    }
  }
);

1;




On 1/14/10 11:49 AM, Ken Crocker kfcroc...@lbl.gov wrote:

 LB,
 
 This would REALLY help me. I've been doing this one user at a
 time whenever I get some free time (which isn't often). I'd love a copy
 of your code. Thanks.
 
 Kenn
 LBNL
 
 On 1/14/2010 10:34 AM, L B wrote:
  I'm going to think about it, but the problem I see is that email
 addresses might not be unique (I mean we can have two AD accounts with
 the same email address).
 
  I have already done a script to mass-rename email addresses to AD
 logins, because we have used AD authentication for a long time and we wanted
 to make the users use their AD login instead of their email address.
 This script is not linked to the plugin, but I think it might be
 useful for some admins. I can upload it on the wiki or maybe it can be
 part of an extras directory in the plugin package. I have to cleanup
 my code and make it generic, but it does the job, I already applied it
 successfully on many RT instances.
 
 Don't you think
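An added note on the posted RT_SiteConfig.pm, not from Gary's message or from the plugin's documentation: the $ExternalSettings keys that decide what the AD lookup exposes, shown as posted and then as a hardened equivalent. Key names are the ones the posted config already uses. Two assumptions, to check against the installed RT::Authen::ExternalAuth::LDAP: that 'tls' accepts a hashref of Net::LDAP start_tls() options (older releases take only 0 or 1 and do not verify the server certificate), and the OU used in 'base' and the CA file path, which are placeholders.

```perl
# Added example, not the plugin's own documentation. Use one of the two
# Set() calls below, not both; keys not shown are as in the posted config.

# ----- as posted: the bind password and every lookup cross the network in
# ----- clear, and any object under the base (computers and service
# ----- accounts included) can be matched and auto-created as an RT user.
Set($ExternalServiceUsesSSLorTLS, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'base'     => 'dc=DOMAIN,dc=TLD',
        'filter'   => '(objectClass=*)',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'      => 0,
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
    },
});

# ----- hardened equivalent
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'auth'     => 1,
        'info'     => 1,
        'server'   => 'HOSTNAME.DOMAIN.TLD',
        # A bind account that can only read the user OU. Its password still
        # sits in this file, so keep RT_SiteConfig.pm readable only by the
        # user RT runs as.
        'user'     => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
        'pass'     => 'PASSWORD',
        # Narrow the search base (OU name assumed) and match person accounts
        # only, not computer or group objects. d_filter is unchanged: it
        # rejects accounts with the ACCOUNTDISABLE bit (2) set in
        # userAccountControl via the LDAP_MATCHING_RULE_BIT_AND rule.
        'base'     => 'ou=Users,dc=DOMAIN,dc=TLD',
        'filter'   => '(&(objectClass=user)(objectCategory=person))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # STARTTLS before the bind, verifying the domain controller's
        # certificate against its issuing CA (hashref form and path assumed).
        'tls'      => { verify => 'require',
                        cafile => '/etc/ssl/certs/ad-issuing-ca.pem' },
        'net_ldap_args'   => [ version => 3 ],
        # Find the directory entry by login or address only. cn (RealName)
        # is a display name and need not be unique, so matching on it can
        # bind the wrong directory account to an RT user.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});
```

After changing the file, run perl -c on it as the header comment of the posted config says, and test one login while watching the RT log at debug level: a failed STARTTLS or an untrusted certificate shows up there before any user does.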
 

Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-14 Thread Kevin Falcone
On Thu, Jan 14, 2010 at 12:17:40PM -0800, Gary Greene wrote:
 Why bother with that, when you just need to change the attribute you're
 using for the account name. Here's a sanitized version of my
 RT_SiteConfig.pm

If this works for email creation of AD users, fantastic.
I've heard many reports of it not working

-kevin


Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-14 Thread Ken Crocker

Gary,

Thanks. I'll look that over. We use LDAP as well, so this might make it 
all easier. Thanks.


Kenn
LBNL

On 1/14/2010 12:17 PM, Gary Greene wrote:

Why bother with that, when you just need to change the attribute you're
using for the account name. Here's a sanitized version of my
RT_SiteConfig.pm


Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth

2010-01-14 Thread L B
I'll try Ken's tip and let you know the results.

I'll also reply to this this thread with my script (probably end of)
next week once it's cleaned up.
--
LB

On Thu, Jan 14, 2010 at 10:14 PM, Ken Crocker kfcroc...@lbl.gov wrote:
 Gary,

 Thanks. I'll look that over. We use LDAP as well, so this might make it all
 easier. Thanks.

 Kenn
 LBNL

 On 1/14/2010 12:17 PM, Gary Greene wrote:

 Why bother with that, when you just need to change the attribute you're
 using for the account name. Here's a sanitized version of my
 RT_SiteConfig.pm
