Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
On Mon, Jan 18, 2010 at 11:40:09AM +0100, L B wrote:
> If a developer of this plugin reads this, I think it would be nice to add a $RT::Logger->info at this step in the code...

If you can provide a patch, I'd be happy to look at applying it

-kevin

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 & 23
Dublin, Ireland - Mar 15 & 16
Boston, MA, USA - April 5 & 6
Washington DC, USA - Oct 25 & 26

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
Here is a script to convert old email address account names to LDAP/AD account names.

http://wiki.bestpractical.com/view/rt_logins_email2ldap

-- 
L.B.
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
I tried what Ken said, and it didn't work on my login because of this code in the RT-External-Authen plugin:

ExternalAuth/LDAP.pm, line 230:

[...]
} else {
    # If there's only one match, we're good; more than one and
    # we don't know which is the right one so we skip it.
    if ($ldap_msg->count == 1) {
        my $entry = $ldap_msg->first_entry();
[...]

I had two sAMAccountName returned because my AD account with my email address has one normal sAMAccountName, and another admin one (in the same AD entry). To make it work, I modified the LDAP filter:

Set($EmailCompletionLdapFilter, "(&(objectclass=organizationalPerson)(!(sAMAccountName=admin*)))");

This filter will match my sAMAccountName but not the one starting with admin (replace this filter in your config). (Be careful of regular users having a login matching this string.)

Once I had one and only one sAMAccountName, I disabled my current account (changed all the values inside), I sent an email to my RT in debug mode and here my new account got created with the AD login.

If a developer of this plugin reads this, I think it would be nice to add a $RT::Logger->info at this step in the code...

-- 
L.B.
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
Why bother with that, when you just need to change the attribute you're using for the account name. Here's a sanitized version of my RT_SiteConfig.pm

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a Perl module, so you can include valid
# Perl code, as well.
#
# The converse is also true, if this file isn't valid Perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
# perl -c /path/to/your/etc/RT_SiteConfig.pm

Set($rtname, 'minervanetworks.com');
Set($Organization, 'minervanetworks.com');
Set($Timezone, 'US/Pacific');
Set($WebPath, "/rt3");
Set($WebPort, 443);
Set($WebDomain, 'rt.minervanetworks.com');
Set($WebBaseURL, 'https://' . RT->Config->Get('WebDomain') . ':' . RT->Config->Get('WebPort'));
Set($WebURL, RT->Config->Get('WebBaseURL') . RT->Config->Get('WebPath') . "/");
Set($WebImagesURL, RT->Config->Get('WebPath') . "/NoAuth/images/");
Set($WebImagesURL, $WebPath . "/images/"); # need this for below
Set($LogoURL, "https://rt.minervanetworks.com/Home_Logo.jpg");
Set($LogoLinkURL, 'https://www.minervanetworks.com/');
Set($LogoAltText, "Minerva Networks");
Set($AutoLogoff, 30);
Set($EnableReminders, 1);
Set($LogToSyslog, 'info');
Set($LogDir, '/var/log');
Set($LogToFileNamed, "rt.log");
Set($LogToFile, 'info');
Set($NotifyActor, 1);
Set($OwnerEmail, 'x...@minervanetworks.com');

Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));

Set($LDAPHost, 'HOSTNAME.DOMAIN.TLD');
Set($LDAPUser, 'cn=BINDUSER,dc=DOMAIN,dc=TLD');
Set($LDAPPassword, 'PASSWORD');
Set($LDAPBase, 'dc=minervanetworks,dc=com');
Set($LDAPFilter, '(&(objectClass=user))');
Set($LDAPMapping, {
    'Name'           => 'sAMAccountName',
    'EmailAddress'   => 'mail',
    'RealName'       => 'cn',
    'ExternalAuthId' => 'sAMAccountName',
    'Gecos'          => 'sAMAccountName',
    'WorkPhone'      => 'telephoneNumber',
    'Address1'       => 'streetAddress',
    'City'           => 'l',
    'State'          => 'st',
    'Zip'            => 'postalCode',
    'Country'        => 'co',
});
Set($LDAPGroupName, 'Employees');
Set($LDAPUpdateUsers, 1);

Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'            => 'ldap',
        'auth'            => 1,
        'info'            => 1,
        'server'          => 'HOSTNAME.DOMAIN.TLD',
        'user'            => 'cn=BINDUSER,dc=DOMAIN,dc=TLD',
        'pass'            => 'PASSWORD',
        'base'            => 'dc=DOMAIN,dc=TLD',
        'filter'          => '(objectClass=*)',
        'd_filter'        => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'             => 0,
        'net_ldap_args'   => [ version => 3 ],
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName' ],
        'attr_map'        => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co',
        },
    },
});

1;

On 1/14/10 11:49 AM, Ken Crocker kfcroc...@lbl.gov wrote:
> LB,
>
> This would REALLY help me. I've been doing this one user at a time whenever I get some free time (which isn't often). I'd love a copy of your code.
>
> Thanks.
>
> Kenn
> LBNL
>
> On 1/14/2010 10:34 AM, L B wrote:
>> I'm going to think about it, but the problem I see is that email addresses might not be unique (I mean we can have two AD accounts with the same email address). I have already done a script to mass-rename email addresses to AD logins, because we have used AD authentication for a long time and we wanted to make the users use their AD login instead of their email address. This script is not linked to the plugin, but I think it might be useful for some admins. I can upload it on the wiki or maybe it can be part of an extras directory in the plugin package. I have to clean up my code and make it generic, but it does the job, I already applied it successfully on many RT instances. Don't you think
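Two things in this thread decide whether an AD user gets auto-created: the plugin's "exactly one LDAP hit, otherwise skip" gate that L.B. ran into (and fixed by narrowing the filter to exclude the admin* account), and the userAccountControl bit-AND d_filter in Gary's config that keeps disabled accounts out. The Python below is an added example, not code from RT or RT::Authen::ExternalAuth (RT does these searches in Perl through Net::LDAP against a live directory). It replaces the directory with an in-memory evaluator for the filter syntax used in the thread, runs the two filters over constructed AD entries (all names and addresses are made up), and reports the ambiguous case the thread asks to be logged. The RFC 4515 escaping of the looked-up address is my addition, since the address comes from an inbound mail and is spliced into the filter.

```python
"""Evaluate the LDAP filters from this thread against constructed AD entries.

Constructed example, not code from RT or RT::Authen::ExternalAuth. The entry
dicts below are made up and stand in for what a Net::LDAP search would return.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD's bitwise-AND matching rule (from the thread's d_filter)
ADS_UF_ACCOUNTDISABLE = 2                  # userAccountControl bit that d_filter tests

# Constructed entries: one mail address shared by a normal and an "admin" account
# (the situation described in the thread), one ordinary user, one disabled user.
AD_ENTRIES = [
    {"objectclass": ["organizationalPerson", "user"], "samaccountname": ["lb"],
     "mail": ["lb@example.org"], "useraccountcontrol": ["512"]},
    {"objectclass": ["organizationalPerson", "user"], "samaccountname": ["admin-lb"],
     "mail": ["lb@example.org"], "useraccountcontrol": ["512"]},
    {"objectclass": ["organizationalPerson", "user"], "samaccountname": ["jdoe"],
     "mail": ["jdoe@example.org"], "useraccountcontrol": ["512"]},
    {"objectclass": ["organizationalPerson", "user"], "samaccountname": ["old"],
     "mail": ["old@example.org"], "useraccountcontrol": ["514"]},  # 512 | 2: disabled
]

BROAD_FILTER = "(objectclass=organizationalPerson)"
NARROW_FILTER = "(&(objectclass=organizationalPerson)(!(sAMAccountName=admin*)))"
DISABLED_FILTER = "(userAccountControl:%s:=%d)" % (BIT_AND_RULE, ADS_UF_ACCOUNTDISABLE)


def escape(value):
    """RFC 4515 escaping for a value spliced into a filter (e.g. an inbound From: address)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(text):
    """Parse a subset of RFC 4515: &, |, !, attr=value with * wildcards, and the bit-AND rule."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                   # escaped values contain no literal ')'
    attr, _, value = s[i:end].partition("=")
    if attr.endswith(":%s:" % BIT_AND_RULE):
        return ("bitand", attr.split(":")[0].lower(), int(value)), end + 1
    return ("eq", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "bitand":
        _, attr, mask = node
        return any((int(v) & mask) == mask for v in entry.get(attr, []))
    _, attr, pattern = node
    if pattern == "*":                      # presence test
        return attr in entry
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(rx.match(v) for v in entry.get(attr, []))


def lookup_login(entries, site_filter, email, disabled_filter=None):
    """Resolve a mail address to a login the way the thread describes the plugin doing it:
    the site filter is ANDed with (mail=<address>), and only exactly one hit yields a login."""
    node = parse("(&%s(mail=%s))" % (site_filter, escape(email)))
    hits = [e for e in entries if matches(node, e)]
    if disabled_filter:
        dis = parse(disabled_filter)
        live = [e for e in hits if not matches(dis, e)]
        if hits and not live:
            return None, "only disabled accounts match %s" % email
        hits = live
    if not hits:
        return None, "no match for %s" % email
    if len(hits) > 1:
        # This is the silent skip the thread asks to log: several accounts share the address.
        return None, "ambiguous: %d entries match %s" % (len(hits), email)
    return hits[0]["samaccountname"][0], "ok"


if __name__ == "__main__":
    for f in (BROAD_FILTER, NARROW_FILTER):
        print(f, "->", lookup_login(AD_ENTRIES, f, "lb@example.org"))
    print("disabled ->", lookup_login(AD_ENTRIES, NARROW_FILTER, "old@example.org", DISABLED_FILTER))
```

With the broad filter the shared address returns two entries and no login is produced, which is the silent skip L.B. hit; with the narrowed filter the admin-prefixed account is excluded and exactly one login comes back. The d_filter check shows why a disabled account must be filtered separately from the lookup: it still matches by mail, so without it a disabled user would be auto-created. The same exclusion rule applies to any site filter: a regular user whose login happens to start with "admin" is also dropped, which is the caveat L.B. gives.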
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
On Thu, Jan 14, 2010 at 12:17:40PM -0800, Gary Greene wrote:
> Why bother with that, when you just need to change the attribute you're using for the account name. Here's a sanitized version of my RT_SiteConfig.pm

If this works for email creation of AD users, fantastic. I've heard many reports of it not working

-kevin

> [...]
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
Gary,

Thanks. I'll look that over. We use LDAP as well, so this might make it all easier.

Thanks.

Kenn
LBNL

On 1/14/2010 12:17 PM, Gary Greene wrote:
> Why bother with that, when you just need to change the attribute you're using for the account name. Here's a sanitized version of my RT_SiteConfig.pm
> [...]
Re: [rt-users] Recommended method for auto creating users with Active Directory and Authen-ExternalAuth
I'll try Ken's tip and let you know the results. I'll also reply to this thread with my script (probably end of) next week once it's cleaned up.

-- 
LB

On Thu, Jan 14, 2010 at 10:14 PM, Ken Crocker kfcroc...@lbl.gov wrote:
> Gary,
>
> Thanks. I'll look that over. We use LDAP as well, so this might make it all easier.
>
> Thanks.
>
> Kenn
> LBNL
>
> On 1/14/2010 12:17 PM, Gary Greene wrote:
>> Why bother with that, when you just need to change the attribute you're using for the account name. Here's a sanitized version of my RT_SiteConfig.pm
>> [...]