[rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

Ruslan Zakirov ruslan.zakirov at gmail.com
Thu Jun 4 19:04:34 EDT 2009


Ken, to clean up the mess you can use the MergeUsersHistory extension. From
the beginning I want to note that it's been tested only on RT 3.8 and
it's recommended to check the changes it makes very carefully. I suggest
you do it as part of the migration from 3.6 to 3.8 with careful testing
of everything.

If you know that later you won't have duplicates because of
canonicalization (LDAP or some other way) then it's all you need. You
can even delete the duplicates from the DB using the shredder.

Otherwise MergeUsers extension can be used to make two accounts in
RT's Users table behave like one.

On Thu, Jun 4, 2009 at 8:24 PM, Ken Crocker <kfcrocker at lbl.gov> wrote:
> Cass,
>
>     You mentioned in your response that when you went to 3.8 you had trouble
> with multiple users of the same email address. I have a similar problem.
>     I am on 3.6.4 and have a bunch of users out there with the email address
> as the User Name due to them being added automatically as watchers. When
> they sign on (Using LDAP) at a later date, they get a new UserID, correct
> name, SAME Email address. Now I have 2 IDs for the same user. I want to
> clean that mess up before I upgrade to 3.8.
>     So, how did you go about cleaning up the mess?
>     Also, do you have any suggestions on how to config my RT so that when a
> User is added automatically as a watcher, RT will create a real User Name
> and NOT use the Email address? Thanks.
>
> Kenn
> LBNL
>
> On 6/3/2009 3:06 PM, Cassandra L. Brockett wrote:
>
> ((Apologies for top-posting, but it's just easier at the moment for me to
> use outlook to send email))
>
> I can answer a few of your questions:-
> 1) Users with multiple email addresses on our system become one single user,
> the LDAP query finds the one user responsible for the email address, and
> just links the submitted ticket to the correct ID.
>
> 2) You cannot have multiple RT accounts with the same email address in the
> system, we had a lot of cleanup when we migrated to 3.8.2 from a badly
> botched install of 3.6, and this was our biggest hassle.
>
> 3) I have AutoCreateNonExternalUsers on, but that's mostly because of the
> nature of the business my company is in :)  However, the system seems to
> work fine with that disabled, and it doesn't autocreate any non-LDAP
> accounts unless you do so yourself.
>
> On another level, I know you'll hear this from a lot of angles, but it
> always deserves to be said... You should try this sort of thing out on a
> test system before setting it up in production...  Especially when dealing
> with things like authentication, you really want to make sure yourself that
> it does what you want it to do...
>
> --
> Cass
>
>
> -----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com
> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Susan McClure
> Sent: Wednesday, June 03, 2009 2:30 PM
> To: rt-users at lists.bestpractical.com
> Cc: Susan McClure
> Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2
>
> I have been reading the postings about RT-Authen-ExternalAuth but am
> confused on what appears to be some conflicting setup information.
>
> I am using:
>   RT 3.8.2
>   RT-Authen-ExternalAuth 0.08
>
> I would like to use LDAP for authentication and information first, and that
> part seems to work OK.
> But I also would like to:
>   - add LOCAL users to RT internal DB (i.e., test and test-admin type
> accounts)
>   - NOT autocreate a new RT account, if we receive an email from a user that
> is unknown in local RT or LDAP.
>   - NOT make multiple accounts for a user's multiple email aliases.
> (Our ldap contains several email addresses for each user (uid) )
>
>
> When I try to add a local account through the Web (using Root,
> Configuration->Users->Create), I receive the error "Name in Use".
> The username I am trying to create is NOT in existence, but the email for
> that new account IS.
>
> My error_log shows:
> ==================================
>
>
> [Tue Jun  2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
> root User not found
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth/LDAP.pm:318)
> [Tue Jun  2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
> Response: (0, No User)
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> html/Callbacks/ExternalAuth/autohandler/Auth:26)
> [Tue Jun  2 17:45:21 2009] [info]: Successful login for root from
> 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
> [Tue Jun  2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
> calls old style callback, use $m->callback
> (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
> [Tue Jun  2 17:46:40 2009] [crit]: HasRight called with no valid
> object (/usr/site/rt-3.8/PROD/bin/../lib/RT/Principal_Overlay.pm:322)
> [Tue Jun  2 17:51:36 2009] [debug]:
> RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
> /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
> ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
> City: , Comments: Admin Authority Level Account for RT,
> ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
> smcclure at rice.edu, EmailEncoding: , ExternalAuthId: ,
> ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
> Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
> Smcclure-Admin,
> Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
> Signature: , State: ,
> WebEncoding: , WorkPhone: , Zip:
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth.pm:450)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to get user info using
> this external service: My_LDAP
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth.pm:458)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to use this
> canonicalization key: Name
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun  2 17:51:36 2009] [debug]: LDAP Search ===  Base:
> ou=People,dc=rice,dc=edu == Filter:
> (&(objectclass=*)(uid=smcclure-admin)) == Attrs:
> Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
> physicalDeliveryOfficeName,uid
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun  2 17:51:36 2009] [debug]: Attempting to use this
> canonicalization key: EmailAddress
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth.pm:472)
> [Tue Jun  2 17:51:36 2009] [debug]: LDAP Search ===  Base:
> ou=People,dc=rice,dc=edu == Filter:
> (&(objectclass=*)(mail=smcclure at rice.edu)) == Attrs:
> Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
> physicalDeliveryOfficeName,uid
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth/LDAP.pm:195)
> [Tue Jun  2 17:51:36 2009] [info]:
> RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
> Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
> Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
> Country: , Disabled: 0, EmailAddress: smcclure at rice.edu,
> EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
> FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
> Name: smcclure, NickName: Smcclure-Admin,
> Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
> RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
> WorkPhone: 713-348-4852, Zip: 77005
> (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
> lib/RT/Authen/ExternalAuth.pm:536)
>
>
> ==============
>
> My Current RT_SiteConfig.pm for LDAP and External Auth has
> ====================================
> Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth .......
>
> and for LDAP
> #  special options for various plugins
> #  Authen::ExternalAuth
> Set($ExternalAuthPriority, ['My_LDAP'] );
> Set($ExternalInfoPriority, ['My_LDAP'] );
> Set($ExternalServiceUsesSSLorTLS, 1);
> Set($ExternalSettings, {
>     'My_LDAP' => {   ## GENERIC SECTION
>         'type'   => 'ldap',
>         'server' => 'ldap.rice.edu',
>         'user'   => 'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
>         ..... etc etc .........
> .................
> And the LDAP Attributes mappings:
>
>
> ## RT ATTRIBUTE MATCHING SECTION
>         # The list of RT attributes that uniquely identify a user
>         # This example shows what you *can* specify.. I recommend reducing this
>         # to just the Name and EmailAddress to save encountering problems later.
>         'attr_match_list' => [
>             'Name',
>             'EmailAddress',
>             'RealName',
>             'WorkPhone',
>             'Address2'
>         ],
>         # The mapping of RT attributes on to LDAP attributes
>         'attr_map' => {
>             'Name'           => 'uid',
>             'EmailAddress'   => 'mail',
>             'Organization'   => 'physicalDeliveryOfficeName',
>             'RealName'       => 'cn',
>             'ExternalAuthId' => 'uid',
>             'Gecos'          => 'gecos',
>             'WorkPhone'      => 'telephoneNumber',
>             'Address1'       => 'postalAddress',
>             'City'           => 'Houston',
>             'State'          => 'TX',
>             'Zip'            => 'postalCode'
>         }
>     }
> }
>
> );
>
>
> ===================
>
> Looking at all the postings, I am afraid that if I add:
>
> ==> Set($AutoCreateNonExternalUsers,    1);
>
> That I will automatically MAKE a new account for users that send email or
> authenticate in some way other than being in our LDAP.
>
> Can someone clarify the different options to help me get the setup I want
> please?
>
> Thanks
>
> Susie McClure
>
> smcclure at rice.edu
>
>
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>
>



-- 
Best regards, Ruslan.
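Added example, not part of the thread and not code from RT or the RT-Authen-ExternalAuth extension: a small Python model of the two behaviours discussed above. The first part audits a list of RT Users rows for accounts that share an e-mail address (the auto-created watcher plus the account created at first LDAP login) and proposes which one to keep before any merge is run. The second part mimics the canonicalization that the quoted log shows: attr_match_list keys are tried in order against the directory, and on the first hit every attr_map value is overlaid, which is why a local account created with an address that exists in LDAP (smcclure-admin in the log) comes back with the LDAP uid as its Name. All users, addresses, uids and the in-memory directory are constructed; RTUser, find_duplicates, merge_plan, ldap_lookup and canonicalize are names assumed here, and only the attribute names come from the quoted config.

```python
"""Added example: duplicate-account audit and attr_match_list canonicalization,
modelled on constructed data (no real RT database or LDAP server is touched)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RTUser:
    id: int
    name: str
    email: str
    external_auth_id: str  # empty when the account is not linked to LDAP


def normalize(value):
    """Case-insensitive comparison for addresses and uids."""
    return value.strip().lower()


# Constructed stand-in for rows of RT's Users table.
SAMPLE_USERS = [
    RTUser(10, "jdoe@example.edu", "jdoe@example.edu", ""),     # auto-created watcher
    RTUser(42, "jdoe", "JDoe@Example.edu", "jdoe"),              # created at first LDAP login
    RTUser(11, "asmith@example.edu", "asmith@example.edu", ""),  # watcher who never logged in
    RTUser(12, "root", "rt-admin@example.edu", ""),              # local account
    RTUser(13, "root-test", "rt-admin@example.edu", ""),         # second local account, same address
]


def find_duplicates(users):
    """Return {address: [accounts]} for every address used by more than one account."""
    by_email = defaultdict(list)
    for u in users:
        by_email[normalize(u.email)].append(u)
    return {addr: group for addr, group in by_email.items() if len(group) > 1}


def choose_canonical(group):
    """Keep the LDAP-linked account if there is one, then an account whose Name is a
    real username rather than a bare address, then the oldest (lowest id)."""
    def rank(u):
        return (u.external_auth_id == "", normalize(u.name) == normalize(u.email), u.id)
    return min(group, key=rank)


def merge_plan(users):
    """List of (duplicate_id, canonical_id) pairs to review before merging anything."""
    plan = []
    for addr, group in sorted(find_duplicates(users).items()):
        keep = choose_canonical(group)
        plan.extend((u.id, keep.id) for u in group if u.id != keep.id)
    return plan


# Constructed stand-in for the LDAP directory: one entry per uid, mail is multi-valued.
SAMPLE_LDAP = {
    "jdoe": {"uid": "jdoe", "mail": ["jdoe@example.edu", "john.doe@example.edu"],
             "cn": "Doe, John"},
}
# Same shape as the attr_match_list / attr_map keys in the quoted RT_SiteConfig.pm.
ATTR_MATCH_LIST = ["Name", "EmailAddress"]
ATTR_MAP = {"Name": "uid", "EmailAddress": "mail", "RealName": "cn", "ExternalAuthId": "uid"}


def ldap_lookup(attr, value):
    """Equality search on one attribute, multi-valued attributes included."""
    for entry in SAMPLE_LDAP.values():
        stored = entry.get(attr)
        values = stored if isinstance(stored, list) else [stored]
        if any(v and normalize(v) == normalize(value) for v in values):
            return entry
    return None


def canonicalize(info):
    """Try each attr_match_list key in order; on the first hit overlay every attr_map
    value from the LDAP entry. Returns (new_info, key_that_matched_or_None)."""
    for key in ATTR_MATCH_LIST:
        value = info.get(key)
        if not value:
            continue
        entry = ldap_lookup(ATTR_MAP[key], value)
        if entry is None:
            continue
        out = dict(info)
        for rt_attr, ldap_attr in ATTR_MAP.items():
            stored = entry.get(ldap_attr)
            if stored is not None:
                out[rt_attr] = stored[0] if isinstance(stored, list) else stored
        return out, key
    return dict(info), None


if __name__ == "__main__":
    print(merge_plan(SAMPLE_USERS))
    print(canonicalize({"Name": "jdoe-admin", "EmailAddress": "jdoe@example.edu"}))
```

The second mail alias in the constructed directory shows the aliasing point raised in the thread: any of a user's addresses resolves to the same uid, so no second account is created for it. The same mechanism is what turns a deliberately local account into the LDAP one when its address is already in the directory, which is why trimming attr_match_list to the keys you actually want matched matters.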


