[rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2
Ken Crocker
kfcrocker at lbl.gov
Fri Jun 5 12:59:13 EDT 2009
Ruslan,
That's a good suggestion. In fact, I'm going upstairs to talk to my
guy who is building our new DEV environment in a few minutes. We're
going to start by installing 3.8.3 in that environment, so these ideas
will make for good testing scripts. OH! I reserve the right to recall
you as a witness (ha ha) when testing this stuff. Just joking. Thanks a
heap.
By the way, thanks to your help, I got that scrip working for
parsing CC's to a ticket on a queue-by-queue basis.
Kenn
LBNL
On 6/4/2009 4:04 PM, Ruslan Zakirov wrote:
> Ken, to clean up the mess you can use the MergeUsersHistory extension. From
> the beginning I want to note that it's been tested only on RT 3.8 and
> it's recommended to check the changes it makes very carefully. I suggest
> you do it as part of the migration from 3.6 to 3.8 with careful testing
> of everything.
>
> If you know that later you won't have duplicates because of
> canonicalization (LDAP or some other way) then it's all you need. You
> can even delete duplicates from the DB using shredder.
>
> Otherwise MergeUsers extension can be used to make two accounts in
> RT's Users table behave like one.
>
> On Thu, Jun 4, 2009 at 8:24 PM, Ken Crocker <kfcrocker at lbl.gov> wrote:
>
>> Cass,
>>
>> You mentioned in your response that when you went to 3.8 you had trouble
>> with multiple users of the same email address. I have a similar problem.
>> I am on 3.6.4 and have a bunch of users out there with the email address
>> as the User Name due to them being added automatically as watchers. When
>> they sign on (Using LDAP) at a later date, they get a new UserID, correct
>> name, SAME Email address. Now I have 2 id's for the same user. I want to
>> clean that mess up before I upgrade to 3.8.
>> So, how did you go about cleaning up the mess?
>> Also, do you have any suggestions on how to config my RT so that when a
>> User is added automatically as a watcher, RT will create a real User Name
>> and NOT use the Email address? Thanks.
>>
>> Kenn
>> LBNL
>>
>> On 6/3/2009 3:06 PM, Cassandra L. Brockett wrote:
>>
>> ((Apologies for top-posting, but it's just easier at the moment for me to
>> use outlook to send email))
>>
>> I can answer a few of your questions:
>> 1) Users with multiple email addresses on our system become one single user;
>> the LDAP query finds the one user responsible for the email address, and
>> just links the submitted ticket to the correct ID.
>>
>> 2) You cannot have multiple RT accounts with the same email address in the
>> system, we had a lot of cleanup when we migrated to 3.8.2 from a badly
>> botched install of 3.6, and this was our biggest hassle.
>>
>> 3) I have AutoCreateNonExternalUsers on, but that's mostly because of the
>> nature of the business my company is in :) However, the system seems to
>> work fine with that disabled, and it doesn't autocreate any non-LDAP
>> accounts unless you do so yourself.
>>
>> On another level, I know you'll hear this from a lot of angles, but it
>> always deserves to be said... You should try this sort of thing out on a
>> test system before setting it up in production... Especially when dealing
>> with things like authentication, you really want to make sure yourself that
>> it does what you want it to do...
>>
>> --
>> Cass
>>
>>
>> -----Original Message-----
>> From: rt-users-bounces at lists.bestpractical.com
>> [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Susan McClure
>> Sent: Wednesday, June 03, 2009 2:30 PM
>> To: rt-users at lists.bestpractical.com
>> Cc: Susan McClure
>> Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2
>>
>> I have been reading the postings about RT-Authen-ExternalAuth but am
>> confused on what appears to be some conflicting setup information.
>>
>> I am using:
>> RT 3.8.2
>> RT-Authen-ExternalAuth 0.08
>>
>> I would like to use LDAP for authentication and information first, and that
>> part seems to work OK.
>> But I also would like to:
>> - add LOCAL users to RT internal DB (i.e. test and test-admin type
>> accounts)
>> - NOT autocreate a new RT account, if we receive an email from a user that
>> is unknown in local RT or LDAP.
>> - NOT make multiple accounts for a user's multiple email aliases.
>> (Our ldap contains several email addresses for each user (uid) )
>>
>>
>> When I try to add a local account through the Web (using Root,
>> Configuration->Users->Create), I receive the error "Name in Use".
>> The username I am trying to create does NOT exist, but the email for
>> that new account DOES.
>>
>> My error_log shows:
>> ==================================
>>
>> [Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
>> [Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
>> [Tue Jun 2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
>> [Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
>> [Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/../lib/RT/Principal_Overlay.pm:322)
>> [Tue Jun 2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin, Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: , WebEncoding: , WorkPhone: , Zip: (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
>> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
>> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
>> [Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
>> [Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
>> [Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=*)(mail=smcclure at rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
>> [Tue Jun 2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure at rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin, Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
>>
>> ==============
>>
>> My Current RT_SiteConfig.pm for LDAP and External Auth has
>> ====================================
>> Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth .......
>>
>> and for LDAP
>> # special options for various plugins
>> # Authen::ExternalAuth
>> Set($ExternalAuthPriority, ['My_LDAP'] );
>> Set($ExternalInfoPriority, ['My_LDAP'] );
>> Set($ExternalServiceUsesSSLorTLS, 1);
>> Set($ExternalSettings, {
>>     'My_LDAP' => {                       ## GENERIC SECTION
>>         'type'   => 'ldap',
>>         'server' => 'ldap.rice.edu',
>>         'user'   => 'cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu',
>>         ..... etc etc .........
>>         .................
>> And the LDAP Attributes mappings:
>>
>>         ## RT ATTRIBUTE MATCHING SECTION
>>         # The list of RT attributes that uniquely identify a user
>>         # This example shows what you *can* specify.. I recommend reducing this
>>         # to just the Name and EmailAddress to save encountering problems later.
>>         'attr_match_list' => [ 'Name',
>>                                'EmailAddress',
>>                                'RealName',
>>                                'WorkPhone',
>>                                'Address2'
>>                              ],
>>         # The mapping of RT attributes on to LDAP attributes
>>         'attr_map' => { 'Name'           => 'uid',
>>                         'EmailAddress'   => 'mail',
>>                         'Organization'   => 'physicalDeliveryOfficeName',
>>                         'RealName'       => 'cn',
>>                         'ExternalAuthId' => 'uid',
>>                         'Gecos'          => 'gecos',
>>                         'WorkPhone'      => 'telephoneNumber',
>>                         'Address1'       => 'postalAddress',
>>                         'City'           => 'Houston',
>>                         'State'          => 'TX',
>>                         'Zip'            => 'postalCode'
>>                       }
>>     }
>> }
>> );
>>
>>
>> ===================
>>
>> Looking at all the postings, I am afraid that if I add:
>>
>> ==> Set($AutoCreateNonExternalUsers, 1);
>>
>> I will automatically MAKE a new account for users that send email or
>> authenticate in some way other than being in our LDAP.
>>
>> Can someone clarify the different options to help me get the setup I want
>> please?
>>
>> Thanks
>>
>> Susie McClure
>>
>> smcclure at rice.edu
>>
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
>>
>>
>
>
>
>
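The two observations in this thread, Susan's debug log (canonicalization key Name misses, key EmailAddress hits, and the returned record carries Name: smcclure instead of smcclure-admin, hence "Name in Use") and Cass's point (1) that several mail aliases collapse into one RT user, come from the same lookup order in attr_match_list. The Python model below is an added example, not code from RT or the RT-Authen-ExternalAuth plugin. The directory entries, the set of existing RT user names and all function names are constructed for the demonstration; the attr_map is a subset of the one posted above, and the overlay-on-first-hit behaviour is an assumption drawn from what the log shows, not from the plugin source.

```python
"""Model of RT-Authen-ExternalAuth's CanonicalizeUserInfo lookup order.

Added example (not RT code). Each RT attribute in attr_match_list is tried
in turn; the first LDAP hit wins and every attribute in attr_map that the
entry carries overwrites the values the admin typed into the Create form.
"""

# Constructed stand-in for ou=People,dc=rice,dc=edu (not real directory data).
LDAP_PEOPLE = [
    {"uid": "smcclure", "mail": ["smcclure@rice.edu", "susan.mcclure@rice.edu"],
     "cn": "McClure, Susan", "postalCode": "77005"},
    {"uid": "jdoe", "mail": ["jdoe@rice.edu"], "cn": "Doe, Jane",
     "postalCode": "77005"},
]

# Subset of the attr_map from the posted RT_SiteConfig.pm.
ATTR_MAP = {
    "Name": "uid",
    "EmailAddress": "mail",
    "RealName": "cn",
    "ExternalAuthId": "uid",
    "Zip": "postalCode",
}

# Names already present in the RT Users table (constructed).
EXISTING_USERS = {"root", "smcclure"}

# What the admin typed into Configuration->Users->Create (constructed,
# mirroring the "called ... with:" line of the debug log).
SUBMITTED = {
    "Name": "smcclure-admin",
    "EmailAddress": "smcclure@rice.edu",
    "RealName": "Susan McClure",
    "Privileged": 1,
}


def ldap_search(ldap_attr, value):
    """Return the first entry whose ldap_attr equals value.

    mail is multi-valued in the constructed directory, so an alias matches
    the same entry as the primary address (Cass's point 1).
    """
    for entry in LDAP_PEOPLE:
        vals = entry.get(ldap_attr)
        if vals is None:
            continue
        if isinstance(vals, str):
            vals = [vals]
        if value in vals:
            return entry
    return None


def canonicalize(user_info, attr_match_list, attr_map=ATTR_MAP):
    """Try each key in attr_match_list in order; overlay the first LDAP hit.

    Returns (canonical_info, matched_key). matched_key is None when no key
    produced a hit, in which case the submitted record is returned unchanged.
    """
    for rt_attr in attr_match_list:
        value = user_info.get(rt_attr)
        if not value:
            continue                       # empty form field: nothing to search on
        entry = ldap_search(attr_map[rt_attr], value)
        if entry is None:
            continue                       # e.g. uid=smcclure-admin does not exist
        result = dict(user_info)
        for rt_field, ldap_field in attr_map.items():
            if ldap_field in entry:
                v = entry[ldap_field]
                result[rt_field] = v[0] if isinstance(v, list) else v
        return result, rt_attr
    return dict(user_info), None


def name_in_use(candidate, existing_names=EXISTING_USERS):
    """The check that produces RT's "Name in Use" error after canonicalization."""
    return candidate["Name"] in existing_names


if __name__ == "__main__":
    # Posted config: Name first, then EmailAddress -> the local admin account
    # is remapped onto the LDAP user and collides with the existing "smcclure".
    info, key = canonicalize(SUBMITTED, ["Name", "EmailAddress"])
    print(f"matched on {key}: Name={info['Name']}, in use={name_in_use(info)}")
    # Name only: no LDAP hit, the record is kept as typed, no collision.
    info, key = canonicalize(SUBMITTED, ["Name"])
    print(f"matched on {key}: Name={info['Name']}, in use={name_in_use(info)}")
```

Running it shows why the debug log ends with Name: smcclure: the EmailAddress key is what matched, so the LDAP uid replaces the typed user name before the uniqueness check runs. The second call illustrates the trade-off behind the config comment about shrinking attr_match_list: matching on Name alone keeps a purpose-built local account distinct, but it also removes the alias collapsing that Cass relies on, which is exactly the kind of change to exercise on a test system first.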