[rt-users] Automatically Set "Let this user be granted rights"
Chris Ditri
Cditri at experi-metal.com
Wed Apr 9 07:53:35 EDT 2014
Hi Jon,
It still is not working. It is, once again, complaining that the email exists already.
[error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
I don't understand it... It doesn't seem to matter if I use uid, or sAMAccountName either.
-Chris
Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com
-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"
Chris,
Please keep your responses on the list so that others may benefit or assist.
So what happens when you set your @plugins as I described?
Jon
Director of Digital Strategy
Queen Margaret's School
01904 727600
http://www.queenmargarets.com
From: Chris Ditri [Cditri at experi-metal.com]
Sent: 08 April 2014 6:35 PM
To: Jon Witts
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"
4.0.7 - it is what is stable on Debian Wheezy.
Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 12:11 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"
What version of RT are you running?
You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:
Set( @Plugins, qw(
RT::Authen::ExternalAuth
RT::Extension::LDAPImport
) );
As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig
Jon
-----------------------------------------------------
Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU
Telephone: 01904 727600
Fax: 01904 728150
Website: www.queenmargarets.com
From: Chris Ditri [mailto:Cditri at experi-metal.com]
Sent: 08 April 2014 14:46
To: rt-users at lists.bestpractical.com
Cc: Jon Witts
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"
Hi Jon,
I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.
Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );
Doesn't work. I need the "Set(@Plugins..." part.
The interesting thing is that when I do not have "Set(@Plugins, qw(RT::Extension::LDAPImport));" in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is "FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)". Even though I have the log file set to debug, I get no more output than a simple login failure.
I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I'm at a complete loss on how to troubleshoot this. I don't know if using the import carries over the password hash into rt's own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don't know...
Thanks again for your help.
-Chris
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 3:53 AM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"
Hi there,
I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.
Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );
Also you are setting $ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle','SecondaryLDAP','Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP',
]
);
I have my ldap bind user defined as a fully qualified ldap string rather than just a username...
In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid'
To:
Set($LDAPMapping, {Name => 'sAMAccountName',
And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);
Too.
Jon
-----------------------------------------------------
Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU
Telephone: 01904 727600
Fax: 01904 728150
Website: www.queenmargarets.com
From: Chris Ditri [mailto:Cditri at experi-metal.com]
Sent: 07 April 2014 22:20
To: Jon Witts; rt-users at lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"
Hi Jon, and thanks.
Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => 'uid', # required
EmailAddress => 'mail',
RealName => 'cn',
WorkPhone => 'telephoneNumber',
Organization => 'departmentName'});
Set($ExternalAuthPriority, [ 'My_LDAP',
'My_SSO_Cookie'
]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
]
);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
'My_LDAP' => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
'type' => 'ldap',
# The server hosting the service
'server' => 'QZXW-dc.my-company.com',
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
#
# The username RT should use to connect to the LDAP server
'user' => 'joeadmin at my-company.com',
# The password RT should use to connect to the LDAP server
'pass' => 'majorlycrypticpw',
#
# The LDAP search base
'base' => 'ou=QZXW USERS,dc=my-company,dc=com',
#
# ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
# YOU **MUST** SPECIFY A filter AND A d_filter!!
#
# The filter to use to match RT-Users
'filter' => '(&)', ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
# A catch-all example filter: '(objectClass=*)'
#
# The filter that will only match disabled users
'd_filter' => '',
# A catch-none example d_filter: '(objectClass=FooBarBaz)'
#
# Should we try to use TLS to encrypt connections?
'tls' => 1,
# SSL Version to provide to Net::SSLeay *if* using SSL
'ssl_version' => 3,
# What other args should I pass to Net::LDAP->new($host, @args)?
'net_ldap_args' => [ version => 3 ],
# Does authentication depend on group membership? What group name?
# What is the attribute for the group object that determines membership?
# What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
## RT ATTRIBUTE MATCHING SECTION
# The list of RT attributes that uniquely identify a user
# This example shows what you *can* specify.. I recommend reducing this
# to just the Name and EmailAddress to save encountering problems later.
'attr_match_list' => [ 'Name',
'EmailAddress',
'RealName',
'WorkPhone',
'Address2'
],
# The mapping of RT attributes on to LDAP attributes
'attr_map' => { 'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'WorkPhone' => 'telephoneNumber',
'Address1' => 'streetAddress',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co'
}
},
}
);
1;
my $zone = "UTC";
$zone=`/bin/cat /etc/timezone`
if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');
Set($CorrespondAddress , 'maintenance at my-company.com');
Set($CommentAddress , 'maintenance at my-company.com');
Set($RTAddressRegexp , '^maintenance(-comment)?\@(maintenance|rt)\.(my-company\.com|rt\.my-company\.com)$');
Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");
Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');
Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log
my %typemap = (
mysql => 'mysql',
pgsql => 'Pg',
sqlite3 => 'SQLite',
);
Set($DatabaseType, $typemap{mysql} || "UNKNOWN");
Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');
Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');
my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName, '' . '/' . $dbc_dbname); }
else { Set ($DatabaseName, $dbc_dbname); }
1;
DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.
WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.
Thank you very much for your cooperation.
This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net
--
RT Training - Dallas May 20-21
http://bestpractical.com/training
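
Added example, not part of the thread and not code from RT or its plugins: a small Python check for the two points Jon raised about the posted config, an option set more than once and priority entries naming services that $ExternalSettings does not define. The sample text is constructed from the settings quoted above; the function names and the regex-based parsing (no braces or "=>" inside quoted strings) are assumptions of this sketch.

```python
import re

# Constructed sample, trimmed from the settings quoted in this thread.
SAMPLE = r"""
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_SSO_Cookie' ] );
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    'My_LDAP' => { 'type' => 'ldap', 'server' => 'QZXW-dc.my-company.com',
                   'attr_map' => { 'Name' => 'sAMAccountName' } },
} );
"""

# One Set(<sigil>Name, <value>); statement; the value may span lines.
SET_RE = re.compile(r"Set\s*\(\s*([$@%]\w+)\s*,(.*?)\)\s*;", re.S)
KEY_OR_BRACE = re.compile(r"'([^']+)'\s*=>\s*\{|[{}]")

def top_level_keys(body):
    """Names of the services defined directly inside the $ExternalSettings hash."""
    keys, depth = set(), 0
    for m in KEY_OR_BRACE.finditer(body):
        if m.group(1) is not None:
            if depth == 1:
                keys.add(m.group(1))
            depth += 1                      # the key pattern consumed a '{'
        else:
            depth += 1 if m.group(0) == "{" else -1
    return keys

def audit(text):
    """Return sorted (kind, option, detail) findings for an RT site config."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)    # drop full-line comments
    counts, priorities, defined = {}, [], set()
    for name, body in SET_RE.findall(text):
        counts[name] = counts.get(name, 0) + 1
        if name in ("$ExternalAuthPriority", "$ExternalInfoPriority"):
            priorities.append((name, re.findall(r"'([^']+)'", body)))
        elif name == "$ExternalSettings":
            defined = top_level_keys(body)
    findings = {("set-more-than-once", n, str(c)) for n, c in counts.items() if c > 1}
    for name, services in priorities:
        findings |= {("undefined-service", name, s) for s in services if s not in defined}
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```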