[rt-users] Automatically Set "Let this user be granted rights"

Jon Witts jwitts at queenmargarets.com
Wed Apr 9 07:55:52 EDT 2014


Hi Chris,

I am afraid that I am running out of ideas on this one! I would be tempted to start again with a fresh database once you have both plugins installed and defined in your config correctly. How are you automating the LDAPImport? Have you set up a cron job?

Jon

-----------------------------------------------------

Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: www.queenmargarets.com 

-----Original Message-----
From: Chris Ditri [mailto:Cditri at experi-metal.com] 
Sent: 09 April 2014 12:54
To: Jon Witts; rt-users at lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"

Hi Jon,

It still is not working.  It is, once again, complaining that the email exists already.
[error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)

I don't understand it... It doesn't seem to matter if I use uid, or sAMAccountName either.

-Chris



Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com



Connnect with Us!











-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"


Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon


Director of Digital Strategy

Queen Margaret's School

01904 727600



http://www.queenmargarets.com








From: Chris Ditri [Cditri at experi-metal.com]

Sent: 08 April 2014 6:35 PM

To: Jon Witts

Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"







4.0.7 - it is what is stable on debian Wheezy.







Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com





Connnect with Us!


















From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 12:11 PM

To: rt-users at lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"



What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
RT::Authen::ExternalAuth

RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig


Jon



-----------------------------------------------------

Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:
www.queenmargarets.com





From: Chris Ditri [mailto:Cditri at experi-metal.com]


Sent: 08 April 2014 14:46

To:
rt-users at lists.bestpractical.com

Cc: Jon Witts

Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"



Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot.  Normally, it is not there.  I removed it again, however.  I removed the second (redundant) ExternalAuthPriority entry.  Thanks for that catch.

Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Doesn't work.  I need the "Set(@Plugins..." part.

The interesting thing is that when I do not have  "Set(@Plugins, qw(RT::Extension::LDAPImport));" in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug).  If I do have that line in my config, all I get in my log file is "FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)".  Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better.  With no output in the logs, I'm at a complete loss on how to troubleshoot this.  I don't know if using the import carries over the password hash into rt's own database, or if it checks it against the ldap/AD server.  Since I can see the rest of the user information, perhaps it has to do with the password itself?  I don't know...

Thanks again for your help.

-Chris






From:

rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 3:53 AM

To:
rt-users at lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"



Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Also you are setting
$ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle','SecondaryLDAP','Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority,  [ 'My_LDAP',
                            ]
);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username...

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name         => 'uid'

To:
Set($LDAPMapping, {Name         => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon




-----------------------------------------------------

Jon Witts
Director of Digital Strategy
Queen Margaret's School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:
www.queenmargarets.com





From: Chris Ditri [mailto:Cditri at experi-metal.com]


Sent: 07 April 2014 22:20

To: Jon Witts;
rt-users at lists.bestpractical.com

Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"



Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com'); Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com'); Set($LDAPPassword, 'MyPW1234'); Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com'); Set($LDAPFilter, '(&)'); Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name         => 'uid', # required
                   EmailAddress => 'mail',
                   RealName     => 'cn',
                   WorkPhone    => 'telephoneNumber',
                   Organization => 'departmentName'});
Set($ExternalAuthPriority,  [   'My_LDAP',
                                'My_SSO_Cookie'
                            ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority,  [   'My_LDAP'
                            ]
);

Set($ExternalServiceUsesSSLorTLS,    0);

Set($AutoCreateNonExternalUsers,    0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings,      {   # AN EXAMPLE DB SERVICE
                                'My_LDAP'       =>  {   ## GENERIC SECTION
                                                        # The type of service (db/ldap/cookie)
                                                        'type'                      =>  'ldap',
                                                        # The server hosting the service
                                                        'server'                    =>  'QZXW-dc.my-company.com',
                                                        ## SERVICE-SPECIFIC SECTION
                                                        # If you can bind to your LDAP server anonymously you should
                                                        # remove the user and pass config lines, otherwise specify them here:
                                                        #
                                                        # The username RT should use to connect to the LDAP server
                                                        'user'                      =>  'joeadmin at my-company.com',

                                                        # The password RT should use to connect to the LDAP server
                                                        'pass'                    =>  'majorlycrypticpw',

                                                        #
                                                        # The LDAP search base
                                                        'base'                      =>  'ou=QZXW USERS,dc=my-company,dc=com',
                                                        #
                                                        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                        # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                        #
                                                        # The filter to use to match RT-Users
                                                        'filter'                    =>  '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
                                                        # A catch-all example filter: '(objectClass=*)'
                                                        #
                                                        # The filter that will only match disabled users
                                                        'd_filter'                  =>  '',
                                                        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                        #
                                                        # Should we try to use TLS to encrypt connections?
                                                        'tls'                       =>  1,
                                                        # SSL Version to provide to Net::SSLeay *if* using SSL
                                                        'ssl_version'               =>  3,
                                                        # What other args should I pass to Net::LDAP->new($host, at args)?
                                                        'net_ldap_args'             => [    version =>  3   ],
                                                        # Does authentication depend on group membership? What group name?
                                                        # What is the attribute for the group object that determines membership?
                                                        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
                                                        ## RT ATTRIBUTE MATCHING SECTION
                                                        # The list of RT attributes that uniquely identify a user
                                                        # This example shows what you *can* specify.. I recommend reducing this
                                                        # to just the Name and EmailAddress to save encountering problems later.
                                                        'attr_match_list'           => [    'Name',
                                                                                            'EmailAddress',
                                                                                            'RealName',
                                                                                            'WorkPhone',
                                                                                            'Address2'
                                                                                        ],
                                                        # The mapping of RT attributes on to LDAP attributes
                                                        'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                            'EmailAddress' => 'mail',
                                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                                            'RealName' => 'cn',
                                                                                            'ExternalAuthId' => 'sAMAccountName',
                                                                                            'Gecos' => 'sAMAccountName',
                                                                                            'WorkPhone' => 'telephoneNumber',
                                                                                            'Address1' => 'streetAddress',
                                                                                            'City' => 'l',
                                                                                            'State' => 'st',
                                                                                            'Zip' => 'postalCode',
                                                                                            'Country' => 'co'
                                                                                        }
                                                    },
                                }
);

1;
my $zone = "UTC";
$zone=`/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance at my-company.com'); Set($CommentAddress , 'maintenance at my-company.com'); Set($RTAddressRegexp , '^maintenance(-comment)?\@(maintenance|rt)\.(my-company\.com|rt\.my-company\.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog    , 'debug');
Set($LogToScreen    , 'info');

Set($LogToFile , 'debug'); #debug is very noisy Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log");    #log to rt.log

my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb'; if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName, '' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); } 1;

Spam -

www.smoothwall.net




DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed  and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality  marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.



WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
 Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.



Thank you very much for your cooperation.




This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net




DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed  and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality  marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.



WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
 Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.



Thank you very much for your cooperation.




This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net




DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential  information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or  nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.



WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
 Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.



Thank you very much for your cooperation.





This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net

--
RT Training - Dallas May 20-21
http://bestpractical.com/training

DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information.  You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author.  This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement.  If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S. Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.


This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net




More information about the rt-users mailing list