Re: [rt-users] How to Integrate request tracker 4.0.8 with Active directory 2008

2013-01-02 Thread Chris O'Kelly

Hi Decenter,

Just 2 months ago I configured our RT (4.0.7 I think it was at the time) to 
work with AD following the pages on the wiki 
(http://requesttracker.wikia.com/wiki/ExternalAuth). Hopefully this isn't one 
of the links you don't want to be pointed at, but it was the first result for 
me googling Request Tracker Active Directory, so I figured you'd already seen it.

Regards


Chris O'Kelly
Web Administrator

Minecorp Australia
37 Murdoch Circuit
Acacia Ridge QLD 4110
minecorp.com.au


P:   07 3723 1000
M:  0450 586 190
E:  chris.oke...@minecorp.com.au
S:  chris.okelly.mvs



From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of decenter decenter
Sent: Thursday, 3 January 2013 4:38 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] How to Integrate request tracker 4.0.8 with Active 
directory 2008

I have been trying this for 7 days, but no luck. All the documents I have 
seen on the web are for an old version (3.0.8). So, please don't point me to 
those wiki links. If there is any new document for v 4.0.8 and Active 
Directory 2008, please let me know.

Diehard RT FAN


[rt-users] How to Integrate request tracker 4.0.8 with Active directory 2008

2013-01-02 Thread decenter decenter
I have been trying this for 7 days, but no luck. All the documents I have
seen on the web are for an old version (3.0.8). So, please don't point me to
those wiki links. If there is any new document for v 4.0.8 and Active
Directory 2008, please let me know.

Diehard RT FAN


Re: [rt-users] R: R: R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Thomas Sibley
On 01/02/2013 03:53 PM, Scotto Alberto wrote:
>> Fix problems at the source
>
> Exactly. From my point of view, the "source" is who/what generates
> the input: the user who fills in a form. So, this is why I say that
> the input validation should be done around the View layer, while in
> the back ("rt_auth" function) I should assume with a precondition
> that the input is not evil anymore.

It's far too easy for the backend function to start being used somewhere
where the validation doesn't happen first, and then you're vulnerable
again.  The backend is a single point to fix, whereas validation might
need to happen across multiple views and interfaces.

The path of shoving the shell_exec() validation up into the view is
lined with awful websites which prohibit special characters in passwords.


[rt-users] R: R: R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Scotto Alberto



Alberto Scotto

Blue Reply
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.sco...@reply.it
www.reply.it

On 01/01/2013 10:43 AM, Scotto Alberto wrote:
> Don't know what is the best. I think using preconditions is a strong
> practice that gives you freedom and lets you avoid duplicate checks.
> Actually, the preconditions must be documented...
>
> So I think that I may go for documenting the precondition in the wiki
> page (also for simplicity).
>
> What do you think?

Relying on the input being validated before handed to the function is
asking for trouble as soon as the function starts being used in multiple
places, some of which may not validate the input.  The function should
be a black box, and you shouldn't need to know that it's going to pass
provided arguments to shell_exec().  Fix problems at the source, not at
some more distant location.  You'll end up playing whack a mole otherwise.

Thomas



Thanks for your contribution.

> Fix problems at the source

Exactly. From my point of view, the "source" is who/what generates the input: 
the user who fills in a form. So, this is why I say that the input validation 
should be done around the View layer, while in the back ("rt_auth" function) 
I should assume with a precondition that the input is not evil anymore.



--
The information transmitted is intended for the person or entity to which it is 
addressed and may contain confidential and/or privileged material. Any review, 
retransmission, dissemination or other use of, or taking of any action in 
reliance upon, this information by persons or entities other than the intended 
recipient is prohibited. If you received this in error, please contact the 
sender and delete the material from any computer.


Re: [rt-users] R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Thomas Sibley
On 01/02/2013 03:44 PM, Scotto Alberto wrote:
> Yep! That's something I was mumbling about.
> 
> Thanks to you, I've just given it a try.
> It's not that easy peasy: REST returns 200 even if you are not authenticated. 
> But you can deduce if you have been auth'd from the HTML page you get, 
> searching for 'span id="not-logged-in" ', for example.

REST should never return HTML.  Try an existing endpoint under
/REST/1.0/ instead of just that top level dir.

> What about the security point of view of the two methods of auth (my script 
> vs REST)?
> Assuming RT is reachable via https, can it be any worse than executing a 
> script via ssh?

1) You don't have to replicate the RT::Authen::ExternalAuth handling,
since it'll all Just Work if you treat the web interface as an auth
endpoint.

2) You won't suffer arbitrary code execution vulnerabilities in your ssh
exec wrapper.

3) It doesn't require your PHP app to live on the same server as RT's
source code and config.


[rt-users] R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Scotto Alberto
Yep! That's something I was mumbling about.

Thanks to you, I've just given it a try.
It's not that easy peasy: REST returns 200 even if you are not authenticated. 
But you can deduce if you have been auth'd from the HTML page you get, 
searching for 'span id="not-logged-in" ', for example.

What about the security point of view of the two methods of auth (my script vs 
REST)?
Assuming RT is reachable via https, can it be any worse than executing a script 
via ssh?


From: Christian Loos [cl...@netsandbox.de]
Sent: Wednesday, 2 January 2013 23:10
To: Scotto Alberto
Cc: rt-users@lists.bestpractical.com
Subject: Re: Custom authentication script fails with > ExternalAuthPriority not 
defined, please check your configuration file

Hi,

why not just call, in your PHP app,
https://your-rt-server-url/REST/1.0/
with user and pass as POST parameters and check the first line of the
response for the status:
* "200 Ok" = successful login
* "401 Credentials required" = not successful login


Chris


On 20.12.2012 12:56, Scotto Alberto wrote:
> Hi all,
>
> I’m writing a PHP application (a cloud self-service application that
> lets developers create testing environments and so on) for the company
> where I also installed RT. For the authentication part, I thought to
> authenticate users against RT, since the users of my PHP app are a
> subset of RT’s users.
>
> So, I’m down to writing a script (attached) that authenticates a user
> against RT, to be called from a PHP script.
>
> On RT I have RT-Authen-ExternalAuth that connects to LDAP.
>
> So in my perl script I’ve had to make two tries: first
> RT::Authen::ExternalAuth::DoAuth (for domain users); then, if it fails,
> $user->IsPassword($pass) (for local users).
>
> The problem is with RT::Authen::ExternalAuth::DoAuth; instead, the auth
> of local users with IsPassword always works.
>
> If I execute the script as root, it goes smooth.
>
> But for security reasons I want to execute it as another user (I created
> the Unix user “selfservice”, as well as the RT user “selfservice”).
> Executing the script as this Unix user, DoAuth fails with the following
> message:
>
> ExternalAuthPriority not defined, please check your configuration file.
>
> What am I missing?
>
> Thank you very much!
>
> Regards
>
> Alberto Scotto





Alberto Scotto

Blue Reply
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.sco...@reply.it
www.reply.it






Re: [rt-users] Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Christian Loos
Hi,

why not just call, in your PHP app,
https://your-rt-server-url/REST/1.0/
with user and pass as POST parameters and check the first line of the
response for the status:
* "200 Ok" = successful login
* "401 Credentials required" = not successful login


Chris


On 20.12.2012 12:56, Scotto Alberto wrote:
> Hi all,
>
> I’m writing a PHP application (a cloud self-service application that
> lets developers create testing environments and so on) for the company
> where I also installed RT. For the authentication part, I thought to
> authenticate users against RT, since the users of my PHP app are a
> subset of RT’s users.
>
> So, I’m down to writing a script (attached) that authenticates a user
> against RT, to be called from a PHP script.
>
> On RT I have RT-Authen-ExternalAuth that connects to LDAP.
>
> So in my perl script I’ve had to make two tries: first
> RT::Authen::ExternalAuth::DoAuth (for domain users); then, if it fails,
> $user->IsPassword($pass) (for local users).
>
> The problem is with RT::Authen::ExternalAuth::DoAuth; instead, the auth
> of local users with IsPassword always works.
>
> If I execute the script as root, it goes smooth.
>
> But for security reasons I want to execute it as another user (I created
> the Unix user “selfservice”, as well as the RT user “selfservice”).
> Executing the script as this Unix user, DoAuth fails with the following
> message:
>
> ExternalAuthPriority not defined, please check your configuration file.
>
> What am I missing?
>
> Thank you very much!
>
> Regards
>
> Alberto Scotto

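The exchange Christian proposes above (POST user and pass to RT's REST/1.0 interface and read RT's own status line), with the two refinements from the rest of the thread (Thomas: use a real endpoint under /REST/1.0/, not the bare directory; Alberto: the HTTP code alone can be 200 even when you are not logged in), written out as an added example. This is not code from the thread or from RT itself. It assumes RT 4.x behind HTTPS; the host name, the user/<login> endpoint, and the credentials are placeholders, and the endpoint is an assumption (any object the user is allowed to read would do). Because the credentials travel in a request body rather than through a shell command line, none of the shell_exec() concerns Thomas raised apply here.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): authenticate a user against RT
# over its REST/1.0 interface from another application, instead of running a
# script through ssh. Assumes RT 4.x with an HTTPS front end; the host name,
# endpoint path and credentials below are placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use URI::Escape qw(uri_escape);

# Parse the first line of an RT REST/1.0 response body.
# RT writes its own status line there, e.g.
#   RT/4.0.8 200 Ok
#   RT/4.0.8 401 Credentials required
# Returns (code, text); returns (undef, undef) when the body is not in that
# format, such as an HTML login page, which callers must treat as failure.
sub rt_rest_status {
    my ($body) = @_;
    return (undef, undef) unless defined $body;
    my ($first_line) = split /\r?\n/, $body, 2;
    return (undef, undef) unless defined $first_line;
    return ($1, $2) if $first_line =~ m{^RT/\S+\s+(\d{3})\s+(.*?)\s*$};
    return (undef, undef);
}

# Returns 1 if $user/$pass are accepted by RT, 0 otherwise.
sub rt_rest_auth {
    my ($rt_base, $user, $pass) = @_;

    # The credentials travel in the POST body, so never send them in clear.
    die "RT base URL must use https\n" unless $rt_base =~ m{^https://}i;

    my $ua = LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => { verify_hostname => 1 },   # reject forged certificates
    );
    $ua->max_redirect(0);   # a redirect (e.g. to a login page) is not a login

    # Ask for a real endpoint under /REST/1.0/ (here the user's own record,
    # an assumed choice) rather than the bare directory, which can answer
    # with an HTML page and HTTP 200 even when nobody is logged in.
    my $url = "$rt_base/REST/1.0/user/" . uri_escape($user);
    my $res = $ua->post($url, { user => $user, pass => $pass });

    # Trust only RT's own status line, not the transport-level HTTP code.
    my ($code) = rt_rest_status($res->decoded_content);
    return 0 unless defined $code;
    return $code == 200 ? 1 : 0;
}

# Stand-alone run with placeholder values; the exit status mirrors the result.
if (!caller) {
    my $ok = rt_rest_auth('https://rt.example.com', 'selfservice',
                          'placeholder-password');
    print $ok ? "authenticated\n" : "not authenticated\n";
    exit($ok ? 0 : 1);
}
```

rt_rest_status deliberately returns "unknown" for anything that is not an RT status line, so an HTML page, a proxy error or an empty body all count as a failed login; the only way to get a 1 back is an explicit "200" from RT. Running this as the unprivileged Unix user Alberto created needs no access to RT's source tree or config, which is Thomas's third point.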


Re: [rt-users] Customizing With Local Directory

2013-01-02 Thread Ruslan Zakirov
On Wed, Jan 2, 2013 at 10:15 PM, Vega, Angel L.  wrote:
> Hello,
>
>
>
> I’m trying to customize the page in RTIR that displays incidents but I
> cannot see the changes I’ve made once I’ve restarted the webserver and
> cleared the Mason object cache.
>
> Here is where I placed the customized file in the ‘local’ directory:
> /opt/rt3/local/html/Ticket/Display.html
>

RTIR has its own set of pages to display Incidents/IRs/Invs and
Blocks. It customizes RT's display page to redirect to RTIR's version
if a user tries to use RT's page on an RTIR ticket. So you're poking at
the wrong file.

> I’ve already read the wiki section, how can I get the customizations to show
> using the local directory?
>
>
>
> Thanks,
>
> Angel



-- 
Best regards, Ruslan.


[rt-users] Customizing With Local Directory

2013-01-02 Thread Vega, Angel L.
Hello,

I'm trying to customize the page in RTIR that displays incidents but I cannot 
see the changes I've made once I've restarted the webserver and cleared the 
Mason object cache.
Here is where I placed the customized file in the 'local' directory: 
/opt/rt3/local/html/Ticket/Display.html

I've already read the wiki section, how can I get the customizations to show 
using the local directory?

Thanks,
Angel


Re: [rt-users] Custom fields and non privileged users

2013-01-02 Thread Thomas Sibley
On 01/02/2013 03:21 AM, Martin Wheldon wrote:
> I suspect you may need to give write access to the custom fields for the
> non privileged user, as I've never needed to I'm not sure.

Yes, you need to grant the ModifyCustomField right.

> For the privileged user you could write a scrip that checks if a
> transaction is a create and the status is not new, then
> resets the status to new.

This is unnecessary with Lifecycles.  You can configure which statuses
are acceptable when creating a ticket:

http://bestpractical.com/rt/docs/latest/RT_Config.html#Transitions-between-statuses-and-UI-actions



Re: [rt-users] R: R: Custom authentication script fails with > ExternalAuthPriority not defined, please check your configuration file

2013-01-02 Thread Thomas Sibley
On 01/01/2013 10:43 AM, Scotto Alberto wrote:
> Don't know what is the best. I think using preconditions is a strong
> practice that gives you freedom and lets you avoid duplicate checks.
> Actually, the preconditions must be documented...
> 
> So I think that I may go for documenting the precondition in the wiki
> page (also for simplicity).
> 
> What do you think?

Relying on the input being validated before handed to the function is
asking for trouble as soon as the function starts being used in multiple
places, some of which may not validate the input.  The function should
be a black box, and you shouldn't need to know that it's going to pass
provided arguments to shell_exec().  Fix problems at the source, not at
some more distant location.  You'll end up playing whack a mole otherwise.

Thomas


Re: [rt-users] Request Tracker does not highlight a ticket when it receives a new reply

2013-01-02 Thread Jim Brandt

There is an option to notify you if there are unread messages on a ticket:

http://bestpractical.com/rt/docs/latest/RT_Config.html#ShowUnreadMessageNotifications

This can be set as a global option or at the individual level by going 
to Logged in as > Settings > Options. Look for "Notify me of unread 
messages".


To see it in a ticket list somewhere in "RT at a glance", click on Edit 
for the section you want (e.g., 10 highest priority tickets I own). In 
the Display Columns section, add UpdateStatus to the shown columns. That 
will work in conjunction with ShowUnreadMessageNotifications and show 
you new messages. You can click the link at the top of the ticket 
display page to clear the unread messages for a given ticket.



On 12/29/12 8:24 AM, decenter decenter wrote:

Hello,

When a new ticket is created, I can see that in RT. But then if a new reply
or correspondence comes to that ticket, it is not getting highlighted (but
I can see the new correspondence in the ticket). Any solution?

Regards,






Re: [rt-users] Custom fields and non privileged users

2013-01-02 Thread Martin Wheldon

Hi,

I suspect you may need to give write access to the custom fields for 
the non privileged user, as I've never needed to I'm not sure.

For the privileged user you could write a scrip that checks if a 
transaction is a create and the status is not new, then resets the status 
to new.

Best Regards

Martin

On 2013-01-02 11:32, Xavier Barnada wrote:

Hi

I'm configuring an RT4 and I have a problem. I want to use custom
fields on tickets.
I tried to create a non privileged user with "view custom fields"
permission. I tried to create a ticket with this user, and the custom
field doesn't appear on the ticket form and it doesn't allow me to create
the ticket because of a custom field validation error.
I searched for possible solutions and set this user as a privileged
user. With a privileged user the custom field appears on the create ticket
form, but another option appears that allows the user to set the
initial status of the ticket, and I want the user to only be able to create
tickets as "New".

Is there any possible solution to show the custom field to non
privileged users or hide the initial status from privileged users?

Cheers





[rt-users] Custom fields and non privileged users

2013-01-02 Thread Xavier Barnada
Hi

I'm configuring an RT4 and I have a problem. I want to use custom
fields on tickets.
I tried to create a non privileged user with "view custom fields"
permission. I tried to create a ticket with this user, and the custom
field doesn't appear on the ticket form and it doesn't allow me to create
the ticket because of a custom field validation error.
I searched for possible solutions and set this user as a privileged
user. With a privileged user the custom field appears on the create ticket
form, but another option appears that allows the user to set the
initial status of the ticket, and I want the user to only be able to create
tickets as "New".

Is there any possible solution to show the custom field to non
privileged users or hide the initial status from privileged users?

Cheers


Re: [rt-users] History/log for Scrip in RT 4.0.1

2013-01-02 Thread Ruslan Zakirov
On Wed, Jan 2, 2013 at 1:43 PM, tobiasbp  wrote:
> Hello list.
>
> Is there any way to document when a Scrip has been dis/en-abled in RT
> 4.0.1. Looking at the database itself, I can see when the rule
> definition itself has been updated and by whom, but not when it was
> last dis/en-abled.
>
> Any ideas?

RT doesn't record transactions for scrips, so history is limited. It's
not hard to implement. Patches for master branch are welcome.

>
> Thank you,
> Tobias Balle-Petersen



-- 
Best regards, Ruslan.


Re: [rt-users] Placing 2 CF in RT ticket subject

2013-01-02 Thread Martin Wheldon

Hi,

How about something like:

my $subject = sprintf("%s %s",
    $self->TicketObj->FirstCustomFieldValue('Custom Field 1'),
    $self->TicketObj->FirstCustomFieldValue('Custom Field 2'));


Best Regards

Martin Wheldon


On 2012-12-29 08:48, Nums wrote:

I am trying to create a script which will pull 2 custom field values
into the RT
ticket subject upon creation.
I am able to do it with one using script below, but
unable to manage to pull 2 CF values, is this possible?

my $subject = $self->TicketObj->FirstCustomFieldValue('Custom Field Selection');

$self->TicketObj->SetSubject($subject);






Re: [rt-users] Placing 2 CF in RT ticket subject

2013-01-02 Thread Tim Cutts

On 29 Dec 2012, at 08:48, Nums  wrote:

> I am trying to create a script which will pull 2 custom field values into the 
> RT 
> ticket subject upon creation. 
> I am able to do it with one using script below, but 
> unable to manage to pull 2 CF values, is this possible?
> 
> my $subject = $self->TicketObj->FirstCustomFieldValue('Custom Field Selection');
> 
> $self->TicketObj->SetSubject($subject);

my $field1 = $self->TicketObj->FirstCustomFieldValue('Custom Field Selection');
my $field2 = $self->TicketObj->FirstCustomFieldValue('Other Custom Field');

my $subject = "$field1 $field2";

$self->TicketObj->SetSubject($subject); 

or something like that.

Tim.

--
 The Wellcome Trust Sanger Institute is operated by Genome Research
 Limited, a charity registered in England with number 1021457 and a
 company registered in England with number 2742969, whose registered
 office is 215 Euston Road, London, NW1 2BE.
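Both replies above (Martin's sprintf and Tim's two-variable form) build the subject from exactly two custom fields and assume both are set. The added example below, which is not code from either reply, generalizes to any number of fields and handles the case where a field is empty on the ticket, so the subject never ends up with a stray leading or trailing space or the literal "undef" warning in the log. It goes in the scrip's custom action commit (cleanup) code, with Condition "On Create", Action "User Defined" and a blank template, and the preparation code simply returning 1. The custom field names are placeholders. Unlike Nums's original, it keeps the requestor's own subject after the prefix; drop the second half of the join if you want the values only.

```perl
# Custom action commit code for an "On Create" scrip (added example, not the
# thread's code). The custom field names below are placeholders for whatever
# fields the queue actually has.
my @cf_names = ('Custom Field Selection', 'Other Custom Field');

my $ticket = $self->TicketObj;

# Take the first value of each field, skipping fields that are unset or empty
# so a missing value neither leaves a dangling space nor warns about undef.
my @parts = grep { defined $_ && length $_ }
            map  { $ticket->FirstCustomFieldValue($_) } @cf_names;

# No custom field values at all: leave the subject as the requestor wrote it.
return 1 unless @parts;

# Prefix the values to the existing subject; if the ticket was created with
# an empty subject, the values alone become the subject.
my $prefix  = join ' ', @parts;
my $subject = $ticket->Subject;
$subject = '' unless defined $subject;
my $new = length $subject ? "$prefix - $subject" : $prefix;

# Only write when something changes, so no empty "Subject changed" transaction
# is recorded on tickets that already carry the prefix.
if ($new ne $subject) {
    my ($ok, $msg) = $ticket->SetSubject($new);
    $RT::Logger->warning("Could not set subject on ticket "
                         . $ticket->Id . ": $msg") unless $ok;
}

return 1;
```

SetSubject returns a (status, message) pair like the other RT setters, so the result is checked and logged rather than ignored; a failure here (for instance a rights problem on the scrip's current user) would otherwise be silent.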


[rt-users] History/log for Scrip in RT 4.0.1

2013-01-02 Thread tobiasbp
Hello list.

Is there any way to document when a Scrip has been dis/en-abled in RT
4.0.1. Looking at the database itself, I can see when the rule
definition itself has been updated and by whom, but not when it was
last dis/en-abled.

Any ideas?

Thank you,
Tobias Balle-Petersen