[rt-users] RT and SSO with SAML
Hi,

The goal here is to have SSO on RT between a local user directory (AD) and an RT instance installed in the Amazon cloud. I've set up mod_mellon ( https://code.google.com/p/modmellon/ ) with RT as a relying party on AWS and it works well; I'm able to log in with SSO (the IdP used on premise is ADFS). I just had to configure RT with:

    Set($WebExternalAuth, 1);
    Set($WebFallbackToInternalAuth, 1);
    Set($WebExternalAuto, 1);

so it uses the REMOTE_USER variable to log in.

I have three problems now:

- populating user info: I think I can get some environment variables out of the SAML token with a mod_mellon configuration like this:

      MellonSetEnv e-mail mail

  But then I don't know how to populate this into RT.

- logout waits 1 second (default), and goes back to the login page, so I'm authenticated again. I think I need to change the logout link in the code?

- SSO is always used and I'd like a way to do a local login (with root for example, which is not in our user directory). I'm not sure how to do this yet.

Has anyone played with this and gone further than I did?

Thanks,
--
L.B.

--
RT Training in Seattle, June 19-20: http://bestpractical.com/training
Re: [rt-users] RT and SSO with SAML
On Tue, Jun 18, 2013 at 4:38 PM, L B bertig...@gmail.com wrote:

> I have three problems now:
>
> - populating user info: I think I can get some environment variables out of the SAML token with a mod_mellon configuration like this:
>
>       MellonSetEnv e-mail mail
>
>   But then I don't know how to populate this into RT.

Solution:

1) With code. Grep for REMOTE_USER in the RT source code and you'll find places where you can inject code to extract the information mellon puts into ENV and put it into RT's tables. As far as I recall, the remote user variable is handled in one or two places.

2) No coding - use the ExternalAuth module to extract info. It can work this way - info extraction only mode, without auth. Info is updated on login into the UI.

3) No coding - use LDAPImport to bring in users' data. Info is updated as often as you run the script.

> - logout waits 1 second (default), and goes back to the login page, so I'm authenticated again. I think I need to change the logout link in the code?

Yes. Very specific to the setup, so there is no direct solution that works for everybody.

> - SSO is always used and I'd like a way to do a local login (with root for example, which is not in our user directory). I'm not sure how to do this yet.

Host a second RT as a virtual host on a different URL without SSO. Only people with passwords in RT's database would be able to use this interface.

--
Best regards,
Ruslan.
Re: [rt-users] Is it possible to set CustomField in mailgate plugin?
Hello,

The full scenario is like this: a new email arrives, and a new ticket is about to be created. I want to check the To or Cc email header addresses against some special list of mail addresses. If a match is found, I need to store the address in a CF.

I'd like to do the CF value assignment in a mail plugin, because in the mail plugin I have the complete mail object available, so I know in which header the email address appeared. However, it seems I can't store the value in the CF (within the mail plugin). I guess it's because we're dealing with a NEW ticket, so the ticket itself does not really exist yet, therefore it is impossible to assign a CF value to it.

I tried to do the stuff in a Scrip, but in there I do not know in which header the address appeared. There is the method $self->TicketObj->TransactionAddresses() which returns all addresses present in the transaction, however there is no info about in which email header the address was present. Maybe if there was any method to get the whole email message object within a scrip - but I do not know about such a method.

I see I should specify my question more precisely: Is it possible to assign a value to a CF, in a mail plugin, when the email message is about to create a completely new ticket?

Thanks in advance

Pavel Šidlo - LinuxBox.cz, s.r.o.
28. října 168, 709 00 Ostrava
tel.: +420 591 166 234
mob.: +420 737 238 334
web: www.linuxbox.cz
mobil servis: +420 737 238 656
email servis: ser...@linuxbox.cz

From: Kevin Falcone falc...@bestpractical.com
To: rt-users@lists.bestpractical.com
Date: 14.06.2013 17:28
Subject: Re: [rt-users] Is it possible to set CustomField in mailgate plugin?

On Fri, Jun 14, 2013 at 01:23:45PM +0200, pavel.si...@linuxbox.cz wrote:

> I've got a mailgate plugin in which I am trying to set a value to a Ticket CustomField. I'm using this method:
>
>     my ($st, $msg) = $args{Ticket}->AddCustomFieldValue(
>         Field             => $CFObj->id,
>         Value             => $id,
>         RecordTransaction => 1,
>     );
>
> However this always fails with the error message:
>
>     Failed to save CF value: 100 as value for CF. Error: Custom field 1 does not apply to this object
>
> This looks like the CF value cannot be assigned just because the ticket itself does not really exist yet. Is that the problem?

What's the Action? Is this during creation or a correspond/comment? Normally folks do CF manipulation from Scrips rather than Mail Plugins.

-kevin
Re: [rt-users] RT 4.0.8 - rt-mailgate hangs on authenticated RT server
----- Original Message -----
From: Thomas Sibley t...@bestpractical.com
Date: Mon, 17 Jun 2013 15:21:19 -0700
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.8 - rt-mailgate hangs on authenticated RT server

> On 06/17/2013 03:06 PM, Duncan Napier wrote:
>> I understand that to get around this, you open up areas of the server to the localhost (127.0.0.1) so no authentication is required. I have tried a bunch of fixes, but none seem to work. They seem to require that the NoAuth areas of the rt directory have authentication disabled using Apache Location or Directory directives, as in:
>>
>>     #
>>     # Begin Code Fragment
>>     #
>>     <LocationMatch /share/html/NoAuth>
>>         Satisfy Any
>>         Allow from all
>>     </LocationMatch>
>>     <LocationMatch /share/html/REST/1.0/NoAuth>
>>         Satisfy Any
>>         Allow from all
>>     </LocationMatch>
>
> Your Apache configuration directives are wrong. Location/LocationMatch take a URL location, not a directory path (that's what Directory/DirectoryMatch are for). You also aren't using the matching power of LocationMatch, and don't need it, so you want something like:
>
>     <Location /REST/1.0/NoAuth/mail-gateway>
>         Satisfy any
>         Allow from 127.0.0.1
>     </Location>
>
> You don't need to allow /NoAuth for mailgate.

Hi Thomas,

Thanks very much. I did succeed in making it work, but still using the LocationMatch directive. I changed

    #
    # Begin Code Fragment
    #
    <LocationMatch /share/html/NoAuth>
        Satisfy Any
        Allow from all
    </LocationMatch>
    <LocationMatch /share/html/REST/1.0/NoAuth>
        Satisfy Any
        Allow from all
    </LocationMatch>

by changing the above fragment (and putting in the required quotes that were missing! Doh!) to

    <LocationMatch "/NoAuth">
        Satisfy Any
        Allow from all
    </LocationMatch>
    <LocationMatch "/REST">
        Satisfy Any
        Allow from all
    </LocationMatch>

It works fine now and I'm not going to mess with it (the cardinal rule of RT - don't mess with what works!!!), unless you have some additional comments or advice about it.

Regards,

Duncan.
Re: [rt-users] Question about restricting queues
On 17/06/2013 20:33, Chris Hall wrote:

> They asked me if there was any way to group these queues up in such a way that, for example, if a ticket is made in any of the Queue A's they are locked in and can only be transferred between the Queue A's.

Depending on your setup/organization, you could restrict the visible queues (some people would have access to queues A tier 1/2/3, others to queues B tier 1/2/3).

If this is not possible, you could force the correct queue or reject the transfer from inside a scrip I guess, something like this (untested):

Example to reject the transaction, in the condition:

    my $TransObj = $self->TransactionObj;
    if ($TransObj->Type eq "Set" and $TransObj->Field eq "Queue") {
        # OldValue/NewValue of a Queue change hold queue ids, so load the
        # queues to compare their names
        my $Old = RT::Queue->new($RT::SystemUser);
        $Old->Load($TransObj->OldValue);
        my $New = RT::Queue->new($RT::SystemUser);
        $New->Load($TransObj->NewValue);
        # 7 is the length of "Queue A"
        return 0 if substr($Old->Name, 0, 7) ne substr($New->Name, 0, 7);
    }
    return 1;
[rt-users] Confusion about See/ModifyCustomField rights
Hello,

I am trying to troubleshoot a problem and I got a little bit confused about how See/ModifyCustomField privileges work. Both exist as Custom Field rights as well as Queue rights and they somehow overlap, but it's not very clear to me how.

With See/ModifyCustomField set for a group on a queue, I can see and edit custom fields for any tickets in that queue, but at the same time I can't see the same custom fields in the search editor - even after selecting a queue first. With See/ModifyCustomField granted for the same group in the custom field properties, on the other hand, RT will show it in the search options.

It seems like a similar difference exists in the API. With queue rights I can access and iterate on $Ticket->CustomFields, but creating a custom field object instance and loading one of the same custom fields by queue and name fails unless the user has See/Modify rights on the actual field.

Could someone explain how these rights really work?

Best regards,
Maciek
Re: [rt-users] Is it possible to set CustomField in mailgate plugin?
If you use procmail -> rt-mailgate, you could use procmail to modify the email to pass the field in the body where CommandByMail could pick it up (or the ExtractCustomField extension).

Thanks,
Jok
--
| Joachim Thuau | IT Systems Engineer - Linux / SpaceX |

From: pavel.si...@linuxbox.cz
Date: Tuesday, June 18, 2013 7:39 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Is it possible to set CustomField in mailgate plugin?

> I see I should specify my question more precisely: Is it possible to assign a value to a CF, in a mail plugin, when the email message is about to create a completely new ticket?
Re: [rt-users] Is it possible to set CustomField in mailgate plugin?
On Tue, Jun 18, 2013 at 04:39:55PM +0200, pavel.si...@linuxbox.cz wrote:

> I see I should specify my question more precisely: Is it possible to assign a value to a CF, in a mail plugin, when the email message is about to create a completely new ticket?

I think the better question is "How do I get the To or Cc header from within a Scrip", since you can't set the custom field on a ticket that doesn't exist yet (bit of a chicken and egg problem there).

It sounds like you want to get the First Attachment of the Transaction object passed into the Scrip during the Create and call GetHeader on it - asking for the appropriate headers. You can also get the attachment back as a perl MIME object if you're more comfortable with that, but you have all the rope you need in a Scrip.

-kevin
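As an added example (not Pavel's plugin and not code from anyone in this thread), this is the Scrip route Kevin describes, written as the custom commit code of an "On Create" scrip with a User Defined action. The custom field name 'Matched Address' and the address list are assumptions; the RT calls used (TransactionObj->Attachments->First, GetHeader, AddCustomFieldValue) are the ones named above.

```perl
# Custom action commit code for an "On Create" / User Defined scrip.
# Reads the original To and Cc headers from the create transaction and,
# when one of them contains a watched address, records it (with the header
# it came from) in a ticket custom field.
use strict;
use warnings;
use Email::Address;          # parses RFC 2822 address lists; shipped with RT

# Constructed example data: the "special list" of addresses, lower-cased.
my %special = map { $_ => 1 } qw(
    support-alpha@example.com
    support-beta@example.com
);
my $cf_name = 'Matched Address';   # assumed name of a ticket custom field

# The first attachment of the Create transaction is the top-level MIME part,
# which still carries the message headers the mail plugin would have seen.
my $attach = $self->TransactionObj->Attachments->First;
return 1 unless $attach;           # no mail involved, e.g. created in the web UI

for my $header (qw(To Cc)) {
    my $raw = $attach->GetHeader($header);
    next unless defined $raw && length $raw;

    # Header addresses are whatever the sender wrote; they are only matched
    # against our own list, never trusted on their own.
    for my $addr ( Email::Address->parse($raw) ) {
        my $email = lc $addr->address;
        next unless $special{$email};

        # Field may be the CF name or id. On a single-value CF a later match
        # replaces an earlier one, so use a multi-value CF if both matter.
        my ($ok, $msg) = $self->TicketObj->AddCustomFieldValue(
            Field => $cf_name,
            Value => "$header: $email",
        );
        $RT::Logger->warning("Could not set $cf_name: $msg") unless $ok;
    }
}
return 1;
```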
Re: [rt-users] Question about restricting queues
On Mon, Jun 17, 2013 at 02:33:07PM -0400, Chris Hall wrote:

> I've got a bit of a weird problem, and wondered if anybody has a solution for it. We have several queues, and a few are grouped up by name. For example:
>
>     Queue A tier 1
>     Queue A tier 2
>     Queue A tier 3
>     Queue B tier 1
>     Queue B tier 2
>     Queue B tier 3
>
> The managers at the helpdesk are having a problem w/ ppl making a ticket in Queue A tier 1, and then when they escalate it, accidentally transferring it to Queue B tier 2 (instead of Queue A tier 2). They asked me if there was any way to group these queues up in such a way that, for example, if a ticket is made in any of the Queue A's they are locked in and can only be transferred between the Queue A's.

As Jean-Christophe notes, the common solution is "Don't let them have access to B" but you may not be able to do that. Unfortunately, a Scrip runs too late to stop the email from going out with the other queue's email address. The best solution may be modifying SelectQueue (using a callback if available) to limit the set of Queues presented to non-admin users.

-kevin
Re: [rt-users] Question about restricting queues
On 06/18/2013 11:08 AM, Kevin Falcone wrote:
> On Mon, Jun 17, 2013 at 02:33:07PM -0400, Chris Hall wrote:
>> They asked me if there was any way to group these queues up in such a way that, for example, if a ticket is made in any of the Queue A's they are locked in and can only be transferred between the Queue A's.
>
> As Jean-Christophe notes, the common solution is "Don't let them have access to B" but you may not be able to do that. Unfortunately, a Scrip runs too late to stop the email from going out with the other queue's email address. The best solution may be modifying SelectQueue (using a callback if available) to limit the set of Queues presented to non-admin users.

Another solution which may be acceptable is defining different lifecycles for each trio of queues. The lifecycles don't have to actually be different, just named differently. Then if you omit a mapping between the two lifecycles, RT will prevent tickets moving between them (by _anyone_). It's a bit of a misuse, but will work.
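An added RT_SiteConfig.pm fragment (not from the thread) showing the two-lifecycle trick Thomas describes: 'group-a' and 'group-b' are identical copies of one cut-down lifecycle, and because %Lifecycles has no __maps__ entry between them RT refuses to move a ticket from a queue using one to a queue using the other. The lifecycle names and the trimmed state set are assumptions; a real deployment would paste RT's full default and approvals lifecycles from RT_Config.pm into the same Set() call, since Set(%Lifecycles, ...) replaces the whole hash.

```perl
# Constructed, cut-down lifecycle used as the template for every group.
# Only the names given to the copies differ; that is enough for RT to treat
# a queue change between them as a lifecycle change.
my %template = (
    initial  => ['new'],
    active   => ['open', 'stalled'],
    inactive => ['resolved', 'rejected', 'deleted'],
    defaults => {
        on_create           => 'new',
        on_merge            => 'resolved',
        approved            => 'open',
        denied              => 'rejected',
        reminder_on_open    => 'open',
        reminder_on_resolve => 'resolved',
    },
    transitions => {
        ''       => [qw(new open resolved)],
        new      => [qw(open stalled resolved rejected deleted)],
        open     => [qw(new stalled resolved rejected deleted)],
        stalled  => [qw(new open rejected resolved deleted)],
        resolved => [qw(new open stalled rejected deleted)],
        rejected => [qw(new open stalled resolved deleted)],
        deleted  => [qw(new open stalled rejected resolved)],
    },
    rights => {
        '* -> deleted' => 'DeleteTicket',
        '* -> *'       => 'ModifyTicket',
    },
    actions => [
        'new -> open'      => { label => 'Open It', update => 'Respond' },
        'new -> resolved'  => { label => 'Resolve', update => 'Comment' },
        'open -> stalled'  => { label => 'Stall',   update => 'Comment' },
        'open -> resolved' => { label => 'Resolve', update => 'Comment' },
        'stalled -> open'  => { label => 'Open It', update => 'Respond' },
        'resolved -> open' => { label => 'Re-open', update => 'Comment' },
    ],
);

Set(%Lifecycles,
    # Stand-in for RT's shipped lifecycle; copy the real one from RT_Config.pm
    # (together with 'approvals') when you deploy this.
    default   => { %template },
    # Assign 'group-a' to Queue A tier 1/2/3 and 'group-b' to Queue B tier
    # 1/2/3 under Admin -> Queues. With no '__maps__' entry such as
    #   '__maps__' => { 'group-a -> group-b' => { new => 'new', ... } },
    # there is no status mapping between them and RT blocks the move.
    'group-a' => { %template },
    'group-b' => { %template },
);
```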
Re: [rt-users] Confusion about See/ModifyCustomField rights
On Tue, Jun 18, 2013 at 8:42 PM, Maciej Dobrzanski reg.bestpracti...@posterus.com wrote:

> With See/ModifyCustomField set for a group on a queue, I can see and edit custom fields for any tickets in that queue, but at the same time I can't see the same custom fields in the search editor - even after selecting a queue first. With See/ModifyCustomField granted for the same group in the custom field properties, on the other hand, RT will show it in the search options.
>
> Could someone explain how these rights really work?

SeeCustomField on the Queue level should allow you to see all custom fields applied to the queue. The implementation is tricky and it's hard to make it work in all cases. See SetContextObject in RT::CustomField. Basically the code says that the user wants to interact with this custom field in the context of ticket/queue X. So this feature is incomplete, but so wanted that it's kept in RT core and constantly improved to work properly in more and more situations. The situation you described is actually fixable to some point, but I don't remember if we have a fix or not.

--
Best regards,
Ruslan.
Re: [rt-users] RT and SSO with SAML
On 06/18/2013 05:58 AM, Ruslan Zakirov wrote:
>> - logout waits 1 second (default), and goes back to the login page, so I'm authenticated again. I think I need to change the logout link in the code?
>
> Yes. Very specific to the setup, so there is no direct solution that works for everybody.

There's a Default callback in NoAuth/Logout.html which you can use to modify the URL redirected to. This lets you have RT redirect to the SSO endpoint's logout URL.

>> - SSO is always used and I'd like a way to do a local login (with root for example, which is not in our user directory). I'm not sure how to do this yet.
>
> Host a second RT as a virtual host on a different URL without SSO. Only people with passwords in RT's database would be able to use this interface.

Alternatively you can tell Apache to "Satisfy any" and allow some local users depending on their IP address. You may or may not be able to configure mod_mellon to allow optional SSO auth.
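An added example (not from the thread or from RT itself) of the Logout.html Default callback Thomas mentions, as a Mason component saved under local/html/Callbacks/MyRT/NoAuth/Logout.html/Default; "MyRT" is an arbitrary callback-set name. It assumes the callback receives a reference to the redirect URL in $URL, so check the $m->callback(...) line in your own NoAuth/Logout.html first, and the mod_mellon logout URL shown is a constructed value for the IdP/SP setup described above.

```mason
<%ARGS>
$URL => undef
</%ARGS>
<%INIT>
# Constructed example: mod_mellon's SP logout endpoint under the
# MellonEndpointPath, with ReturnTo pointing back at RT's front page.
# ReturnTo has to be a URL mod_mellon is configured to allow.
my $sso_logout = "https://rt.example.com/mellon/logout?ReturnTo="
               . "https://rt.example.com/";

# Only override the redirect when RT actually handed us the reference;
# otherwise the stock behaviour (redirect to WebPath) is kept.
$$URL = $sso_logout if ref $URL eq 'SCALAR';
</%INIT>
```

The 1-second pause before the redirect is RT's $LogoutRefresh setting in RT_SiteConfig.pm, separate from this callback.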
[rt-users] ExternalAuth - attr_map used to populate Custom Fields?
This is a simple question that I suspect probably has a complicated answer: Can I use the attr_map to map Active Directory attributes to Request Tracker for Custom Fields? I would like to pull in some additional attributes such as 'company' and 'title' and populate some Custom Fields that I created for Users.

Any advice?

---
Kevin Elliott
Networking Specialist II
Alaska Department of Revenue, ASD-IT
(907) 465-2314