Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

there are these settings in RT:

    # tells RT to use the REMOTE_USER provided by the web server
    Set($WebExternalAuth , 1);
    # tells RT to display its normal login screen if REMOTE_USER fails
    Set($WebFallbackToInternalAuth , 1);
    # tells RT to create users automatically if no user matching REMOTE_USER is found
    Set($WebExternalAuto , 1);

I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?

Best Regards,
Oliver

From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Tuesday, 3 September 2013 21:47
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.

On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de> wrote:

> Hi all,
>
> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy. What we have on our reverse proxy is this:
>
>     ProxyPass /rt/ http://hostname.local/rt/ max=100
>     ProxyPassReverse /rt/ http://hostname.local/rt/
>     RedirectMatch ^/$ /rt/
>
>     # Proxy all locations
>     <Proxy *>
>         AddDefaultCharset off
>         Order deny,allow
>         Deny from none
>     </Proxy>
>
>     <Location /rt>
>         AuthType Kerberos
>         AuthName "Kerberos Login"
>         KrbAuthRealms KRB5.LOCAL
>         Krb5KeyTab /etc/apache2/host.keytab
>         KrbMethodNegotiate on
>         KrbAuthoritative on
>         KrbMethodK5Passwd off
>         KrbSaveCredentials on
>         require valid-user
>
>         # SSO
>         RewriteEngine On
>         RewriteCond %{LA-U:REMOTE_USER} (.+)$
>         RewriteRule . - [E=RU:%1]
>         RequestHeader set REMOTE_USER %{RU}e
>     </Location>
>
> Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.

--
Best regards, Ruslan.
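
Ruslan's point above, as an added Python sketch that is not from the thread or from RT: under the CGI convention a request header such as the proxy's `REMOTE_USER` reaches the application as `HTTP_REMOTE_USER`, while `REMOTE_USER` itself comes only from the backend server's own authentication. The middleware, the header name `X-Forwarded-User`, the address 192.0.2.10 and the user names are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed for this sketch: the proxy's address and the header it sets.
TRUSTED_PROXIES = (ipaddress.ip_network("192.0.2.10/32"),)
USER_HEADER = "X-Forwarded-User"


def header_to_env_key(name):
    """CGI naming rule (RFC 3875): request header Foo-Bar becomes HTTP_FOO_BAR."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(peer_ip, headers, authenticated_user=None):
    """Model of the environment a web server hands to an app such as RT.

    REMOTE_USER is set only from the server's own authentication result;
    anything the client or proxy sent as a header lands under HTTP_*.
    """
    env = {"REMOTE_ADDR": peer_ip}
    for name, value in headers.items():
        env[header_to_env_key(name)] = value
    if authenticated_user:
        env["REMOTE_USER"] = authenticated_user
    return env


class ProxyUserMiddleware:
    """WSGI middleware: promote the proxy-asserted user to REMOTE_USER,
    but only when the TCP peer is a trusted proxy."""

    def __init__(self, app, trusted=TRUSTED_PROXIES, header=USER_HEADER):
        self.app = app
        self.trusted = trusted
        self.key = header_to_env_key(header)

    def __call__(self, environ, start_response):
        asserted = environ.pop(self.key, "").strip()  # app never sees the raw header
        peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        from_proxy = any(peer in net for net in self.trusted)
        if asserted and from_proxy and "REMOTE_USER" not in environ:
            environ["REMOTE_USER"] = asserted
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Stand-in for the application: reports the identity it would log in."""
    user = environ.get("REMOTE_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]


def identity_seen(app, peer_ip, headers):
    """Run one request through `app` and return the identity it saw."""
    body = app(build_environ(peer_ip, headers), lambda status, hdrs: None)
    return b"".join(body).decode()
```

Without the middleware the header set by the proxy leaves the application anonymous, which matches the symptom in the thread; with it, the same assertion is accepted from the proxy address and discarded from any other peer.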
[rt-users] Result page not up to date after TransactionBatch scrips
Hello,

We use RT 4.0.13. We customized our installation with some scrips. Some of them have to work in TransactionBatch mode.

One of the scrips changes the ticket owner on queue change. This is done by a scrip working in the mentioned TransactionBatch mode. When the queue is changed on the Basics screen (Ticket/Modify.html), the scrip is executed without a failure. The problem is that the result page shows the OLD VALUE of the owner. Clicking Display or Basics again shows that the owner was really changed by the scrip.

The problem exists on a blank RT instance as well (only one new queue and the following scrip created).

    <CustomPrepareCode>1;</CustomPrepareCode>
    <Queue>0</Queue>
    <ScripAction>User Defined</ScripAction>
    <ScripCondition>User Defined</ScripCondition>
    <Stage>TransactionBatch</Stage>
    <Template>Blank</Template>
    <CustomCommitCode>
    my ($status_id, $status_msg);
    my $qId;
    my @batch = @{ $self->TicketObj->TransactionBatch };
    foreach my $trans ( @batch ) {
        if ($trans->Type eq 'Set' && $trans->Field eq 'Queue') {
            # if queue changed to COE_XX set owner to opcenter
            $qId = $trans->NewValue;
            my $qObj = new RT::Queue($RT::SystemUser);
            $qObj->Load($qId);
            if ($qObj->Name eq 'COE_XX') {
                ($status_id, $status_msg) = $self->TicketObj->SetOwner('opcenter', 'Force');
                $RT::Logger->info("Change owner: $status_msg");
                return !$status_id;
            }
            # in other cases, just set owner to nobody
            ($status_id, $status_msg) = $self->TicketObj->SetOwner(RT::Nobody(), 'Force');
            $RT::Logger->info("Change owner: $status_msg");
            return 1;
        }
    }
    1;
    </CustomCommitCode>
    <CustomIsApplicableCode>
    my @batch = @{ $self->TicketObj->TransactionBatch };
    foreach my $trans ( @batch ) {
        return 1 if ($trans->Field eq "Queue");
    }
    return 0;
    </CustomIsApplicableCode>

Do you have any idea how to force RT to show current values on the result page?

Best regards,
Rafal
[rt-users] Fwd: Need Help on RT
This got directed to my personal mail by mistake -- forwarding to the list.

-- Forwarded message --

Dear Concern,

I need help on RT. I am new to Linux and RT. We previously had RT 3.6.5; now, with the help of my friend, I have upgraded it to 3.8.0. I am facing two issues.

1. While sending mail from RT to one time CC and BB they are not getting mail. I have checked the notify scrips etc.; all seem to be right.

2. When I send any mail to user along with attachment at the user end it will so message transition appear to have no context

Please help me on this. It would be really helpful for me. I have been stuck on this for the last one month.

Thanks a lot in advance.

Alok

Sent from BlackBerry® on Airtel
Re: [rt-users] Fwd: How to list all enabled users in Perl script?
Hi,

Nathan Cutler wrote:

> Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing debug statements there to check what is going on.
>
> OK, I'll try that. I ran some more tests on my testing RT instance. Here's what I just found out:
>
> When no users are merged, the script produces the same output (same users, same number of users) as the SELECT statement.
>
> When I then go and merge a single user into another user, the number of users produced by the script decreases by *two* -- the merged user *plus* the alphabetically last user.

I can reproduce this on our installation (RT 4.0.17). I suspect it's also the cause for the problem I reported earlier last week - while logged in as a merged user, my user wouldn't show up as potential owner when modifying a ticket. It's not a rights problem in my case since this user can take any ticket.

I did try to trace the problem in the code, but I got lost in the vast wilderness of DBIx::SearchBuilder subclasses ;-)

Kind regards,
Thomas Bätzler
--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany
Phone: +49 721 94246-0
Phone: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/
Managing Director: Dipl.-Ing. (FH) Martin Bringe
VAT ID: DE812936645, HRB 108943 Mannheim
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

http://www.gossamer-threads.com/lists/apache/dev/370306

On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de> wrote:

> Hi,
>
> there are these settings in RT:
>
>     # tells RT to use the REMOTE_USER provided by the web server
>     Set($WebExternalAuth , 1);
>     # tells RT to display its normal login screen if REMOTE_USER fails
>     Set($WebFallbackToInternalAuth , 1);
>     # tells RT to create users automatically if no user matching REMOTE_USER is found
>     Set($WebExternalAuto , 1);
>
> I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?
>
> Best Regards,
> Oliver
>
> From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
> Sent: Tuesday, 3 September 2013 21:47
> To: Oliver Weinmann
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
>
> Hi,
>
> Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.
>
> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de> wrote:
>
> > Hi all,
> >
> > we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy. What we have on our reverse proxy is this:
> >
> >     ProxyPass /rt/ http://hostname.local/rt/ max=100
> >     ProxyPassReverse /rt/ http://hostname.local/rt/
> >     RedirectMatch ^/$ /rt/
> >
> >     # Proxy all locations
> >     <Proxy *>
> >         AddDefaultCharset off
> >         Order deny,allow
> >         Deny from none
> >     </Proxy>
> >
> >     <Location /rt>
> >         AuthType Kerberos
> >         AuthName "Kerberos Login"
> >         KrbAuthRealms KRB5.LOCAL
> >         Krb5KeyTab /etc/apache2/host.keytab
> >         KrbMethodNegotiate on
> >         KrbAuthoritative on
> >         KrbMethodK5Passwd off
> >         KrbSaveCredentials on
> >         require valid-user
> >
> >         # SSO
> >         RewriteEngine On
> >         RewriteCond %{LA-U:REMOTE_USER} (.+)$
> >         RewriteRule . - [E=RU:%1]
> >         RequestHeader set REMOTE_USER %{RU}e
> >     </Location>
> >
> > Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.
>
> --
> Best regards, Ruslan.

--
Best regards, Ruslan.
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

thanks for the hint, but this doesn’t solve the issue yet. I have done the following. I have tested the KRB5 setup on the host directly. This works fine. I see this in the logs on the RT host.

Accessing the RT host directly:

    [Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1628): [client ] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1240): [client ] Acquiring creds for HTTP@gedadvl05-clone
    [Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1385): [client ] Verifying client data using KRB5 GSS-API
    [Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1401): [client ] Client didn't delegate us their credential
    [Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1420): [client ] GSS-API token of length 181 bytes will be sent back
    [Wed Sep 04 14:00:11 2013] [debug] mod_deflate.c(615): [client ] Zlib: Compressed 43435 to 6091 : URL /rt/

Accessing via the reverse proxy:

    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1628): [client ] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1240): [client ] Acquiring creds for HTTP@gedadvl05-clone
    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1385): [client ] Verifying client data using KRB5 GSS-API
    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1401): [client ] Client didn't delegate us their credential
    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1420): [client ] GSS-API token of length 9 bytes will be sent back
    [Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1101): [client ] GSS-API major_status:000d, minor_status:000186a5
    [Wed Sep 04 14:02:55 2013] [error] [client ] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
    [Wed Sep 04 14:02:55 2013] [debug] mod_deflate.c(615): [client ] Zlib: Compressed 482 to 326 : URL /rt/

I’m also not sure about the configuration of the RT host itself. Does it have to be Kerberos enabled too? I have this in /etc/apache2/httpd.conf:

    #<Directory /usr/share/request-tracker4/html>
    #    AuthType Kerberos
    #    AuthName "Request Tracker"
    #    KrbMethodNegotiate On
    #    KrbMethodK5Passwd On
    #    KrbVerifyKDC On
    #    Krb5Keytab /etc/apache2/rtkeytab
    #    KrbAuthoritative On
    #    KrbSaveCredentials On
    #    Require valid-user
    #    AllowOverride None
    #</Directory>

If I disable this I’m not logged in but there is also no login (username/password) displayed, but the RT website is shown also when accessing via the proxy.

From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Wednesday, 4 September 2013 13:19
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,

http://www.gossamer-threads.com/lists/apache/dev/370306

On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de> wrote:

> Hi,
>
> there are these settings in RT:
>
>     # tells RT to use the REMOTE_USER provided by the web server
>     Set($WebExternalAuth , 1);
>     # tells RT to display its normal login screen if REMOTE_USER fails
>     Set($WebFallbackToInternalAuth , 1);
>     # tells RT to create users automatically if no user matching REMOTE_USER is found
>     Set($WebExternalAuto , 1);
>
> I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?
>
> Best Regards,
> Oliver
>
> From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
> Sent: Tuesday, 3 September 2013 21:47
> To: Oliver Weinmann
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
>
> Hi,
>
> Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.
>
> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <oliver.weinm...@telespazio-vega.de> wrote:
>
> > Hi all,
> >
> > we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy. What we have on our reverse proxy is this:
> >
> >     ProxyPass /rt/ http://hostname.local/rt/ max=100
> >     ProxyPassReverse /rt/ http://hostname.local/rt/
> >     RedirectMatch ^/$ /rt/
> >
> >     # Proxy all locations
> >     <Proxy *>
> >         AddDefaultCharset off
> >         Order deny,allow
> >         Deny from none
> >     </Proxy>
> >
> >     <Location /rt>
> >         AuthType Kerberos
> >         AuthName "Kerberos Login"
> >         KrbAuthRealms
Re: [rt-users] Fwd: How to list all enabled users in Perl script?
On Wed, Sep 4, 2013 at 2:45 PM, Thomas Bätzler <t.baetz...@bringe.com> wrote:

> Hi,
>
> Nathan Cutler wrote:
>
> > Find `sub Next` in lib/RT/Extension/MergeUsers.pm, put logging or printing debug statements there to check what is going on.
> >
> > OK, I'll try that. I ran some more tests on my testing RT instance. Here's what I just found out:
> >
> > When no users are merged, the script produces the same output (same users, same number of users) as the SELECT statement.
> >
> > When I then go and merge a single user into another user, the number of users produced by the script decreases by *two* -- the merged user *plus* the alphabetically last user.
>
> I can reproduce this on our installation (RT 4.0.17). I suspect it's also the cause for the problem I reported earlier last week - while logged in as a merged user, my user wouldn't show up as potential owner when modifying a ticket. It's not a rights problem in my case since this user can take any ticket.

agree.

> I did try to trace the problem in the code, but I got lost in the vast wilderness of DBIx::SearchBuilder subclasses ;-)

I'm planning to look at it later tonight or tomorrow. Guys, please send version of DBIx::SearchBuilder, just in case it's not the latest.

> Kind regards,
> Thomas Bätzler
> --
> BRINGE Informationstechnik GmbH
> Zur Seeplatte 12
> D-76228 Karlsruhe
> Germany
> Phone: +49 721 94246-0
> Phone: +49 171 5438457
> Fax: +49 721 94246-66
> Web: http://www.bringe.de/
> Managing Director: Dipl.-Ing. (FH) Martin Bringe
> VAT ID: DE812936645, HRB 108943 Mannheim

--
Best regards, Ruslan.
[rt-users] Custom Field as a column in search results?
Hi all!

I have my RT instance set up to have a Change Management queue with the hidden _Approvals method (works awesome by the way). Tickets in this queue have a Custom Field set for an Impact to user level. I would like to be able to see this CF value as a column in the search results of the [_1] newest unowned tickets. Is this possible without major modifications?

Thanks in advance!

---
Matt Brister, Sr. Desktop Support Analyst (mbris...@talentwise.com)
TalentWise
Re: [rt-users] Mail via ticket ID rather than queue
On Wed, Sep 04, 2013 at 12:53:29PM +1000, Sam Wilson wrote:

> Hi rt-users,
>
> I have configured a multiple queue RT instance with mailgate as follows, we create new tickets in the support queue before moving them to specific queues to be worked on and closed.
>
> supp...@example.com
> que...@example.com
> que...@example.com
>
> By itself mailgate is working fine. For example I can raise a ticket directly in queue1 via email.
>
> The issue is around the process of creating all tickets in the support pool before moving to a different queue. This means that users who reply to supp...@example.com after having the ticket moved will actually duplicate a new ticket with a new ID as their original ticket is now at que...@example.com.

This isn't how a properly configured RT works. Are your users removing the Subject Tag? The [sitename #1234] in your email subjects allows RT to route email sent to supp...@example.com back to the ticket which has been moved to queue2.

-kevin
Re: [rt-users] Mail via ticket ID rather than queue
Turns out this was a pebkac issue for me. We had set a SubjectTag for each queue rather than using the sitename. After removing the individual subjecttags this is working correctly.

Cheers,
Sam

On Thu, Sep 5, 2013 at 5:19 AM, Kevin Falcone <falc...@bestpractical.com> wrote:

> On Wed, Sep 04, 2013 at 12:53:29PM +1000, Sam Wilson wrote:
>
> > Hi rt-users,
> >
> > I have configured a multiple queue RT instance with mailgate as follows, we create new tickets in the support queue before moving them to specific queues to be worked on and closed.
> >
> > supp...@example.com
> > que...@example.com
> > que...@example.com
> >
> > By itself mailgate is working fine. For example I can raise a ticket directly in queue1 via email.
> >
> > The issue is around the process of creating all tickets in the support pool before moving to a different queue. This means that users who reply to supp...@example.com after having the ticket moved will actually duplicate a new ticket with a new ID as their original ticket is now at que...@example.com.
>
> This isn't how a properly configured RT works. Are your users removing the Subject Tag? The [sitename #1234] in your email subjects allow RT to route email sent to supp...@example.com back to the ticket which has been moved to queue2.
>
> -kevin
Re: [rt-users] Mail via ticket ID rather than queue
On Thu, Sep 05, 2013 at 08:10:37AM +1000, Sam Wilson wrote:

> Turns out this was a pebkac issue for me. We had set a SubjectTag for each queue rather than using the sitename. After removing the individual subjecttags this is working correctly.

Subject Tags, set on the Queue Admin page, work fine for the scenario you describe; we use them in production today with tickets that move across Queues and are sent to old email addresses.

RT looks for the $rtname, $EmailSubjectTagRegex and every queue subject tag configured in the system.

I expect you have a misconfiguration or custom local development.

-kevin

> On Thu, Sep 5, 2013 at 5:19 AM, Kevin Falcone <falc...@bestpractical.com> wrote:
>
> > On Wed, Sep 04, 2013 at 12:53:29PM +1000, Sam Wilson wrote:
> >
> > > Hi rt-users,
> > >
> > > I have configured a multiple queue RT instance with mailgate as follows, we create new tickets in the support queue before moving them to specific queues to be worked on and closed.
> > >
> > > supp...@example.com
> > > que...@example.com
> > > que...@example.com
> > >
> > > By itself mailgate is working fine. For example I can raise a ticket directly in queue1 via email.
> > >
> > > The issue is around the process of creating all tickets in the support pool before moving to a different queue. This means that users who reply to supp...@example.com after having the ticket moved will actually duplicate a new ticket with a new ID as their original ticket is now at que...@example.com.
> >
> > This isn't how a properly configured RT works. Are your users removing the Subject Tag? The [sitename #1234] in your email subjects allow RT to route email sent to supp...@example.com back to the ticket which has been moved to queue2.