Re: [rt-users] [Rt-announce] RT for Mobile Devices 0.9

2010-08-09 Thread Julian Grunnell
Thanks Jesse - love it, just bumped to v0.93 from your v9 release and
works a treat on our iPhone 4's & BB STORM2's.

Julian.

--
Julian Grunnell
This email is subject to: www.corporate.webfusion.co.uk/disclaimer

>-Original Message-
>From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-
>boun...@lists.bestpractical.com] On Behalf Of Howard Jones
>Sent: 06 August 2010 19:30
>To: rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] [Rt-announce] RT for Mobile Devices 0.9
>
>  On 06/08/2010 17:45, Jesse Vincent wrote:
>> 0.92 should fix that issue. I've pushed it to cpan already.
>0.93 from PAUSE resolved the Page Not Found for me.
>
>This will be a very valuable plugin for our on-call guys, who already
>have an iPhone. Thanks, Jesse.
>
>Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>Buy a copy at http://rtbook.bestpractical.com





Re: [rt-users] RT & mysql / LDAP Auth

2010-05-18 Thread Julian Grunnell
>-Original Message-
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 14 May 2010 10:33
>To: Julian Grunnell; rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>
>> Right, thanks - that makes sense now. I misunderstood the use of this
>> and thought you had to define ALL the authentication methods you wanted
>> to use. So I have removed the MySQL section completely from the config
>> and tried again with different results. Using my LDAP credentials I
>> still get "Your username or password is incorrect" BUT RT has created me
>> as a user, the "Let this user be granted rights" box is unchecked and
>> I'm NOT a member of any Groups. The logs created when this was done are:
>
>1. It found you and loaded your information from LDAP just as it should.
>2. ExternalAuth cannot currently add you to any internal RT groups based
>on LDAP information, this must be done in the RT administration panels.
>3. If you want LDAP users to be automatically assigned "Let this user be
>granted rights" then you may do so with this config setting:
>  Set($AutoCreate, {Privileged => 1});
>Otherwise it will need setting manually along with group membership.
>
>
>The only thing that is now failing for you is authentication and the
>reason is now obvious:
>
>Your config
>###
># Does authentication depend on group membership? What group name?
>'group'  =>  'GROUP_NAME',
># What is the attribute for the group object that determines membership?
>'group_attr'  =>  'GROUP_ATTR',
>#######
>
>Your log
>###
>[Fri May 14 08:22:42 2010] [critical]: Search for (GROUP_ATTR=CN=Julian Grunnell,OU=Technical,OU=Users,OU=Leeds,OU=Webfusion,OU=Hosting,OU=Corp,DC=internal,DC=hosteurope,DC=com) failed: LDAP_INVALID_DN_SYNTAX 34
>
>###
>
>You have told ExternalAuth that all ldap users must be in an ldap group
>named GROUP_NAME and that in order to confirm that the users are a
>member of that group, the members should be in the GROUP_ATTR attribute
>of that group.
>
>If you simply comment out group and group_attr it should work fine. If
>in future you wish to restrict access by group, ensure the group name is
>specified in full ldap dn form.
>--
Thanks Mike - appreciate your help with this, made the changes you
suggest and it works a treat now. Now to look at the script that can
convert to ldap style logins.

Julian.
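
A pre-flight check for the `group` and `group_attr` settings discussed in this message, as an added example that is not part of the original thread or of RT::Authen::ExternalAuth: it flags values that are not a full DN or an attribute name, and builds the membership filter seen in the log with RFC 4515 escaping. The function names, the sample DNs and the `member` attribute are assumptions.

```python
import re

# Attribute descriptor: short name (RFC 4512 descr) or dotted numeric OID.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
PLACEHOLDERS = {"GROUP_NAME", "GROUP_ATTR"}  # sample values left in the thread's config

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def is_dn(value):
    """True if every RDN looks like attr=value (simplified RFC 4514 check)."""
    for rdn in split_rdns(value):
        attr, sep, val = rdn.strip().partition("=")
        if not sep or not val or not ATTR_RE.match(attr.strip()):
            return False
    return True

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def check_group_settings(group, group_attr, user_dn):
    """Return (problems, membership_filter) for the two settings."""
    problems = []
    if group in PLACEHOLDERS or not is_dn(group):
        problems.append("group %r is not a full LDAP DN" % group)
    if group_attr in PLACEHOLDERS or not ATTR_RE.match(group_attr):
        problems.append("group_attr %r is not an attribute name" % group_attr)
    return problems, "(%s=%s)" % (group_attr, escape_filter(user_dn))

if __name__ == "__main__":
    # Constructed inputs: the thread's placeholders, then a made-up group DN.
    print(check_group_settings("GROUP_NAME", "GROUP_ATTR", "CN=J Doe,DC=example,DC=com"))
    print(check_group_settings("CN=RT Users,OU=Groups,DC=example,DC=com", "member",
                               "CN=Doe\\, Jane (ops),OU=Users,DC=example,DC=com"))
```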




Re: [rt-users] RT & mysql / LDAP Auth

2010-05-14 Thread Julian Grunnell
--
Julian Grunnell
This email is subject to: www.corporate.webfusion.co.uk/disclaimer

>-Original Message-
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 13 May 2010 13:56
>To: Julian Grunnell
>Cc: rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>>> -Original Message-
>>> From: Mike Peachey [mailto:mike.peac...@jennic.com]
>>> Sent: 10 May 2010 12:54
>>> To: Julian Grunnell
>>> Cc: rt-users@lists.bestpractical.com
>>> Subject: Re: [rt-users] RT & mysql / LDAP Auth
>>>
>>
>> So at present users are just authenticating against RT's own DB for user
>> access. What I'd like to do is keep this but also have LDAP. The reason
>> being users now have multiple usernames / passwords for different
>> services we run and I want to use LDAP as a way to simplify this - BUT
>> in order for this to be done I also need to be able to keep the MySQL
>> access for now and not break RT for all the users.
>>
>> The RT DB is on a different physical server and the fact that after I
>> restarted httpd with the config above and could still login with my
>> usual (mysql) credentials assumed that at least part of it was working -
>> is this not the case?
>
>No, you've misunderstood and it has massively complicated your debugging
>of the situation.
>
>ExternalAuth *only* adds to the available authentication mechanisms. It
>does not replace RT's own. The use of ExternalAuth MySQL authentication
>is if you want to be able to authenticate against some other MySQL
>source such as a custom website database or the database of another
>web-application. This is /in addition/ to checking against RT's own
>internal database (whether this is hosted locally or not).
>
>So, authentication happens in this order:
>
>1. ExternalAuth
>2. RT-Internal
>
>And you can have as many ExternalAuth sources as you wish.
>
>
>For your setup, what you want is to only specify the LDAP source which
>is then checked for a valid user. If there's no user in LDAP, RT's
>internal DB will be checked.
>--
>Kind Regards,
>
Right, thanks - that makes sense now. I misunderstood the use of this
and thought you had to define ALL the authentication methods you wanted
to use. So I have removed the MySQL section completely from the config
and tried again with different results. Using my LDAP credentials I
still get "Your username or password is incorrect" BUT RT has created me
as a user, the "Let this user be granted rights" box is unchecked and
I'm NOT a member of any Groups. The logs created when this was done are:

[Fri May 14 08:22:41 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Fri May 14 08:22:41 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Fri May 14 08:22:41 2010] [debug]: UserExists params: username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Fri May 14 08:22:41 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Fri May 14 08:22:41 2010] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Fri May 14 08:22:41 2010] [debug]: Attempting to use this canonicalization key: Name (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Fri May 14 08:22:41 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Fri May 14 08:22:41 2010] [info]:
RT::Authen::ExternalAu

Re: [rt-users] RT & mysql / LDAP Auth

2010-05-12 Thread Julian Grunnell
>-Original Message-
>From: Mike Peachey [mailto:mike.peac...@jennic.com]
>Sent: 10 May 2010 12:54
>To: Julian Grunnell
>Cc: rt-users@lists.bestpractical.com
>Subject: Re: [rt-users] RT & mysql / LDAP Auth
>
>Julian Grunnell wrote:
>> Hi - hoping someone can help me, I'm trying to get the
>> RT::Authen::ExternalAuth plugin to work so I can use LDAP for
>> authentication. Just using mysql at the moment, so want to keep this as
>> well. Running RT 3.8.5 on Centos, I'd like mysql auth first and then
>> LDAP next. I've managed to configure this without any errors and my
>> mysql authentication still works after a httpd restart. However LDAP
>> auth never works, I'm not that familiar with LDAP so am hoping if I
>> provide my config and rt.log below someone might be able to point me in
>> the right direction:
>
>Looks like the whole thing is dying during the MySQL check.
>
>1. Provide the whole config
>2. Are you sure you're supposed to be using ExternalAuth for MySQL auth?
>Are you actually using it to check against an external MySQL source, or
>are you trying to use MySQL to check RT's own database?
>

The whole config is:

##
## Local settings - overrides RT_Config.pm
##

Set($WebBaseURL, "https://xxx.xxx.xxx");
Set($rtname, 'xxx');
Set($Organization , "xxx");
Set($MinimumPasswordLength , "8");
Set($OwnerEmail , 'jul...@xxx.xxx');
Set($SMTPFrom, 'supp...@xxx.xxx');
Set($Timezone , 'GB/London');
Set($UsernameFormat, 'concise');
Set($OldestTransactionsFirst, '0');
Set($SenderMustExistInExternalDatabase);
Set($LogToSyslog, 'debug');
Set($UseFriendlyFromLine, 0);
Set($WebDomain, 'xxx.xxx.xxx');
Set($WebDefaultStylesheet, '3.5-default');
Set($WebPort, 443);
Set($MaxInlineBody, 148000);


## Display Webfusion logo / link
##
Set($WebImagesURL , $WebPath . "/NoAuth/images/");  # need this for below
Set($LogoURL, $WebImagesURL . "xxx-logo.png");
Set($LogoLinkURL, 'http://xxx.xxx.xxx');
Set($LogoImageURL, $WebImagesURL . "xxx.xxx.png");
Set($LogoAltText, "xxx");


# {{{ Logging

Set($LogToSyslog,'critical');
Set($LogToScreen, 'error');
Set($LogToFile  , 'debug');
Set($LogDir, '/opt/rt3/var/log/rt3');
Set($LogToFileNamed , "rt.log");#log to rt.log


#Set(@Plugins,(qw(RT::Extension::SLA)));
#Set( %ServiceAgreements,
#Default => '4h',
#QueueDefault => {
#'General' => '4h',
#},
#Levels => {
#'2h' => {
#   StartImmediately => 1,
#   Resolve => { RealMinutes => 60*2 } },
#'4h' => {
#   StartImmediately => 1,
#   Resolve => { RealMinutes => 60*4 } },
#},
#);


#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));


## MySQL / LDAP Configuration
#
# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority,  [   'My_MySQL',
                                'My_LDAP'
                            ]
);

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
#
# Once user info is found, no more services are checked.
#
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority,  [   'My_MySQL',
                                'My_LDAP'
                            ]
);

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS,0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers,0);

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
# Set(ExternalAuthPriority,['My_LDAP','My_MySQL','My_Oracle','SecondaryLDAP','Other-DB']);
#
Set($ExternalSettings,  {   # AN EXAMPLE DB SERVICE
                            'My_MySQL'   =>  {  ## GENERIC SECTION

[rt-users] RT & mysql / LDAP Auth

2010-05-10 Thread Julian Grunnell
 
                    'EmailAddress',
                    'RealName',
                    'WorkPhone',
                    'Address2'
                ],
# The mapping of RT attributes on to LDAP attributes
'attr_map' =>  {   'Name' => 'sAMAccountName',
                   'EmailAddress' => 'mail',
                   'Organization' => 'physicalDeliveryOfficeName',
                   'RealName' => 'cn',
                   'ExternalAuthId' => 'sAMAccountName',
                   'Gecos' => 'sAMAccountName',
                   'WorkPhone' => 'telephoneNumber',
                   'Address1' => 'streetAddress',
                   'City' => 'l',
                   'State' => 'st',
                   'Zip' => 'postalCode',
                   'Country' => 'co'

 

 

And this is a complete log entry if I try to use my LDAP credentials:

 

[Sun May  9 10:10:24 2010] [debug]: RT's GnuPG libraries couldn't successfully read your configured GnuPG home directory (/opt/rt3/var/data/gpg). PGP support has been disabled (/opt/rt3/bin/../lib/RT/Config.pm:380)

[Sun May  9 10:10:24 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)

[Sun May  9 10:10:24 2010] [debug]: Attempting to use external auth service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Sun May  9 10:10:24 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_MySQL) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)

[Sun May  9 10:10:24 2010] [debug]: Disable Check Failed :: ( My_MySQL ) jgrunnell User not found (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:234)

[Sun May  9 10:10:24 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)

[Sun May  9 10:10:24 2010] [debug]: Calling UserExists with $username (jgrunnell) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)

[Sun May  9 10:10:24 2010] [debug]: UserExists params: username: jgrunnell , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)

[Sun May  9 10:10:25 2010] [debug]: LDAP Search ===  Base: ou=hosting,ou=corp,dc=internal,dc=hosteurope,dc=com == Filter: (&(objectClass=User)(sAMAccountName=jgrunnell)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)

[Sun May  9 10:10:25 2010] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Disabled: 0, EmailAddress: , Gecos: jgrunnell, Name: jgrunnell, Privileged: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)

[Sun May  9 10:10:25 2010] [debug]: Attempting to get user info using this external service: My_MySQL (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)

[Sun May  9 10:10:25 2010] [debug]: Attempting to use this canonicalization key: Gecos (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)

[Sun May  9 10:10:25 2010] [warning]: DBD::mysql::db selectall_hashref failed: Unknown column 'email' in 'field list' at /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 163,  line 273. (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)

[Sun May  9 10:10:25 2010] [warning]: Issuing rollback() for database handle being DESTROY'd without explicit disconnect() at /opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm line 163,  line 273. (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/DBI.pm:163)

[Sun May  9 10:10:25 2010] [error]: FAILED LOGIN for jgrunnell from 212.103.233.1 (/opt/rt3/share/html/autohandler:268)

 

 

 

Thanks in advance.

 

Julian Grunnell
Unix Sys Admin
Webfusion Limited.

Phone:0208 587 7212
Mobile:07803649593
Email:julian.grunn...@webfusion.com
