[rt-users] managing ldap users / RT-Authen-ExternalAuth question
Hi,

My RT-Authen-ExternalAuth works - as in, I can login to RT using my active directory username/password. however, when I login using my AD account I don't see many things. I only see open tickets / closed tickets / new ticket on the left side there..

how can I give the ability to view all queues to authenticated users, for instance? I tried doing this in config -> global -> group rights: SeeQueue to Everyone but that didn't seem to help..

also, another question: if I go to configuration -> users I only see root there. I don't see the LDAP account that I successfully logged in with previously. Why?

My RT_SiteConfig.pm and externalauth's RT_SiteConfig.pm are attached

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, 'rt.mydomain.org');
Set( $Organization, 'rt.mydomain.org');
Set($MinimumPasswordLength , 5);
Set($Timezone , 'US/Eastern');
Set(@Plugins, qw(
    RT::Authen::ExternalAuth
    ));
Set($HomepageComponents, [qw( QuickCreate Quicksearch MyAdminQueues MySupportQueues MyReminders RefreshHomepage Dashboards )]);
Set( $DatabaseType, 'mysql');
Set( $DatabaseHost, 'localhost');
Set( $DatabaseRTHost , 'localhost');
Set( $DatabaseName , 'rt3');
Set( $DatabasePort , '');
Set( $DatabaseUser , 'rtuser');
Set( $DatabasePassword , 'mypassword');
Set($OwnerEmail , 'root');
Set($LoopsToRTOwner , 1);
Set($SendmailArguments , '-oi -t -f vpolya...@mydomain.org');
Set($MaxAttachmentSize , 1000);
Set($RTAddressRegexp , '^...@rt.mydomain.org$');
Set($CorrespondAddress , 'no-re...@rt.mydomain.org');
Set($CommentAddress , 'no-re...@rt.mydomain.org');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s\" <%s>");
Set($UseFriendlyToLine , 1);
Set($FriendlyToLineFormat , "\"%s Ticket #%s\":;");
Set($NotifyActor , 0);
Set($RecordOutgoingEmail , 1);
Set($WebPath , "/ticket");
Set($WebPort , 80);
Set($WebBaseURL , "http://rt");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebURL . "/NoAuth/images");
Set($MessageBoxWidth , 72);
Set($MessageBoxWrap, "HARD");
Set($MaxInlineBody, 13456);
Set($DefaultSummaryRows, 10);
Set($OldestTransactionsFirst, '1');
Set($DateDayBeforeMonth , 0);
Set($AmbiguousDayInPast , 1);
require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
Set($Autocreate, {Privileged => 1});
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
1;

RT_SiteConfig.pm.externalauth
Description: Binary data

RT Training in Washington DC, USA on Oct 25 26 2010 Last one this year -- Learn how to get the most out of RT!
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
> Can you log in as root?

yes

> If so you should be able to search for the ldap user you logged in as and then grant them access.

how? where do I search? the only 'users' that I see is in configuration -> users, and you're saying that's the wrong place..
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
perfect, that worked! few more questions:

I downloaded rtldapimport and took a look at the readme, and here's the thing: my users are spread out across 5 OUs - there's no single OU to point rtldapimport to and have it import all of my users. is there a way for me to specify the 5 bases to search in?

and another: what would be the easiest/quickest way to make all my ldap users privileged, after they are imported through rtldapimport?

thanks again for all your help

--Val

> Val,
>
> At the bottom of the Config->Users display page is a box you can check to include disabled users in the search. Check that and you should see everyone.
>
> Kenn
> LBNL
>
> On Wed, Sep 29, 2010 at 9:11 AM, Val Polyakov v...@polyakov.me wrote:
>
>>> Can you log in as root?
>>
>> yes
>>
>>> If so you should be able to search for the ldap user you logged in as and then grant them access.
>>
>> how? where do I search? the only 'users' that I see is in configuration -> users, and you're saying that's the wrong place..
Re: [rt-users] managing ldap users / RT-Authen-ExternalAuth question
> Val,
>
> You could set your RT_SiteConfigure.pm file with these settings:
>
> Set($AutoCreate, {Privileged => 1});
>
> This would ensure any additions would all be privileged.

awesome, thanks

> As to those that are already Users, I have no idea how to make them all Privileged.

it's a fresh install with no users, so far I was the only one who logged in to this thing with my AD account.. and I already made that one privileged manually. so looks like I'm all set for now :)

I've asked this before on the list, but didn't get any replies.. I'll try my luck again here, if you don't mind:

My users are spread across 5 OUs: ou=users,ou=city,dc=mydomain,dc=org where city is the city that they reside in. there's no catchall OU with all of these users. how can I set up RT-Authen-ExternalAuth to look in all 5 OUs for the user? I have this now:

...
'base' => 'ou=Users,ou=Yonkers,dc=mydomain,dc=org',
...

Feel like I'm overlooking something simple. perhaps I need to set up 5 ldap sections inside /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm (My_LDAP, My_LDAP1, MY_LDAP2, etc), with them being absolutely identical aside for the city OU? Not sure
Re: [rt-users] ldap externalauth problem
ldapsearch works, i can find myself using:

ldapsearch -LLL -x -H ldap://ADserver:389 -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'

I also turned on debug logging for externalauth, and here's what I see in the log. the password I'm providing is correct, it seems to be able to find my account, but then I get an auth failure.. why ? :/

[Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:11:18 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (((ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:11:18 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:11:18 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=consumer,dc=org == Filter: ((sAMAccountName=polyva)((ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:11:18 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)

> Val,
>
> Have you verified that ldapsearch works for you on this box? I used something like this to test:
>
> ldapsearch -LLL -x -H ldap://ldap server:389 -b 'DC=corp,DC=something,DC=com' -D 'ldapu...@corp.something.com' -w 'ldapuser password' '(&(ObjectClass=Person)(cn=username to search for))'
>
> I had to request from our Windows AD guys to allow the ldapuser to be able to read all user information. I also had to have them open the firewall to our server, because by default, they only allow certain servers to query the AD servers.
>
> John
>
> On 09/27/2010 10:14 AM, Val Polyakov wrote:
>
>> Trying to get my RT 3.8.8 on RHEL5 to authenticate against our corporate AD. I followed this guide here: http://wiki.bestpractical.com/view/CentOS5InstallPlusSome
>>
>> I also checked that apache has access to over here (RT-Authen-ExternalAuth dir was chgrp -R'ed and chmod -R 770'ed):
>>
>> [r...@rt plugins]# pwd
>> /opt/rt3/local/plugins
>> [r...@rt plugins]# ls -ltr
>> total 4
>> drwxrwx--- 5 root apache 4096 Sep 13 14:16 RT-Authen-ExternalAuth
>> [r...@rt plugins]# ps awwwux |grep httpd
>> root   2313 0.1 4.1 348008 83360 ? Ss 10:32 0:02 /usr/sbin/httpd
>> apache 2317 0.0 4.1 350272 82612 ? S  10:32 0:00 /usr/sbin/httpd
>> apache 2318 0.0 4.1 350272 82616 ? S  10:32 0:00 /usr/sbin/httpd
>> apache 2319 0.0 4.0 348204 82216 ? S  10:32 0:00 /usr/sbin/httpd
>> apache 2320 0.0 4.1 350272
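Added example, not part of the original thread and not RT or plugin code: a Python triage script for an ExternalAuth debug trace like the one in this message. It groups entries into login attempts, records which step was logged immediately before AUTH FAILED, flags search bases that differ within one attempt (the trace above shows dc=consumer in one search and dc=mydomain in the others), and counts FAILED LOGIN entries per source address. The sample log is constructed in the same layout, and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the RT 3.8 debug log quoted above;
# the user, DNs, file paths and address are made up for this example.
SAMPLE_LOG = """\
[Mon Sep 27 17:11:18 2010] [debug]: Attempting to use external auth service: My_LDAP (lib/ExternalAuth.pm:64)
[Mon Sep 27 17:11:18 2010] [debug]: Calling UserExists with $username (jdoe) and $service (My_LDAP) (lib/ExternalAuth.pm:105)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Site1,dc=example,dc=org == Filter: (&(ObjectCategory=User)(sAMAccountName=jdoe)) == Attrs: cn,mail (lib/LDAP.pm:304)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Site1,dc=other,dc=org == Filter: (&(sAMAccountName=jdoe)(ObjectCategory=User)) == Attrs: dn (lib/LDAP.pm:43)
[Mon Sep 27 17:11:18 2010] [debug]: Found LDAP DN: CN=jdoe,OU=Users,OU=SITE1,DC=example,DC=org (lib/LDAP.pm:75)
[Mon Sep 27 17:11:18 2010] [debug]: LDAP Search === Base: ou=Users,ou=Site1,dc=example,dc=org == Filter: (member=CN=jdoe,OU=Users,OU=SITE1,DC=example,DC=org) == Attrs: dn (lib/LDAP.pm:100)
[Mon Sep 27 17:11:18 2010] [info]: My_LDAP AUTH FAILED: jdoe (lib/LDAP.pm:127)
[Mon Sep 27 17:11:18 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (html/Auth:26)
[Mon Sep 27 17:11:18 2010] [error]: FAILED LOGIN for jdoe from 192.0.2.10 (lib/Web.pm:424)
[Mon Sep 27 17:11:19 2010] [debug]: Attempting to use external auth service: My_LDAP (lib/ExternalAuth.pm:64)
[Mon Sep 27 17:11:19 2010] [debug]: SSO Failed and no user to test with. Nexting (lib/ExternalAuth.pm:92)
[Mon Sep 27 17:11:19 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (html/Auth:26)
"""

# "[timestamp] [level]: message (file:line)"; the trailing source location is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*?)"
    r"(?: \((?P<src>[^()\s]+:\d+)\))?$"
)
SEARCH_RE = re.compile(r"^LDAP Search === Base: (.+?) == Filter: (.+) == Attrs: (.*)$")
USER_RE = re.compile(r"^Calling UserExists with \$username \((.*?)\) and \$service")
FAILED_RE = re.compile(r"^(\S+) AUTH FAILED: (\S+)")
RESPONSE_RE = re.compile(r"^Autohandler called ExternalAuth\. Response: \((.*)\)$")
LOGIN_RE = re.compile(r"^FAILED LOGIN for (\S+) from (\S+)")


def norm_dn(dn):
    """Lower-case a DN and trim spaces around commas so bases can be compared."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_attempts(text):
    """Group entries into attempts; each starts at 'Attempting to use external auth service'."""
    attempts, cur, last_step = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an RT log entry
        msg = m.group("msg")
        if msg.startswith("Attempting to use external auth service:"):
            cur = {"service": msg.split(":", 1)[1].strip(), "user": None, "dn": None,
                   "searches": [], "failed_after": None, "response": None,
                   "source_ip": None}
            attempts.append(cur)
            last_step = None
            continue
        if cur is None:
            continue  # entry before the first attempt marker
        if (hit := USER_RE.match(msg)):
            cur["user"] = hit.group(1)
        elif (hit := SEARCH_RE.match(msg)):
            cur["searches"].append((hit.group(1), hit.group(2)))
            last_step = "search " + hit.group(2)
        elif msg.startswith("Found LDAP DN: "):
            cur["dn"] = msg[len("Found LDAP DN: "):]
            last_step = "DN found"
        elif FAILED_RE.match(msg):
            cur["failed_after"] = last_step  # what was logged just before the failure
        elif (hit := RESPONSE_RE.match(msg)):
            cur["response"] = hit.group(1)
        elif (hit := LOGIN_RE.match(msg)):
            cur["source_ip"] = hit.group(2)
    return attempts


def triage(attempt):
    """Return human-readable findings for one attempt."""
    notes = []
    bases = sorted({norm_dn(base) for base, _ in attempt["searches"]})
    if len(bases) > 1:
        notes.append("search bases differ: " + " | ".join(bases))
    if attempt["failed_after"]:
        notes.append("AUTH FAILED logged right after: " + attempt["failed_after"])
    return notes


def failed_logins_by_source(attempts):
    """Count FAILED LOGIN entries per source address (useful for spotting guessing)."""
    return Counter(a["source_ip"] for a in attempts if a["source_ip"])


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["service"], a["user"], a["response"], triage(a))
    print(dict(failed_logins_by_source(parse_attempts(SAMPLE_LOG))))
```

Run against the real rt.log, the "logged right after" note shows how far an attempt got before the plugin rejected it, which narrows down which setting to inspect.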
Re: [rt-users] ldap externalauth problem
sure

'filter' => '((ObjectCategory=User))',
'd_filter' => '(userAccountControl=514)',

[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: Calling UserExists with $username (polyva) and $service (My_LDAP) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:105)
[Mon Sep 27 17:39:08 2010] [debug]: UserExists params: username: polyva , service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:274)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (((ObjectCategory=User))(sAMAccountName=polyva)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,mail (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:304)
[Mon Sep 27 17:39:08 2010] [debug]: Password validation required for service - Executing... (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:155)
[Mon Sep 27 17:39:08 2010] [debug]: Trying external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:16)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: ((sAMAccountName=polyva)((ObjectCategory=User))) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:43)
[Mon Sep 27 17:39:08 2010] [debug]: Found LDAP DN: CN=Polyakov\, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:75)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP Search === Base: ou=Users,ou=Yonkers,dc=mydomain,dc=org == Filter: (member=CN=Polyakov, Valeriy,OU=Users,OU=YONKERS,DC=mydomain,DC=org) == Attrs: dn (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:100)
[Mon Sep 27 17:39:08 2010] [info]: My_LDAP AUTH FAILED: polyva (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:127)
[Mon Sep 27 17:39:08 2010] [debug]: LDAP password validation result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:334)
[Mon Sep 27 17:39:08 2010] [debug]: Password Validation Check Result: 0 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:159)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth. Response: (0, Password Invalid) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Mon Sep 27 17:39:08 2010] [error]: FAILED LOGIN for polyva from 192.168.110.125 (/opt/rt3/bin/../lib/RT/Interface/Web.pm:424)
[Mon Sep 27 17:39:08 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:14)
[Mon Sep 27 17:39:08 2010] [debug]: Attempting to use external auth service: My_LDAP (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Mon Sep 27 17:39:08 2010] [debug]: SSO Failed and no user to test with. Nexting (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Mon Sep 27 17:39:08 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)

> Can you remove the d_filter you have? It's different than what I have
>
> 'd_filter' => '(userAccountControl=514)',
>
> Jason Ledford
> Systems Analyst
> The Biltmore Company
> One North Pack Square
> Asheville, NC 28801
> (828) 225-6127
>
> From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Val Polyakov [...@polyakov.me]
> Sent: Monday, September 27, 2010 1:19 PM
> To: John Alberts
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] ldap externalauth problem
>
>> ldapsearch works, i can find myself using:
>>
>> ldapsearch -LLL -x -H ldap://ADserver:389 -b 'ou=users,ou=yonkers,dc=mydomain,dc=org' -D 'cn=rt,ou=Service Accounts,ou=Users,ou=HIGHSECURITY,dc=mydomain,dc=org' -w 'rtPassword' '(&(ObjectClass=Person)(cn=Polyakov, Valeriy))'
>>
>> I also turned on debug logging for externalauth, and here's what I see in the log. the password I'm providing is correct, it seems to be able to find my account, but then I get an auth failure.. why ? :/
>>
>> [Mon Sep 27 17:11:18 2010] [debug]: Reloading RT::User to work around a bug in RT-3.8.0 and RT-3.8.1 (/opt/rt3/local/plugins/RT
Re: [rt-users] Securing /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Any thoughts, anyone ?

> Hello,
>
> what are our options as far as securing RT_SiteConfig.pm goes? My company has pretty strict security requirements, and our security team will simply not allow us to store the ldap username/password in a plain text file on the RT server (and I can fully understand their concerns).
>
> What are some options here? Again, keeping in mind that the requirement is for the password (at least the password, that is) to NOT be plaintext in RT_SiteConfig.pm
>
> Solutions like "well make the file only readable by root" aren't going to be accepted (not by me, but by our security team). Needs to be a hashed password, maybe, or something.. I don't know.. soliciting ideas.
>
> --Val
[rt-users] Securing /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Hello,

what are our options as far as securing RT_SiteConfig.pm goes? My company has pretty strict security requirements, and our security team will simply not allow us to store the ldap username/password in a plain text file on the RT server (and I can fully understand their concerns).

What are some options here? Again, keeping in mind that the requirement is for the password (at least the password, that is) to NOT be plaintext in RT_SiteConfig.pm

Solutions like "well make the file only readable by root" aren't going to be accepted (not by me, but by our security team). Needs to be a hashed password, maybe, or something.. I don't know.. soliciting ideas.

--Val
Re: [rt-users] Securing /opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
Plaintext. But that doesn't matter - because it's a RT db, with nothing else on it. Security has no problem with it. They only have a problem with storing the domain account credentials in plaintext.

--Val

> On 09/15/2010 12:52 PM, Val Polyakov wrote:
>
>> Hello,
>>
>> what are our options as far as securing RT_SiteConfig.pm goes? My company has pretty strict security requirements, and our security team will simply not allow us to store the ldap username/password in a plain text file on the RT server (and I can fully understand their concerns).
>>
>> What are some options here? Again, keeping in mind that the requirement is for the password (at least the password, that is) to NOT be plaintext in RT_SiteConfig.pm
>>
>> Solutions like "well make the file only readable by root" aren't going to be accepted (not by me, but by our security team). Needs to be a hashed password, maybe, or something.. I don't know.. soliciting ideas.
>>
>> --Val
>
> How are you storing the database userid and password in that case?
>
> Jeff
[rt-users] RT 3.8.8 rt-mailgate issues
rt-mailgate doesn't seem to be injecting new tickets into a fresh install of rt 3.8.8 on RHEL5

/var/log/maillog reports:

Sep 14 14:20:13 myhost sendmail[32687]: o8EIKDHh032687: from=r...@myhost.mydomain.com, size=353, class=0, nrcpts=1, msgid=201009141820.o8eikdoz032...@myhost.mydomain.com, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep 14 14:20:13 myhost sendmail[32686]: o8EIKDoZ032686: to...@myhost.mydomain.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30065, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o8EIKDHh032687 Message accepted for delivery)
Sep 14 14:20:13 myhost sendmail[32688]: o8EIKDHh032687: to="|/etc/smrsh/rt-mailgate --queue general --action correspond --url http://myhost.mydomain.com/ticket", ctladdr=r...@myhost.mydomain.com (8/0), delay=00:00:00, xdelay=00:00:00, mailer=prog, pri=30576, dsn=2.0.0, stat=Sent

I have the following in /etc/aliases :

rt: "|/etc/smrsh/rt-mailgate --queue general --action correspond --url http://myhost.mydomain.com/ticket"
rt-comment: "|/etc/smrsh/rt-mailgate --queue general --action comment --url http://myhost.mydomain.com/ticket"

The following produces no errors, but doesn't inject the ticket into RT either:

[r...@myhost ~]# cat msg.txt | /etc/smrsh/rt-mailgate --queue general --action correspond --url http://myhost.mydomain.com/ticket
[r...@myhost ~]#
[r...@myhost ~]# cat msg.txt
testing
[r...@myhost ~]#

Can anyone push me in the right direction on how to troubleshoot this?
Re: [rt-users] RT 3.8.8 rt-mailgate issues
Hello, anyone ?

[r...@myhost ~]# echo hi | /etc/smrsh/rt-mailgate --queue General --action correspond --url http://myhost.mydomain.com/ticket --debug
/etc/smrsh/rt-mailgate: temp file is '/tmp/Bsdm047j3r'
/etc/smrsh/rt-mailgate: connecting to http://myhost.mydomain.com/ticket/REST/1.0/NoAuth/mail-gateway
not ok - Could not load a valid user
[r...@myhost ~]#

I have granted CreateTicket and ReplyToTicket rights to Everyone for the general queue ... does anyone know what's going on?
[rt-users] rt 3.8.8 issue with CSS
Hello,

I have a fresh install of rt-3.8.8 on RHEL5

when I go to http://serverIP/ticket (/ticket is aliased in apache configs to /opt/rt3/share/html, which is where the RT is installed) I get the login screen, but alas, with no CSS. so it looks ugly..

I don't see any errors at all in apache's access_log and error_log (no 404s or anything)

I see that I do, indeed, have CSS:

[r...@curt css]# pwd
/opt/rt3/share/html/NoAuth/css
[r...@curt css]# ls -l
total 28
drwxr-xr-x 2 root bin 4096 Sep 7 12:34 3.4-compat
drwxr-xr-x 2 root bin 4096 Sep 7 12:34 3.5-default
-rw-r--r-- 1 root bin 2390 Sep 7 12:34 autohandler
drwxr-xr-x 2 root bin 4096 Sep 7 12:34 base
-rw-r--r-- 1 root bin 2649 Sep 7 12:34 dhandler
-rw-r--r-- 1 root bin 3043 Sep 7 12:34 print.css
drwxr-xr-x 3 root bin 4096 Sep 7 12:34 web2
[r...@curt css]#

nothing's weird about the install, SELinux is disabled, etc..

any ideas?
Re: [rt-users] rt 3.8.8 issue with CSS
Also, thought it might be a good idea to attach my RT_SiteConfig.pm ...

And this:

[r...@curt conf.d]# cat rt3.conf
Alias /ticket /opt/rt3/share/html
PerlRequire /opt/rt3/bin/webmux.pl
<Directory /opt/rt3/share/html>
    AllowOverride All
    Options ExecCGI FollowSymlinks
    RewriteEngine On
    RedirectMatch permanent (.*)/$ $1/index.html
    AddDefaultCharset UTF-8
    SetHandler perl-script
    PerlHandler RT::Mason
</Directory>
[r...@curt conf.d]#

Any help is highly appreciated, this is sort of urgent :/

# Any configuration directives you include here will override
# RT's default configuration file, RT_Config.pm
#
# To include a directive here, just copy the equivalent statement
# from RT_Config.pm and change the value. We've included a single
# sample value below.
#
# This file is actually a perl module, so you can include valid
# perl code, as well.
#
# The converse is also true, if this file isn't valid perl, you're
# going to run into trouble. To check your SiteConfig file, use
# this command:
#
#   perl -c /path/to/your/etc/RT_SiteConfig.pm

Set( $rtname, 'myhostname.mydomain.com');
Set( $Organization, 'myhostname.mydomain.com');
Set($MinimumPasswordLength , 5);
Set($Timezone , 'US/Eastern');
#Set(@Plugins, qw(
#    RT::Authen::ExternalAuth
#    ));
Set($HomepageComponents, [qw( QuickCreate Quicksearch MyAdminQueues MySupportQueues MyReminders RefreshHomepage Dashboards )]);
Set( $DatabaseType, 'mysql');
Set( $DatabaseHost, 'localhost');
Set( $DatabaseRTHost , 'localhost');
Set( $DatabaseName , 'rt3');
Set( $DatabasePort , '');
Set( $DatabaseUser , 'myrtuser');
Set( $DatabasePassword , 'myrtpass');
Set($OwnerEmail , 'root');
Set($LoopsToRTOwner , 1);
Set($SendmailArguments , '-oi -t -f m...@mydomain.com');
Set($MaxAttachmentSize , 1000);
Set($RTAddressRegexp , '^...@myhostname.mydomain.com$');
Set($CorrespondAddress , 'no-re...@myhostname.mydomain.com');
Set($CommentAddress , 'no-re...@myhostname.mydomain.com');
Set($UseFriendlyFromLine , 1);
Set($FriendlyFromLineFormat , "\"%s\" <%s>");
Set($UseFriendlyToLine , 1);
Set($FriendlyToLineFormat , "\"%s Ticket #%s\":;");
Set($NotifyActor , 0);
Set($RecordOutgoingEmail , 1);
Set($WebPath , "/ticket");
Set($WebPort , 80);
Set($WebBaseURL , "http://curt");
Set($WebURL , $WebBaseURL . $WebPath . "/");
Set($WebImagesURL , $WebURL . "/NoAuth/images");
Set($MessageBoxWidth , 72);
Set($MessageBoxWrap, "HARD");
Set($MaxInlineBody, 13456);
Set($DefaultSummaryRows, 10);
Set($OldestTransactionsFirst, '1');
Set($DateDayBeforeMonth , 0);
Set($AmbiguousDayInPast , 1);
#require "/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm";
#Set($Autocreate, {Privileged => 1});
#Set(@Plugins,(qw(Extension::QuickDelete RT::FM)));
1;
Re: [rt-users] rt 3.8.8 issue with CSS
another update:

when I go to http://myServer/ticket/NoAuth/css/index.html this is what I get:

    Error during compilation of /opt/rt3/share/html/NoAuth/css/dhandler:
    Can't locate CSS/Squish.pm in @INC (@INC contains:
        /opt/rt3/bin/../local/lib
        /opt/rt3/bin/../lib
        /opt/rt3/lib
        /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi
        /usr/lib/perl5/site_perl/5.8.8
        /usr/lib/perl5/site_perl
        /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi
        /usr/lib/perl5/vendor_perl/5.8.8
        /usr/lib/perl5/vendor_perl
        /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi
        /usr/lib/perl5/5.8.8
        .
        /etc/httpd)
    at /opt/rt3/share/html/NoAuth/css/dhandler line 67.

    Stack:
      [/opt/rt3/share/html/NoAuth/css/dhandler:67]
      [CSS/Squish.pm:67]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:817]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:445]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:773]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm:256]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm:212]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:97]
      [/opt/rt3/bin/../lib/RT/Interface/Web/Request.pm:68]
      [/usr/lib/perl5/site_perl/5.8.8/Class/Container.pm:275]
      [/usr/lib/perl5/site_perl/5.8.8/Class/Container.pm:353]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:348]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:868]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:822]
      [/opt/rt3/bin/webmux.pl:78]
      [CSS/Squish.pm:67]

    BEGIN failed--compilation aborted at /opt/rt3/share/html/NoAuth/css/dhandler line 67.

    Stack:
      [/opt/rt3/share/html/NoAuth/css/dhandler:67]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:817]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:445]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:773]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm:256]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Request.pm:212]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:97]
      [/opt/rt3/bin/../lib/RT/Interface/Web/Request.pm:68]
      [/usr/lib/perl5/site_perl/5.8.8/Class/Container.pm:275]
      [/usr/lib/perl5/site_perl/5.8.8/Class/Container.pm:353]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/Interp.pm:348]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:868]
      [/usr/lib/perl5/site_perl/5.8.8/HTML/Mason/ApacheHandler.pm:822]
      [/opt/rt3/bin/webmux.pl:78]
      [/opt/rt3/share/html/NoAuth/css/dhandler:67]

however:

    [r...@curt ~]# perl -MCPAN -e 'install CSS::Squish'
    CPAN: Storable loaded ok
    Going to read /home/vpolya/.cpan/Metadata
      Database was generated on Mon, 13 Sep 2010 11:30:52 GMT
    CSS::Squish is up to date.
    [r...@curt ~]#

this is probably the source of my CSS issue.. why can't it find it, while CPAN claims it's installed? :/
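An added diagnostic example, not part of the original thread: the error above lists the @INC that the mod_perl process searched, so this script checks each of those directories for the module file and for permissions that let a non-owner account such as the web server user read it. The function names, the CHECK_ROOT variable and the reliance on the "other" permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. For one module it marks
# each @INC directory MISSING, UNREADABLE or OK using the "other" mode bits
# (assumption: httpd is neither owner nor group member; ACLs are ignored).
CHECK_ROOT=${CHECK_ROOT:-/}    # stop walking parent directories here

# other_bit PATH N: Nth character of the ls mode string (8 = o+r, 10 = o+x)
other_bit() {
    ls -ld "$1" | cut -c"$2"
}

# other_can_reach FILE: true if "other" may read FILE and traverse its parents
other_can_reach() {
    [ "$(other_bit "$1" 8)" = "r" ] || return 1
    dir=$(dirname "$1")
    while :; do
        case $(other_bit "$dir" 10) in
            x|t) ;;                 # t = sticky bit plus execute
            *) return 1 ;;
        esac
        case $dir in "$CHECK_ROOT"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return 0
}

# check_module MODULE DIR...: prints one "STATUS path" line per directory
# and returns 0 only if at least one copy is reachable.
check_module() {
    rel=$(printf '%s' "$1" | sed 's|::|/|g').pm
    shift
    rc=1
    for inc in "$@"; do
        f=$inc/$rel
        if [ ! -e "$f" ]; then
            echo "MISSING    $f"
        elif other_can_reach "$f"; then
            echo "OK         $f"
            rc=0
        else
            echo "UNREADABLE $f"
        fi
    done
    return $rc
}

# Run as root: sh check_inc.sh CSS::Squish /opt/rt3/lib /usr/lib/perl5/site_perl/5.8.8
if [ "$#" -gt 0 ]; then check_module "$@"; fi
```

Pass the directories from the error message's @INC rather than the output of a command-line `perl -V`, since the two lists can differ.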