Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-21 Thread David Hobley
Mike, 

I would certainly like to see this. 

*wish mode* 

If you could drag down group memberships as well and if they exist in RT, then 
add that user to those RT groups, I would love to see that as well, as it would 
mean all the functionality for User creation could be set up via LDAP as well. 
MediaWiki does this and it works well (although far less complicated than RT I 
suspect). 

Cheers, 
David 
- Original Message - 
From: "Mike Peachey" <[EMAIL PROTECTED]> 
To: "Kenneth Crocker" <[EMAIL PROTECTED]> 
Cc: "Pedro Lobo S. da Rocha" <[EMAIL PROTECTED]>, "RT Users" 
 
Sent: Saturday, 12 April, 2008 9:51:45 PM GMT +10:00 Brisbane 
Subject: Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 
'ExternalAuth' extension 

I have a thought. I don't know whether I will need to override the 
AutoCreate method or if I can do it all just by passing params from the 
autohandler auth callback, but it seems reasonable that I should be able 
to easily allow LDAP users to be autocreated as Privileged, while 
leaving the default AutoCreation at unprivileged. 

This way, by way of a configuration setting, that is individual to each 
ExternalAuth configuration group (LDAP/DBI etc) you could specify 
whether to autocreate as privileged or unprivileged, and RT would still 
retain its own default setting for *other* users. 

Do you think this is something you'd want built into the extension? 

Opinions welcome. 
-- 
Kind Regards, 

___ 

Mike Peachey, IT 
Tel: +44 (0) 114 281 2655 
Fax: +44 (0) 114 281 2951 
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK 
http://www.jennic.com 
Confidential 

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-14 Thread Kenneth Crocker
Mike,


I think so. It seems like it would solve my problem of email only users 
getting listed along with privileged users on the drop-downs.


Kenn
LBNL

On 4/12/2008 4:51 AM, Mike Peachey wrote:
> Kenneth Crocker wrote:
>> Mike, Pedro,
>>
>>
>> We use LDAP as well and the same setting (Set($AutoCreate, 
>> {Privileged => 1});) and it works well as far as getting the new user 
>> into the DB. All I have to do after that is put them in the 
>> appropriate group then they will HAVE some privileges. We don't grant 
>> many GLOBAL privileges so if someone wants to do something other than 
>> reply to email on their own ticket or see their own ticket, they have 
>> to be in a group.
>> The problem I'm having with autocreate is that when an email 
>> address is added to some correspondence in the CC field, then RT adds 
>> the entire email address as a privileged user instead of unprivileged. 
>> Once that happens, they show up in a lot of drop-downs for watcher and 
>> then I have this unrelated "privileged" email address being offered as 
>> a possible USER ID for watchers and many of my regular users don't 
>> know which of the two IDs to select for that one person. It gets 
>> irritating and now I'm considering using SQL to get rid of them. Any 
>> ideas on a better setting for adding email addresses as 
>> "unprivileged"? Thanks
>>
>> Kenn
>> LBNL
> 
> I have a thought. I don't know whether I will need to override the 
> AutoCreate method or if I can do it all just by passing params from the 
> autohandler auth callback, but it seems reasonable that I should be able 
> to easily allow LDAP users to be autocreated as Privileged, while 
> leaving the default AutoCreation at unprivileged.
> 
> This way, by way of a configuration setting, that is individual to each 
> ExternalAuth configuration group (LDAP/DBI etc) you could specify 
> whether to autocreate as privileged or unprivileged, and RT would still 
> retain its own default setting for *other* users.
> 
> Do you think this is something you'd want built into the extension?
> 
> Opinions welcome.
> -- 
> Kind Regards,
> 
> ___
> 
> Mike Peachey, IT
> Tel: +44 (0) 114 281 2655
> Fax: +44 (0) 114 281 2951
> Jennic Ltd, Furnival Street, Sheffield, S1 4QT,  UK
> http://www.jennic.com
> Confidential
> ___
> 
> 



Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-12 Thread Mike Peachey
Kenneth Crocker wrote:
> Mike, Pedro,
> 
> 
> We use LDAP as well and the same setting (Set($AutoCreate, 
> {Privileged => 1});) and it works well as far as getting the new user 
> into the DB. All I have to do after that is put them in the appropriate 
> group then they will HAVE some privileges. We don't grant many GLOBAL 
> privileges so if someone wants to do something other than reply to email 
> on their own ticket or see their own ticket, they have to be in a group.
> The problem I'm having with autocreate is that when an email address 
> is added to some correspondence in the CC field, then RT adds the entire 
> email address as a privileged user instead of unprivileged. Once that 
> happens, they show up in a lot of drop-downs for watcher and then I have 
> this unrelated "privileged" email address being offered as a possible 
> USER ID for watchers and many of my regular users don't know which of 
> the two IDs to select for that one person. It gets irritating and now 
> I'm considering using SQL to get rid of them. Any ideas on a better 
> setting for adding email addresses as "unprivileged"? Thanks
> 
> Kenn
> LBNL

I have a thought. I don't know whether I will need to override the 
AutoCreate method or if I can do it all just by passing params from the 
autohandler auth callback, but it seems reasonable that I should be able 
to easily allow LDAP users to be autocreated as Privileged, while 
leaving the default AutoCreation at unprivileged.

This way, by way of a configuration setting, that is individual to each 
ExternalAuth configuration group (LDAP/DBI etc) you could specify 
whether to autocreate as privileged or unprivileged, and RT would still 
retain its own default setting for *other* users.

Do you think this is something you'd want built into the extension?

Opinions welcome.
--
Kind Regards,

___

Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT,  UK
http://www.jennic.com
Confidential
___



Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Kenneth Crocker
Stephen,


Yea, yea. But I'm an ADVENTUROUS person! HA! Just kidding. Actually, 
I already have done it, but just for two users that I CAREFULLY selected 
after looking closely at the DB (i.e. USERS, GROUPS, GROUPMEMBERS, 
CACHEDGROUPMEMBERS, etc.). First, I got the ids of each duplicate ID 
(different ids for the same person). Then I went to the ACL table to 
see which one had rights to tickets, etc. Then I checked what groups 
those ids were in and checked THEM against the ACL table. Then I 
searched all tickets that had those IDs as a CC, etc. and removed that 
reference and replaced it with the correct ID (all using RT) on each 
ticket. THEN, I went back to the DB and removed the old duplicate IDs 
from the USER Table, the related membership in any GROUP, 
CACHEDGROUPMEMBERS, GROUPMEMBERS. Then, for each group Id that existed 
ONLY for the dup User IDs, I removed those Group records, etc. So far, 
no problem. Do you think I missed anything?

Kenn
LBNL

On 4/11/2008 9:59 AM, Stephen Turner wrote:
> At Friday 4/11/2008 12:50 PM, Kenneth Crocker wrote:
>> Mike, Pedro,
>>
>>
>>
>> The problem I'm having with autocreate is that when an email 
>> address is
>> added to some correspondence in the CC field, then RT adds the entire
>> email address as a privileged user instead of unprivileged. Once that
>> happens, they show up in a lot of drop-downs for watcher and then I have
>> this unrelated "privileged" email address being offered as a possible
>> USER ID for watchers and many of my regular users don't know which of
>> the two IDs to select for that one person.
> 
> 
> 
>> It gets irritating and now I'm considering using SQL to get rid of them.
> 
> Kenn - don't do this!! You'll be sorry. Ruslan's Shredder is the safe 
> way to remove unwanted user accounts.
> 
> Steve
> 
> 
> 
> 



Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Stephen Turner
At Friday 4/11/2008 12:50 PM, Kenneth Crocker wrote:
>Mike, Pedro,
>
>
>
> The problem I'm having with autocreate is that when an 
> email address is
>added to some correspondence in the CC field, then RT adds the entire
>email address as a privileged user instead of unprivileged. Once that
>happens, they show up in a lot of drop-downs for watcher and then I have
>this unrelated "privileged" email address being offered as a possible
>USER ID for watchers and many of my regular users don't know which of
>the two IDs to select for that one person.



>It gets irritating and now I'm considering using SQL to get rid of them.

Kenn - don't do this!! You'll be sorry. Ruslan's Shredder is the safe 
way to remove unwanted user accounts.

Steve





Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Kenneth Crocker
Mike, Pedro,


We use LDAP as well and the same setting (Set($AutoCreate, {Privileged 
=> 1});) and it works well as far as getting the new user into the DB. 
All I have to do after that is put them in the appropriate group then 
they will HAVE some privileges. We don't grant many GLOBAL privileges so 
if someone wants to do something other than reply to email on their own 
ticket or see their own ticket, they have to be in a group.
The problem I'm having with autocreate is that when an email address is 
added to some correspondence in the CC field, then RT adds the entire 
email address as a privileged user instead of unprivileged. Once that 
happens, they show up in a lot of drop-downs for watcher and then I have 
this unrelated "privileged" email address being offered as a possible 
USER ID for watchers and many of my regular users don't know which of 
the two IDs to select for that one person. It gets irritating and now 
I'm considering using SQL to get rid of them. Any ideas on a better 
setting for adding email addresses as "unprivileged"? Thanks

Kenn
LBNL

On 4/11/2008 5:03 AM, Mike Peachey wrote:
> Pedro Lobo S. da Rocha wrote:
>> Right, I think I got it. But there's one thing. When I go to 
>> Configuration -> Groups -> "Select one group" -> Members, the 
>> auto-created user doesn't appear in the user's list so I can add him as 
>> a member. Do you know why this is happening?
> 
> I'm guessing that you are not using:
> Set($AutoCreate, {Privileged => 1});
> 
> which means that by default your new users are unprivileged.
> 
> By default, lists of users in RT only include privileged users. This 
> means that you will need to search for the user and then, in the user's 
> information page, tick the "Allow this user to be granted privileges" 
> box. They should then show up in the groups selection list.
> 
> 



Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Mike Peachey
Pedro Lobo S. da Rocha wrote:
> Right, I think I got it. But there's one thing. When I go to 
> Configuration -> Groups -> "Select one group" -> Members, the 
> auto-created user doesn't appear in the user's list so I can add him as 
> a member. Do you know why this is happening?

I'm guessing that you are not using:
Set($AutoCreate, {Privileged => 1});

which means that by default your new users are unprivileged.

By default, lists of users in RT only include privileged users. This 
means that you will need to search for the user and then, in the user's 
information page, tick the "Allow this user to be granted privileges" 
box. They should then show up in the groups selection list.


-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Mike Peachey
Mike Peachey wrote:
> James Treleaven wrote:
>> The username/password pair that I specified in the script are fine,
>> however.  
> 
> Everybody!! :
> 
> "OH NO IT ISN'T!"
> 
>> LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED
> 
> This is the error message being returned by Net::LDAP when attempting to 
> bind to your AD server.

I'm feeling nice, so I'm going to code around this in v0.06

There will be a new config option called AllowExpiredPasswords or 
similar and if set to true it will consider LDAP_PP_PASSWORD_EXPIRED a 
successful bind, but log a warning that a user with an expired password 
has logged in.
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Mike Peachey
Pedro Lobo S. da Rocha wrote:
> Mike,
> 
> Another doubt came up. How do I manage permissions for AD users in RT?

You don't really. You need to manually play with the permissions for the 
users once they have logged in for the first time. I recommend creating 
a group in RT and setting the relevant permissions on that group and 
then just add your AD users into that group once they're logged in.

> When I log in with an AD user, which permissions are given to him?

There is one way that I know of to set default permissions for users 
that get AutoCreated:

Set($AutoCreate, {Privileged => 1});

Which allows you to set whether auto-created users should be privileged 
(and other settings can go in there too), but I would be careful with it 
as you will likely find all your users will be "Auto"-Created, but in 
any case that setting is not part of my code, it's part of RT and I'm 
not all that familiar with when/who/why/how/where auto-creating occurs 
other than ExternalAuth users.

-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__


Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-11 Thread Mike Peachey
James Treleaven wrote:
> The username/password pair that I specified in the script are fine,
> however.  

Everybody!! :

"OH NO IT ISN'T!"

> LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED

This is the error message being returned by Net::LDAP when attempting to 
bind to your AD server.

As per the Net::LDAP documentation:

LDAP_PP_PASSWORD_EXPIRED
The account's password has expired.

To be fair, the result code is still a 0 which means it *should* succeed 
I think, but can't guarantee it. The result you're really looking for is:

LDAP_SUCCESS
Operation completed without error
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
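An added example, not code from the ExternalAuth extension or from Mike's test script, showing how to decide the outcome of a bind from the numeric result code and the server's diagnostic text rather than from the name string. The Dumper output earlier in the thread has resultCode => 0 and an empty errorMessage, so that bind did succeed; Net::LDAP::Constant also defines the password-policy error values, and LDAP_PP_PASSWORD_EXPIRED is 0, the same number as LDAP_SUCCESS, which is why a name lookup keyed only on the number can print either name. Active Directory signals an expired password differently: the simple bind fails with LDAP_INVALID_CREDENTIALS (49) and the reason is a "data <hex>" sub-code in the error text (532 = password expired, 533 = account disabled, 52e = wrong password, and so on). The sample result strings below are constructed for the example; classify_bind_result and bind_and_classify are names chosen here, not extension APIs, and the server, user and password passed to bind_and_classify are placeholders.

```perl
#!/usr/bin/perl
# Added example (not part of the ExternalAuth extension): decide the
# outcome of a simple bind from the numeric result code and the server's
# diagnostic text instead of from the name ldap_error_name() prints.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Active Directory reports *why* a bind failed only inside the diagnostic
# text of an LDAP_INVALID_CREDENTIALS (49) result, as "data <hex>".
# These are the documented AcceptSecurityContext sub-codes.
my %AD_BIND_SUBCODE = (
    '525' => 'no such user',
    '52e' => 'wrong password',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'password must be changed',
    '775' => 'account locked out',
);

# classify_bind_result(CODE, ERROR_TEXT) -> (STATUS, DETAIL)
# STATUS is 'ok', 'expired', 'denied' or 'error'.  Only 'ok' and, if a
# site chooses to allow it, 'expired' should ever count as a login.
sub classify_bind_result {
    my ($code, $error_text) = @_;
    $error_text = '' unless defined $error_text;

    return ('ok', 'bind succeeded') if $code == LDAP_SUCCESS;

    if ($code == LDAP_INVALID_CREDENTIALS) {
        my ($sub) = $error_text =~ /\bdata\s+([0-9a-f]+)\b/i;
        $sub = defined $sub ? lc $sub : '';
        my $reason = $AD_BIND_SUBCODE{$sub} || 'invalid credentials';
        # An expired (or must-change) password is the one case the
        # thread proposes tolerating; everything else stays a refusal.
        my $status = ($sub eq '532' || $sub eq '773') ? 'expired' : 'denied';
        return ($status, $reason);
    }

    return ('error', sprintf('LDAP result code %d: %s', $code, $error_text));
}

# bind_and_classify(LDAP, USER, PASSWORD) runs a real bind on an already
# connected Net::LDAP object; USER is a DN or a DOMAIN\username string.
sub bind_and_classify {
    my ($ldap, $user, $pass) = @_;
    my $msg = $ldap->bind($user, password => $pass);
    return classify_bind_result($msg->code, $msg->error);
}

# Constructed sample results, standing in for live bind responses.
my @samples = (
    [ 0,  '' ],
    [ 49, '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1' ],
    [ 49, '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1' ],
    [ 49, '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1' ],
    [ 81, "Can't contact LDAP server" ],
);
for my $s (@samples) {
    my ($status, $detail) = classify_bind_result(@$s);
    printf "code %-2d -> %-7s (%s)\n", $s->[0], $status, $detail;
}
```

The point of keeping the decision on `$msg->code` plus the parsed sub-code is that an "AllowExpiredPasswords"-style option then only ever widens the 'expired' case; a disabled or locked-out account still comes back 'denied' even though the raw result code is the same 49.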


Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-10 Thread James Treleaven
Mike Peachey wrote:
> Please let me know your results, people!

I have run it twice, once with anonymous binding enabled and once with
it disabled.  I am afraid I got the same results both times:

The username/password pair that I specified in the script are fine,
however.  It is my admin usercode, which I used to log into the server
and run the Active Directory admin applications.

--
[EMAIL PROTECTED] work]# perl mike.pm 
$VAR1 = bless( {
                 'parent' => bless( {
                                      'net_ldap_version' => 3,
                                      'net_ldap_scheme' => 'ldap',
                                      'net_ldap_debug' => 0,
                                      'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' ),
                                      'net_ldap_host' => 'redacted.comalc.com',
                                      'net_ldap_uri' => 'redacted.comalc.com',
                                      'net_ldap_resp' => {},
                                      'net_ldap_mesg' => {},
                                      'net_ldap_async' => 0,
                                      'net_ldap_port' => 389,
                                      'net_ldap_refcnt' => 1
                                    }, 'Net::LDAP' ),
                 'errorMessage' => '',
                 'ctrl_hash' => undef,
                 'resultCode' => 0,
                 'callback' => undef,
                 'mesgid' => 1,
                 'matchedDN' => '',
                 'controls' => undef,
                 'raw' => undef
               }, 'Net::LDAP::Bind' );

LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED
--



Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-10 Thread Mike Peachey
Pedro Lobo S. da Rocha wrote:
> Mike,
> 
> I changed some things in my configuration and it seems almost right. I am 
> now receiving the following log messages:
> 
> 18. [Thu Apr 10 17:38:19 2008] [debug]: LDAP Search === Base: dc=DOMAIN,dc=com == Filter: (&(objectclass=*)(sAMAccountName=teste)) == Attrs: uid (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:890)
> 19. [Thu Apr 10 17:38:19 2008] [info]: DISABLED user teste per External Service (1, Disabled changed from (no value) to "1")
> 
> I don't know what's happening at line 19. Do you?
> 


Err... bugger! You've just found a bug.

I will fix this tomorrow morning when I get to work. The problem is that 
I hadn't programmed for the possibility of there being no d_filter, 
therefore, if you don't specify a d_filter (disable filter) it will 
consider ALL of your users disabled instead of none of them.

Whoops.

You can fix this temporarily in one of two ways:

1. Specify a disable filter.
2. Edit User_Vendor.pm manually.

HOWTO:

1. Since you're using Active Directory, the simplest way for you to sort 
this out is to use the Active Directory disable filter since I doubt 
there's any reason you would want someone to still be able to access RT 
if you've set their account to disabled in Active Directory.

To do this, add this line to your LDAP settings (add it under 'filter'):

'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',


2. If you want to allow access to RT to users that have been disabled in 
Active Directory, change line 904 in $RTHOME/local/lib/RT/User_Vendor.pm 
from this:

$user_disabled = 1;

to this:

$user_disabled = 0;

And it will then be overwritten with a fix once I update the code and 
release v0.06 tomorrow.

P.S. Please join the RT-Users mailing list and then CC 
rt-users@lists.bestpractical.com in any replies if you can so that 
others may benefit.
--
Kind Regards,

___

Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT,  UK
http://www.jennic.com
Confidential
___
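An added example (not code from the ExternalAuth extension) of what the Active Directory disable filter above actually tests, and of the default the fix calls for when no d_filter is configured at all. In the extension the directory server evaluates the filter in a search and a hit marks the RT user disabled (that is the "DISABLED user teste per External Service" log line); the small evaluator here mirrors the semantics of the 1.2.840.113556.1.4.803 matching rule (LDAP_MATCHING_RULE_BIT_AND) on a userAccountControl value so the behaviour can be checked offline. The entries are constructed, and parse_bit_and_filter, entry_matches_bit_and_filter and user_is_disabled are names chosen here, not the extension's.

```perl
#!/usr/bin/perl
# Added example (not the extension's code): evaluate the AD disable filter
# locally and show the intended default when d_filter is not configured.
use strict;
use warnings;

# userAccountControl is a bit field.  The matching rule OID
# 1.2.840.113556.1.4.803 means "all bits of the asserted value are set",
# so (userAccountControl:1.2.840.113556.1.4.803:=2) matches every entry
# whose value has bit 0x2 (ACCOUNTDISABLE) set.  Commonly seen flags:
use constant {
    UAC_ACCOUNTDISABLE     => 0x0002,
    UAC_NORMAL_ACCOUNT     => 0x0200,
    UAC_DONT_EXPIRE_PASSWD => 0x10000,
};

# The exact filter string from the message above, built from the constant.
my $AD_DISABLE_FILTER =
    sprintf('(userAccountControl:1.2.840.113556.1.4.803:=%d)', UAC_ACCOUNTDISABLE);

# Parse a single bit-AND filter of the form (attr:1.2.840.113556.1.4.803:=N)
# into (attribute, mask).  Anything else yields an empty list.
sub parse_bit_and_filter {
    my ($filter) = @_;
    return unless defined $filter;
    my ($attr, $mask) =
        $filter =~ /^\(([A-Za-z][\w-]*):1\.2\.840\.113556\.1\.4\.803:=(\d+)\)$/;
    return unless defined $attr;
    return ($attr, $mask + 0);
}

# Evaluate the filter against one entry (hash of attribute name => value),
# the way the server does for the search the extension issues.
sub entry_matches_bit_and_filter {
    my ($filter, $entry) = @_;
    my ($attr, $mask) = parse_bit_and_filter($filter);
    return 0 unless defined $attr;
    # LDAP attribute names are case-insensitive
    my ($key) = grep { lc $_ eq lc $attr } keys %$entry;
    return 0 unless defined $key && defined $entry->{$key};
    # parentheses matter: in Perl '&' binds looser than '=='
    return ((($entry->{$key} + 0) & $mask) == $mask) ? 1 : 0;
}

# user_is_disabled(CONFIG, ENTRY): the behaviour the bug fix restores.
# With no d_filter configured there is no disable check, so the answer is
# "not disabled"; v0.05 instead marked every user disabled in that case.
sub user_is_disabled {
    my ($config, $entry) = @_;
    return 0 unless defined $config->{d_filter} && length $config->{d_filter};
    return entry_matches_bit_and_filter($config->{d_filter}, $entry);
}

# Constructed sample entries, in place of real AD search results.
# 512, 514 and 66048 are the values most often seen on user objects.
my %enabled  = ( sAMAccountName => 'teste',
                 userAccountControl => UAC_NORMAL_ACCOUNT );
my %disabled = ( sAMAccountName => 'teste',
                 userAccountControl => UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE );
my %nonexp   = ( sAMAccountName => 'teste',
                 userAccountControl => UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWD );

for my $cfg ( +{ d_filter => $AD_DISABLE_FILTER }, +{} ) {
    my $label = $cfg->{d_filter} ? 'with d_filter   ' : 'without d_filter';
    printf "%s: enabled=%d disabled=%d nonexpiring=%d\n", $label,
        user_is_disabled($cfg, \%enabled),
        user_is_disabled($cfg, \%disabled),
        user_is_disabled($cfg, \%nonexp);
}
```

Note the asymmetry this exposes: a missing d_filter means the disable check is simply skipped, so anyone who can still bind gets in. If the intent is "disabled in AD means disabled in RT", the filter has to be present in every ExternalAuth LDAP configuration that points at Active Directory, not left to the default.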


Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

2008-04-10 Thread Mike Peachey
I've been working on this and I think I have the answer (although I know 
one person has already told me they tried it and didn't work for them.. 
perhaps there was some other issue there?).

I used this script to test against my Active Directory servers and found 
that, if you specify the windows domain in the "user" field as well as 
the username, it will not only work with anonymous binding off, but it 
should still work with anonymous binding on!

##

#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);
use Data::Dumper;

# Single quotes keep the backslash in DOMAIN\username literal
my $ldap_server = 'server';
my $ldap_user   = 'DOMAIN\username';
my $ldap_pass   = 'password';
my $ldap_args   = [ version => 3 ];

my $ldap = Net::LDAP->new($ldap_server, @$ldap_args)
    or die "Cannot connect to $ldap_server: $@";

# Simple bind as the configured user; the result object carries the
# numeric result code and the server's own error text
my $msg = $ldap->bind($ldap_user, password => $ldap_pass);

print(Dumper($msg));
print("\n");
print("LDAP CODE: ", $msg->code, "\n");
print("LDAP MESSAGE: ", ldap_error_name($msg->code), "\n");
print("LDAP ERROR: ", $msg->error, "\n");

##

To repeat myself: you SHOULD be able to solve this problem by correctly 
specifying your username in the full domain\username format as specified 
by Active Directory.

e.g.
Domain = MYDOMAIN
Username = myaccount

'user'  => 'MYDOMAIN\myaccount',


Also, be careful that you should be using single quotes and therefore 
ensuring that the backslash isn't interpreted as an escaping character.

Please let me know your results, people!
-- 
Kind Regards,

__

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__