Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Mike,

I would certainly like to see this.

*wish mode* If you could drag down group memberships as well and, if they exist in RT, then add that user to those RT groups, I would love to see that as well, as it would mean all the functionality for user creation could be set up via LDAP as well. MediaWiki does this and it works well (although far less complicated than RT, I suspect).

Cheers,
David

----- Original Message -----
From: "Mike Peachey" <[EMAIL PROTECTED]>
To: "Kenneth Crocker" <[EMAIL PROTECTED]>
Cc: "Pedro Lobo S. da Rocha" <[EMAIL PROTECTED]>, "RT Users"
Sent: Saturday, 12 April, 2008 9:51:45 PM GMT +10:00 Brisbane
Subject: Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension

I have a thought. I don't know whether I will need to override the AutoCreate method or if I can do it all just by passing params from the autohandler auth callback, but it seems reasonable that I should be able to easily allow LDAP users to be autocreated as Privileged, while leaving the default AutoCreation at unprivileged.

This way, by way of a configuration setting that is individual to each ExternalAuth configuration group (LDAP/DBI etc.), you could specify whether to autocreate as privileged or unprivileged, and RT would still retain its own default setting for *other* users.

Do you think this is something you'd want built into the extension?

Opinions welcome.

--
Kind Regards,
___
Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
http://www.jennic.com
Confidential
___

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Mike,

I think so. It seems like it would solve my problem of email-only users getting listed along with privileged users on the drop-downs.

Kenn
LBNL

On 4/12/2008 4:51 AM, Mike Peachey wrote:
> Kenneth Crocker wrote:
>> Mike, Pedro,
>>
>> We use LDAP as well and the same setting (Set($AutoCreate, {Privileged => 1});) and it works well as far as getting the new user into the DB. All I have to do after that is put them in the appropriate group, then they will HAVE some privileges. We don't grant many GLOBAL privileges, so if someone wants to do something other than reply to email on their own ticket or see their own ticket, they have to be in a group.
>>
>> The problem I'm having with autocreate is that when an email address is added to some correspondence in the CC field, then RT adds the entire email address as a privileged user instead of unprivileged. Once that happens, they show up in a lot of drop-downs for watcher and then I have this unrelated "privileged" email address being offered as a possible USER ID for watchers and many of my regular users don't know which of the two IDs to select for that one person. It gets irritating and now I'm considering using SQL to get rid of them. Any ideas on a better setting for adding email addresses as "unprivileged"? Thanks
>>
>> Kenn
>> LBNL
>
> I have a thought. I don't know whether I will need to override the AutoCreate method or if I can do it all just by passing params from the autohandler auth callback, but it seems reasonable that I should be able to easily allow LDAP users to be autocreated as Privileged, while leaving the default AutoCreation at unprivileged.
>
> This way, by way of a configuration setting that is individual to each ExternalAuth configuration group (LDAP/DBI etc.), you could specify whether to autocreate as privileged or unprivileged, and RT would still retain its own default setting for *other* users.
>
> Do you think this is something you'd want built into the extension?
>
> Opinions welcome.
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Kenneth Crocker wrote:
> Mike, Pedro,
>
> We use LDAP as well and the same setting (Set($AutoCreate, {Privileged => 1});) and it works well as far as getting the new user into the DB. All I have to do after that is put them in the appropriate group, then they will HAVE some privileges. We don't grant many GLOBAL privileges, so if someone wants to do something other than reply to email on their own ticket or see their own ticket, they have to be in a group.
>
> The problem I'm having with autocreate is that when an email address is added to some correspondence in the CC field, then RT adds the entire email address as a privileged user instead of unprivileged. Once that happens, they show up in a lot of drop-downs for watcher and then I have this unrelated "privileged" email address being offered as a possible USER ID for watchers and many of my regular users don't know which of the two IDs to select for that one person. It gets irritating and now I'm considering using SQL to get rid of them. Any ideas on a better setting for adding email addresses as "unprivileged"? Thanks
>
> Kenn
> LBNL

I have a thought. I don't know whether I will need to override the AutoCreate method or if I can do it all just by passing params from the autohandler auth callback, but it seems reasonable that I should be able to easily allow LDAP users to be autocreated as Privileged, while leaving the default AutoCreation at unprivileged.

This way, by way of a configuration setting that is individual to each ExternalAuth configuration group (LDAP/DBI etc.), you could specify whether to autocreate as privileged or unprivileged, and RT would still retain its own default setting for *other* users.

Do you think this is something you'd want built into the extension?

Opinions welcome.

--
Kind Regards,
___
Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
http://www.jennic.com
Confidential
___
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Stephen,

Yea, yea. But I'm an ADVENTUROUS person! HA! Just kidding.

Actually, I already have done it, but just for two users that I CAREFULLY selected after looking closely at the DB (i.e. USERS, GROUPS, GROUPMEMBERS, CACHEDGROUPMEMBERS, etc.).

First, I got the ids of each duplicate ID (different ids for the same person). Then I went to the ACL table to see which one had rights to tickets, etc. Then I checked what groups those ids were in and checked THEM against the ACL table. Then I searched all tickets that had those IDs as a CC, etc. and removed that reference and replaced it with the correct ID (all using RT) on each ticket. THEN, I went back to the DB and removed the old duplicate IDs from the USER table, the related membership in any GROUP, CACHEDGROUPMEMBERS, GROUPMEMBERS. Then, for each group id that existed ONLY for the dup user IDs, I removed those group records, etc. So far, no problem.

Do you think I missed anything?

Kenn
LBNL

On 4/11/2008 9:59 AM, Stephen Turner wrote:
> At Friday 4/11/2008 12:50 PM, Kenneth Crocker wrote:
>> Mike, Pedro,
>>
>> The problem I'm having with autocreate is that when an email address is added to some correspondence in the CC field, then RT adds the entire email address as a privileged user instead of unprivileged. Once that happens, they show up in a lot of drop-downs for watcher and then I have this unrelated "privileged" email address being offered as a possible USER ID for watchers and many of my regular users don't know which of the two IDs to select for that one person.
>>
>> It gets irritating and now I'm considering using SQL to get rid of them.
>
> Kenn - don't do this!! You'll be sorry. Ruslan's Shredder is the safe way to remove unwanted user accounts.
>
> Steve
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
At Friday 4/11/2008 12:50 PM, Kenneth Crocker wrote:
> Mike, Pedro,
>
> The problem I'm having with autocreate is that when an email address is added to some correspondence in the CC field, then RT adds the entire email address as a privileged user instead of unprivileged. Once that happens, they show up in a lot of drop-downs for watcher and then I have this unrelated "privileged" email address being offered as a possible USER ID for watchers and many of my regular users don't know which of the two IDs to select for that one person.
> It gets irritating and now I'm considering using SQL to get rid of them.

Kenn - don't do this!! You'll be sorry. Ruslan's Shredder is the safe way to remove unwanted user accounts.

Steve
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Mike, Pedro,

We use LDAP as well and the same setting (Set($AutoCreate, {Privileged => 1});) and it works well as far as getting the new user into the DB. All I have to do after that is put them in the appropriate group, then they will HAVE some privileges. We don't grant many GLOBAL privileges, so if someone wants to do something other than reply to email on their own ticket or see their own ticket, they have to be in a group.

The problem I'm having with autocreate is that when an email address is added to some correspondence in the CC field, then RT adds the entire email address as a privileged user instead of unprivileged. Once that happens, they show up in a lot of drop-downs for watcher and then I have this unrelated "privileged" email address being offered as a possible USER ID for watchers and many of my regular users don't know which of the two IDs to select for that one person. It gets irritating and now I'm considering using SQL to get rid of them. Any ideas on a better setting for adding email addresses as "unprivileged"? Thanks

Kenn
LBNL

On 4/11/2008 5:03 AM, Mike Peachey wrote:
> Pedro Lobo S. da Rocha wrote:
>> Right, I think I got it. But there's one thing. When I go to Configuration -> Groups -> "Select one group" -> Members, the auto-created user doesn't appear in the user's list so I can add him as a member. Do you know why this is happening?
>
> I'm guessing that you are not using:
> Set($AutoCreate, {Privileged => 1});
>
> which means that by default your new users are unprivileged.
>
> By default, lists of users in RT only include privileged users. This means that you will need to search for the user and then, in the user's information page, tick the "Allow this user to be granted privileges" box. They should then show up in the groups selection list.
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Pedro Lobo S. da Rocha wrote:
> Right, I think I got it. But there's one thing. When I go to Configuration -> Groups -> "Select one group" -> Members, the auto-created user doesn't appear in the user's list so I can add him as a member. Do you know why this is happening?

I'm guessing that you are not using:

Set($AutoCreate, {Privileged => 1});

which means that by default your new users are unprivileged.

By default, lists of users in RT only include privileged users. This means that you will need to search for the user and then, in the user's information page, tick the "Allow this user to be granted privileges" box. They should then show up in the groups selection list.

--
Kind Regards,
__
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Mike Peachey wrote:
> James Treleaven wrote:
>> The username/password pair that I specified in the script are fine, however.
>
> Everybody!! :
>
> "OH NO IT ISN'T!"
>
>> LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED
>
> This is the error message being returned by Net::LDAP when attempting to bind to your AD server.

I'm feeling nice, so I'm going to code around this in v0.06.

There will be a new config option called AllowExpiredPasswords or similar and, if set to true, it will consider LDAP_PP_PASSWORD_EXPIRED a successful bind, but log a warning that a user with an expired password has logged in.

--
Kind Regards,
__
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Pedro Lobo S. da Rocha wrote:
> Mike,
>
> Another doubt came up. How do I manage permissions for AD users in RT?

You don't really. You need to manually play with the permissions for the users once they have logged in for the first time. I recommend creating a group in RT and setting the relevant permissions on that group and then just add your AD users into that group once they're logged in.

> When I log in with an AD user, which permissions are given to him?

There is one way that I know of to set default permissions for users that get AutoCreated:

Set($AutoCreate, {Privileged => 1});

Which allows you to set whether auto-created users should be privileged (and other settings can go in there too), but I would be careful with it as you will likely find all your users will be "Auto"-Created.. but in any case that setting is not part of my code, it's part of RT and I'm not all that familiar with when/who/why/how/where auto-creating occurs other than ExternalAuth users.

--
Kind Regards,
__
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
James Treleaven wrote:
> The username/password pair that I specified in the script are fine, however.

Everybody!! :

"OH NO IT ISN'T!"

> LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED

This is the error message being returned by Net::LDAP when attempting to bind to your AD server. As per the Net::LDAP documentation:

    LDAP_PP_PASSWORD_EXPIRED
        The account's password has expired.

To be fair, the result code is still a 0 which means it *should* succeed I think, but can't guarantee it. The result you're really looking for is:

    LDAP_SUCCESS
        Operation completed without error

--
Kind Regards,
__
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Mike Peachey wrote:
> Please let me know your results, people!

I have run it twice, once with anonymous binding enabled and once with it disabled. I am afraid I got the same results both times:

The username/password pair that I specified in the script are fine, however. It is my admin usercode, which I used to log into the server and run the Active Directory admin applications.

--
[EMAIL PROTECTED] work]# perl mike.pm
$VAR1 = bless( {
    'parent' => bless( {
        'net_ldap_version' => 3,
        'net_ldap_scheme' => 'ldap',
        'net_ldap_debug' => 0,
        'net_ldap_socket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' ),
        'net_ldap_host' => 'redacted.comalc.com',
        'net_ldap_uri' => 'redacted.comalc.com',
        'net_ldap_resp' => {},
        'net_ldap_mesg' => {},
        'net_ldap_async' => 0,
        'net_ldap_port' => 389,
        'net_ldap_refcnt' => 1
    }, 'Net::LDAP' ),
    'errorMessage' => '',
    'ctrl_hash' => undef,
    'resultCode' => 0,
    'callback' => undef,
    'mesgid' => 1,
    'matchedDN' => '',
    'controls' => undef,
    'raw' => undef
}, 'Net::LDAP::Bind' );

LDAP MESSAGE: LDAP_PP_PASSWORD_EXPIRED
--
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
Pedro Lobo S. da Rocha wrote:
> Mike,
>
> I changed some things in my configuration and it seems almost right. I am now receiving the following log messages:
>
> 18. [Thu Apr 10 17:38:19 2008] [debug]: LDAP Search === Base: dc=DOMAIN,dc=com == Filter: (&(objectclass=*)(sAMAccountName=teste)) == Attrs: uid (/usr/local/share/request-tracker3.6/lib/RT/User_Vendor.pm:890)
> 19. [Thu Apr 10 17:38:19 2008] [info]: DISABLED user teste per External Service (1, Disabled changed from (no value) to "1")
>
> I don't know what's happening at line 19. Do you?

Err... bugger! You've just found a bug. I will fix this tomorrow morning when I get to work.

The problem is that I hadn't programmed for the possibility of there being no d_filter; therefore, if you don't specify a d_filter (disable filter) it will consider ALL of your users disabled instead of none of them. Whoops.

You can fix this temporarily in one of two ways:

1. Specify a disable filter.
2. Edit User_Vendor.pm manually.

HOWTO:

1. Since you're using Active Directory, the simplest way for you to sort this out is to use the Active Directory disable filter, since I doubt there's any reason you would want someone to still be able to access RT if you've set their account to disabled in Active Directory. To do this, add this line to your LDAP settings (add it under 'filter'):

    'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

2. If you want to allow access to RT to users that have been disabled in Active Directory, change line 904 in $RTHOME/local/lib/RT/User_Vendor.pm from this:

    $user_disabled = 1;

to this:

    $user_disabled = 0;

and it will then be overwritten with a fix once I update the code and release v0.06 tomorrow.

P.S. Please join the RT-Users mailing list and then CC rt-users@lists.bestpractical.com in any replies if you can, so that others may benefit.

--
Kind Regards,
___
Mike Peachey, IT
Tel: +44 (0) 114 281 2655
Fax: +44 (0) 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
http://www.jennic.com
Confidential
___
Re: [rt-users] SOLVED? LDAP_INVALID_CREDENTIALS error with 'ExternalAuth' extension
I've been working on this and I think I have the answer (although I know one person has already told me they tried it and it didn't work for them.. perhaps there was some other issue there?).

I used this script to test against my Active Directory servers and found that, if you specify the Windows domain in the "user" field as well as the username, it will not only work with anonymous binding off.. but it should still work with anonymous binding on!

##
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);
use Data::Dumper;

my $ldap_server = 'server';
my $ldap_user   = 'DOMAIN\username';   # single quotes keep the backslash literal
my $ldap_pass   = 'password';
my $ldap_args   = [version => 3];

# Connect, then do a simple bind with the DOMAIN\username form AD accepts
my $ldap = Net::LDAP->new($ldap_server, @$ldap_args)
    or die "Cannot connect to $ldap_server: $@";
my $msg = $ldap->bind($ldap_user, password => $ldap_pass);

print(Dumper($msg));
print("\n");
print("LDAP MESSAGE: ");
print(ldap_error_name($msg->code));
print("\n");
##

To repeat myself.. you SHOULD be able to solve this problem by correctly specifying your username in the full domain\username format as specified by Active Directory.

e.g.
Domain = MYDOMAIN
Username = myaccount

    'user' => 'MYDOMAIN\myaccount',

Also, be careful that you should be using single quotes and therefore ensuring that the backslash isn't interpreted as an escaping character.

Please let me know your results, people!

--
Kind Regards,
__
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__
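The script below is an added example, not code from the ExternalAuth extension or from any message in this thread. It extends Mike's bind test above and the d_filter discussion earlier in the thread into a check a defender can run against their own directory before turning ExternalAuth on: it performs the service bind with a DOMAIN\user account, judges the result by comparing the numeric code with LDAP_SUCCESS (so a successful bind is never misreported by a name lookup that maps 0 to LDAP_PP_PASSWORD_EXPIRED, as James's Dumper output shows), decodes the "data NNN" sub-code Active Directory puts in the diagnostic text of a rejected bind, and then runs the disabled-user search with the semantics the extension intends: no d_filter configured means nobody is disabled. Server, account, password and base DN are placeholders; the AD sub-codes are Active Directory's documented values; `bind_status` and `user_disabled` are this example's own routines, not the extension's User_Vendor.pm code.

```perl
#!/usr/bin/perl
# externalauth_check.pl -- added example; not part of the ExternalAuth
# extension or of any message in this thread. Reproduces the two checks
# discussed above: a service bind with a DOMAIN\user account, and the
# "is this user disabled?" search driven by an optional d_filter.
# Server, account, password and base DN below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Util     qw(ldap_error_name escape_filter_value);

# Settings mirror the ExternalAuth LDAP block; all values are placeholders.
my %cfg = (
    server   => 'ldap.example.invalid',
    user     => 'MYDOMAIN\svc-rt',   # single quotes keep the backslash literal
    pass     => 'CHANGE-ME',
    base     => 'dc=example,dc=invalid',
    attr     => 'sAMAccountName',
    # Active Directory: userAccountControl bit 0x2 = ACCOUNTDISABLE, tested
    # with the bitwise-AND matching rule OID, as in Mike's message above.
    d_filter => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
);

# Active Directory puts the real reason for a rejected bind in the
# diagnostic text ("... data 532 ..."); the result code itself is 49
# (LDAP_INVALID_CREDENTIALS) for all of these. Documented AD sub-codes:
my %ad_reason = (
    '52e' => 'invalid credentials',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Classify a bind result. Compare the numeric code with LDAP_SUCCESS rather
# than trusting ldap_error_name(): Net::LDAP::Constant also defines the
# password-policy enumeration, whose LDAP_PP_PASSWORD_EXPIRED is 0, so the
# name lookup for a successful bind can come back as that string.
sub bind_status {
    my ($mesg) = @_;
    return 'ok' if $mesg->code == LDAP_SUCCESS;
    my $why = ldap_error_name($mesg->code);
    if ($mesg->code == LDAP_INVALID_CREDENTIALS
        && $mesg->error =~ /\bdata\s+([0-9a-f]+)/i) {
        my $sub  = lc $1;
        my $text = exists $ad_reason{$sub} ? $ad_reason{$sub} : 'unknown';
        $why .= " (AD data $sub: $text)";
    }
    return "failed: $why";
}

# Decide whether a user is disabled. With no d_filter configured the answer
# must be "not disabled"; treating an absent filter as a match is the bug
# Mike describes above.
sub user_disabled {
    my ($ldap, $cfg, $username) = @_;
    return 0 unless defined $cfg->{d_filter} && length $cfg->{d_filter};
    my $safe = escape_filter_value($username);  # login name cannot alter the filter
    my $mesg = $ldap->search(
        base   => $cfg->{base},
        scope  => 'sub',
        filter => "(&$cfg->{d_filter}($cfg->{attr}=$safe))",
        attrs  => [ $cfg->{attr} ],
    );
    die 'disable-check search failed: ' . ldap_error_name($mesg->code) . "\n"
        if $mesg->code != LDAP_SUCCESS;
    return $mesg->count ? 1 : 0;
}

my $ldap = Net::LDAP->new($cfg{server}, version => 3)
    or die "cannot connect to $cfg{server}: $@\n";

my $bind = $ldap->bind($cfg{user}, password => $cfg{pass});
print 'service bind: ', bind_status($bind), "\n";
exit 1 if $bind->code != LDAP_SUCCESS;

# Login name to check; 'teste' is the account from Pedro's log lines above.
my $login = @ARGV ? $ARGV[0] : 'teste';
printf "%s is %s\n", $login,
    user_disabled($ldap, \%cfg, $login) ? 'DISABLED' : 'enabled';

$ldap->unbind;
```

Run it as `perl externalauth_check.pl someuser` after replacing the placeholders. Two design points carry over to the extension's configuration: the bind verdict rests on the numeric result code, with the AD sub-code used only to explain a failure in the log, and the login name is passed through escape_filter_value before being spliced into the search filter, so a crafted username cannot change what the disable check matches.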