Re: [rt-users] User Provisioning from AD
On Thu, Aug 27, 2009 at 02:59:03PM -0500, Robert Nesius wrote: Hi Kevin, I finally had time to circle back and work on piloting/configuring RT Quick Recap - I had asked about solutions for bulk-loading identities from LDAP (active directory in my case) into RT so that the users appeared in the system as privileged users. You suggested two things: 1) Setting the flag that makes auto-created users privileged. 2) Using RT-Extension-LDAPImport I've installed RT-Extension-LDAPImport and was reading the README. What jumped out at me is that there is both a script to run (presumably to bulk-load identities) and a plug-in. I was expecting to see a script, but a plugin was unexpected, which lead me to wonder if this module is both a method for importing users from ldap, and an on-the-fly authentication and user-creation tool too? If so, that implies I don't need the 3rd party ldapauth plug-in I already have installed. (I'd rather use a module from Best Practical if I had a choice). Rob Please keep comments on the list rather than in my personal mailbox If you look at the script, it is 23 lines long. The plugin is where the import code is stored and organized, the script is just a wrapper. You still need RT-Authen-ExternalAuth or apache LDAP authentication if you want to validate passwords against an external source -kevin Just trying to make sure I'm understanding things correctly. Thanks much! -Rob On Tue, Aug 18, 2009 at 12:52 PM, Robert Nesius [1]nes...@gmail.com wrote: On Tue, Aug 18, 2009 at 12:50 PM, Kevin Falcone [2]falc...@bestpractical.com wrote: Have you looked at RT-Extension-LDAPImport ? -kevin I had not found my way to it yet! Now that I read the cpan page, that looks very much like what I'm looking for. Thanks so much, Kevin. I'll play with this and see how it goes! ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] User Provisioning from AD
On Fri, Aug 28, 2009 at 7:20 AM, Kevin Falcone falc...@bestpractical.comwrote: On Thu, Aug 27, 2009 at 02:59:03PM -0500, Robert Nesius wrote: I've installed RT-Extension-LDAPImport and was reading the README. What jumped out at me is that there is both a script to run (presumably to bulk-load identities) and a plug-in. I was expecting to see a script, but a plugin was unexpected, which lead me to wonder if this module is both a method for importing users from ldap, and an on-the-fly authentication and user-creation tool too? If so, that implies I don't need the 3rd party ldapauth plug-in I already have installed. (I'd rather use a module from Best Practical if I had a choice). If you look at the script, it is 23 lines long. The plugin is where the import code is stored and organized, the script is just a wrapper. I saw that and I get that the script is a wrapper. What I was wondering is why the import code is stored in a plug-in and loaded as a plug-in, but I think I figured it out. Basically the import code is working against the objects and subsystems in RT, and needs those objects to exist before it's loaded, so you load your import code indirectly via by simply loading the RT runtime via the RT Module, which inspects RT_SiteConfig.pm, initializes the environment, and then eventually loads your plug-in, thus making your code available to your script within the context of a complete RT runtime environment. Okay, so I get that now. Once I configured the script the first thing I wanted to do was test the config. I was extremely surprised to see there is no look before you leap flag. Rather, just a comment advising back up your database first, which has this sense of playing russian roulette with a revolver with no empty cylinders. Having looked at the code I can see some ways to work around that. Not cleanly, since fetch users and load users are sitting inside one api call but it shouldn't be hard to change that. -Rob You still need RT-Authen-ExternalAuth or apache LDAP authentication if you want to validate passwords against an external source -kevin Just trying to make sure I'm understanding things correctly. Thanks much! -Rob On Tue, Aug 18, 2009 at 12:52 PM, Robert Nesius [1]nes...@gmail.com wrote: On Tue, Aug 18, 2009 at 12:50 PM, Kevin Falcone [2] falc...@bestpractical.com wrote: Have you looked at RT-Extension-LDAPImport ? -kevin I had not found my way to it yet! Now that I read the cpan page, that looks very much like what I'm looking for. Thanks so much, Kevin. I'll play with this and see how it goes! ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] User Provisioning from AD
On Mon, Aug 17, 2009 at 04:16:40PM -0500, Robert Nesius wrote: Slight correction: On Mon, Aug 17, 2009 at 12:49 PM, Robert Nesius [1]nes...@gmail.com wrote: I'm looking at deploying RT (running over apache2 on GNU/Linux) into an environment that is windows-centric, and to ease administrative overhead I'd like to use AD for authentication and the provisioning of identities. I've successfully accomplished AD-Authentication a few different ways, but what I'm running into is that the users RT creates based on AD credentials are not privileged within AD. are not privileged within RT. Set($AutoCreate, {Privileged = 1}); in your config -kevin To ease service configuration (Group Creation/Rights Delegation) I'd like to bulk-load identities into RT from AD before rolling out the service, and have a nightly cron catch any new additions/changes (names changing due to state-changes in marital status, etc..). I'm guessing this is a solved problem, but have not stumbled my away across a tool despite numerous google searches. Anyone out there who can point me in the right direction or share their learnings? Thanks very much! -Rob References Visible links 1. mailto:nes...@gmail.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] User Provisioning from AD
On Tue, Aug 18, 2009 at 12:19 PM, Kevin Falcone falc...@bestpractical.comwrote: On Mon, Aug 17, 2009 at 04:16:40PM -0500, Robert Nesius wrote: Slight correction: On Mon, Aug 17, 2009 at 12:49 PM, Robert Nesius [1]nes...@gmail.com wrote: I'm looking at deploying RT (running over apache2 on GNU/Linux) into an environment that is windows-centric, and to ease administrative overhead I'd like to use AD for authentication and the provisioning of identities. I've successfully accomplished AD-Authentication a few different ways, but what I'm running into is that the users RT creates based on AD credentials are not privileged within AD. are not privileged within RT. Set($AutoCreate, {Privileged = 1}); in your config *blink* Thanks!I missed that one. :) Pre-loading users is something I'd still like to do so I can configure groups/queues before rolling out the service. I'll figure something out. -Rob -kevin To ease service configuration (Group Creation/Rights Delegation) I'd like to bulk-load identities into RT from AD before rolling out the service, and have a nightly cron catch any new additions/changes (names changing due to state-changes in marital status, etc..). I'm guessing this is a solved problem, but have not stumbled my away across a tool despite numerous google searches. Anyone out there who can point me in the right direction or share their learnings? Thanks very much! -Rob References Visible links 1. mailto:nes...@gmail.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] User Provisioning from AD
On Tue, Aug 18, 2009 at 12:31:21PM -0500, Robert Nesius wrote: On Tue, Aug 18, 2009 at 12:19 PM, Kevin Falcone [1]falc...@bestpractical.com wrote: On Mon, Aug 17, 2009 at 04:16:40PM -0500, Robert Nesius wrote: Slight correction: On Mon, Aug 17, 2009 at 12:49 PM, Robert Nesius [1][2]nes...@gmail.com wrote: I'm looking at deploying RT (running over apache2 on GNU/Linux) into an environment that is windows-centric, and to ease administrative overhead I'd like to use AD for authentication and the provisioning of identities. I've successfully accomplished AD-Authentication a few different ways, but what I'm running into is that the users RT creates based on AD credentials are not privileged within AD. are not privileged within RT. Set($AutoCreate, {Privileged = 1}); in your config *blink* Thanks! I missed that one. :) Pre-loading users is something I'd still like to do so I can configure groups/queues before rolling out the service. I'll figure something out. Have you looked at RT-Extension-LDAPImport ? -kevin To ease service configuration (Group Creation/Rights Delegation) I'd like to bulk-load identities into RT from AD before rolling out the service, and have a nightly cron catch any new additions/changes (names changing due to state-changes in marital status, etc..). I'm guessing this is a solved problem, but have not stumbled my away across a tool despite numerous google searches. Anyone out there who can point me in the right direction or share their learnings? Thanks very much! -Rob References Visible links 1. mailto:[3]nes...@gmail.com ___ [4]http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: [5]http://wiki.bestpractical.com Commercial support: [6]sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at [7]http://rtbook.bestpractical.com ___ [8]http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: [9]http://wiki.bestpractical.com Commercial support: [10]sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at [11]http://rtbook.bestpractical.com References Visible links 1. mailto:falc...@bestpractical.com 2. mailto:nes...@gmail.com 3. mailto:nes...@gmail.com 4. http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users 5. http://wiki.bestpractical.com/ 6. mailto:sa...@bestpractical.com 7. http://rtbook.bestpractical.com/ 8. http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users 9. http://wiki.bestpractical.com/ 10. mailto:sa...@bestpractical.com 11. http://rtbook.bestpractical.com/ ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] User Provisioning from AD
On Tue, Aug 18, 2009 at 12:50 PM, Kevin Falcone falc...@bestpractical.comwrote: Have you looked at RT-Extension-LDAPImport ? -kevin I had not found my way to it yet! Now that I read the cpan page, that looks very much like what I'm looking for. Thanks so much, Kevin. I'll play with this and see how it goes! -Rob ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
[rt-users] User Provisioning from AD
I'm looking at deploying RT (running over apache2 on GNU/Linux) into an environment that is windows-centric, and to ease administrative overhead I'd like to use AD for authentication and the provisioning of identities. I've successfully accomplished AD-Authentication a few different ways, but what I'm running into is that the users RT creates based on AD credentials are not privileged within AD. To ease service configuration (Group Creation/Rights Delegation) I'd like to bulk-load identities into RT from AD before rolling out the service, and have a nightly cron catch any new additions/changes (names changing due to state-changes in marital status, etc..). I'm guessing this is a solved problem, but have not stumbled my away across a tool despite numerous google searches. Anyone out there who can point me in the right direction or share their learnings? Thanks very much! -Rob ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com