Re: [rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup

2011-06-10 Thread Kevin Falcone
On Thu, Jun 09, 2011 at 09:57:49PM +0700, Ivan Shmakov wrote:
>   I was able to successfully configure RT and Apache to use
>   Kerberos for authentication, roughly as shown below.  However,
>   now I'm somewhat concerned about the lack of authentication in
>   rt-mailgate(1) (Debian Bug#615890 [1].)  Somehow, I feel that
>   this issue could be resolved easily, and wonder if anyone's
>   interested?

We'd certainly consider patches.

>   Also, I wonder, is it possible to make RT refer to LDAP for
>   certain information (like: login name, real name, e-mail, etc.)
>   about its users?  It could easily become a painful experience to
>   either synchronize the RT user database with LDAP, or to
>   maintain the information in both of the places simultaneously.

Sounds like you want RT-Extension-LDAPImport.

>   Additionally, I have set up an Unprivileged “guest” account.
>   However, this configuration results in the user being presented
>   with a somewhat “limited” Web interface (in particular, it lacks
>   the Search facility.)  Should I make this account Privileged
>   instead, or is there another easy way of setting up a
>   “read-only” account with the Search facility being active?

If you want the advanced search, you want a Privileged user.
Unprivileged users are only going to see tickets that they're the
Requestor of.

-kevin




Re: [rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup

2011-06-10 Thread Ivan Shmakov
> Kevin Falcone  writes:
> On Thu, Jun 09, 2011 at 09:57:49PM +0700, Ivan Shmakov wrote:

[…]

 >> Also, I wonder, is it possible to make RT refer to LDAP for
 >> certain information (like: login name, real name, e-mail, etc.)
 >> about its users?  It could easily become a painful experience to
 >> either synchronize the RT user database with LDAP, or to
 >> maintain the information in both of the places simultaneously.

 > Sounds like you want RT-Extension-LDAPImport.

I'll check it, thanks.

 >> Additionally, I have set up an Unprivileged “guest” account.
 >> However, this configuration results in the user being presented with
 >> a somewhat “limited” Web interface (in particular, it lacks the
 >> Search facility.)  Should I make this account Privileged instead, or
 >> is there another easy way of setting up a “read-only” account with
 >> the Search facility being active?

 > If you want the advanced search, you want a Privileged user.

Is it merely a limitation of the implementation, or something
deeper?

The inconvenience of setting up a Privileged guest account is
that it will be necessary to maintain a separate group, whose
members (which are all the Privileged users except the guest
account) are actually granted “write access” to the tickets.
With guest account now being Unprivileged, the Privileged group
fulfills this role.

 > Unprivileged users are only going to see tickets that they're the
 > Requestor of.

Apparently, it's not the case: I was able to see all the tickets
belonging to the queues for which Everyone is granted SeeQueue
and ShowTicket permissions.  (RT 3.8.8 debian 7.)

-- 
FSF associate member #7257



Re: [rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup

2011-06-13 Thread Kevin Falcone
On Fri, Jun 10, 2011 at 10:35:02PM +0700, Ivan Shmakov wrote:
> > Kevin Falcone  writes:
>  > If you want the advanced search, you want a Privileged user.
> 
>   Is it merely a limitation of the implementation, or something
>   deeper?

I'm afraid I don't understand your question.  Unprivileged users have
no access to the Query Builder interface, and I'm not sure what level
of effort would be required to make it so.

>   The inconvenience of setting up a Privileged guest account is
>   that it will be necessary to maintain a separate group, whose
>   members (which are all the Privileged users except the guest
>   account) are actually granted “write access” to the tickets.
>   With guest account now being Unprivileged, the Privileged group
>   fulfills this role.
> 
>  > Unprivileged users are only going to see tickets that they're the
>  > Requestor of.
> 
>   Apparently, it's not the case: I was able to see all the tickets
>   belonging to the queues for which Everyone is granted SeeQueue
>   and ShowTicket permissions.  (RT 3.8.8 debian 7.)

If you grant them ShowTicket globally, then anyone can see any ticket
if they can log into the system.

Unprivileged user dashboards only search for tickets where they are
watchers.

Granting Everyone ShowTicket is almost never the rights configuration
you want.

-kevin

