Admin permissions


#1

Hi all.

I have installed a rt 3.6.7 on a Linux Server. Now the problem is that
authentication is against a LDAP server running on this system. As I
configured the system to use the login on the webaccess as well as login
on the rt I cannot give any admin permissions to anyone.
Which tables of the database have to be configured to give a user/group
admin permissions?

Thank you for your answer.

Best Chris


#2

Doesn�t anybody know howto give a User/Group admin permissions by
editing the mysql database? Do you need more information?

I use the script “rtimportldap.pl” to import groups from ldap into the
mysql database. Now I want to be able to give a certain group admin
permissions. As I cannot login with user root I want to do it directly
in the database.

Best Chris

Christian Forjahn wrote:


#3

http://wiki.bestpractical.com/view/RecoverSuperUserRights

Quoting Christian Forjahn christian.forjahn@collax.com:

Doesn´t anybody know howto give a User/Group admin permissions by
editing the mysql database? Do you need more information?

I use the script “rtimportldap.pl” to import groups from ldap into the
mysql database. Now I want to be able to give a certain group admin
permissions. As I cannot login with user root I want to do it directly
in the database.

Best Chris

Christian Forjahn wrote:

Hi all.

I have installed a rt 3.6.7 on a Linux Server. Now the problem is that
authentication is against a LDAP server running on this system. As I
configured the system to use the login on the webaccess as well as login
on the rt I cannot give any admin permissions to anyone.
Which tables of the database have to be configured to give a user/group
admin permissions?

Thank you for your answer.

Best Chris


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Lawrence McAbee
X-PGP-Fingerprint: 1605 D207 E39D 4D7E 79C4 D65D 3EBC 365E BFA8 CC17


#4

Hi Lawrence.

thanks for your answer. But when I understand correctly this gives
Superuser permissions to the user root. With our system I�m not able to
login as root. There is no apache access for this user. (a little
special system).
can I use the script the same way to give Superuser support to a Systemuser?

Best Chris

Lawrence McAbee wrote:


#5

Thanks a lot.
That works perfectly.

Best Chris

Lawrence McAbee wrote:


#6

the root user you log into RT with is entirely different than the box’s
root user. Following that you can get into RT and assign rights in the
web UI. Editing the database directly = VERY bad

Christian Forjahn wrote:

Hi Lawrence.

thanks for your answer. But when I understand correctly this gives
Superuser permissions to the user root. With our system I�m not able to
login as root. There is no apache access for this user. (a little
special system).
can I use the script the same way to give Superuser support to a Systemuser?

Best Chris

Lawrence McAbee wrote:

http://wiki.bestpractical.com/view/RecoverSuperUserRights

Quoting Christian Forjahn christian.forjahn@collax.com:

Doesn�t anybody know howto give a User/Group admin permissions by
editing the mysql database? Do you need more information?

I use the script “rtimportldap.pl” to import groups from ldap into the
mysql database. Now I want to be able to give a certain group admin
permissions. As I cannot login with user root I want to do it directly
in the database.

Best Chris

Christian Forjahn wrote:

Hi all.

I have installed a rt 3.6.7 on a Linux Server. Now the problem is that
authentication is against a LDAP server running on this system. As I
configured the system to use the login on the webaccess as well as login
on the rt I cannot give any admin permissions to anyone.
Which tables of the database have to be configured to give a user/group
admin permissions?

Thank you for your answer.

Best Chris


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com



http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Drew Barnes
Applications Analyst
Network Resources Department
Raymond Walters College
University of Cincinnati


#7

Drew Barnes wrote:

the root user you log into RT with is entirely different than the box’s
root user. Following that you can get into RT and assign rights in the
web UI. Editing the database directly = VERY bad

You are right. But the authentication is not rt�s authentication. I
login using the ldap server. As root and admin are not in ldap and
cannot be added i have to use a user. rt then uses the users loginname
as authentication method.

Is there a problem using the script to give a user superuser access. My
aim is to have a user that can grant other users/groups permission to
add queues etc.

Best Chris.


#8

Christian,

I could do it in Oracle, if I wanted to take that risk. However, RT 

maintains extremely sensitive and volatile relationships between various
tables to maintain consistency in the way those permissions work
throughout RT that I find it way too risky to mess with permissions on a
DataBase level. I find it easier, in the long term, to let RT do what RT
does best when it comes to keeping it’s own house in order. Also, I’m
not sure if mysql has the same DB tables as Oracle so my list of those
relationships may not help you. Sorry.

Kenn
LBNLOn 7/2/2008 2:07 AM, Christian Forjahn wrote:

Doesn�t anybody know howto give a User/Group admin permissions by
editing the mysql database? Do you need more information?

I use the script “rtimportldap.pl” to import groups from ldap into the
mysql database. Now I want to be able to give a certain group admin
permissions. As I cannot login with user root I want to do it directly
in the database.

Best Chris

Christian Forjahn wrote:

Hi all.

I have installed a rt 3.6.7 on a Linux Server. Now the problem is that
authentication is against a LDAP server running on this system. As I
configured the system to use the login on the webaccess as well as login
on the rt I cannot give any admin permissions to anyone.
Which tables of the database have to be configured to give a user/group
admin permissions?

Thank you for your answer.

Best Chris


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


#9

Kenneth,

I found out that I have to write my own script like “rtimport.pl”. this
script involves a script to give groups SU permissions which is much
better for my needs. As it uses only rt-internal-scripts to edit the
database there should be no harm using it.

As I will also implement a groupmapping and groupsync I will publish it
after being tested. rtimport.pl’s groupsync is no solution for me as every
user found in ldap will be added to every group. What I need is a real
sync between ldap and rt’s database including SU permissions. I think it
should be finished tomorow.

Thanks everyone for the help.

Best Chris


#10

Kenneth,

I found out that I have to write my own script like “rtimport.pl”. this
script involves a script to give groups SU permissions which is much
better for my needs. As it uses only rt-internal-scripts to edit the
database there should be no harm using it.

As I will also implement a groupmapping and groupsync I will publish it
after being tested. rtimport.pl’s groupsync is no solution for me as every
user found in ldap will be added to every group. What I need is a real
sync between ldap and rt’s database including SU permissions. I think it
should be finished tomorow.

Thanks everyone for the help.

Best Chris


#11

Christian Forjahn wrote:

Kenneth,

I found out that I have to write my own script like “rtimport.pl”. this
script involves a script to give groups SU permissions which is much
better for my needs. As it uses only rt-internal-scripts to edit the
database there should be no harm using it.

As I will also implement a groupmapping and groupsync I will publish it
after being tested. rtimport.pl’s groupsync is no solution for me as every
user found in ldap will be added to every group. What I need is a real
sync between ldap and rt’s database including SU permissions. I think it
should be finished tomorow.

Thanks everyone for the help.

Best Chris

would like to take a peek at that when you get it done

thanx


#12

sorry for the late reply. I sent the mail yesterday but it was only sent
to Drew. I didn�t reply to all.

Best Chris

Groupmapping script.

Hi there.

I have just finished the groupmapping script. For you it needs to be
adapted to your needs. It works like this: you have to know the groups
in LDAP that have access to rt3. You have to know the members of these
groups. The groups are added to rt3 if they have the permission.
Otherwise the groups will be disabled. Same way with the Users. Then the
Users will be added to the groups. In the last step admin permissions
are granted to the admin groups.

I hope it helps you too.

Best Chris

ldap_rt_group_sync.pl (3.43 KB)