Automatically Set "Let this user be granted rights"

Hello,

I am using RT 4.0.2, which is stable in Debian Squeeze.

I have external auth set to authenticate against AD. The problem I’m running into is that people who are logging in with AD accounts do not have the “Let this user be granted rights” box automatically checked, and therefore, they are not getting the permissions that I have set to the everyone group.

I have set up the everyone group as per the docs so that they should be able to create tickets and to search for tickets for which they are the requestor. As it stands right now, AD users log in, and they cannot do either (can’t do anything, really).

In order to check this box, an AD user must first log in. We have many end-users working 24/7 on 5 different shifts; there is no way to coordinate this, so I really need the system to just allow an AD user to inherit the permissions of the everyone group upon first login.

How can this be achieved?

Thank you.

-Chris

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
http://www.experi-metal.com/


DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S. Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

Hi Jon,

Thank you for that. I see what this is doing… a little different than I was thinking, but it sounds like it will work for me.

I did not see a package for debian wheezy to install this (I know I said squeeze… my mistake!). So I installed using CPAN, though I am no perl guru by any stretch.

I think it is because of this that I’m running into the following error. This is what happens when I run: /usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/bin/rtldapimport --debug

Can't locate RT/Extension/LDAPImport.pm in @INC (@INC contains: /usr/local/share/request-tracker4/lib /usr/share/request-tracker4/lib /usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/ /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at /usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/bin/rtldapimport line 28.
BEGIN failed--compilation aborted at /usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/bin/rtldapimport line 28.

So I try to force the path by doing:
PERL5LIB=/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/ /usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/bin/rtldapimport -debug

Which doesn’t work any better.

Any idea on how to fix this? Thank you.

-Chris


Hello again,

I’m afraid I’m experiencing a problem now. The import worked, and I have everyone with an account showing up in RT, and the “Let this user be granted rights” checkbox is checked as it should…

BUT

Now I’m finding that any account imported does not work - that is, they cannot log in. In the log files I see this line:

“[Fri Apr 4 13:21:07 2014] [error]: Couldn’t create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)”

So all the users are there, but they cannot log in. Curiously, the few users I used as test accounts for external auth do work, but anyone who was imported, and has never logged in prior to the import, cannot log in.

What can I do to address this?

Thanks.

-Chris

From: Jon Witts [mailto:jwitts@queenmargarets.com]
Sent: Wednesday, March 26, 2014 4:43 AM
To: Chris Ditri
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Good to hear Chris.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: http://www.queenmargarets.com/

From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 24 March 2014 21:25
To: Jon Witts
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Thanks Jon, this works for me.

From: Jon Witts [mailto:jwitts@queenmargarets.com]
Sent: Wednesday, March 19, 2014 7:42 PM
To: Chris Ditri
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Try looking at the LDAP Import plugin (RT::Extension::LDAPImport - Import Users from an LDAP store - metacpan.org); it will let you set imported users as privileged as well as add them to a group of their own.

Jon

Hi again,

OK… I found this
https://docs.bullardisd.net/public/helpdesk/rt.html

Which isn’t a help per se, but it did give me an idea. When a user that was imported by ldapimport tries to log in, the login fails, and the logs say “Couldn’t create user xyz: email address in use”. So, I wiped the email address from the imported user - and suddenly, the user can log in… Or so I thought. Instead, what is happening is that it is creating a second user with the same name! And, we have come full circle, because the 2nd instance of the user is not privileged.

So, I have a whole slew of accounts now imported from ldap/Active Directory, and they are now only debris in my way. I’m really wondering if running that script in the first place was the way to go… Because even though everyone on the network now has a user, the system seems to insist upon creating them a new account. All the accounts seem to have imported - but they are not usable.

Is there something I need to turn off in RT that says “Stop making new accounts when one already exists” or something? What can I do to fix this? Can I/should I delete all the imported accounts?

Thanks.

-Chris

Can you post your config for LDAPImport and for ExternalAuth, as this should not be happening; at least it does not happen with my install?

Obviously remove your passwords etc…

Jon

Director of Digital Strategy
Queen Margaret’s School
01904 727600

http://www.queenmargarets.com

Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {
    Name         => 'uid',   # required
    EmailAddress => 'mail',
    RealName     => 'cn',
    WorkPhone    => 'telephoneNumber',
    Organization => 'departmentName',
});
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_SSO_Cookie'
                           ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
                           ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {    # AN EXAMPLE DB SERVICE
    'My_LDAP' => {          ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'majorlycrypticpw',

        # The LDAP search base
        'base'   => 'ou=QZXW USERS,dc=my-company,dc=com',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'   => '(&)',  ## (I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls'         => 1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    },
});

1;
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance@my-company.com');
Set($CommentAddress , 'maintenance@my-company.com');
Set($RTAddressRegexp , '^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');

Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log

my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}
1;

Hi there,

I can only see you setting the ExternalAuth plugin there, not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Also you are setting $ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined (‘My_SSO_Cookie’, ‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid'

To:
Set($LDAPMapping, {Name => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: www.queenmargarets.comhttp://www.queenmargarets.com/From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 07 April 2014 22:20
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, ‘rt.my-company.com’);
Set($LDAPHost, ‘QZXW-dc.my-company.com’);
Set($LDAPUser, ‘cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com’);
Set($LDAPPassword, ‘MyPW1234’);
Set($LDAPBase, ‘ou=QZXW Users,dc=my-company,dc=com’);
Set($LDAPFilter, ‘(&)’);
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => ‘uid’, # required
EmailAddress => ‘mail’,
RealName => ‘cn’,
WorkPhone => ‘telephoneNumber’,
Organization => ‘departmentName’});
Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_SSO_Cookie’
]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ ‘My_LDAP’
]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,[‘My_LDAP’,‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’]);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
‘My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
‘server’ => ‘QZXW-dc.my-company.com’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
‘user’ => ‘joeadmin@my-company.com’,

                                                    # The password RT should use to connect to the LDAP server
                                                    'pass'                    =>  'majorlycrypticpw',

                                                    # The LDAP search base
                                                    'base'                      =>  'ou=QZXW USERS,dc=my-company,dc=com',
                                                    # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                    # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                    # The filter to use to match RT-Users
                                                    'filter'                    =>  '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
                                                    # A catch-all example filter: '(objectClass=*)'
                                                    # The filter that will only match disabled users
                                                    'd_filter'                  =>  '',
                                                    # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                    # Should we try to use TLS to encrypt connections?
                                                    'tls'                       =>  1,
                                                    # SSL Version to provide to Net::SSLeay *if* using SSL
                                                    'ssl_version'               =>  3,
                                                    # What other args should I pass to Net::LDAP->new($host,@args)?
                                                    'net_ldap_args'             => [    version =>  3   ],
                                                    # Does authentication depend on group membership? What group name?
                                                    # What is the attribute for the group object that determines membership?
                                                    # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
                                                    ## RT ATTRIBUTE MATCHING SECTION
                                                    # The list of RT attributes that uniquely identify a user
                                                    # This example shows what you *can* specify.. I recommend reducing this
                                                    # to just the Name and EmailAddress to save encountering problems later.
                                                    'attr_match_list'           => [    'Name',
                                                                                        'EmailAddress',
                                                                                        'RealName',
                                                                                        'WorkPhone',
                                                                                        'Address2'
                                                                                    ],
                                                    # The mapping of RT attributes on to LDAP attributes
                                                    'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                        'EmailAddress' => 'mail',
                                                                                        'Organization' => 'physicalDeliveryOfficeName',
                                                                                        'RealName' => 'cn',
                                                                                        'ExternalAuthId' => 'sAMAccountName',
                                                                                        'Gecos' => 'sAMAccountName',
                                                                                        'WorkPhone' => 'telephoneNumber',
                                                                                        'Address1' => 'streetAddress',
                                                                                        'City' => 'l',
                                                                                        'State' => 'st',
                                                                                        'Zip' => 'postalCode',
                                                                                        'Country' => 'co'
                                                                                    }
                                                },
                            }

);

1;
my $zone = “UTC”;
$zone=/bin/cat /etc/timezone
if -f “/etc/timezone”;
chomp $zone;
Set($Timezone, $zone);

Set($rtname, ‘rt.my-company.com’);
Set($Organization, ‘RT.my-company.com’);

Set($CorrespondAddress , ‘maintenance@my-company.com’);
Set($CommentAddress , ‘maintenance@my-company.com’);
Set($RTAddressRegexp , ‘^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$’);

Set($WebPath , “/rt”);
Set($WebBaseURL , “http://rt.my-company.com”);

Set($LogToSyslog , ‘debug’);
Set($LogToScreen , ‘info’);

Set($LogToFile , ‘debug’); #debug is very noisy
Set($LogDir, ‘/var/log/request-tracker4’);
Set($LogToFileNamed , “rt.log”); #log to rt.log

my %typemap = (
mysql => ‘mysql’,
pgsql => ‘Pg’,
sqlite3 => ‘SQLite’,
);

Set($DatabaseType, $typemap{mysql} || “UNKNOWN”);

Set($DatabaseHost, ‘localhost’);
Set($DatabasePort, ‘’);

Set($DatabaseUser , ‘rtuser’);
Set($DatabasePassword , ‘QZXWBuild07’);

my $dbc_dbname = ‘rtdb’; if ( “mysql” eq “sqlite3” ) { Set ($DatabaseName, ‘’ . ‘/’ . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
1;
Spam - www.smoothwall.nethttp://www.smoothwall.net/

DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S. Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net
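The opening question's real blocker is the Privileged flag: "Let this user be granted rights" on a user's admin page is that flag, and ExternalAuth creates users at first login without it. For accounts that have already been created that way, the flag can be set afterwards from RT's own Perl API instead of clicking through each user. The script below is an added example, not code from the thread or from RT; it assumes Debian's RT 4 layout (/usr/share/request-tracker4/lib, the path that appears in the FAILED LOGIN line later in the thread) and that ExternalAuthId is populated for directory users, as the posted attr_map does with sAMAccountName.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from RT): grant "Let this user be
# granted rights" (the Privileged flag) to users that ExternalAuth has
# already auto-created unprivileged.  Assumes Debian's RT 4 layout; run as
# the RT web user (www-data) so RT_SiteConfig.pm and the DB are readable.
# Without --apply it only reports what it would change.
use strict;
use warnings;
use lib '/usr/share/request-tracker4/lib';    # Debian path; adjust elsewhere
use RT;

RT::LoadConfig();    # reads /etc/request-tracker4/RT_SiteConfig.pm
RT::Init();

my $apply = grep { $_ eq '--apply' } @ARGV;

# Start from the Unprivileged system group; disabled users are excluded
# by default.
my $users = RT::Users->new( RT->SystemUser );
$users->LimitToUnprivileged;

my ( $changed, $skipped ) = ( 0, 0 );
while ( my $user = $users->Next ) {
    # Only accounts that came from the directory: ExternalAuth fills
    # ExternalAuthId from attr_map (sAMAccountName in the posted config).
    # Nobody, mail-created requestors and local accounts have it empty
    # and are left alone, so this never widens access beyond AD users.
    unless ( $user->ExternalAuthId ) {
        $skipped++;
        next;
    }
    if ( !$apply ) {
        printf "would privilege %s <%s>\n", $user->Name, $user->EmailAddress || '';
        $changed++;
        next;
    }
    my ( $ok, $msg ) = $user->SetPrivileged(1);
    if ($ok) {
        $changed++;
        printf "privileged %s\n", $user->Name;
    }
    else {
        $skipped++;
        warn sprintf "%s: %s\n", $user->Name, $msg;
    }
}
printf "%d %s, %d skipped\n", $changed, ( $apply ? 'changed' : 'would change' ), $skipped;
```

Run it once without --apply and read the list first: with a match-everything ExternalAuth filter such as '(&)', any object under the base DN that has managed to bind shows up here, which is one more reason to scope that filter to person objects before granting rights in bulk.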

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Doesn't work. I need the "Set(@Plugins..." part.

The interesting thing is that when I do not have "Set(@Plugins, qw(RT::Extension::LDAPImport));" in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is "FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)". Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 3:53 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Also you are setting $ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle', 'SecondaryLDAP', 'Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid',

To:
Set($LDAPMapping, {Name => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: http://www.queenmargarets.com/

From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 07 April 2014 22:20
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => 'uid', # required
                   EmailAddress => 'mail',
                   RealName => 'cn',
                   WorkPhone => 'telephoneNumber',
                   Organization => 'departmentName'});
Set($ExternalAuthPriority, [ 'My_LDAP',
                             'My_SSO_Cookie'
                           ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
                           ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'   => 'ldap',
        # The server hosting the service
        'server' => 'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user'   => 'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass'   => 'majorlycrypticpw',
        # The LDAP search base
        'base'   => 'ou=QZXW USERS,dc=my-company,dc=com',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'   => '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name'           => 'sAMAccountName',
                        'EmailAddress'   => 'mail',
                        'Organization'   => 'physicalDeliveryOfficeName',
                        'RealName'       => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos'          => 'sAMAccountName',
                        'WorkPhone'      => 'telephoneNumber',
                        'Address1'       => 'streetAddress',
                        'City'           => 'l',
                        'State'          => 'st',
                        'Zip'            => 'postalCode',
                        'Country'        => 'co'
                      }
    },
});

1;
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance@my-company.com');
Set($CommentAddress , 'maintenance@my-company.com');
# Dots escaped so the pattern matches a literal "." rather than any character
Set($RTAddressRegexp , '^maintenance(-comment)?@(maintenance|rt)\.(my-company\.com|rt\.my-company\.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');

Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log

my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb'; if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName, '' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
1;

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
RT::Authen::ExternalAuth
RT::Extension::LDAPImport
) );

As per the doc on the wiki here: http://requesttracker.wikia.com/wiki/SiteConfig

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: http://www.queenmargarets.com/
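Pulling Jon's points together (both plugins loaded, a single $ExternalAuthPriority naming only services that exist in $ExternalSettings, sAMAccountName instead of uid, a DN for the bind account, $LDAPSizeLimit for AD) into one RT_SiteConfig.pm fragment. This is an added example, not the thread's config and not anything shipped with RT::Authen::ExternalAuth or RT::Extension::LDAPImport; the service account "rtldap", the "RT-Users" group and its "ou=Groups" container are assumptions, and the filters are the usual AD ones for person objects and for the ACCOUNTDISABLE bit. It also closes the two gaps the posted config leaves open: an empty d_filter, and users imported or auto-created unprivileged, which is exactly what leaves "Let this user be granted rights" unset. Any real bind, database or admin password that went out in a list post should be treated as disclosed and rotated.

```perl
# RT_SiteConfig.pm fragment: added example, not the thread's config nor
# anything shipped with ExternalAuth or LDAPImport.  Assumed names: bind
# account "rtldap" (read-only, not a domain admin) and group "RT-Users"
# under an "ou=Groups" container.  Keep it in one file: Debian requires
# each RT_SiteConfig.d file separately, so the "my" variables below do
# not cross files.

Set( @Plugins, qw(
    RT::Authen::ExternalAuth
    RT::Extension::LDAPImport
) );

# Exactly one definition, naming only services defined in $ExternalSettings.
Set( $ExternalAuthPriority, [ 'My_LDAP' ] );
Set( $ExternalInfoPriority, [ 'My_LDAP' ] );
Set( $AutoCreateNonExternalUsers, 0 );
Set( $ExternalServiceUsesSSLorTLS, 1 );   # must agree with 'tls' => 1 below

my $bind_dn   = 'cn=rtldap,ou=utility,ou=QZXW Users,dc=my-company,dc=com';   # assumption
my $bind_pw   = 'replace-me';                                                # assumption
my $user_base = 'ou=QZXW Users,dc=my-company,dc=com';
my $rt_group  = 'cn=RT-Users,ou=Groups,dc=my-company,dc=com';                # assumption

Set( $ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'QZXW-dc.my-company.com',
        'user'   => $bind_dn,
        'pass'   => $bind_pw,
        'base'   => $user_base,
        # Real user objects only, instead of the match-everything '(&)'.
        'filter'   => '(&(objectCategory=person)(objectClass=user))',
        # Disabled accounts: userAccountControl has the ACCOUNTDISABLE bit (2)
        # set, tested with AD's bitwise-AND matching rule (OID ...1.4.803).
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Only members of one AD group may log in at all.
        'group'            => $rt_group,
        'group_attr'       => 'member',
        'group_attr_value' => 'dn',
        # StartTLS on 389; no ssl_version pin.
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],
        # Match on stable identifiers only; cn and phone numbers change.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
} );

# LDAPImport: same server, same scope, and create users privileged so
# "Let this user be granted rights" is already set before first login.
Set( $LDAPHost,     'QZXW-dc.my-company.com' );
Set( $LDAPUser,     $bind_dn );
Set( $LDAPPassword, $bind_pw );
Set( $LDAPBase,     $user_base );
Set( $LDAPFilter,   "(&(objectCategory=person)(objectClass=user)(memberOf=$rt_group))" );
Set( $LDAPMapping, {
    Name           => 'sAMAccountName',    # AD has no 'uid'
    EmailAddress   => 'mail',
    RealName       => 'cn',
    WorkPhone      => 'telephoneNumber',
    Organization   => 'department',        # 'departmentName' is not a standard AD attribute
    ExternalAuthId => 'sAMAccountName',
} );
Set( $LDAPCreatePrivileged, 1 );
Set( $LDAPUpdateUsers,      1 );
Set( $LDAPSizeLimit,        1000 );        # AD's default page size
```

Run the extension's rt-ldapimport script with --import once after enabling this (and from cron afterwards) so every AD account exists in RT as a privileged user before its first login. On the password question raised in the thread: LDAPImport copies no password hashes, and ExternalAuth never stores one either; each login is a bind against the domain controller with the password the user typed, so a bare "FAILED LOGIN" with nothing else at debug level points at the directory side (bind account, base DN, TLS handshake) rather than at RT's local password column. Newer ExternalAuth releases also accept Set($AutoCreate, { Privileged => 1 }) for users it creates at login; that option name is an assumption here, not something the thread confirms, so check the POD of the installed version before relying on it.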

Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon

Director of Digital Strategy

Queen Margaret’s School

01904 727600

http://www.queenmargarets.com

From: Chris Ditri [Cditri@experi-metal.com]

Sent: 08 April 2014 6:35 PM

To: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

4.0.7 – it is what is stable on Debian Wheezy.

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 12:11 PM

To: rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
RT::Authen::ExternalAuth

RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 08 April 2014 14:46

To:
rt-users@lists.bestpractical.com

Cc: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( “RT::Authen::ExternalAuth” );
Plugin( “RT::Extension::LDAPImport” );

Doesn’t work. I need the “Set(@Plugins…” part.

The interesting thing is that when I do not have “Set(@Plugins, qw(RT::Extension::LDAPImport));” in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is “FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)”. Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From:

rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 3:53 AM

To:
rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( “RT::Authen::ExternalAuth” );
Plugin( “RT::Extension::LDAPImport” );

Also you are setting
$ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined (‘My_SSO_Cookie’, ‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ ‘My_LDAP’,
]
);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => ‘uid’

To:
Set($LDAPMapping, {Name => ‘sAMAccountName’,

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 07 April 2014 22:20

To: Jon Witts;
rt-users@lists.bestpractical.com

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => 'uid', # required
    EmailAddress => 'mail',
    RealName => 'cn',
    WorkPhone => 'telephoneNumber',
    Organization => 'departmentName'});
Set($ExternalAuthPriority, [ 'My_LDAP',
    'My_SSO_Cookie'
    ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
    ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass' => 'majorlycrypticpw',
        # The LDAP search base
        'base' => 'ou=QZXW USERS,dc=my-company,dc=com',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(&)',  ## (I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'Organization' => 'physicalDeliveryOfficeName',
                        'RealName' => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName',
                        'WorkPhone' => 'telephoneNumber',
                        'Address1' => 'streetAddress',
                        'City' => 'l',
                        'State' => 'st',
                        'Zip' => 'postalCode',
                        'Country' => 'co'
                      }
    },
}
);

1;
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance@my-company.com');
Set($CommentAddress , 'maintenance@my-company.com');
Set($RTAddressRegexp , '^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');

Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log

my %typemap = (
    mysql => 'mysql',
    pgsql => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName, '' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
1;

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

This email has been processed by Smoothwall Anti-Spam -

DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed
and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality
marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

This email has been processed by Smoothwall Anti-Spam -

DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential
information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or
nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net
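The mapping change Jon suggests above rests on a property of AD that is worth confirming from an LDIF export before changing RT: AD user objects carry sAMAccountName, and uid is normally not populated, so a $LDAPMapping keyed on uid matches nobody. The script below is an added example, not code from the thread or from Best Practical. It runs against a constructed LDIF (DNs, accounts and addresses are made up to echo the thread) and reports how many entries carry each candidate Name attribute, which mail values are shared by more than one entry (RT keeps EmailAddress unique, so a second account with the same address cannot be created), and which accounts have the ACCOUNTDISABLE bit set in userAccountControl, the entries the usual AD d_filter (userAccountControl:1.2.840.113556.1.4.803:=2) selects and that the posted config's empty d_filter never marks. The commented ldapsearch line shows how to produce such an export from the DC named in the posted config, with paging because AD returns at most 1000 entries per page by default (the reason behind the $LDAPSizeLimit suggestion) and with StartTLS so the bind password is not sent in the clear.

```shell
#!/bin/sh
# Added example (not from the thread or from Best Practical): sanity-check an
# LDIF export of the RT user OU before wiring it into ExternalAuth/LDAPImport.
#
# To produce a real export from the DC in the posted config, paged so that
# more than 1000 entries come back (AD's default MaxPageSize), over StartTLS:
#   ldapsearch -x -ZZ -H ldap://QZXW-dc.my-company.com \
#     -D 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com' -W \
#     -b 'ou=QZXW Users,dc=my-company,dc=com' -E pr=1000/noprompt \
#     '(objectClass=user)' uid sAMAccountName mail userAccountControl > users.ldif
# Below, a constructed LDIF stands in for users.ldif; names and addresses are made up.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=J. Jameson,OU=QZXW Users,DC=my-company,DC=com
sAMAccountName: jjjameson
mail: jjjameson@my-company.com
userAccountControl: 512

dn: CN=J. Jameson (old account),OU=QZXW Users,DC=my-company,DC=com
sAMAccountName: jjameson
mail: jjjameson@my-company.com
userAccountControl: 514

dn: CN=rtuser,OU=utility,OU=QZXW Users,DC=my-company,DC=com
sAMAccountName: rtuser
userAccountControl: 66048
EOF
)

# How many entries carry a given attribute. On AD, uid is normally 0 while
# sAMAccountName equals the entry count, so Name => 'uid' can never match.
ldif_attr_count() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        index($0, attr ": ") == 1 { n++ }
        END { print n + 0 }'
}

# mail values that appear in more than one entry. RT keeps EmailAddress
# unique, so two directory accounts sharing one address means the second
# one to log in fails with "Couldn't create user ...: Email address in use".
ldif_duplicate_mail() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
        {
            for (i = 1; i <= NF; i++)
                if (index($i, "mail: ") == 1) seen[tolower(substr($i, 7))]++
        }
        END { for (m in seen) if (seen[m] > 1) print m }' | sort
}

# Accounts with the ACCOUNTDISABLE bit (0x2) set in userAccountControl: the
# entries an AD d_filter of (userAccountControl:1.2.840.113556.1.4.803:=2)
# would report as disabled. POSIX awk has no bitwise AND, so the bit is
# tested by integer division.
ldif_disabled_accounts() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
        {
            name = ""; uac = 0
            for (i = 1; i <= NF; i++) {
                if (index($i, "sAMAccountName: ") == 1) name = substr($i, 17)
                if (index($i, "userAccountControl: ") == 1) uac = substr($i, 21) + 0
            }
            if (name != "" && int(uac / 2) % 2 == 1) print name
        }' | sort
}

ldif_report() {
    echo "entries with uid:            $(ldif_attr_count "$1" uid)"
    echo "entries with sAMAccountName: $(ldif_attr_count "$1" sAMAccountName)"
    echo "mail values shared by more than one entry:"
    ldif_duplicate_mail "$1" | sed 's/^/  /'
    echo "disabled accounts (userAccountControl bit 0x2 set):"
    ldif_disabled_accounts "$1" | sed 's/^/  /'
}

ldif_report "$SAMPLE_LDIF"
```

Against a real export, replace the constructed sample with `ldif_report "$(cat users.ldif)"`. A non-zero duplicate list is the first thing to resolve: either merge the directory accounts or rename the pre-existing RT user so that its Name matches the AD logon name, otherwise ExternalAuth will keep trying to create a second user with the same address.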

Hi Jon,

It still is not working. It is, once again, complaining that the email exists already.
[error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)

I don’t understand it… It doesn’t seem to matter if I use uid, or sAMAccountName either.

-Chris

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981

Connect with Us!

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon

Director of Digital Strategy
Queen Margaret’s School
01904 727600

From: Chris Ditri [Cditri@experi-metal.com]
Sent: 08 April 2014 6:35 PM
To: Jon Witts
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"

4.0.7 - it is what is stable on debian Wheezy.

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981

Connect with Us!

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 12:11 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
    RT::Authen::ExternalAuth
    RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 08 April 2014 14:46
To: rt-users@lists.bestpractical.com
Cc: Jon Witts
Subject: RE: [rt-users] Automatically Set "Let this user be granted rights"

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Doesn’t work. I need the “Set(@Plugins…” part.

The interesting thing is that when I do not have “Set(@Plugins, qw(RT::Extension::LDAPImport));” in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is “FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)”. Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 3:53 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set "Let this user be granted rights"

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Also you are setting $ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle', 'SecondaryLDAP', 'Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP' ]);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid'

To:
Set($LDAPMapping, {Name => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:


RT Training - Dallas May 20-21
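Chris's observation in the message above, that with LDAPImport loaded rt.log shows nothing but "FAILED LOGIN for ..." lines, is the kind of thing worth scripting, because the same log also has to be watched for password guessing against the web login. The following is an added example, not part of the thread or of RT. Its log lines are constructed in the shape of RT's log output to mirror the two messages quoted in the thread, with made-up source addresses. It counts failures per account and source, pairs each account's failures with the last "Couldn't create user" reason logged for that account (so a failure caused by the e-mail collision is told apart from a wrong password), and flags sources at or above a failure threshold.

```shell
#!/bin/sh
# Added example (not from the thread or from RT): summarise login failures in
# rt.log and attach the logged reason when a failure followed a user-creation
# error. The lines below are constructed to mirror the two messages quoted in
# the thread; the source addresses are made up (RFC 5737 documentation range).
SAMPLE_LOG=$(cat <<'EOF'
[Tue Apr  8 13:32:10 2014] [error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Tue Apr  8 13:32:10 2014] [error]: FAILED LOGIN for jjjameson from 192.0.2.10 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:35:41 2014] [error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Tue Apr  8 13:35:41 2014] [error]: FAILED LOGIN for jjjameson from 192.0.2.10 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:40:02 2014] [error]: FAILED LOGIN for root from 192.0.2.77 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:40:03 2014] [error]: FAILED LOGIN for root from 192.0.2.77 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:40:03 2014] [error]: FAILED LOGIN for root from 192.0.2.77 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:40:04 2014] [error]: FAILED LOGIN for root from 192.0.2.77 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Tue Apr  8 13:40:05 2014] [error]: FAILED LOGIN for root from 192.0.2.77 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
EOF
)

# "<count> <user> <source>" for every FAILED LOGIN pair, most frequent first.
failed_logins() {
    printf '%s\n' "$1" | awk '
        /FAILED LOGIN for / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { user = $(i + 1); src = $(i + 3) }
            n[user " " src]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# For one account: how many logins failed, and the last "Couldn't create
# user" reason logged for it. A failure with a creation error behind it is a
# provisioning problem (the e-mail collision in this thread), not a bad password.
explain_user() {
    printf '%s\n' "$1" | awk -v user="$2" '
        $0 ~ ("FAILED LOGIN for " user " from ") { fails++ }
        $0 ~ ("Couldn.t create user " user ": ") {
            reason = $0
            sub(/.*Couldn.t create user [^:]*: /, "", reason)   # drop timestamp and prefix
            sub(/ \(\/.*$/, "", reason)                          # drop "(file:line)" suffix
        }
        END {
            if (reason == "") reason = "no user-creation error logged"
            printf "%s: %d failed login(s); %s\n", user, fails + 0, reason
        }'
}

# Sources whose failure count for any single account reaches the threshold.
brute_force_sources() {
    failed_logins "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $3 }' | sort -u
}

echo "failed logins per account and source:"
failed_logins "$SAMPLE_LOG"
explain_user "$SAMPLE_LOG" jjjameson
explain_user "$SAMPLE_LOG" root
echo "sources at or above 5 failures: $(brute_force_sources "$SAMPLE_LOG" 5)"
```

On the live system the log path is the one in the posted config, so `explain_user "$(cat /var/log/request-tracker4/rt.log)" jjjameson` answers the question Chris was asking; when the only lines are FAILED LOGIN with no creation error, the "no user-creation error logged" result tells you to raise the log level or look at the authentication side rather than at user creation.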


Hi Chris,

I am afraid that I am running out of ideas on this one! I would be tempted to start again with a fresh database once you have both plugins installed and defined in your config correctly. How are you automating the LDAPImport? Have you set up a cron job?

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: www.queenmargarets.com
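Jon's closing advice, to have both plugins installed and defined correctly before starting again, can be checked mechanically rather than by eye. The script below is an added example, not from the thread or from Best Practical. It is a regex-based lint of an RT_SiteConfig.pm (it does not parse Perl) for the four problems raised earlier in the thread: LDAPImport not loaded alongside ExternalAuth (either the Set(@Plugins ...) form Chris needed or the Plugin() form Jon uses counts), $ExternalAuthPriority set more than once, $ExternalAuthPriority naming services that $ExternalSettings never defines, and $LDAPMapping keying Name on uid rather than sAMAccountName. It runs against a constructed fragment that reproduces those problems; the Debian path in the comment is where the live file sits.

```shell
#!/bin/sh
# Added example (not from the thread or from Best Practical): regex-based lint
# of an RT_SiteConfig.pm for the configuration mistakes raised in this thread.
# It does not parse Perl; it expects the Set(...) / Plugin(...) layout RT's
# documentation uses. On Debian the live file is
# /etc/request-tracker4/RT_SiteConfig.pm.

# Constructed fragment reproducing the problems in the posted config.
SAMPLE_CFG=$(cat <<'EOF'
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($LDAPMapping, {Name => 'uid', # required
    EmailAddress => 'mail',
    RealName => 'cn'});
Set($ExternalAuthPriority, [ 'My_LDAP',
    'My_SSO_Cookie'
    ]
);
Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'QZXW-dc.my-company.com',
    },
});
1;
EOF
)

# Plugins named in Set(@Plugins, qw(...)) or Plugin("...") calls, one per line.
loaded_plugins() {
    printf '%s\n' "$1" | awk '
        /@Plugins/ || /Plugin[ \t]*\(/ { inblk = 1 }
        inblk { print }
        inblk && /\)[ \t]*;/ { inblk = 0 }' |
        grep -o 'RT::[A-Za-z0-9_:]*' | sort -u
}

# Number of Set($ExternalAuthPriority ...) statements; there must be exactly one.
auth_priority_count() {
    printf '%s\n' "$1" | awk '/ExternalAuthPriority/ { n++ } END { print n + 0 }'
}

# Services listed in $ExternalAuthPriority that $ExternalSettings never defines
# (a defined service is a quoted key followed by "=> {").
undefined_auth_services() {
    wanted=$(printf '%s\n' "$1" | awk '
        /ExternalAuthPriority/ { inblk = 1 }
        inblk { print }
        inblk && /\]/ { inblk = 0 }' |
        grep -o "'[^']*'" | tr -d "'" | sort -u)
    defined=$(printf '%s\n' "$1" | grep -o "'[^']*'[[:space:]]*=>[[:space:]]*{" |
        sed "s/^'\([^']*\)'.*/\1/" | sort -u)
    for s in $wanted; do
        printf '%s\n' "$defined" | grep -qx -- "$s" || printf '%s\n' "$s"
    done
}

# The LDAP attribute that $LDAPMapping maps on to RT's Name (the login name).
ldap_name_attr() {
    printf '%s\n' "$1" | grep -o "[{ ,]Name[[:space:]]*=>[[:space:]]*'[^']*'" |
        head -n 1 | sed "s/.*'\([^']*\)'/\1/"
}

# Run every check, print one line per finding, return the number of findings.
lint_siteconfig() {
    cfg=$1 n=0
    for p in RT::Authen::ExternalAuth RT::Extension::LDAPImport; do
        loaded_plugins "$cfg" | grep -qx "$p" ||
            { echo "plugin not loaded: $p"; n=$((n + 1)); }
    done
    c=$(auth_priority_count "$cfg")
    [ "$c" -eq 1 ] ||
        { echo "\$ExternalAuthPriority is set $c times; set it once"; n=$((n + 1)); }
    for s in $(undefined_auth_services "$cfg"); do
        echo "\$ExternalAuthPriority names a service missing from \$ExternalSettings: $s"
        n=$((n + 1))
    done
    a=$(ldap_name_attr "$cfg")
    [ "$a" = sAMAccountName ] ||
        { echo "\$LDAPMapping Name => '$a'; AD logon names live in sAMAccountName"; n=$((n + 1)); }
    return "$n"
}

lint_siteconfig "$SAMPLE_CFG" || echo "$? finding(s)"
```

Run it on the real file with `lint_siteconfig "$(cat /etc/request-tracker4/RT_SiteConfig.pm)"`; a zero exit means none of the four problems is present, which is the state Jon asks for before rebuilding the database.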
From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 09 April 2014 12:54
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

It still is not working. It is, once again, complaining that the email exists already.
[error]: Couldn’t create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)

I don’t understand it… It doesn’t seem to matter if I use uid, or sAMAccountName either.

-Chris

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981

Connnect with Us!

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon

Director of Digital Strategy

Queen Margaret’s School

01904 727600

From: Chris Ditri [Cditri@experi-metal.com]

Sent: 08 April 2014 6:35 PM

To: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

4.0.7 - it is what is stable on debian Wheezy.

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981

Connnect with Us!

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 12:11 PM

To: rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
RT::Authen::ExternalAuth

RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 08 April 2014 14:46

To:
rt-users@lists.bestpractical.com

Cc: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( “RT::Authen::ExternalAuth” );
Plugin( “RT::Extension::LDAPImport” );

Doesn’t work. I need the “Set(@Plugins…” part.

The interesting thing is that when I do not have “Set(@Plugins, qw(RT::Extension::LDAPImport));” in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is “FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)”. Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From:

rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 3:53 AM

To:
rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( “RT::Authen::ExternalAuth” );
Plugin( “RT::Extension::LDAPImport” );

Also you are setting
$ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined (‘My_SSO_Cookie’, ‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ ‘My_LDAP’,
]
);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => ‘uid’

To:
Set($LDAPMapping, {Name => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 07 April 2014 22:20
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => 'uid', # required
    EmailAddress => 'mail',
    RealName => 'cn',
    WorkPhone => 'telephoneNumber',
    Organization => 'departmentName'});
Set($ExternalAuthPriority, [ 'My_LDAP',
    'My_SSO_Cookie'
    ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
    ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
    'My_LDAP' => { ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => 'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        # The username RT should use to connect to the LDAP server
        'user' => 'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass' => 'majorlycrypticpw',
        # The LDAP search base
        'base' => 'ou=QZXW USERS,dc=my-company,dc=com',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter' => '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        # The filter that will only match disabled users
        'd_filter' => '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        # Should we try to use TLS to encrypt connections?
        'tls' => 1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name',
                               'EmailAddress',
                               'RealName',
                               'WorkPhone',
                               'Address2'
                             ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => { 'Name' => 'sAMAccountName',
                        'EmailAddress' => 'mail',
                        'Organization' => 'physicalDeliveryOfficeName',
                        'RealName' => 'cn',
                        'ExternalAuthId' => 'sAMAccountName',
                        'Gecos' => 'sAMAccountName',
                        'WorkPhone' => 'telephoneNumber',
                        'Address1' => 'streetAddress',
                        'City' => 'l',
                        'State' => 'st',
                        'Zip' => 'postalCode',
                        'Country' => 'co'
                      }
    },
}
);

1;
my $zone = "UTC";
$zone = `/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance@my-company.com');
Set($CommentAddress , 'maintenance@my-company.com');
Set($RTAddressRegexp , '^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');

Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log

my %typemap = (
    mysql => 'mysql',
    pgsql => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}
1;


WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

Thank you very much for your cooperation.

This email has been processed by Smoothwall Anti-Spam - www.smoothwall.net


RT Training - Dallas May 20-21


Actually no. I didn’t want to cron it until I’m sure it is working. I’ve just been running it manually.

This is interesting though… I just noticed that the errors in the logs are the same now regardless of whether I use the correct password for the user or not. So, logging in as jjjameson with the correct password, and an incorrect one, gives me the following:

[Wed Apr 9 11:56:39 2014] [debug]: Attempting to use external auth service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:172)
[Wed Apr 9 11:56:39 2014] [debug]: Calling UserExists with $username (jjjameson) and $service (My_LDAP) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:213)
[Wed Apr 9 11:56:39 2014] [debug]: UserExists params:
username: jjjameson , service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:299)
[Wed Apr 9 11:56:39 2014] [debug]: LDAP Search === Base: ou=COMPANY USERS,dc=my-company,dc=com == Filter: (&(&)(sAMAccountName=jjjameson)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:329)
[Wed Apr 9 11:56:39 2014] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 668 with: Disabled: , EmailAddress: , Gecos: jjjameson, Name: jjjameson, Privileged: (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:565)
[Wed Apr 9 11:56:39 2014] [debug]: Attempting to get user info using this external service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:573)
[Wed Apr 9 11:56:39 2014] [debug]: Attempting to use this canonicalization key: Name (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:587)
[Wed Apr 9 11:56:40 2014] [debug]: LDAP Search === Base: ou=COMPANY USERS,dc=my-company,dc=com == Filter: (&(&)(sAMAccountName=jjjameson)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:217)
[Wed Apr 9 11:56:40 2014] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: , EmailAddress: jjjameson@my-company.com, ExternalAuthId: jjjameson, Gecos: jjjameson, Name: jjjameson, Organization: , Privileged: , RealName: J. Jonah, Jameson, State: , WorkPhone: , Zip: (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
[Wed Apr 9 11:56:40 2014] [error]: Couldn’t create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Wed Apr 9 11:56:40 2014] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Apr 9 11:56:40 2014] [error]: FAILED LOGIN for jjjameson from 192.155.78.155 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Wednesday, April 09, 2014 7:56 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi Chris,

I am afraid that I am running out of ideas on this one! I would be tempted to start again with a fresh database once you have both plugins installed and defined in your config correctly. How are you automating the LDAPImport? Have you set up a cron job?

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: www.queenmargarets.com

-----Original Message-----
From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 09 April 2014 12:54
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

It still is not working. It is, once again, complaining that the email exists already.
[error]: Couldn’t create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)

I don’t understand it… It doesn’t seem to matter if I use uid, or sAMAccountName either.

-Chris

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981


-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon

Director of Digital Strategy

Queen Margaret’s School

01904 727600

From: Chris Ditri [Cditri@experi-metal.com]
Sent: 08 April 2014 6:35 PM
To: Jon Witts
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

4.0.7 - it is what is stable on Debian Wheezy.

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981


From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon Witts
Sent: Tuesday, April 08, 2014 12:11 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
    RT::Authen::ExternalAuth
    RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 08 April 2014 14:46
To: rt-users@lists.bestpractical.com
Cc: Jon Witts
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Doesn’t work. I need the “Set(@Plugins…” part.

The interesting thing is that when I do not have “Set(@Plugins, qw(RT::Extension::LDAPImport));” in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is “FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)”. Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From:

rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 3:53 AM

To:
rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( “RT::Authen::ExternalAuth” );
Plugin( “RT::Extension::LDAPImport” );

Also you are setting
$ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined (‘My_SSO_Cookie’, ‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ ‘My_LDAP’,
]
);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => ‘uid’

To:
Set($LDAPMapping, {Name => ‘sAMAccountName’,

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon

Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 07 April 2014 22:20

To: Jon Witts;
rt-users@lists.bestpractical.com

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, ‘rt.my-company.com’);
Set($LDAPHost, ‘QZXW-dc.my-company.com’); Set($LDAPUser, ‘cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com’); Set($LDAPPassword, ‘MyPW1234’); Set($LDAPBase, ‘ou=QZXW Users,dc=my-company,dc=com’); Set($LDAPFilter, ‘(&)’); Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => ‘uid’, # required
EmailAddress => ‘mail’,
RealName => ‘cn’,
WorkPhone => ‘telephoneNumber’,
Organization => ‘departmentName’});
Set($ExternalAuthPriority, [ ‘My_LDAP’,
‘My_SSO_Cookie’
]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ ‘My_LDAP’
]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,[‘My_LDAP’,‘My_Oracle’,‘SecondaryLDAP’,‘Other-DB’]);
Set($ExternalSettings, { # AN EXAMPLE DB SERVICE
‘My_LDAP’ => { ## GENERIC SECTION
# The type of service (db/ldap/cookie)
‘type’ => ‘ldap’,
# The server hosting the service
‘server’ => ‘QZXW-dc.my-company.com’,
## SERVICE-SPECIFIC SECTION
# If you can bind to your LDAP server anonymously you should
# remove the user and pass config lines, otherwise specify them here:
# The username RT should use to connect to the LDAP server
‘user’ => ‘joeadmin@my-company.com’,

                                                    # The password RT should use to connect to the LDAP server
                                                    'pass'                    =>  'majorlycrypticpw',

                                                    # The LDAP search base
                                                    'base'                      =>  'ou=QZXW USERS,dc=my-company,dc=com',
                                                    # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
                                                    # YOU **MUST** SPECIFY A filter AND A d_filter!!
                                                    # The filter to use to match RT-Users
                                                    'filter'                    =>  '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
                                                    # A catch-all example filter: '(objectClass=*)'
                                                    # The filter that will only match disabled users
                                                    'd_filter'                  =>  '',
                                                    # A catch-none example d_filter: '(objectClass=FooBarBaz)'
                                                    # Should we try to use TLS to encrypt connections?
                                                    'tls'                       =>  1,
                                                    # SSL Version to provide to Net::SSLeay *if* using SSL
                                                    'ssl_version'               =>  3,
                                                    # What other args should I pass to Net::LDAP->new($host,@args)?
                                                    'net_ldap_args'             => [    version =>  3   ],
                                                    # Does authentication depend on group membership? What group name?
                                                    # What is the attribute for the group object that determines membership?
                                                    # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
                                                    ## RT ATTRIBUTE MATCHING SECTION
                                                    # The list of RT attributes that uniquely identify a user
                                                    # This example shows what you *can* specify.. I recommend reducing this
                                                    # to just the Name and EmailAddress to save encountering problems later.
                                                    'attr_match_list'           => [    'Name',
                                                                                        'EmailAddress',
                                                                                        'RealName',
                                                                                        'WorkPhone',
                                                                                        'Address2'
                                                                                    ],
                                                    # The mapping of RT attributes on to LDAP attributes
                                                    'attr_map'                  =>  {   'Name' => 'sAMAccountName',
                                                                                        'EmailAddress' => 'mail',
                                                                                        'Organization' => 'physicalDeliveryOfficeName',
                                                                                        'RealName' => 'cn',
                                                                                        'ExternalAuthId' => 'sAMAccountName',
                                                                                        'Gecos' => 'sAMAccountName',
                                                                                        'WorkPhone' => 'telephoneNumber',
                                                                                        'Address1' => 'streetAddress',
                                                                                        'City' => 'l',
                                                                                        'State' => 'st',
                                                                                        'Zip' => 'postalCode',
                                                                                        'Country' => 'co'
                                                                                    }
                                                },
                            }

);

1;
my $zone = “UTC”;
$zone=/bin/cat /etc/timezone
if -f “/etc/timezone”;
chomp $zone;
Set($Timezone, $zone);

Set($rtname, ‘rt.my-company.com’);
Set($Organization, ‘RT.my-company.com’);

Set($CorrespondAddress , ‘maintenance@my-company.com’); Set($CommentAddress , ‘maintenance@my-company.com’); Set($RTAddressRegexp , ‘^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$’);

Set($WebPath , “/rt”);
Set($WebBaseURL , “http://rt.my-company.com”);

Set($LogToSyslog , ‘debug’);
Set($LogToScreen , ‘info’);

Set($LogToFile , ‘debug’); #debug is very noisy Set($LogDir, ‘/var/log/request-tracker4’);
Set($LogToFileNamed , “rt.log”); #log to rt.log

my %typemap = (
mysql => ‘mysql’,
pgsql => ‘Pg’,
sqlite3 => ‘SQLite’,
);

Set($DatabaseType, $typemap{mysql} || “UNKNOWN”);

Set($DatabaseHost, ‘localhost’);
Set($DatabasePort, ‘’);

Set($DatabaseUser , ‘rtuser’);
Set($DatabasePassword , ‘QZXWBuild07’);

my $dbc_dbname = ‘rtdb’; if ( “mysql” eq “sqlite3” ) { Set ($DatabaseName, ‘’ . ‘/’ . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); } 1;

Spam -

DISCLAIMER: This message, including all attachments and/or linked documents, is intended for the exclusive use of the individual or entity to which it is addressed and may contain privileged, proprietary and confidential information. You are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited without permission from the author. This notice serves as a confidentiality marking for the purpose of any confidentiality or nondisclosure agreement. If this message has been received in error, please destroy the original message and all copies without reading it and notify Experi-Metal Inc. immediately via telephone at (586) 977-7800.

WARNING: This document may contain technical data whose export is restricted by the Arms Export Control Act (Title 22 U.S.C. 2751, et seq.) International Traffic in Arms Regulations (ITAR). Disclosure of any technical data to foreign persons without prior U.S.
Government authorization is strictly prohibited. Violations of these laws and regulations are subject to severe criminal penalties.

RT Training - Dallas May 20-21

Actually no. I didn’t want to cron it until I’m sure it is working. I’ve just been running it manually.

This is interesting though… I just noticed that the errors in the
logs are the same now regardless of if I use the correct password for
the user or not. So, logging in as jjjameson with the correct
password, and an incorrect one gives me the following:

RT-Authen-ExternalAuth will actually try and create the user that you
try to log in as, since it exists in LDAP. This is old/known
behavior.

I have no idea if it’s the root of your problem, but your

         'attr_match_list' => [
             'Name',
             'EmailAddress',
             'RealName',
             'WorkPhone',
             'Address2'
         ],

is quite dangerous and frankly wrong, since it should only be things
that are unique to a user, generally that’s Name and EmailAddress.

Also, in a quick review, I don’t see where you’ve shown
select * from Users where EmailAddress = 'jjjameson@my-company.com'
so that the list can see what the existing user which is conflicting looks like.

-kevin
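
As an added illustration of why Kevin calls the long attr_match_list dangerous (this is not RT's code and not from anyone in the thread; it is a simplified model of the lookup sequence the debug log on this page shows: pick a canonicalization key, turn it into a filter on the mapped LDAP attribute, use the entry that comes back). The directory entries, the localadmin account and the shared telephone number are constructed for the example; Address2 is left out of the risky list because the quoted attr_map does not map it.

```python
"""Why a long attr_match_list is dangerous: a model of the lookup, not RT's code.

Constructed for this thread. It mimics the sequence visible in the RT debug
log quoted here (pick a canonicalization key, turn it into a filter on the
mapped LDAP attribute, take the entry that comes back) and shows that a key
which is not unique in the directory lets one person's RT record be filled
from another person's LDAP entry.
"""

# Constructed directory: two people share an office telephone number.
LDAP_ENTRIES = [
    {"sAMAccountName": "jjjameson", "mail": "jjjameson@my-company.com",
     "cn": "J. Jonah Jameson", "telephoneNumber": "555-0100"},
    {"sAMAccountName": "pparker", "mail": "pparker@my-company.com",
     "cn": "Peter Parker", "telephoneNumber": "555-0100"},
]

# RT attribute -> LDAP attribute, same shape as attr_map in the config on this page.
ATTR_MAP = {
    "Name": "sAMAccountName",
    "EmailAddress": "mail",
    "RealName": "cn",
    "WorkPhone": "telephoneNumber",
}

# The quoted list (minus Address2, which ATTR_MAP does not map) and Kevin's recommendation.
RISKY_MATCH_LIST = ["Name", "EmailAddress", "RealName", "WorkPhone"]
SAFE_MATCH_LIST = ["Name", "EmailAddress"]


def ldap_search(entries, attr, value):
    """Stand-in for an LDAP equality search: entries whose `attr` equals `value`."""
    return [e for e in entries if e.get(attr) == value]


def canonicalize(user, attr_match_list, attr_map=ATTR_MAP, entries=LDAP_ENTRIES):
    """Fill an RT user record from the directory, trying the match keys in order.

    Returns (key_used, filled_record); (None, user) when no key produced a hit.
    Assumption of this model: the first key with a value on the RT side that
    yields any LDAP entry wins, and the first entry returned is used.
    """
    for key in attr_match_list:
        value = user.get(key)
        if not value:
            continue
        hits = ldap_search(entries, attr_map[key], value)
        if not hits:
            continue
        filled = dict(user)
        for rt_attr, ldap_attr in attr_map.items():
            filled[rt_attr] = hits[0].get(ldap_attr, "")
        return key, filled
    return None, user


def non_unique_keys(attr_match_list, attr_map=ATTR_MAP, entries=LDAP_ENTRIES):
    """Match keys whose LDAP attribute repeats a value somewhere in the directory.

    Anything this returns can bind one RT user to another person's entry, so it
    has no place in attr_match_list.
    """
    flagged = []
    for key in attr_match_list:
        values = [e[attr_map[key]] for e in entries if e.get(attr_map[key])]
        if len(values) != len(set(values)):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    # A local RT account with no directory entry but a phone number that is shared.
    local = {"Name": "localadmin", "EmailAddress": "localadmin@rt.local",
             "RealName": "Local Admin", "WorkPhone": "555-0100"}
    print(canonicalize(local, RISKY_MATCH_LIST))   # matched on WorkPhone: record now carries jjjameson's identity
    print(canonicalize(local, SAFE_MATCH_LIST))    # (None, local): left alone
    print(non_unique_keys(RISKY_MATCH_LIST))       # ['WorkPhone']
```

With the risky list, the local account is rewritten with J. Jonah Jameson's name and e-mail because the shared phone number was the first key that produced a hit; with Name and EmailAddress only, nothing matches and the record is left as it was. Running non_unique_keys against an export of the real directory is a quick way to check a candidate list before putting it in RT_SiteConfig.pm.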

Hi Kevin,

The mapping was just the default in the config file (on a debian wheezy system). I’m not sure how it is dangerous though… can you elaborate?

You are correct, I didn’t show a select statement from the db. I wasn’t aware that would be helpful. I just know the log file was saying the email already exists (and it does, because it was imported through ldapimport). All the users were populated in the rt users screen from the import, after all. The thing I didn’t understand was why rt didn’t recognize the user as already existing. It still wanted to make a new one. Why wouldn’t it just say, “Oh jjjameson, I know him, let me check his password against AD… Yep… there he is. Access granted.” Instead, it seems like it is saying “Oh, jjjameson, I have no record of him (even though it exists). Let me check AD… Oh, there he is, now let’s make him a user in rt… wait a minute, his email address is already in use, I guess you are SOL here.” Of course it is in use! It was imported, after all :).

I’m sure there is a logical explanation for this… but I’m afraid this is moot now. I restored a backup of the machine to the time just prior to the ldapimport. I am way past deadline on this project, and I need to get it rolled-out. It turns out that the import is not as important as I initially thought, so I think I can get away without it.

I appreciate the assistance though, very much.

Thank you.

-Chris

From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Kevin Falcone
Sent: Wednesday, April 09, 2014 1:17 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

[Wed Apr 9 11:56:39 2014] [debug]: Attempting to use external auth service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:172)
[Wed Apr 9 11:56:39 2014] [debug]: Calling UserExists with $username (jjjameson) and $service (My_LDAP) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:213)
[Wed Apr 9 11:56:39 2014] [debug]: UserExists params: username: jjjameson , service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:299)
[Wed Apr 9 11:56:39 2014] [debug]: LDAP Search === Base: ou=COMPANY USERS,dc=my-company,dc=com == Filter: (&(&)(sAMAccountName=jjjameson)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:329)
[Wed Apr 9 11:56:39 2014] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::Authen::ExternalAuth /usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm 668 with: Disabled: , EmailAddress: , Gecos: jjjameson, Name: jjjameson, Privileged:  (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:565)
[Wed Apr 9 11:56:39 2014] [debug]: Attempting to get user info using this external service: My_LDAP (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:573)
[Wed Apr 9 11:56:39 2014] [debug]: Attempting to use this canonicalization key: Name (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:587)
[Wed Apr 9 11:56:40 2014] [debug]: LDAP Search === Base: ou=COMPANY USERS,dc=my-company,dc=com == Filter: (&(&)(sAMAccountName=jjjameson)) == Attrs: l,cn,st,mail,sAMAccountName,co,streetAddress,postalCode,telephoneNumber,sAMAccountName,physicalDeliveryOfficeName,sAMAccountName (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:217)
[Wed Apr 9 11:56:40 2014] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: , EmailAddress: jjjameson@my-company.com, ExternalAuthId: jjjameson, Gecos: jjjameson, Name: jjjameson, Organization: , Privileged: , RealName: J. Jonah, Jameson, State: , WorkPhone: , Zip:  (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
[Wed Apr 9 11:56:40 2014] [error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Wed Apr 9 11:56:40 2014] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Apr 9 11:56:40 2014] [error]: FAILED LOGIN for jjjameson from 192.155.78.155 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon
Witts
Sent: Wednesday, April 09, 2014 7:56 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi Chris,

I am afraid that I am running out of ideas on this one! I would be tempted to start again with a fresh database once you have both plugins installed and defined in your config correctly. How are you automating the LDAPImport? Have you set up a cron job?

Jon


Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website: www.queenmargarets.com

-----Original Message-----
From: Chris Ditri [mailto:Cditri@experi-metal.com]
Sent: 09 April 2014 12:54
To: Jon Witts; rt-users@lists.bestpractical.com
Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

It still is not working. It is, once again, complaining that the email exists already.
[error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)

I don’t understand it… It doesn’t seem to matter if I use uid, or sAMAccountName either.

-Chris

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com

Connect with Us!

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Jon
Witts
Sent: Tuesday, April 08, 2014 1:41 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Chris,

Please keep your responses on the list so that others may benefit or assist.

So what happens when you set your @plugins as I described?

Jon

Director of Digital Strategy

Queen Margaret’s School

01904 727600

http://www.queenmargarets.com

From: Chris Ditri [Cditri@experi-metal.com]

Sent: 08 April 2014 6:35 PM

To: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

4.0.7 - it is what is stable on debian Wheezy.

Christopher Ditri
Manager, Information Systems
Experi-Metal Inc.
6385 Wall Street
Sterling Heights, MI 48312
Phone: (586) 977-7800
Fax: (586) 977-6981
www.experi-metal.com

Connect with Us!

From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 12:11 PM

To: rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

What version of RT are you running?

You need to have both plugins (ExternalAuth and LDAPImport) set in your config. Try:

Set( @Plugins, qw(
RT::Authen::ExternalAuth
RT::Extension::LDAPImport
) );

As per the doc on the wiki here:
http://requesttracker.wikia.com/wiki/SiteConfig

Jon


Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:
www.queenmargarets.com

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 08 April 2014 14:46

To:
rt-users@lists.bestpractical.com

Cc: Jon Witts

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon,

I did add the My_SSO_Cookie thing back, just to troubleshoot. Normally, it is not there. I removed it again, however. I removed the second (redundant) ExternalAuthPriority entry. Thanks for that catch.

Using
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Doesn’t work. I need the “Set(@Plugins…” part.

The interesting thing is that when I do not have “Set(@Plugins, qw(RT::Extension::LDAPImport));” in my config, then I get all the errors in my log file, including the bit about the email already exists (logging is set to debug). If I do have that line in my config, all I get in my log file is “FAILED LOGIN for jjjameson from 118.128.73.X (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)”. Even though I have the log file set to debug, I get no more output than a simple login failure.

I tried switching uid to sAMAccountName, but that did no better. With no output in the logs, I’m at a complete loss on how to troubleshoot this. I don’t know if using the import carries over the password hash into rt’s own database, or if it checks it against the ldap/AD server. Since I can see the rest of the user information, perhaps it has to do with the password itself? I don’t know…

Thanks again for your help.

-Chris

From:

rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com]
On Behalf Of Jon Witts

Sent: Tuesday, April 08, 2014 3:53 AM

To:
rt-users@lists.bestpractical.com

Subject: Re: [rt-users] Automatically Set “Let this user be granted rights”

Hi there,

I can only see you setting the ExternalAuth plugin there not the LDAPImport plugin too.

Rather than:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

My Plugins section looks like this:
Plugin( "RT::Authen::ExternalAuth" );
Plugin( "RT::Extension::LDAPImport" );

Also you are setting
$ExternalAuthPriority twice, and both times calling ExternalAuths which are not defined ('My_SSO_Cookie', 'My_Oracle', 'SecondaryLDAP', 'Other-DB'). I think you should only be doing as follows:
Set($ExternalAuthPriority, [ 'My_LDAP',
]
);

I have my ldap bind user defined as a fully qualified ldap string rather than just a username…

In your LDAPImport settings try changing:
Set($LDAPMapping, {Name => 'uid'

To:
Set($LDAPMapping, {Name => 'sAMAccountName',

And as it appears you are using Microsoft AD for your LDAP server it would probably be worth setting:
Set($LDAPSizeLimit, 1000);

Too.

Jon


Jon Witts
Director of Digital Strategy
Queen Margaret’s School
Escrick Park
York YO19 6EU

Telephone: 01904 727600
Fax: 01904 728150

Website:
www.queenmargarets.com

From: Chris Ditri [mailto:Cditri@experi-metal.com]

Sent: 07 April 2014 22:20

To: Jon Witts;
rt-users@lists.bestpractical.com

Subject: RE: [rt-users] Automatically Set “Let this user be granted rights”

Hi Jon, and thanks.

Set($WebDomain, 'rt.my-company.com');
Set($LDAPHost, 'QZXW-dc.my-company.com');
Set($LDAPUser, 'cn=rtuser,ou=utility,ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPPassword, 'MyPW1234');
Set($LDAPBase, 'ou=QZXW Users,dc=my-company,dc=com');
Set($LDAPFilter, '(&)');
Set($LDAPUpdateUsers, 1);
Set($LDAPMapping, {Name => 'uid', # required
    EmailAddress => 'mail',
    RealName => 'cn',
    WorkPhone => 'telephoneNumber',
    Organization => 'departmentName'});
Set($ExternalAuthPriority, [ 'My_LDAP',
    'My_SSO_Cookie'
    ]
);
Set( @Plugins, qw(RT::Authen::ExternalAuth) );
Set($ExternalInfoPriority, [ 'My_LDAP'
    ]
);

Set($ExternalServiceUsesSSLorTLS, 0);

Set($AutoCreateNonExternalUsers, 0);

Set($ExternalAuthPriority,['My_LDAP','My_Oracle','SecondaryLDAP','Other-DB']);
Set($ExternalSettings, {    # AN EXAMPLE DB SERVICE
    'My_LDAP' => {          ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type'              =>  'ldap',
        # The server hosting the service
        'server'            =>  'QZXW-dc.my-company.com',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user'              =>  'joeadmin@my-company.com',
        # The password RT should use to connect to the LDAP server
        'pass'              =>  'majorlycrypticpw',
        #
        # The LDAP search base
        'base'              =>  'ou=QZXW USERS,dc=my-company,dc=com',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter'            =>  '(&)',  ##(I have flip-flopped between this and the one suggested in the generic config, either seems to work)
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter'          =>  '',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls'               =>  1,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version'       =>  3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args'     => [    version =>  3   ],
        # Does authentication depend on group membership? What group name?
        # What is the attribute for the group object that determines membership?
        # What is the attribute of the user entry that should be matched against group_attr above? (Optional; defaults to 'dn')
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list'   => [    'Name',
                                    'EmailAddress',
                                    'RealName',
                                    'WorkPhone',
                                    'Address2'
                                ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map'          =>  {   'Name' => 'sAMAccountName',
                                    'EmailAddress' => 'mail',
                                    'Organization' => 'physicalDeliveryOfficeName',
                                    'RealName' => 'cn',
                                    'ExternalAuthId' => 'sAMAccountName',
                                    'Gecos' => 'sAMAccountName',
                                    'WorkPhone' => 'telephoneNumber',
                                    'Address1' => 'streetAddress',
                                    'City' => 'l',
                                    'State' => 'st',
                                    'Zip' => 'postalCode',
                                    'Country' => 'co'
                                }
    },
}
);

1;
my $zone = "UTC";
$zone=`/bin/cat /etc/timezone` if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);

Set($rtname, 'rt.my-company.com');
Set($Organization, 'RT.my-company.com');

Set($CorrespondAddress , 'maintenance@my-company.com');
Set($CommentAddress , 'maintenance@my-company.com');
Set($RTAddressRegexp ,
'^maintenance(-comment)?@(maintenance|rt).(my-company.com|rt.my-company.com)$');

Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.my-company.com");

Set($LogToSyslog , 'debug');
Set($LogToScreen , 'info');

Set($LogToFile , 'debug'); #debug is very noisy
Set($LogDir, '/var/log/request-tracker4');
Set($LogToFileNamed , "rt.log"); #log to rt.log

my %typemap = (
mysql => 'mysql',
pgsql => 'Pg',
sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");

Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'QZXWBuild07');

my $dbc_dbname = 'rtdb';
if ( "mysql" eq "sqlite3" ) {
    Set ($DatabaseName, '' . '/' . $dbc_dbname);
} else {
    Set ($DatabaseName, $dbc_dbname);
}
1;
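
Added example, not RT's code and not from anyone in this thread: a small triage script over lines shaped like the RT debug log quoted earlier in the thread. It separates users whose failed logins were preceded by "Couldn't create user ...: Email address in use" from users who simply failed to authenticate, and pulls out the conflicting e-mail so the Users row Kevin asks about can be checked with a parameterised query. The embedded log is constructed from the lines on this page plus one made-up pparker line; 192.0.2.10 is a documentation address and the 11:58 timestamps are invented.

```python
"""Triage of RT-Authen-ExternalAuth failures from the RT log (added example, not RT code)."""
import re
from collections import defaultdict

# Constructed log excerpt, modelled on the debug output quoted in this thread.
# The jjjameson lines follow the page; the pparker line and the 11:58 times are made up.
SAMPLE_LOG = """\
[Wed Apr 9 11:56:40 2014] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: , EmailAddress: jjjameson@my-company.com, ExternalAuthId: jjjameson, Gecos: jjjameson, Name: jjjameson, Organization: , Privileged: , RealName: J. Jonah, Jameson, State: , WorkPhone: , Zip:  (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
[Wed Apr 9 11:56:40 2014] [error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Wed Apr 9 11:56:40 2014] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:11)
[Wed Apr 9 11:56:40 2014] [error]: FAILED LOGIN for jjjameson from 192.155.78.155 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Wed Apr 9 11:58:02 2014] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Address1: , City: , Country: , Disabled: , EmailAddress: jjjameson@my-company.com, ExternalAuthId: jjjameson, Gecos: jjjameson, Name: jjjameson, Organization: , Privileged: , RealName: J. Jonah, Jameson, State: , WorkPhone: , Zip:  (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:651)
[Wed Apr 9 11:58:02 2014] [error]: Couldn't create user jjjameson: Email address in use (/usr/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:237)
[Wed Apr 9 11:58:02 2014] [error]: FAILED LOGIN for jjjameson from 192.155.78.155 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
[Wed Apr 9 12:01:15 2014] [error]: FAILED LOGIN for pparker from 192.0.2.10 (/usr/share/request-tracker4/lib/RT/Interface/Web.pm:740)
"""

# "[timestamp] [level]: message (source:line)"; the source suffix is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]: (?P<msg>.*?)"
    r"(?: \((?P<src>/[^)]*:\d+)\))?$"
)
CREATE_FAIL_RE = re.compile(r"^Couldn't create user (\S+): Email address in use$")
FAILED_LOGIN_RE = re.compile(r"^FAILED LOGIN for (\S+) from (\S+)$")
CANON_RE = re.compile(r"CanonicalizeUserInfo returning (?P<fields>.*)$")
EMAIL_RE = re.compile(r"EmailAddress: ([^,\s]*)")
NAME_RE = re.compile(r"\bName: ([^,\s]*)")   # \b keeps this from matching RealName


def parse_line(line):
    """Split one RT log line into (timestamp, level, message, source) or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg").rstrip(), m.group("src")


def triage(lines):
    """Group ExternalAuth failures per user and classify them.

    A user whose attempts hit "Email address in use" is reported as an
    email-conflict (the external record resolves to an e-mail some other Users
    row already owns); a user with FAILED LOGIN lines only is a plain
    authentication failure.
    """
    users = defaultdict(lambda: {"canonical_email": None, "conflict_email": None,
                                 "failed_logins": 0, "sources": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, msg, _ = parsed
        canon = CANON_RE.search(msg)
        if canon:
            name = NAME_RE.search(canon.group("fields"))
            email = EMAIL_RE.search(canon.group("fields"))
            if name and email:
                users[name.group(1)]["canonical_email"] = email.group(1)
            continue
        create_fail = CREATE_FAIL_RE.match(msg)
        if create_fail:
            rec = users[create_fail.group(1)]
            rec["conflict_email"] = rec["canonical_email"]
            continue
        failed = FAILED_LOGIN_RE.match(msg)
        if failed:
            rec = users[failed.group(1)]
            rec["failed_logins"] += 1
            rec["sources"].add(failed.group(2))
    return {
        name: {
            "status": "email-conflict" if rec["conflict_email"] else "auth-failure",
            "conflict_email": rec["conflict_email"],
            "failed_logins": rec["failed_logins"],
            "sources": sorted(rec["sources"]),
        }
        for name, rec in users.items()
    }


def users_lookup(email):
    """Parameterised form of the check Kevin asks for: which Users row owns the e-mail."""
    return "select * from Users where EmailAddress = ?", (email,)


if __name__ == "__main__":
    for name, rec in triage(SAMPLE_LOG.splitlines()).items():
        print(name, rec)
        if rec["conflict_email"]:
            print("  check:", users_lookup(rec["conflict_email"]))
```

In the quoted log the creation failure and the "(0, No User)" response come before any password check is logged, which fits Chris's observation that the errors look the same for a right and a wrong password: the triage therefore keys on the conflict line, not on the FAILED LOGIN count. The query is returned as a statement plus a parameter tuple so the address from the log is never interpolated into SQL text.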
