External users unable to create tickets since ExternalAuth activated

RT Users
1

Since implementing external auth (LDAP option), RT works as expected for users within AD, but I’ve just realized that external users are unable to create tickets, even with the appropriate “Everybody” permissions set via the web interface (globally as well as queue-specific).

Error within logs:
timestamp RT RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Comments: Autocreated on ticket submission, Disabled: 0, EmailAddress: yyy@hotmail.com, Name: yyy@hotmail.com, Password: , Privileged: 0, RealName: Jane Doe (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jan 10 21:21:58 RT RT: Couldn’t load user ‘yyy@hotmail.com’.giving up (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:947)

RT_SiteConfig.pm:
Set($rtname , “xxx.com”);
Set($Organization , “xxx.com”);
Set($Timezone , ‘US/Eastern’);
Set($DatabaseType , ‘mysql’);
Set($DatabaseHost , ‘localhost’);
Set($DatabaseRTHost , ‘localhost’);
Set($DatabasePort , ‘’);
Set($DatabaseUser , ‘rt’);
Set($DatabasePassword , ‘xyz’);
Set($OwnerEmail , ‘root’);
Set($RTAddressRegexp , ‘([a-z]+)@rt.xxx.com$’);
Set($ValidateUserEmailAddresses, 1);
Set($CorrespondAddress , ‘no-reply@rt.xxx.com’);
Set($CommentAddress , ‘no-reply-comment@rt.xxx.com’);
Set( $WebDomain, ‘rt.xxx.com’ );
Set($WebPath, “”);
Set($CanonicalizeRedirectURLs, 1);
Set($LogToSyslog , ‘info’);
Set($UnsafeEmailCommands,1);
Set($LogToSyslog, “debug”);
Set($AutoCreateNonExternalUsers, 1);
Set($AutoCreate, {Privileged => 1});
Set(@Plugins,qw(RT::FM RT::Extension::QueueDeactivatedScrips RT::Extension::MobileUI RT::Authen::ExternalAuth));
require “/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/My_RT_SiteConfig.pm”;

1;

External User gets two returned e-mails from no-reply@rt.xxx.com:
RT could not load a valid user, and RT’s configuration does not allow for the creation of a new user for your email.
User ‘yyy@hotmail.com’ could not be loaded in the mail gateway

Any help and suggestions would be greatly appreciated.

Thanks,
Nicôle

2

Since implementing external auth (LDAP option), RT works as expected for users within AD, but I’ve just realized that external users are unable to create tickets, even with the appropriate “Everybody” permissions set via the web interface (globally as well as queue-specific).

This comes up about twice a month on the mailing list, there is a
config option documented in the RT-Authen-ExternalAuth config file to
enable the creation of external users

-kevin

3

Kevin,

Would this option require the use of a check to the DataBase? A’la My_Oracle
as a secondary External Setting?

I’m in the same situation where we have some outside consultants that are
NOT in our LDAP database, but need to reply/own tickets in RT.
I was looking at the RT_SiteConfig.pm setting options in
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc and saw the instructions
for ‘My_My_SQL’.

These are the parameters I used:

Set($ExternalAuthPriority, [ ‘My_LDAP’, ‘My_Oracle’] );

Set($ExternalInfoPriority, [ ‘My_LDAP’ ] );

Set($ExternalServiceUsesSSLorTLS, 1);

Set($AutoCreateNonExternalUsers, 0);

These are the full settings for each external service as a HashOfHashes

Set(

  • $ExternalSettings,*

  •  {*

  •    'My_LDAP' =>*

  •       {*

  •        Our LDAP stuff - Works well*

  •       }

  •  },*

*# Settings for secondary Auth - using our Oracle DataBase

  •  {*

  •    'My_Oracle' =>*

  •       {*

  •        ‘type’           => 'db',*

  •        ‘server’        => 'luther',*

  •        ‘database’   => ‘rtdev’,*

  •        ‘table’          =>  ‘USERS’,*

  •        ‘user’           =>  ‘OURID’,*

  •        ‘pass’           =>  ‘XXXXXXXX’,*

  •        ‘port’           => '’,*

  •        ‘u_field’       =>  ‘name’,*

  •        ‘dbi_driver’ =>  ‘’,*

  •        ‘p_field’       =>  ‘’,*

  •        ‘p_enc_pkg’ =>  ‘’,*

  •        ‘p_enc_sub’ =>  ‘’,*

  •        ‘p_salt’         =>  ‘’,*

  •        ‘d_field’       =>   '’,*

  •        ‘d_values’    => '',*

  •        ‘attr_match_list’  => [' EmailAddress'],*

  •        ‘attr_map’            =>  ['EmailAddress'    => 'mail']*

  •       }*

  •  }*

  • );*
    *1;

Am I on the right track?
Kenn
LBNL*On Tue, Jan 11, 2011 at 7:40 AM, Kevin Falcone falcone@bestpractical.comwrote:

On Mon, Jan 10, 2011 at 11:04:52PM -0400, Nicôle Layne-Balram wrote:

Since implementing external auth (LDAP option), RT works as expected for
users within AD, but I’ve just realized that external users are unable to
create tickets, even with the appropriate “Everybody” permissions set via
the web interface (globally as well as queue-specific).

This comes up about twice a month on the mailing list, there is a
config option documented in the RT-Authen-ExternalAuth config file to
enable the creation of external users

-kevin

Error within logs:
timestamp RT RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo
returning Comments: Autocreated on ticket submission, Disabled: 0,
EmailAddress: yyy@hotmail.com, Name: yyy@hotmail.com, Password: ,
Privileged: 0, RealName: Jane Doe
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jan 10 21:21:58 RT RT: Couldn’t load user ‘yyy@hotmail.com’.giving up
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:947)

RT_SiteConfig.pm:
Set($rtname , “xxx.com”);
Set($Organization , “xxx.com”);
Set($Timezone , ‘US/Eastern’);
Set($DatabaseType , ‘mysql’);
Set($DatabaseHost , ‘localhost’);
Set($DatabaseRTHost , ‘localhost’);
Set($DatabasePort , ‘’);
Set($DatabaseUser , ‘rt’);
Set($DatabasePassword , ‘xyz’);
Set($OwnerEmail , ‘root’);
Set($RTAddressRegexp , ‘([a-z]+)@rt.xxx.com$’);
Set($ValidateUserEmailAddresses, 1);
Set($CorrespondAddress , ‘no-reply@rt.xxx.com’);
Set($CommentAddress , ‘no-reply-comment@rt.xxx.com’);
Set( $WebDomain, ‘rt.xxx.com’ );
Set($WebPath, “”);
Set($CanonicalizeRedirectURLs, 1);
Set($LogToSyslog , ‘info’);
Set($UnsafeEmailCommands,1);
Set($LogToSyslog, “debug”);
Set($AutoCreateNonExternalUsers, 1);
Set($AutoCreate, {Privileged => 1});
Set(@Plugins,qw(RT::FM RT::Extension::QueueDeactivatedScrips
RT::Extension::MobileUI RT::Authen::ExternalAuth));
require
“/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/My_RT_SiteConfig.pm”;

1;

External User gets two returned e-mails from no-reply@rt.xxx.com:
RT could not load a valid user, and RT’s configuration does not allow for
the creation of a new user for your email.
User ‘yyy@hotmail.com’ could not be loaded in the mail gateway

Any help and suggestions would be greatly appreciated.

Thanks,
Nicôle

4

Kevin,

Would this option require the use of a check to the DataBase? A’la My_Oracle as a secondary
External Setting?
Set($ExternalAuthPriority, [ ‘My_LDAP’, My_Oracle] );

If you are attempting to have RT-Authen-ExternalAuth check RT’s
insternal Users table by defining My_Oracle that is wrong.
RT-Authen-ExternalAuth falls back to RT’s internal password checking
automatically. Defining My_Oracle is likely to cause nothing but
problems.

There is a config option in RT-Authen-ExternalAuth that controls
whether or not a user must exist in LDAP before being autocreated in
RT. It is documented in the config file and comes up roughly every
other week on the mailing list.

-kevin

5

Any thoughts on this issue?

Kind regards,
Nicole

Message: 2Date: Mon, 10 Jan 2011 23:04:52 -0400
From: Nicole Layne-Balram nlayne@telebarbados.com
To: rt-users@lists.bestpractical.com
Subject: [rt-users] External users unable to create tickets since
ExternalAuth activated
Message-ID:
4C137E3BA6DB4A4291596A118437D8E501929A70@exchange1.telebarbados.com
Content-Type: text/plain; charset=“iso-8859-1”

Since implementing external auth (LDAP option), RT works as expected for users within AD, but I’ve just realized that external users are unable to create tickets, even with the appropriate “Everybody” permissions set via the web interface (globally as well as queue-specific).

Error within logs:
timestamp RT RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Comments: Autocreated on ticket submission, Disabled: 0, EmailAddress: yyy@hotmail.com, Name: yyy@hotmail.com, Password: , Privileged: 0, RealName: Jane Doe (/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jan 10 21:21:58 RT RT: Couldn’t load user ‘yyy@hotmail.com’.giving up (/opt/rt3/bin/…/lib/RT/Interface/Email.pm:947)

RT_SiteConfig.pm:
Set($rtname , “xxx.com”);
Set($Organization , “xxx.com”);
Set($Timezone , ‘US/Eastern’);
Set($DatabaseType , ‘mysql’);
Set($DatabaseHost , ‘localhost’);
Set($DatabaseRTHost , ‘localhost’);
Set($DatabasePort , ‘’);
Set($DatabaseUser , ‘rt’);
Set($DatabasePassword , ‘xyz’);
Set($OwnerEmail , ‘root’);
Set($RTAddressRegexp , ‘([a-z]+)@rt.xxx.com$’);
Set($ValidateUserEmailAddresses, 1);
Set($CorrespondAddress , ‘no-reply@rt.xxx.com’);
Set($CommentAddress , ‘no-reply-comment@rt.xxx.com’);
Set( $WebDomain, ‘rt.xxx.com’ );
Set($WebPath, “”);
Set($CanonicalizeRedirectURLs, 1);
Set($LogToSyslog , ‘info’);
Set($UnsafeEmailCommands,1);
Set($LogToSyslog, “debug”);
Set($AutoCreateNonExternalUsers, 1);
Set($AutoCreate, {Privileged => 1});
Set(@Plugins,qw(RT::FM RT::Extension::QueueDeactivatedScrips RT::Extension::MobileUI RT::Authen::ExternalAuth));
require “/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/My_RT_SiteConfig.pm”;

1;

External User gets two returned e-mails from no-reply@rt.xxx.com:
RT could not load a valid user, and RT’s configuration does not allow for the creation of a new user for your email.
User ‘yyy@hotmail.com’ could not be loaded in the mail gateway

Any help and suggestions would be greatly appreciated.

Thanks,
Nicole

6

Kevin,

Your suggestion on using the LDAP setting for adding users worked well.
Thank you.

I do have a question as to why all that explanation on My_Oracle and such in
the ExternalAuth notes if we should use such settings?

Kenn
LBNLOn Thu, Jan 13, 2011 at 10:31 AM, Nicôle Layne-Balram < nlayne@telebarbados.com> wrote:

Any thoughts on this issue?

Kind regards,
Nicole

Message: 2
Date: Mon, 10 Jan 2011 23:04:52 -0400
From: Nicole Layne-Balram nlayne@telebarbados.com
To: rt-users@lists.bestpractical.com
Subject: [rt-users] External users unable to create tickets since
ExternalAuth activated
Message-ID:
<
4C137E3BA6DB4A4291596A118437D8E501929A70@exchange1.telebarbados.com>
Content-Type: text/plain; charset=“iso-8859-1”

Since implementing external auth (LDAP option), RT works as expected for
users within AD, but I’ve just realized that external users are unable to
create tickets, even with the appropriate “Everybody” permissions set via
the web interface (globally as well as queue-specific).

Error within logs:
timestamp RT RT: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Comments: Autocreated on ticket submission, Disabled: 0, EmailAddress:
yyy@hotmail.com, Name: yyy@hotmail.com, Password: , Privileged: 0,
RealName: Jane Doe
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)
Jan 10 21:21:58 RT RT: Couldn’t load user ‘yyy@hotmail.com’.giving up
(/opt/rt3/bin/…/lib/RT/Interface/Email.pm:947)

RT_SiteConfig.pm:
Set($rtname , “xxx.com”);
Set($Organization , “xxx.com”);
Set($Timezone , ‘US/Eastern’);
Set($DatabaseType , ‘mysql’);
Set($DatabaseHost , ‘localhost’);
Set($DatabaseRTHost , ‘localhost’);
Set($DatabasePort , ‘’);
Set($DatabaseUser , ‘rt’);
Set($DatabasePassword , ‘xyz’);
Set($OwnerEmail , ‘root’);
Set($RTAddressRegexp , ‘([a-z]+)@rt.xxx.com$’);
Set($ValidateUserEmailAddresses, 1);
Set($CorrespondAddress , ‘no-reply@rt.xxx.com’);
Set($CommentAddress , ‘no-reply-comment@rt.xxx.com’);
Set( $WebDomain, ‘rt.xxx.com’ );
Set($WebPath, “”);
Set($CanonicalizeRedirectURLs, 1);
Set($LogToSyslog , ‘info’);
Set($UnsafeEmailCommands,1);
Set($LogToSyslog, “debug”);
Set($AutoCreateNonExternalUsers, 1);
Set($AutoCreate, {Privileged => 1});
Set(@Plugins,qw(RT::FM RT::Extension::QueueDeactivatedScrips
RT::Extension::MobileUI RT::Authen::ExternalAuth));
require
“/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/My_RT_SiteConfig.pm”;

1;

External User gets two returned e-mails from no-reply@rt.xxx.com:
RT could not load a valid user, and RT’s configuration does not allow for
the creation of a new user for your email.
User ‘yyy@hotmail.com’ could not be loaded in the mail gateway

Any help and suggestions would be greatly appreciated.

Thanks,
Nicole

7

I do have a question as to why all that explanation on My_Oracle and such in the ExternalAuth
notes if we should use such settings?

Because you can validate against some other app’s database?

What gave you the idea that you needed to configure
RT-Authen-ExternalAuth to talk to RT’s internal Users table?
Documentation implying that needs to be fixed

-kevin

8

Any thoughts on this issue?

Please see my reply to you on Tuesday

-kevin

9

Kevin,

I guess that when I read things, I read them differently. From what I read
about ExternalAuth, I assumed it did the authorizing but didn’t see where it
defaulted back to RT (checking the USERS Table) when an ExternalAuth
failed. My mistake, again.
I did figure that if ExternalAuth allowed a non-LDAP to be added (per
setting) that the regular AutoCreate,Privileged, 0/1 setting would determine
whether they were added as privileged or not, but I didn’t realize that if
the Auth didn’t Pass LDAP, RT would look at the Users DataBase for the User.
I just didn’t see it that way when I read the documentation. No one’s fault
but my own. Sorry.

Kenn
LBNLOn Thu, Jan 13, 2011 at 10:42 AM, Kevin Falcone falcone@bestpractical.comwrote:

On Thu, Jan 13, 2011 at 10:37:03AM -0800, Kenneth Crocker wrote:

I do have a question as to why all that explanation on My_Oracle and
such in the ExternalAuth
notes if we should use such settings?

Because you can validate against some other app’s database?

What gave you the idea that you needed to configure
RT-Authen-ExternalAuth to talk to RT’s internal Users table?
Documentation implying that needs to be fixed

-kevin

10

Hi Kevin,

I was not seeing your replies through the user’s e-mail digest. It’s only when I logged into the gossamer-threads that I saw them. So, sorry if you thought I was ignoring or not accepting your answer.

I was specifically looking at the RT_SiteConfig file and did not go through the ExternalAuth config line for line.

This line did the trick:
Set($AutoCreateNonExternalUsers, 1);

Thanks again for responding.