Final

final test
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.716 / Virus Database: 472 - Release Date: 2004/07/05

Sorry for this message, it was meant for the RT box.

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com]On Behalf Of Khutjo
Phillip Leremi
Sent: 07 July 2004 05:18
To: rt-users
Subject: [rt-users] final

final test

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT wiki at http://wiki.bestpractical.com

I finally figured out how to make Apache authenticate against LDAP and
once I got over that hurdle, RT plays very nicely.

Now that I have this in place there are a few more things I’d like to do.

Issue 1)

I would like LDAP authenticated people to have their account
automatically created (e.g. $WebExternalAuto), including email address
info if possible (if it didn't already exist), and for those same
people to become privileged users.

  • I don't want everyone who sends an email to become a privileged user
    though (just LDAP authenticated folks).
  • Presumably some of them would already have sent an email, so if I
    let it "autocreate an account" will there be a problem because their
    old username was their email address and presumably their new
    username would be their uid?

Is there a good way native in RT, or am I better off writing my own
custom cron job scripts that'll check against our LDAP server, create
the accounts if they don't exist, strip off @domain.com from the
username, elevate to privileged if not, etc.?

Could I use RT scrip actions to elevate LDAP authenticated people to
privileged users?

Any tips or examples of how to do this? I know there used to be
contributed code dump from LDAP for RT2, anything that works on 3.2?

Issue 2)
RT doesn’t seem to let me try mysql authentication when the account
doesn’t exist in ldap or my password is wrong. I’ve tried it with both
undef and 1.

Set($WebFallbackToInternalAuth , undef);

FYI: I find it useful to see people's install steps and config files, so
I'm sharing mine here.

My build: FreeBSD 4.8, Perl 5.8.4, Apache/1.3.31, mod_perl/1.29,
mod_ssl/2.8.18, OpenSSL/0.9.7d, MySQL 4.0.2, RT 3.2.0, RTFM 2.0.2,
Stats v_0_15
(against our OpenLDAP server, called for example "directory.ourdomain.com")

  1. I installed the auth_ldap & openldapclient ports (I may have
    installed some other things, imported a certificate, etc. when trying
    to get the TLS option to work).

  2. Set my httpd.conf to look like this:

    Alias /rt3/rt3/NoAuth/images/ /usr/local/rt3/share/html/NoAuth/images
    Alias /rt3 /usr/local/rt3/share/html/
    PerlRequire /usr/local/rt3/bin/webmux.pl

    <Location /rt3>
        SetHandler perl-script
        PerlHandler RT::Mason
        PerlModule Apache::DBI
    </Location>

    <Directory "/usr/local/rt3/share/html">
        Options FollowSymLinks
        AllowOverride All
        # directives from here to the bottom are for LDAP auth
        AuthType Basic
        AuthName "LDAP/email username and password"
        # optional TLS encryption to the LDAP server
        AuthLDAPStartTLS On
        # you may want ou=people in the base DN
        AuthLDAPURL ldap://directory.ourdomain.com:389/dc=ourdomain,dc=com?uid
        require valid-user
    </Directory>

  3. Set($WebExternalAuth , 1); in my RT_SiteConfig

  4. stopped and started apache

ht://Dig on bestpractical
FYI: ht://Dig on http://lists.bestpractical.com/search.html appears to
need a reindexing, or at least I kept getting null results the last few
times I ran a search.

Mike Patterson wrote:

I finally figured out how to make Apache authenticate against LDAP and
once I got over that hurdle, RT plays very nicely.

Now that I have this in place there are a few more things I’d like to do.

Issue 1)

I would like LDAP authenticated people to have their account
automatically created (e.g. $WebExternalAuto), including email address
info if possible (if it didn't already exist), and for those same
people to become privileged users.

I just extended RT to do this here as well. For Web logins create
Web_Local.pm in the same location as your Web.pm file (lib/RT/Interface/
for me). You want to extend the WebExternalAutoInfo method from Web.pm
to map your LDAP attribs to RT user fields.

Scott Russell lnxgeek@us.ibm.com
IBM Linux Technology Center
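What a Web_Local.pm along the lines Scott describes could look like, written here as an added example (it is not code from this thread or from RT itself). It assumes RT 3.2's Interface/Web.pm contract, where WebCanonicalizeInfo returns the username derived from REMOTE_USER and WebExternalAutoInfo returns a hashref of RT user fields that the autohandler sets on a freshly created user; it also assumes Net::LDAP is installed, anonymous search is allowed, and the host, base DN and mail domain are the placeholders from Mike's httpd.conf. Besides mapping mail and cn to RT fields and marking web logins Privileged, it covers Mike's second bullet: if an unprivileged account was already auto-created from e-mail under the same address, it is renamed to the uid rather than colliding with a second account.

```perl
# lib/RT/Interface/Web_Local.pm (site override next to Web.pm; added example)
package RT::Interface::Web;

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed site-specific values, taken from the httpd.conf in this thread.
my $LDAP_HOST   = 'directory.ourdomain.com';
my $LDAP_BASE   = 'dc=ourdomain,dc=com';
my $MAIL_DOMAIN = 'ourdomain.com';

# Look a uid up in LDAP; returns a hashref of RT user fields, or undef.
# Apache has already authenticated the uid, but it is still escaped so a
# crafted REMOTE_USER can never change the meaning of the search filter.
sub _LdapUserInfo {
    my $uid  = shift;
    my $ldap = Net::LDAP->new($LDAP_HOST, version => 3);
    unless ($ldap) {
        $RT::Logger->error("LDAP connect to $LDAP_HOST failed: $@");
        return;
    }
    my $mesg = $ldap->start_tls;             # same TLS choice as httpd.conf
    if ($mesg->code) {
        $RT::Logger->error("LDAP STARTTLS failed: " . $mesg->error);
        return;
    }
    $mesg = $ldap->bind;                     # anonymous, like Apache's lookup
    return if $mesg->code;
    $mesg = $ldap->search(
        base   => $LDAP_BASE,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($uid) . ')',
        attrs  => [qw(mail cn)],
    );
    $ldap->unbind;
    return unless !$mesg->code && $mesg->count == 1;
    my $e = $mesg->entry(0);
    return {
        EmailAddress => scalar $e->get_value('mail'),
        RealName     => scalar $e->get_value('cn'),
        Privileged   => 1,    # only web (LDAP) logins ever reach this code
    };
}

# Turns REMOTE_USER into the RT username. Strips @ourdomain.com in case the
# name arrives as a mail address, and if an account for that address was
# already auto-created from e-mail, renames it to the uid instead of letting
# a second account appear (RT refuses two users with one e-mail address).
sub WebCanonicalizeInfo {
    my $user = $ENV{'REMOTE_USER'};
    return undef unless defined $user && length $user;
    $user = lc $user;
    $user =~ s/\@\Q$MAIL_DOMAIN\E\z//;

    my $by_name = RT::User->new($RT::SystemUser);
    $by_name->Load($user);
    return $user if $by_name->Id;            # uid-named account already exists

    my $info = _LdapUserInfo($user);
    if ($info && $info->{EmailAddress}) {
        my $by_mail = RT::User->new($RT::SystemUser);
        $by_mail->LoadByEmail($info->{EmailAddress});
        if ($by_mail->Id) {
            my ($ok, $msg) = $by_mail->SetName($user);
            $RT::Logger->info("Renaming RT user " . $by_mail->Id . " to $user: $msg");
            $by_mail->SetPrivileged(1) if $ok && !$by_mail->Privileged;
        }
    }
    return $user;
}

# Called by the autohandler right after it creates a new user; each key of
# the returned hashref is an RT user field it then sets.
sub WebExternalAutoInfo {
    my $user = shift;
    return _LdapUserInfo($user) || { Privileged => 1 };
}

1;
</test>
```

Users who only ever arrived by e-mail are untouched, because this code runs solely on web requests that Apache has already authenticated. One caveat worth knowing for Issue 2: with `require valid-user` on the whole /rt3 tree, Apache itself answers 401 to anyone the LDAP server rejects, so the request never reaches RT and $WebFallbackToInternalAuth gets no chance to try the MySQL password; the fallback only applies to requests that reach RT without REMOTE_USER set.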

I finally figured out how to make Apache authenticate against LDAP and
once I got over that hurdle, RT plays very nicely.

so your RT is just using ExternAuth, and apache is doing all the LDAP
auth? And everywhere you say “ldap authenticated” you mean web auth?

I would like LDAP authenticated people to have their account
automatically created (e.g. $WebExternalAuto), including email
address info if possible (if it didn't already exist), and for those
same people to become privileged users.

Override the WebCanonicalizeInfo function in Interface/Web.pm, I
thought it was doc’ed.

  • I don't want everyone who sends an email to become a privileged user
    though (just LDAP authenticated folks).

so, uh, don’t set it that way.

  • Presumably some of them would already have sent an email, so if I
    let it "autocreate an account" will there be a problem because their
    old username was their email address and presumably their new
    username would be their uid?

yes, I think it would be problem. 2 accounts can’t have the same email
address. You could make the web auto-create stuff more intelligent, or
have the email autocreate stuff more intelligent.

Is there a good way native in RT, or am I better off writing my own
custom cron job scripts that'll check against our LDAP server, create
the accounts if they don't exist, strip off @domain.com from the
username, elevate to privileged if not, etc.?

I ended up doing both. I did a bulk load every couple of hours that
elevated permissions and set group membership (group membership was
the real point of my bulk uploads), and had the web autocreate stuff
act intelligently.

RT doesn’t seem to let me try mysql authentication when the account
doesn’t exist in ldap or my password is wrong. I’ve tried it with
both undef and 1.

I haven’t had a problem. You’d need to set WebFallbackToInternalAuth
to 1 (make sure to stop and start apache), make sure they have an RT
password, and make sure apache will let them access it.

seph
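The bulk load seph describes, as an added example (not code from this thread or from RT): a cron script that walks the directory, makes sure every uid has a privileged RT account, adopts accounts that were auto-created from e-mail instead of duplicating them, and mirrors selected LDAP groups into RT user-defined groups. It assumes RT 3.2's Perl API (RT::LoadConfig, RT::Init, RT::User, RT::Group), Net::LDAP, an OpenLDAP layout with posixGroup/memberUid entries, the hostname and base DN placeholders from Mike's config, and a hypothetical %GROUP_MAP whose RT groups have been created by hand beforehand.

```perl
#!/usr/bin/perl
# ldap2rt.pl: mirror an LDAP directory into RT from cron (added example).
use strict;
use warnings;
use lib '/usr/local/rt3/lib';        # RT location from Mike's build
use RT;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed site-specific values.
my $LDAP_HOST = 'directory.ourdomain.com';
my $PEOPLE    = 'ou=people,dc=ourdomain,dc=com';
my $GROUPS    = 'ou=groups,dc=ourdomain,dc=com';
# LDAP posixGroup cn => RT user-defined group name (hypothetical mapping)
my %GROUP_MAP = (helpdesk => 'Helpdesk', sysadmin => 'Sysadmins');

RT::LoadConfig();
RT::Init();

my $ldap = Net::LDAP->new($LDAP_HOST, version => 3) or die "LDAP connect: $@";
$ldap->start_tls->code and die "LDAP STARTTLS failed";
$ldap->bind->code       and die "LDAP anonymous bind failed";

# One-level search under $base; dies rather than silently syncing nothing.
sub ldap_entries {
    my ($base, $filter, @attrs) = @_;
    my $mesg = $ldap->search(base => $base, scope => 'one',
                             filter => $filter, attrs => \@attrs);
    die "LDAP search $filter: " . $mesg->error if $mesg->code;
    return $mesg->entries;
}

# Load the RT user for a uid, creating it if needed, and make it privileged.
# An account that RT auto-created from e-mail under the same address is
# renamed to the uid (two RT users cannot share an e-mail address).
sub ensure_user {
    my ($uid, $mail, $cn) = @_;
    my $u = RT::User->new($RT::SystemUser);
    $u->Load($uid);
    if (!$u->Id && $mail) {
        $u->LoadByEmail($mail);
        if ($u->Id) {
            my ($ok, $msg) = $u->SetName($uid);
            $RT::Logger->info("renamed user " . $u->Id . " to $uid: $msg");
        }
    }
    if (!$u->Id) {
        my ($id, $msg) = $u->Create(
            Name         => $uid,
            EmailAddress => $mail,
            RealName     => $cn,
            Privileged   => 1,
        );
        unless ($id) { $RT::Logger->error("create $uid: $msg"); return }
    }
    $u->SetPrivileged(1) unless $u->Privileged;
    return $u;
}

# Pass 1: accounts. Only people in the directory are ever elevated, so
# e-mail-only correspondents stay unprivileged.
my %user_for;
for my $e (ldap_entries($PEOPLE, '(uid=*)', qw(uid mail cn))) {
    my $uid = lc $e->get_value('uid');
    my $u = ensure_user($uid, scalar $e->get_value('mail'),
                              scalar $e->get_value('cn'));
    $user_for{$uid} = $u if $u;
}

# Pass 2: group membership, the real point of the bulk load.
for my $cn (sort keys %GROUP_MAP) {
    my $g = RT::Group->new($RT::SystemUser);
    $g->LoadUserDefinedGroup($GROUP_MAP{$cn});
    unless ($g->Id) { $RT::Logger->error("no RT group $GROUP_MAP{$cn}"); next }
    my $filter = '(cn=' . escape_filter_value($cn) . ')';
    for my $e (ldap_entries($GROUPS, $filter, 'memberUid')) {
        for my $uid (map { lc } $e->get_value('memberUid')) {
            my $u = $user_for{$uid} or next;      # not in ou=people: skip
            next if $g->HasMember($u->PrincipalObj);
            my ($ok, $msg) = $g->AddMember($u->PrincipalId);
            $RT::Logger->info("add $uid to $GROUP_MAP{$cn}: $msg");
        }
    }
}
$ldap->unbind;
```

Run it as the user that owns RT's config (it needs to read RT_SiteConfig.pm and the database password), e.g. `0 */2 * * * /usr/local/rt3/local/ldap2rt.pl` for the "every couple of hours" cadence. It only ever adds members; removing people who left the directory is a separate, deliberate decision and is left out here.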