How to make LDAP authentication in RT3

Hello folks.

Could anyone post the procedure, file, … to enable LDAP authentication
against an external LDAP server, with RT3 on Linux?

I know that it is possible to authenticate users against an external LDAP
server. I have been googling and searching in mailing lists, and I have found a
lot of different references, too many references, but not very clear, and
most of them referring to RT2; I wonder whether it could be the same for RT3.
This is the main reason for my request.

Thanks in advance.

Hi,

You have to install apache mod_auth and mod_auth_ldap etc…

and here you have all the code that overrides the login connection:
http://www.usit.uio.no/it/rt/modifications.html

Patrick.

-----Original Message-----
From: rt-devel-bounces@lists.bestpractical.com
[mailto:rt-devel-bounces@lists.bestpractical.com]On Behalf Of Francisco
Javier Martínez Martinez
Sent: Monday, January 31, 2005 8:20 AM
To: rt-users@lists.bestpractical.com
Cc: rt-devel@lists.bestpractical.com
Subject: [Rt-devel] How to make LDAP authentication in RT3

Rt-devel mailing list
Rt-devel@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel

Could anyone post the procedure, file, … to enable LDAP authentication
against an external LDAP server, with RT3 on Linux?

I know that it is possible to authenticate users against an external LDAP
server. I have been googling and searching in mailing lists, and I have found a
lot of different references, too many references, but not very clear, and
most of them referring to RT2; I wonder whether it could be the same for RT3.
This is the main reason for my request.

I switched it on on my testbox

Accept REMOTE_USER as authenticated:

in RT_SiteConfig.pm:

    Set($WebExternalAuth , 1);
    #Set($WebFallbackToInternalAuth , 1);

    #If the user does not exist, create him:
    Set($WebExternalAuto , 1);

And then in httpd.conf:

    AuthName "Please type your [firstname.lastname] and your [mail-passwd] to access RT"
    AuthType Basic
    AuthLDAPURL ldap://ldap.server.com:389/o=my-company?login?sub?(mail=*)
    require valid-user

mod_auth_ldap is required, of course.

The user can then type his “login” attribute to login and can only login
if a mail-attribute is present and filled in his user data.

You could set this to “accessrt=yes” to make sure only people with an
"accessrt"-Attribute of “yes” could access rt. You’d have to manage that
attribute, though (create, maintain…).

I did not do any modifications on rt itself.

cheers
Alex

Alexander Finger
callto://ch.eurospot.af
mailto:af@syd.de

Hello.

First, I wish to thank Steve and the others for their quick answers.

But my scenario is not one where RT delegates the LDAP authentication to
Apache. My scenario is as follows:

RT (not Apache) must itself authenticate users against an LDAP server. This
is because, if it is Apache that does the authentication, the first
entrance page is missing, and on this first RT login page we want to
leave messages for users, among other things.

I want to make this authentication with NO TLS.

I had tried many things following recommendations found in the mailing list,
with no success. The last that I had tried is the following:

In RT_SiteConfig I had added/changed:

    # If $WebExternalAuth is defined, RT will defer to the environment's
    # REMOTE_USER variable.

    Set($WebExternalAuth , undef);

    $LDAPExternalAuth = 1; # will enable LDAP-Auth
    $LDAPInternalAuthRequired = 1; # will require internal password
    $LDAPExternalAuto = 1; # will create accounts "on the fly"
    $LdapServer="ldapxxx.domain.com"; # LDAP server for authentication
    $LdapCert= ""; # enables TLS, name is checked instead of the server name
    $LdapCertDir= ""; # enables TLS, will check server name and certificate vs. CA chain from dir
    $LdapUser=""; # user name for binding
    $LdapPass=""; # password for binding
    $LdapBase="dc=domain,dc=com"; # search base
    $LdapUidAttr="uid"; # attribute for RT user name
    $LdapFilter="(objectclass=*)"; # additional filter

    #$LdapMap = { # mapping LDAP attributes to RT3
    #    'RT user parameter' => 'LDAP entry',
    #    'Name' => $RT::LdapUidAttr,
    #    'EmailAddress' => 'mail',
    #    'RealName' => 'cn',
    #};

    # If $WebFallbackToInternalAuth is undefined, the user is allowed a chance
    # of fallback to the login screen, even if REMOTE_USER failed.

    Set($WebFallbackToInternalAuth , undef);

And I had created both cases with no success:

/usr/local/rt3/lib/RT/User_Local.pm
and
/usr/local/rt3/local/lib/RT/User_Local.pm

    # MANIFEST: LDAP Overlay for RT3
    #
    # $Id: RT::User_Local.pm,v 1.0 2004/12/21 zardoz Exp $

    no warnings qw(redefine);

    # {{{ sub IsPassword

    # Modification Originally by Marcelo Bartsch <bartschm_cl@hotmail.com>
    # Update by Stewart James <stewart.james@vu.edu.au> for rt3.
    # Update by Ruediger Riediger <ruediger.riediger@sun.com> to support TLS

    sub IsPassword {
        my $self  = shift;
        my $value = shift;

        #TODO there isn't any apparent way to legitimately ACL this

        # RT does not allow null passwords
        if ( ( !defined($value) ) or ( $value eq '' ) ) {
            $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - no password submitted\n");
            return (undef);
        }

        if ( $self->PrincipalObj->Disabled ) {
            $RT::Logger->info(
                "Disabled user " . $self->Name . " tried to log in" );
            return (undef);
        }

        # an undefined or empty stored password never matches
        if ( !defined($self->__Value('Password')) ||
             ($self->__Value('Password') eq '') ) {
            $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - no password in database\n");
            return(undef);
        }

        # generate an md5 password
        if ($self->_GeneratePassword($value) eq $self->__Value('Password')) {
            $RT::Logger->debug("AUTH OK: " . $self->Name . " - MD5 password\n");
            return(1);
        }

        #  if it's a historical password we say ok.

        # / LDAP Overlay for RT3 /

        if (! $RT::LDAPExternalAuth)
        {
            if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
                $RT::Logger->debug("AUTH OK: " . $self->Name . " - crypt password\n");
                return (1);
            }
            else {
                $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - no password match\n");
                return (undef);
            }
        }
        else
        {
            if ($self->__Value('Password') eq crypt($value, $self->__Value('Password'))) {
                $RT::Logger->debug("AUTH OK: " . $self->Name . " - crypt password\n");
                return (1);
            }

            # do not allow LDAP if there is a local password and
            # LDAPInternalAuthRequired is set
            unless ( $RT::LDAPInternalAuthRequired &&
                ($self->__Value('Password') eq '*NO-PASSWORD*') )
            {
                $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - no password match\n");
                return (undef);
            }

            $RT::Logger->info("Using External Authentication\n");
            use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
            use Net::LDAP::Util qw (ldap_error_name);

            my $mesg;
            my $ldap = Net::LDAP->new($RT::LdapServer, version=>3) or
                $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot connect to LDAP'\n"), return 0;

            # Switch on TLS or bail out
            if ( (defined($RT::LdapCert) && $RT::LdapCert)
                || (defined($RT::LdapCertDir) && $RT::LdapCertDir) ) {
                # declared before the if/else so both values are still in
                # scope for start_tls and the error branch below
                my ($cert_dir, $cert_vrfy);
                if(defined($RT::LdapCertDir) && $RT::LdapCertDir) {
                    $cert_dir  = $RT::LdapCertDir;
                    $cert_vrfy = "require";
                } else {
                    $cert_dir  = undef;
                    $cert_vrfy = "none";
                }
                if($ldap->start_tls(verify => $cert_vrfy, capath => $cert_dir)
                    && $ldap->certificate) {
                    if( ( defined($RT::LdapCert) && $RT::LdapCert
                            && $ldap->certificate->subject_name
                                !~ /$RT::LdapCert/oi )
                        || ( $ldap->certificate->subject_name
                                !~ /\bCN=$RT::LdapServer\b/oi ) ) {
                        $RT::Logger->critical("GetExternalUserWithLDAP: Wrong Certificate: ",
                            $ldap->certificate->subject_name,
                            "\n");
                        return 0;
                    }
                } else {
                    if($cert_dir) {
                        $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot verify TLS certificate\n");
                    } else {
                        $RT::Logger->critical("GetExternalUserWithLDAP: " . "Cannot switch to TLS\n");
                    }
                    return 0;
                }
            }

            # I seem to have problems if I try and bind with a NULL username by hand
            # So this now checks to see if we are really going to bind with a
            # username.
            if (defined($RT::LdapUser) && $RT::LdapUser) {
                $mesg = $ldap->bind($RT::LdapUser, password =>$RT::LdapPass );
            } else {
                $mesg = $ldap->bind;
            }
            if ($mesg->code != LDAP_SUCCESS) {
                $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
                    $mesg->code, "\n");
                return 0;
            }

            my $filter = "(&(&(objectclass=person)(" .
                $RT::LdapUidAttr . "=" . $self->Name ."))$RT::LdapFilter)";
            $RT::Logger->debug("GetExternalUserWithLDAP: First search filter '$filter'\n");
            $mesg = $ldap->search(base   => $RT::LdapBase,
                                  filter => $filter,
                                  attrs  => ['dn']);
            if (!(($mesg->code == LDAP_SUCCESS) or ($mesg->code == LDAP_PARTIAL_RESULTS)))
            {
                $RT::Logger->debug("GetExternalUserWithLDAP: Could not search for $filter: ",
                    $mesg->code, "" ,
                    ldap_error_name($mesg->code) ,"\n");
                return 0;
            }
            $RT::Logger->debug("GetExternalUserWithLDAP: First search produced ",
                $mesg->count, " results\n");
            if (! $mesg->count)
            {
                $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - LDAP failed\n");
                return (undef);
            }

            # Log the matched DN only; the submitted password ($value)
            # must not be written to the log.
            $RT::Logger->debug("LDAP DN: " . $mesg->first_entry->dn . "\n");
            my $mesg2 = $ldap->bind($mesg->first_entry->dn, password =>$value );
            if ($mesg2->code != LDAP_SUCCESS) {
                $RT::Logger->critical("GetExternalUserWithLDAP: Cannot bind to LDAP:",
                    $mesg2->code, "\n");
                return 0;
            }
            else
            {
                $RT::Logger->debug("AUTH OK: " . $self->Name . " - LDAP (" .$mesg->first_entry->dn . ")\n");
                return 1;
            }
        }

        # /\ LDAP Overlay for RT3 /\

        # no password check has succeeded. get out

        $RT::Logger->debug("AUTH FAILED: " . $self->Name . " - all auth methods failed \n");
        return (undef);
    }

    # }}}

    # {{{ LoadOrCreateByEmail

    sub LoadOrCreateByEmail {
        my $self  = shift;
        my $email = shift;

        my ($val, $message);

        my ( $Address, $Name ) =
            RT::EmailParser::ParseAddressFromHeader('', $email);
        $email = $Address;

        $self->LoadByEmail($email);
        $message = $self->loc('User loaded');

        # / LDAP Overlay for RT3 /

        unless ($self->Id || ($email =~ /\@/)) {
            # that's not an email!
            $self->Load($email);
            $message = $self->loc('User loaded from uid');
        }

        my %UserInfo;
        my $UserFoundInExternalDatabase;
        unless ($self->Id) {
            # Now, we might need to correlate the email address used with an
            # external stored identity - retrieve from LDAP
            ( $UserFoundInExternalDatabase, %UserInfo ) =
              RT::EmailParser::LookupExternalUserInfo( $email, undef, undef );
            if ( $UserFoundInExternalDatabase
              && exists($UserInfo{'Name'}) && $UserInfo{'Name'} ) {
                $self->Load($UserInfo{'Name'});
                $message = $self->loc('User loaded from LDAP');
                $email = $UserInfo{'EmailAddress'}
                  if(exists($UserInfo{'EmailAddress'}) && $UserInfo{'EmailAddress'});
                $UserInfo{'Comments'} = 'Autocreated with LDAP Data when added as a watcher';
            } else {
                $UserInfo{'Name'} = $email;
                $UserInfo{'EmailAddress'} = $email;
                $UserInfo{'RealName'} = $email;
                $UserInfo{'Comments'} = 'Autocreated when added as a watcher';
            }
            $UserInfo{'Privileged'} = 0;
            $UserInfo{'Password'} = undef;
        }

        # /\ LDAP Overlay for RT3 /\

        unless ($self->Id) {

            # / use Create(%UserInfo) for LDAP Overlay for RT3 /

            ( $val, $message ) = $self->Create(%UserInfo);
            unless ($val) {
                # Deal with the race condition of two account creations at once
                $self->LoadByEmail($email);
                unless ($self->Id) {
                    sleep 5;
                    $self->LoadByEmail($email);
                }
                if ($self->Id) {
                    $RT::Logger->error("Recovered from creation failure due to race condition");
                    $message = $self->loc("User loaded");
                }
                else {
                    $RT::Logger->crit("Failed to create user ".$email .": " .$message);
                }
            }
        }

        if ($self->Id) {
            return($self->Id, $message);
        }
        else {
            return(0, $message);
        }
    }

    # }}}

    1;

At 15:32 31/01/2005, steve wrote:
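
An added example, not code from the thread or from RT: the IsPassword overlay above concatenates `$self->Name` into the search filter and then binds as the first entry returned. The sketch below escapes the name per RFC 4515 and gates the password bind; `rfc4515_escape`, `naive_filter`, `safe_filter`, `term_count` and `ok_to_bind` are hypothetical names, and the login names are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape a value for an LDAP search filter (RFC 4515): backslash, '*', '(',
# ')' and NUL become \XX hex pairs. Net::LDAP::Util exports
# escape_filter_value() for the same job; this hand-written helper
# (hypothetical name) keeps the example free of CPAN dependencies.
sub rfc4515_escape {
    my ($value) = @_;
    $value =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# The filter as the posted overlay builds it: login name concatenated as-is.
sub naive_filter {
    my ($uid_attr, $name, $extra) = @_;
    return "(&(&(objectclass=person)($uid_attr=$name))$extra)";
}

# Same shape, but the attribute name is validated and the value is escaped,
# so the login name can only ever be data inside one (attr=value) term.
sub safe_filter {
    my ($uid_attr, $name, $extra) = @_;
    die "bad attribute name\n" unless $uid_attr =~ /\A[A-Za-z][A-Za-z0-9-]*\z/;
    die "empty login name\n"   unless defined $name && length $name;
    return "(&(&(objectclass=person)($uid_attr="
         . rfc4515_escape($name) . "))$extra)";
}

# Number of literal '(' in a filter. Escaped parentheses (\28) do not count,
# so a change in this number means the input altered the filter structure.
sub term_count {
    my ($filter) = @_;
    my $count = () = $filter =~ /\(/g;
    return $count;
}

# Checks before the second bind, the one that tests the user's password.
# A simple bind with a DN and an empty password is an unauthenticated bind
# (RFC 4513, section 5.1.2) that a server may accept, so the empty-password
# test at the top of IsPassword has to stay. Requiring exactly one match
# avoids binding as whichever entry an ambiguous filter returns first.
sub ok_to_bind {
    my ($match_count, $password) = @_;
    return 0 unless defined $password && length $password;
    return 0 unless $match_count == 1;
    return 1;
}

my $extra    = '(objectclass=*)';    # the $LdapFilter value used in the thread
my $baseline = term_count(naive_filter('uid', 'jsmith', $extra));

# Constructed login names: a normal one, one with a wildcard, and one
# containing parentheses.
for my $name ('jsmith', 'j*', 'x)(mail=*') {
    my $naive = naive_filter('uid', $name, $extra);
    my $safe  = safe_filter('uid', $name, $extra);
    printf "%-10s naive: %s%s\n", $name, $naive,
        term_count($naive) == $baseline ? '' : '   <-- structure changed';
    printf "%-10s safe:  %s%s\n", '', $safe,
        term_count($safe) == $baseline ? '' : '   <-- structure changed';
}

printf "one match, password given -> bind allowed: %d\n", ok_to_bind(1, 'secret');
printf "one match, empty password -> bind allowed: %d\n", ok_to_bind(1, '');
printf "two matches               -> bind allowed: %d\n", ok_to_bind(2, 'secret');
```

In the overlay itself the change amounts to escaping `$self->Name` before it is placed in `$filter` and checking `$mesg->count == 1` before the second `bind`.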

Francisco Javier Martínez Martinez wrote:

But my scenario is not one where RT delegates the LDAP authentication to
Apache. My scenario is as follows:

RT (not Apache) must itself authenticate users against an LDAP server.
This is because, if it is Apache that does the authentication, the
first entrance page is missing, and on this first RT login page we
want to leave messages for users, among other things.

Sounds way too complex to me.

Why don’t you just put up a static html page in front of the rt?

index.html -> your static page contains the info + a meta refresh on
http://server/rt/

After a time defined in the refresh tag, users get automatically
redirected to rt and have to type in their login.

Looks more straight to me than modifying the code.

cheers
Alex

Francisco Javier Martínez Martinez wrote:

I had tried many things following recommendations found in the mailing list,
with no success. The last that I had tried is the following:

sounds like you are using our overlay.

    $LDAPExternalAuto = 1; # will create accounts "on the fly"

-> this means every user for RT must be with uid= in your
LDAP, and then can bind to LDAP using a password.

And I had created both cases with no success:

/usr/local/rt3/lib/RT/User_Local.pm
and
/usr/local/rt3/local/lib/RT/User_Local.pm

did you use the /usr/local/rt3/local/html/autohandle ?

http://lists.bestpractical.com/pipermail/rt-devel/2004-December/006627.html

    $LdapPass="5…ia";

Looks like someone has to change password now ;-)

httpd.conf

ServerName helpdesk…com
DocumentRoot /usr/local/rt3/share/html
AddDefaultCharset UTF-8
PerlModule Apache::DBI
PerlRequire /usr/local/rt3/bin/webmux.pl

SetHandler perl-script
PerlHandler RT::Mason
AuthName "RT Web Users"
AuthType Basic
AuthLDAPAuthoritative off
AuthLDAPurl ldap://ldap…com/?cn?sub
require valid-user

ErrorLog /var/log/helpdesk-error.log
CustomLog /var/log/helpdesk-access.log common
CustomLog /var/log/helpdesk-combined.log combined

you do not need any LDAP in httpd.conf

Best regards,

Ruediger Riediger

Dr. Ruediger Riediger Sun Microsystems GmbH
NSG - SunCERT Komturstr. 18a
mailto:Ruediger.Riediger@Sun.com D-12099 Berlin


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users


Here is my RT_SiteConfig.pm and, below, the lines from my httpd.conf
which does the actual authentication

    # WARNING: NEVER EDIT RT_Config.pm. Instead, copy any sections you want to
    # change to RT_SiteConfig.pm
    # and edit them there.

    package RT;

    =head1 NAME

    RT::Config

    =for testing

    use RT::Config;

    =cut

    $LDAPExternalAuth = 1;
    $LdapServer="ldap…com";
    $LdapUser="cn=admin,o=…";
    $LdapPass="5equ0ia";
    $LdapBase="";
    $LdapUidAttr="uid";
    $LdapFilter="(objectclass=*)";
    $LdapTLS = 0;
    $LdapGroup ="cn=NY-Everyone,ou=Groups,ou=NY,ou=TBWA,ou=NAM";
    $LdapGroupAttribute = 'member';

    # {{{ Base Configuration

    # $rtname the string that RT will look for in mail messages to
    # figure out what ticket a new piece of mail belongs to
    # Your domain name is recommended, so as not to pollute the namespace.
    # once you start using a given tag, you should probably never change it.
    # (otherwise, mail for existing tickets won't get put in the right place
    Set($rtname , "helpdesk…com");

    # You should set this to your organization's DNS domain. For example,
    # fsck.com or asylum.arkham.ma.us. It's used by the linking interface to
    # guarantee that ticket URIs are unique and easy to construct.
    Set($Organization , "…com");

    # $user_passwd_min defines the minimum length for user passwords. Setting
    # it to 0 disables this check
    Set($MinimumPasswordLength , "5");

    # $Timezone is used to convert times entered by users into GMT and back
    # again
    # It should be set to a timezone recognized by your local unix box.
    Set($Timezone , 'US/Eastern');

    # }}}

    # }}}

    # {{{ Database Configuration

    # Database driver beeing used. Case matters
    # Valid types are "mysql", "Oracle" and "Pg"
    Set($DatabaseType , 'mysql');

    # The domain name of your database server
    # If you're running mysql and it's on localhost,
    # leave it blank for enhanced performance
    Set($DatabaseHost , '');
    Set($DatabaseRTHost , '');

    # The port that your database server is running on. Ignored unless it's
    # a positive integer. It's usually safe to leave this blank
    Set($DatabasePort , '');

    #The name of the database user (inside the database)
    Set($DatabaseUser , 'root');

    # Password the DatabaseUser should use to access the database
    Set($DatabasePassword , 'm4dne55');

    # The name of the RT's database on your database server
    Set($DatabaseName , 'rtnew');

    # If you're using Postgres and have compiled in SSL support,
    # set DatabaseRequireSSL to 1 to turn on SSL communication
    Set($DatabaseRequireSSL , undef);

    # }}}

    # {{{ Incoming mail gateway configuration

    # OwnerEmail is the address of a human who manages RT. RT will send
    # errors generated by the mail gateway to this address. This address
    # should not be an address that's managed by your RT instance.
    Set($OwnerEmail , 'root');

    # If $LoopsToRTOwner is defined, RT will send mail that it believes
    # might be a loop to $RT::OwnerEmail
    Set($LoopsToRTOwner , 1);

    # If $StoreLoopss is defined, RT will record messages that it believes
    # to be part of mail loops.
    # As it does this, it will try to be careful not to send mail to the
    # sender of these messages
    Set($StoreLoops , undef);

    # $MaxAttachmentSize sets the maximum size (in bytes) of attachments stored
    # in the database.
    # For mysql and oracle, we set this size at 10 megabytes.
    # If you're running a postgres version earlier than 7.1, you will need
    # to drop this to 8192. (8k)
    Set($MaxAttachmentSize , 10000000);

    # $TruncateLongAttachments: if this is set to a non-undef value,
    # RT will truncate attachments longer than MaxAttachmentLength.
    Set($TruncateLongAttachments , undef);

    # $DropLongAttachments: if this is set to a non-undef value,
    # RT will silently drop attachments longer than MaxAttachmentLength.
    Set($DropLongAttachments , undef);

    # If $ParseNewMessageForTicketCcs is true, RT will attempt to divine
    # Ticket 'Cc' watchers from the To and Cc lines of incoming messages
    # Be forewarned that if you have any addresses which forward mail to
    # RT automatically and you enable this option without modifying
    # "RTAddressRegexp" below, you will get yourself into a heap of trouble.
    Set($ParseNewMessageForTicketCcs , undef);

    # RTAddressRegexp is used to make sure RT doesn't add itself as a ticket
    # CC if
    # the setting above is enabled.
    Set($RTAddressRegexp , '^steve.rieger@…com$');

    # RT provides functionality which allows the system to rewrite
    # incoming email addresses. In its simplest form,
    # you can substitute the value in CanonicalizeEmailAddressReplace
    # for the value in CanonicalizeEmailAddressMatch
    # (These values are passed to the CanonicalizeEmailAddress subroutine in
    # RT/User.pm)
    # By default, that routine performs a s/$Match/$Replace/gi on any
    # address passed to it
    Set($CanonicalizeEmailAddressMatch , 'subdomain…com$');
    Set($CanonicalizeEmailAddressReplace , '…com');

    # If $SenderMustExistInExternalDatabase is true, RT will refuse to
    # create non-privileged accounts for unknown users if you are using
    # the "LookupSenderInExternalDatabase" option.
    # Instead, an error message will be mailed and RT will forward the
    # message to $RTOwner.
    # If you are not using $LookupSenderInExternalDatabase, this option
    # has no effect.
    # If you define an AutoRejectRequest template, RT will use this
    # template for the rejection message.
    Set($SenderMustExistInExternalDatabase , undef);

    # }}}

    # {{{ Outgoing mail configuration

    # RT is designed such that any mail which already has a ticket-id associated
    # with it will get to the right place automatically.

    # $CorrespondAddress and $CommentAddress are the default addresses
    # that will be listed in From: and Reply-To: headers of correspondence
    # and comment mail tracked by RT, unless overridden by a queue-specific
    # address.
    Set($CorrespondAddress , 'tickets@…com');

    Set($CommentAddress , 'helpdesk-ny@…com');

    #Sendmail Configuration

    # $MailCommand defines which method RT will use to try to send mail
    # We know that 'sendmailpipe' works fairly well.
    # If 'sendmailpipe' doesn't work well for you, try 'sendmail'
    # Note that you should remove the '-t' from $SendmailArguments
    # if you use 'sendmail rather than 'sendmailpipe'
    Set($MailCommand , 'sendmailpipe');

    # $SendmailArguments defines what flags to pass to $Sendmail
    # assuming you picked 'sendmail' or 'sendmailpipe' as the $MailCommand
    # above.
    # If you picked 'sendmailpipe', you MUST add a -t flag to $SendmailArguments
    # These options are good for most sendmail wrappers and workalikes
    Set($SendmailArguments , "-oi -t");

    # These arguments are good for sendmail brand sendmail 8 and newer
    #Set($SendmailArguments,"-oi -t -ODeliveryMode=b -OErrorMode=m");

    # If you selected 'sendmailpipe' above, you MUST specify the path
    # to your sendmail binary in $SendmailPath.
    # !! If you did not # select 'sendmailpipe' above, this has no effect!!
    Set($SendmailPath , "/usr/sbin/sendmail");

    # By default, RT sets the outgoing mail's "From:" header to
    # "SenderName via RT". Setting this option to 0 disables it.
    Set($UseFriendlyFromLine , 1);

    # sprintf() format of the friendly 'From:' header; its arguments
    # are SenderName and SenderEmailAddress.
    Set($FriendlyFromLineFormat , "\"%s via RT\" <%s>");

    # RT can optionally set a "Friendly" 'To:' header when sending messages to
    # Ccs or AdminCcs (rather than having a blank 'To:' header.
    # This feature DOES NOT WORK WITH SENDMAIL[tm] BRAND SENDMAIL
    # If you are using sendmail, rather than postfix, qmail, exim or some
    # other MTA,
    # you must disable this option.
    Set($UseFriendlyToLine , 0);

    # sprintf() format of the friendly 'From:' header; its arguments
    # are WatcherType and TicketId.
    Set($FriendlyToLineFormat, "\"%s of $RT::rtname Ticket #%s\":;");

    # By default RT doesn't notify the person who performs an update, as they
    # already know what they've done. If you'd like to change this behaviour,
    # Set $NotifyActor to 1
    Set($NotifyActor, 1);

    # }}}

    # {{{ Logging

    # Logging. The default is to log anything except debugging
    # information to syslog. Check the Log::Dispatch POD for
    # information about how to get things by syslog, mail or anything
    # else, get debugging info in the log, etc.

    # It might generally make
    # sense to send error and higher by email to some administrator.
    # If you do this, be careful that this email isn't sent to this RT instance.

    # the minimum level error that will be logged to the specific device.
    # levels from lowest to highest:
    # debug info notice warning error critical alert emergency

    # Mail loops will generate a critical log message.
    #Set($LogToSyslog , 'debug');
    #Set($LogToScreen , 'info');
    Set($LogToFile , 'debug');
    Set($LogDir, '/usr/local/rt3/var/log');
    Set($LogToFileNamed , "rt.log"); #log to rt.log

    # On Solaris, set to ( socket => 'inet' ). Options here override any
    # other options RT passes to Log::Dispatch::Syslog. Other interesting
    # flags include facility and logopt. (See the Log::Dispatch::Syslog
    # documentation for more information.) (Maybe ident too, if you have
    # multiple RT installations.)

    #socket => 'inet'
    @LogToSyslogConf = () unless (@LogToSyslogConf);

    # }}}

    # {{{ Web interface configuration

    # Define the directory name to be used for images in rt web
    # documents.

    # If you're putting the web ui somewhere other than at the root of
    # your server
    # $WebPath requires a leading / but no trailing /
    Set($WebPath , "");

    # This is the Scheme, server and port for constructing urls to webrt
    # $WebBaseURL doesn't need a trailing /
    Set($WebBaseURL , "http://…com");

    Set($WebURL , $WebBaseURL . $WebPath . "/");

    # $WebImagesURL points to the base URL where RT can find its images.
    Set($WebImagesURL , $WebURL . "NoAuth/images/");

    # $RTLogoURL points to the URL of the RT logo displayed in the web UI
    Set($LogoURL , $WebImagesURL . "rt.jpg");

    # For message boxes, set the entry box width and what type of wrapping
    # to use.

    # Default width: 72
    Set($MessageBoxWidth , 72);

    # Default wrapping: "HARD" (choices "SOFT", "HARD")
    Set($MessageBoxWrap, "HARD");

    # if TrustHTMLAttachments is not defined, we will display them
    # as text. This prevents malicious HTML and javascript from being
    # sent in a request (although there is probably more to it than that)
    Set($TrustHTMLAttachments , undef);

    # If $WebExternalAuth is defined, RT will defer to the environment's
    # REMOTE_USER variable.
    Set($WebExternalAuth , "true");

    # If $WebFallbackToInternalAuth is undefined, the user is allowed a chance
    # of fallback to the login screen, even if REMOTE_USER failed.
    Set($WebFallbackToInternalAuth , "true");

    # $WebExternalGecos means to match 'gecos' field as the user identity);
    # useful with mod_auth_pwcheck and IIS Integrated Windows logon.
    Set($WebExternalGecos , undef);

    # $WebExternalAuto will create users under the same name as REMOTE_USER
    # upon login, if it's missing in the Users table.
    Set($WebExternalAuto , "true");

    # $WebSessionClass is the class you wish to use for managing Sessions.
    # It defaults to use your SQL database, but if you are using MySQL 3.x and
    # plans to use non-ascii Queue names, uncomment and add this line to
    # RT_SiteConfig.pm will prevent session corruption.
    Set($WebSessionClass , 'Apache::Session::File');

    # $MaxInlineBody is the maximum attachment size that we want to see
    # inline when viewing a transaction. 13456 is a random sane-sounding
    # default.
    Set($MaxInlineBody, 13456);

    # $MyTicketsLength is the length of the owned tickets table on the
    # front page. For some people, the default of 10 isn't big enough
    # to get a feel for how much work needs to be done before you get
    # some time off.
    Set($MyTicketsLength, 10);

    # $MyRequestsLength is the length of the requested tickets table
    # on the front page.
    Set($MyRequestsLength, 10);

    # @MasonParameters is the list of parameters for the constructor of
    # HTML::Mason's Apache or CGI Handler. This is normally only useful
    # for debugging, eg. profiling individual components with
    # (preamble => 'my $p = MasonX::Profiler->new($m, $r);');
    @MasonParameters = () unless (@MasonParameters);

    # }}}

    # {{{ RT UTF-8 Settings

    # An array that contains languages supported by RT's internationalization
    # interface. Defaults to all *.po lexicons; set it to qw(en ja) will make
    # RT bilingual instead of multilingual, but will save same memory.
    @LexiconLanguages = qw(*) unless (@LexiconLanguages);

    # An array that contains default encodings used to guess which charset
    # an attachment uses if not specified. Must be recognized by
    # Encode::Guess.
    @EmailInputEncodings = qw(utf-8 iso-8859-1 us-ascii) unless (@EmailInputEncodings);

    # The charset for localized email. Must be recognized by Encode.
    Set($EmailOutputEncoding , 'utf-8');

    # }}}

    # {{{ RT Date Handling Options (for Time::ParseDate)

    # Set this to 1 if your local date convention looks like "dd/mm/yy"
    # instead of "mm/dd/yy".
    Set($DateDayBeforeMonth , 1);

    # Should "Tuesday" default to meaning "Next Tuesday" or "Last Tuesday"?
    # Set to 0 for "Next" or 1 for "Last".
    Set($AmbiguousDayInPast , 1);

    # }}}

    1;

httpd.conf

ServerName helpdesk…com
DocumentRoot /usr/local/rt3/share/html
AddDefaultCharset UTF-8
PerlModule Apache::DBI
PerlRequire /usr/local/rt3/bin/webmux.pl

SetHandler perl-script
PerlHandler RT::Mason
AuthName "RT Web Users"
AuthType Basic
AuthLDAPAuthoritative off
AuthLDAPurl ldap://ldap…com/?cn?sub
require valid-user

ErrorLog /var/log/helpdesk-error.log
CustomLog /var/log/helpdesk-access.log common
CustomLog /var/log/helpdesk-combined.log combined