Ldap and logging

hi all, i know that this was discussed more than once, and i read
through all the docs i can find, and still am needing a bit of help here

if you configured rt3 to authenticate purely via ldap , (in addition to
the db users) can you please give me some pointers on how you got this
accomplished,

also i have the following defined in RT_SiteConfig.pm
Set($LogToFileNamed , “/usr/local/rt3/var/log/rt.log”);

Log level

Set($LogToFile , ‘debug’);

but get no error messages on that log file,

am on freebsd 4.10 rt 3.0.11
apache1.3.33 mod perl, ssl etc…

thanx folks

steve.vcf (774 Bytes)

hi all, i know that this was discussed more than once, and i read
through all the docs i can find, and still am needing a bit of help here

if you configured rt3 to authenticate purely via ldap , (in addition to
the db users) can you please give me some pointers on how you got this
accomplished,

also i have the following defined in RT_SiteConfig.pm
Set($LogToFileNamed , “/usr/local/rt3/var/log/rt.log”);

Log level

Set($LogToFile , ‘debug’);

but get no error messages on that log file,

am on freebsd 4.10 rt 3.0.11
apache1.3.33 mod perl, ssl etc…

Did you turn on external auth in your RT_SiteConfig.pm file?

Andy Harrison

here is my RT_SiteConfig.pm file

WARNING: NEVER EDIT RT_Config.pm. Instead, copy any sections you want to change to RT_SiteConfig.pm

and edit them there.

package RT;

=head1 NAME

RT::Config

=for testing

use RT::Config;

=cut
$LDAPExternalAuth = 1;
$LdapServer=“ldap.something.com”;
$LdapUser=“cn=admin,o=something”;
$LdapPass=“another”;
$LdapBase=“o=doom.com”;
$LdapUidAttr=“uid”;
$LdapFilter="(objectclass=*)";
$LdapTLS = 0;
$LdapGroup =“cn=RT,ou=Group,dc=example,dc=com”;
$LdapGroupAttribute = ‘uniqueMember’;

{{{ Base Configuration

$rtname the string that RT will look for in mail messages to

figure out what ticket a new piece of mail belongs to

Your domain name is recommended, so as not to pollute the namespace.

once you start using a given tag, you should probably never change it.

(otherwise, mail for existing tickets won’t get put in the right place

Set($rtname , “rt.noc.tbwachiat.com”);

You should set this to your organization’s DNS domain. For example,

fsck.com or asylum.arkham.ma.us. It’s used by the linking interface to

guarantee that ticket URIs are unique and easy to construct.

Set($Organization , “tbwachiat.com”);

$user_passwd_min defines the minimum length for user passwords. Setting

it to 0 disables this check

Set($MinimumPasswordLength , “5”);

$Timezone is used to convert times entered by users into GMT and back again

It should be set to a timezone recognized by your local unix box.

Set($Timezone , ‘US/Eastern’);

}}}

}}}

{{{ Database Configuration

Database driver beeing used. Case matters

Valid types are “mysql”, “Oracle” and “Pg”

Set($DatabaseType , ‘mysql’);

The domain name of your database server

If you’re running mysql and it’s on localhost,

leave it blank for enhanced performance

Set($DatabaseHost , ‘’);
Set($DatabaseRTHost , ‘’);

The port that your database server is running on. Ignored unless it’s

a positive integer. It’s usually safe to leave this blank

Set($DatabasePort , ‘’);

#The name of the database user (inside the database)
Set($DatabaseUser , ‘root’);

Password the DatabaseUser should use to access the database

Set($DatabasePassword , ‘’);

The name of the RT’s database on your database server

Set($DatabaseName , ‘rt3’);

If you’re using Postgres and have compiled in SSL support,

set DatabaseRequireSSL to 1 to turn on SSL communication

Set($DatabaseRequireSSL , undef);

}}}

{{{ Incoming mail gateway configuration

OwnerEmail is the address of a human who manages RT. RT will send

errors generated by the mail gateway to this address. This address

should not be an address that’s managed by your RT instance.

Set($OwnerEmail , ‘root’);

If $LoopsToRTOwner is defined, RT will send mail that it believes

might be a loop to $RT::OwnerEmail

Set($LoopsToRTOwner , 1);

If $StoreLoopss is defined, RT will record messages that it believes

to be part of mail loops.

As it does this, it will try to be careful not to send mail to the

sender of these messages

Set($StoreLoops , undef);

$MaxAttachmentSize sets the maximum size (in bytes) of attachments stored

in the database.

For mysql and oracle, we set this size at 10 megabytes.

If you’re running a postgres version earlier than 7.1, you will need

to drop this to 8192. (8k)

Set($MaxAttachmentSize , 10000000);

$TruncateLongAttachments: if this is set to a non-undef value,

RT will truncate attachments longer than MaxAttachmentLength.

Set($TruncateLongAttachments , undef);

$DropLongAttachments: if this is set to a non-undef value,

RT will silently drop attachments longer than MaxAttachmentLength.

Set($DropLongAttachments , undef);

If $ParseNewMessageForTicketCcs is true, RT will attempt to divine

Ticket ‘Cc’ watchers from the To and Cc lines of incoming messages

Be forewarned that if you have any addresses which forward mail to

RT automatically and you enable this option without modifying

“RTAddressRegexp” below, you will get yourself into a heap of trouble.

Set($ParseNewMessageForTicketCcs , undef);

RTAddressRegexp is used to make sure RT doesn’t add itself as a ticket CC if

the setting above is enabled.

Set($RTAddressRegexp , ‘^steve.rieger@something.com$’);

RT provides functionality which allows the system to rewrite

incoming email addresses. In its simplest form,

you can substitute the value in CanonicalizeEmailAddressReplace

for the value in CanonicalizeEmailAddressMatch

(These values are passed to the CanonicalizeEmailAddress subroutine in RT/User.pm)

By default, that routine performs a s/$Match/$Replace/gi on any address passed to it

Set($CanonicalizeEmailAddressMatch , ‘subdomain.example.com$’);
Set($CanonicalizeEmailAddressReplace , ‘example.com’);

If $SenderMustExistInExternalDatabase is true, RT will refuse to

create non-privileged accounts for unknown users if you are using

the “LookupSenderInExternalDatabase” option.

Instead, an error message will be mailed and RT will forward the

message to $RTOwner.

If you are not using $LookupSenderInExternalDatabase, this option

has no effect.

If you define an AutoRejectRequest template, RT will use this

template for the rejection message.

Set($SenderMustExistInExternalDatabase , undef);

}}}

{{{ Outgoing mail configuration

RT is designed such that any mail which already has a ticket-id associated

with it will get to the right place automatically.

$CorrespondAddress and $CommentAddress are the default addresses

that will be listed in From: and Reply-To: headers of correspondence

and comment mail tracked by RT, unless overridden by a queue-specific

address.

Set($CorrespondAddress , ‘tickets@something.com’);

Set($CommentAddress , ‘helpdesk-ny@something.com’);

#Sendmail Configuration

$MailCommand defines which method RT will use to try to send mail

We know that ‘sendmailpipe’ works fairly well.

If ‘sendmailpipe’ doesn’t work well for you, try ‘sendmail’

Note that you should remove the ‘-t’ from $SendmailArguments

if you use 'sendmail rather than ‘sendmailpipe’

Set($MailCommand , ‘sendmailpipe’);

$SendmailArguments defines what flags to pass to $Sendmail

assuming you picked ‘sendmail’ or ‘sendmailpipe’ as the $MailCommand above.

If you picked ‘sendmailpipe’, you MUST add a -t flag to $SendmailArguments

These options are good for most sendmail wrappers and workalikes

Set($SendmailArguments , “-oi -t”);

These arguments are good for sendmail brand sendmail 8 and newer

#Set($SendmailArguments,"-oi -t -ODeliveryMode=b -OErrorMode=m");

If you selected ‘sendmailpipe’ above, you MUST specify the path

to your sendmail binary in $SendmailPath.

!! If you did not # select ‘sendmailpipe’ above, this has no effect!!

Set($SendmailPath , “/usr/sbin/sendmail”);

By default, RT sets the outgoing mail’s “From:” header to

“SenderName via RT”. Setting this option to 0 disables it.

Set($UseFriendlyFromLine , 1);

sprintf() format of the friendly ‘From:’ header; its arguments

are SenderName and SenderEmailAddress.

Set($FriendlyFromLineFormat , “”%s via RT" <%s>");

RT can optionally set a “Friendly” ‘To:’ header when sending messages to

Ccs or AdminCcs (rather than having a blank ‘To:’ header.

This feature DOES NOT WORK WITH SENDMAIL[tm] BRAND SENDMAIL

If you are using sendmail, rather than postfix, qmail, exim or some other MTA,

you must disable this option.

Set($UseFriendlyToLine , 0);

sprintf() format of the friendly ‘From:’ header; its arguments

are WatcherType and TicketId.

Set($FriendlyToLineFormat, “”%s of $RT::rtname Ticket #%s":;");

By default RT doesn’t notify the person who performs an update, as they

already know what they’ve done. If you’d like to change this behaviour,

Set $NotifyActor to 1

Set($NotifyActor, 1);

}}}

{{{ Logging

Logging. The default is to log anything except debugging

information to syslog. Check the Log::Dispatch POD for

information about how to get things by syslog, mail or anything

else, get debugging info in the log, etc.

It might generally make

sense to send error and higher by email to some administrator.

If you do this, be careful that this email isn’t sent to this RT instance.

the minimum level error that will be logged to the specific device.

levels from lowest to highest:

debug info notice warning error critical alert emergency

Mail loops will generate a critical log message.

#Set($LogToSyslog , ‘debug’);
#Set($LogToScreen , ‘info’);
Set($LogToFile , ‘info’);
Set($LogDir, ‘/usr/local/rt3/var/log’);
Set($LogToFileNamed , “rt.log”); #log to rt.log

On Solaris, set to ( socket => ‘inet’ ). Options here override any

other options RT passes to Log::Dispatch::Syslog. Other interesting

flags include facility and logopt. (See the Log::Dispatch::Syslog

documentation for more information.) (Maybe ident too, if you have

multiple RT installations.)

#socket => ‘inet’
@LogToSyslogConf = () unless (@LogToSyslogConf);

}}}

{{{ Web interface configuration

Define the directory name to be used for images in rt web

documents.

If you’re putting the web ui somewhere other than at the root of

your server

$WebPath requires a leading / but no trailing /

Set($WebPath , “”);

This is the Scheme, server and port for constructing urls to webrt

$WebBaseURL doesn’t need a trailing /

Set($WebBaseURL , “http://rt.something.com”);

Set($WebURL , $WebBaseURL . $WebPath . “/”);

$WebImagesURL points to the base URL where RT can find its images.

Set($WebImagesURL , $WebURL . “NoAuth/images/”);

$RTLogoURL points to the URL of the RT logo displayed in the web UI

Set($LogoURL , $WebImagesURL . “rt.jpg”);

For message boxes, set the entry box width and what type of wrapping

to use.

Default width: 72

Set($MessageBoxWidth , 72);

Default wrapping: “HARD” (choices “SOFT”, “HARD”)

Set($MessageBoxWrap, “HARD”);

if TrustHTMLAttachments is not defined, we will display them

as text. This prevents malicious HTML and javascript from being

sent in a request (although there is probably more to it than that)

Set($TrustHTMLAttachments , undef);

If $WebExternalAuth is defined, RT will defer to the environment’s

REMOTE_USER variable.

Set($WebExternalAuth , undef);

If $WebFallbackToInternalAuth is undefined, the user is allowed a chance

of fallback to the login screen, even if REMOTE_USER failed.

Set($WebFallbackToInternalAuth , undef);

$WebExternalGecos means to match ‘gecos’ field as the user identity);

useful with mod_auth_pwcheck and IIS Integrated Windows logon.

Set($WebExternalGecos , undef);

$WebExternalAuto will create users under the same name as REMOTE_USER

upon login, if it’s missing in the Users table.

Set($WebExternalAuto , undef);

$WebSessionClass is the class you wish to use for managing Sessions.

It defaults to use your SQL database, but if you are using MySQL 3.x and

plans to use non-ascii Queue names, uncomment and add this line to

RT_SiteConfig.pm will prevent session corruption.

Set($WebSessionClass , ‘Apache::Session::File’);

$MaxInlineBody is the maximum attachment size that we want to see

inline when viewing a transaction. 13456 is a random sane-sounding

default.

Set($MaxInlineBody, 13456);

$MyTicketsLength is the length of the owned tickets table on the

front page. For some people, the default of 10 isn’t big enough

to get a feel for how much work needs to be done before you get

some time off.

Set($MyTicketsLength, 10);

$MyRequestsLength is the length of the requested tickets table

on the front page.

Set($MyRequestsLength, 10);

@MasonParameters is the list of parameters for the constructor of

HTML::Mason’s Apache or CGI Handler. This is normally only useful

for debugging, eg. profiling individual components with

(preamble => ‘my $p = MasonX::Profiler->new($m, $r);’);

@MasonParameters = () unless (@MasonParameters);

}}}

{{{ RT UTF-8 Settings

An array that contains languages supported by RT’s internationalization

interface. Defaults to all *.po lexicons; set it to qw(en ja) will make

RT bilingual instead of multilingual, but will save same memory.

@LexiconLanguages = qw(*) unless (@LexiconLanguages);

An array that contains default encodings used to guess which charset

an attachment uses if not specified. Must be recognized by

Encode::Guess.

@EmailInputEncodings = qw(utf-8 iso-8859-1 us-ascii) unless (@EmailInputEncodings);

The charset for localized email. Must be recognized by Encode.

Set($EmailOutputEncoding , ‘utf-8’);

}}}

{{{ RT Date Handling Options (for Time::ParseDate)

Set this to 1 if your local date convention looks like “dd/mm/yy”

instead of “mm/dd/yy”.

Set($DateDayBeforeMonth , 1);

Should “Tuesday” default to meaning “Next Tuesday” or “Last Tuesday”?

Set to 0 for “Next” or 1 for “Last”.

Set($AmbiguousDayInPast , 1);

}}}

1;

Andy Harrison wrote:>On Wed, 15 Dec 2004 13:35:58 -0500, steve steve@n2sw.com wrote:

hi all, i know that this was discussed more than once, and i read
through all the docs i can find, and still am needing a bit of help here

if you configured rt3 to authenticate purely via ldap , (in addition to
the db users) can you please give me some pointers on how you got this
accomplished,

also i have the following defined in RT_SiteConfig.pm
Set($LogToFileNamed , “/usr/local/rt3/var/log/rt.log”);

Log level

Set($LogToFile , ‘debug’);

but get no error messages on that log file,

am on freebsd 4.10 rt 3.0.11
apache1.3.33 mod perl, ssl etc…

Did you turn on external auth in your RT_SiteConfig.pm file?

steve.vcf (774 Bytes)

If $WebExternalAuth is defined, RT will defer to the environment’s

REMOTE_USER variable.

Set($WebExternalAuth , undef);

You need to enable this…

Andy Harrison

No, I don’t think you do. If RT is authenticating against LDAP
then you are not using $WebExternalAuth.

-ToddOn Wed, Dec 15, 2004 at 04:04:05PM -0500, Andy Harrison wrote:

If $WebExternalAuth is defined, RT will defer to the environment’s

REMOTE_USER variable.

Set($WebExternalAuth , undef);

You need to enable this…


Andy Harrison


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT wiki at http://wiki.bestpractical.com