Making autocreated AD users into privileged users

Good Afternoon,

I have been working to figure this out for a while and I am just not sure
what I am not doing wrong and I am unable to find much information on this
on the web. I am running Request Tracker 3.8.7 on Ubuntu 10.04 with MySQL
5.0.92 and Apache 2.2.14 with mod perl 2.0.4. I have
RT::Authen::ExternalAuth configured and I am able to send an email as a user
and they are then able to log in and view their ticket. However, I would
like to set up some of the users as privileged users as they are the queue
managers but they are not showing in the Configuration/Users screen. I have
Set($AutoCreate, {Privileged => 1}); so I thought I would be able to at
least edit my users, but they are not showing up. My RTSiteConfig.pm is
below with the personal info obscured. If anyone can help that would be
greatly appreciated. Thanks!

April

# This file was generated by running "update-rt-siteconfig-3.8".
# While local modifications will not be overwritten without permission,
# it is recommended that they are instead placed in
# /etc/request-tracker3.8/RT_SiteConfig.d
# Note that modifications to the RT_SiteConfig.d directory won't
# take effect until the update command mentioned above is run again.

# start /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone
# dynamically find out the current timezone
my $zone = "UTC";
$zone=`/bin/cat /etc/timezone`
    if -f "/etc/timezone";
chomp $zone;
Set($Timezone, $zone);
# end /etc/request-tracker3.8/RT_SiteConfig.d/40-timezone

# start /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf
# THE BASICS:
Set($rtname, 'tickets');
Set($Organization, 'XXXXXX');
Set($CorrespondAddress , 'XXXXXX');
Set($CommentAddress , 'XXXXXX');
Set($WebExternalAuth , '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalGecos , undef);
Set($WebExternalAuto , '1');
Set($MaxAttachmentSize , 10000000);
Set($FriendlyFromLineFormat, "\"%s\" <%s>");
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

# THE WEBSERVER:
Set($WebPath , "/rt");
Set($WebBaseURL , "http://XXXXXX");
# end /etc/request-tracker3.8/RT_SiteConfig.d/50-debconf

# start /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common
# THE DATABASE:
# generated by dbconfig-common

# map from dbconfig-common database types to their names as known by RT
my %typemap = (
    mysql   => 'mysql',
    pgsql   => 'Pg',
    sqlite3 => 'SQLite',
);

Set($DatabaseType, $typemap{mysql} || "UNKNOWN");
Set($DatabaseHost, 'localhost');
Set($DatabasePort, '');
Set($DatabaseUser , 'XXXXXX');
Set($DatabasePassword , 'XXXXXX');

# SQLite needs a special case, since $DatabaseName must be a full pathname
my $dbc_dbname = 'rtdb'; if ( "mysql" eq "sqlite3" ) { Set ($DatabaseName,
'' . '/' . $dbc_dbname); } else { Set ($DatabaseName, $dbc_dbname); }
# end /etc/request-tracker3.8/RT_SiteConfig.d/51-dbconfig-common

1;

# The order in which the services defined in ExternalSettings
# should be used to authenticate users. User is authenticated
# if successfully confirmed by any service - no more services
# are checked.
Set($ExternalAuthPriority, [ 'My_LDAP' ] );

# The order in which the services defined in ExternalSettings
# should be used to get information about users. This includes
# RealName, Tel numbers etc, but also whether or not the user
# should be considered disabled.
# Once user info is found, no more services are checked.
# You CANNOT use a SSO cookie for authentication.
Set($ExternalInfoPriority, [ 'My_LDAP' ] );

# If this is set to true, then the relevant packages will
# be loaded to use SSL/TLS connections. At the moment,
# this just means "use Net::SSLeay;"
Set($ExternalServiceUsesSSLorTLS, 0);

# If this is set to 1, then users should be autocreated by RT
# as internal users if they fail to authenticate from an
# external service.
Set($AutoCreateNonExternalUsers, 0);
Set($AutoCreate, {Privileged => 1});

# These are the full settings for each external service as a HashOfHashes
# Note that you may have as many external services as you wish. They will
# be checked in the order specified in the Priority directives above.
# e.g.
#Set(ExternalAuthPriority,['My_LDAP']);
Set($ExternalSettings, { # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'XXXXXX',
        'user'   => 'XXXXXX',
        'pass'   => 'XXXXXX',
        'base'   => 'XXXXXX',
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        # The filter to use to match RT-Users
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        # The filter that will only match disabled users
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'           => 0,
        'ssl_version'   => 3,
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        #'group' => 'cn=Domain Users,cn=Users,dc=ad,dc=yelpcorp,dc=com',
        # What is the attribute for the group object that determines membership?
        #'group_attr' => 'member',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you can specify... I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'EmailAddress' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'physicalDeliveryOfficeName',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    }
}
);

1;

Under Configuration → Users use the search feature. Unprivileged
users aren’t listed. If your users were being created as Privileged,
then they would show up in the list. I suggest searching for their
email address for the best chance of success. I’m not sure what
version of RT-Authen-ExternalAuth you’re using, so I can’t tell you if
AutoCreate should be working or not in your configuration.

-kevin

Thanks for the tip, I hadn’t tried searching since I had one user that is
visible. It is RT::Auth 0.08. But I am now able to change my users to
privileged, so all is awesome!

April

Great.
I missed originally that you were creating the users by sending mail,
but I’m pretty sure AutoCreate is only used by
RT::Authen::ExternalAuth when logging in via the webui

-kevin

Here’s what I ended up doing to autocreate AD users as privileged:

Set($AutoCreateNonExternalUsers, 1);
Set($AutoCreate, {Privileged => 1});

–Yan
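
A least-privilege variant of the settings discussed in this thread, as an added example that is not from any poster's configuration: accounts are auto-created as Unprivileged and queue managers are promoted by hand through Configuration → Users search, as April ended up doing. It reuses only keys that appear in the posted config; the XXXXXX values and the group DN are placeholders, and it assumes the directory server accepts STARTTLS.

```perl
# Added example for RT_SiteConfig.pm (RT 3.8 with RT::Authen::ExternalAuth).
# XXXXXX values and the group DN below are placeholders, not real values.

# Broad setting from the thread, kept here only for comparison:
# every account RT auto-creates starts out Privileged, and with
# $AutoCreateNonExternalUsers at 1 users who fail external
# authentication are auto-created as internal users as well.
#   Set($AutoCreateNonExternalUsers, 1);
#   Set($AutoCreate, {Privileged => 1});

# Tighter: auto-create as Unprivileged, then grant Privileged status
# to the few queue managers individually in the web UI.
Set($AutoCreateNonExternalUsers, 0);
Set($AutoCreate, {Privileged => 0});

Set($ExternalAuthPriority, [ 'My_LDAP' ]);
Set($ExternalInfoPriority, [ 'My_LDAP' ]);

# Load the SSL/TLS support so the bind password and user credentials
# are not sent to the directory in clear text.
Set($ExternalServiceUsesSSLorTLS, 1);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'     => 'ldap',
        'server'   => 'XXXXXX',
        'user'     => 'XXXXXX',
        'pass'     => 'XXXXXX',
        'base'     => 'XXXXXX',
        'filter'   => '(&(ObjectCategory=User)(ObjectClass=Person))',
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        'tls'           => 1,
        'net_ldap_args' => [ version => 3 ],
        # Only members of this group may authenticate, instead of
        # every person object under 'base' (hypothetical DN).
        'group'      => 'cn=RT-Users,ou=Groups,dc=example,dc=com',
        'group_attr' => 'member',
        'attr_match_list' => [ 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
        },
    },
});

1;
```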