Managing ldap users / RT-Authen-ExternalAuth question

Hi,

My RT-Authen-ExternalAuth works - as in, I can login to RT using my active
directory username/password.

however, when I login using my AD account I don’t see many things. I only
see open tickets / closed tickets / new ticket on the left side there…

how can I give the ability to view all queues to authenticated users, for
instance? I tried doing this in config -> global -> group rights:
SeeQueue to Everyone
but that didn’t seem to help…

also, another question:

if I go to configuration -> users I only see root there. I don’t see the
LDAP account that I successfully logged in with previously. Why?

My RT_SiteConfig.pm and externalauth’s RT_SiteConfig.pm are attached

RT_SiteConfig.pm (2.2 KB)

RT_SiteConfig.pm.externalauth (2.44 KB)

Can you log in as root? If so you should be able to search for the ldap user you logged in as and then grant them access. I think the page you are talking about is only showing privileged users. Also, you will only be able to search for ldap users that have logged in, unless you also use the ldap import plugin RT::Extension::LDAPImport - Import Users from an LDAP store - metacpan.org

For the permissions problem, it sounds like you granted permissions, but didn’t make the user a privileged user. If you search for your user like I mentioned above, when you look at their property sheet you will see a check box called make this user privileged (something like that), checking that should give the user access.

From: rt-users-bounces@lists.bestpractical.com [rt-users-bounces@lists.bestpractical.com] On Behalf Of Val Polyakov [val@polyakov.me]
Sent: Wednesday, September 29, 2010 11:46 AM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] managing ldap users / RT-Authen-ExternalAuth question

Val,

First of all, “SeeQueue” doesn’t really have anything to do with “seeing”
tickets. It merely gives the user the ability to see a Queue they might want to
create a ticket in, and then, they still have to have “CreateTicket”. To
“SeeTickets”, there are a few rights you can grant. 1) grant the “ShowTicket”
right to see general info on a ticket. 2) grant “ShowTicketComments” to
allow the user to see any comments made on the ticket. “ShowTicket” doesn’t
include this ability. 3) grant “SeeOutgoingEmail” to allow the user to see
the email that is in a ticket and 4) grant “SeeCustomField” (usually at the
group level) to see any Custom Fields in the Ticket. We usually grant all
these to user-defined groups of users with the same interest in a particular
Queue. Further, if you don’t want everyone to see everyone else’s business,
grant these rights to the Requestor’s role instead of a Users group. Of
course, you’re going to want Owners or a User-defined group of support users
(those that can “take”, “own” and “modify” a ticket in a Queue) to have all of those
rights as well.
Hope this helps.

Kenn
LBNL

RT Training in Washington DC, USA on Oct 25 & 26 2010
Last one this year – Learn how to get the most out of RT!

Can you log in as root?

yes

If so you should be able to search for the ldap user you logged in as and
then grant them access.

how? where do I search? the only ‘users’ that I see is in configuration →
users, and you’re saying that’s the wrong place…

Val,

At the bottom of the Config->Users display page is a box you can check to
“include disabled” users in the search. Check that and you should see everyone.

Kenn
LBNL

perfect, that worked!

few more questions:

I downloaded rtldapimport and took a look at the readme, and here’s the
thing: my users are spread out across 5 OUs - there’s no single OU to
point rtldapimport to and have it import all of my users. is there a way
for me to specify the 5 bases to search in?

and another:

what would be the easiest/quickest way to make all my ldap users
privileged, after they are imported through rtldapimport?

thanks again for all your help

–Val

Val,

You could set your RT_SiteConfigure.pm file with these settings:

Set($AutoCreate, {Privileged => 1});

This would ensure any additions would all be privileged.

As to those that are already Users, I have no idea how to make them all
Privileged. Perhaps someone has written a program that uses the API that
will do that. Did you check the wiki?

Kenn

LBNL

Val,

You could set your RT_SiteConfigure.pm file with these settings:

Set($AutoCreate, {Privileged => 1});

This would ensure any additions would all be privileged.

awesome, thanks

As to those that are already Users, I have no idea how to make them all
Privileged.

it’s a fresh install with no users, so far I was the only one who logged
in to this thing with my AD account… and I already made that one
privileged manually. so looks like I’m all set for now :)

I’ve asked this before on the list, but didn’t get any replies… I’ll try
my luck again here, if you don’t mind:

My users are spread across 5 OUs:

ou=users,ou=city,dc=mydomain,dc=org where “city” is the city that they
reside in. there’s no catchall OU with all of these users.

how can I set up RT-Authen-ExternalAuth to look in all 5 OUs for the user?

I have this now:

'base' => 'ou=Users,ou=Yonkers,dc=mydomain,dc=org',

Feel like I’m overlooking something simple.

perhaps I need to set up 5 ldap sections inside
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
(My_LDAP, My_LDAP1, MY_LDAP2, etc), with them being absolutely identical
aside for the city OU?

Not sure

Feel like I’m overlooking something simple.

perhaps I need to set up 5 ldap sections inside
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/etc/RT_SiteConfig.pm
(My_LDAP, My_LDAP1, MY_LDAP2, etc), with them being absolutely identical
aside for the city OU?

If you can’t express your base with a different OU, then you’ll need 5
stanzas.

Please note that since RT-Extension-LDAPImport does not yet support a
multi-source config, you can only use it for RT-Authen-ExternalAuth.
For the importer, you can write a few site configs and run them using
environment variables. There are a few patches in rt.cpan.org for
LDAPImporter that aren’t going to make it into master, but you may
find them interesting.

-kevin
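
The "5 stanzas" approach from the reply above, sketched as an added example (not code from the thread or from the RT-Authen-ExternalAuth distribution). It builds one stanza per city OU from a shared set of settings, so the stanzas cannot drift apart. Only "Yonkers" and dc=mydomain,dc=org come from the thread; the other city names, the server, the bind account, the filters and the attribute names are placeholders to replace with your own.

```perl
# Goes in the ExternalAuth RT_SiteConfig.pm (plain Perl, so it can compute its values).
# Placeholder city names: only Yonkers appears in the thread.
my @cities = qw(Yonkers City2 City3 City4 City5);

# Settings shared by every stanza: same directory, same bind account.
my %ldap_common = (
    'type'     => 'ldap',
    'server'   => 'dc1.mydomain.org',                # placeholder host
    'user'     => 'cn=rt-bind,dc=mydomain,dc=org',   # placeholder read-only bind DN
    'pass'     => 'CHANGE_ME',                       # placeholder
    'filter'   => '(objectClass=user)',              # which entries count as users
    # Entries matching d_filter are treated as disabled; this is the
    # Active Directory "account disabled" bit test (assumed AD backend).
    'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
    'tls'           => 0,
    'net_ldap_args' => [ version => 3 ],
    'attr_match_list' => [ 'Name', 'EmailAddress' ],
    'attr_map'        => {
        'Name'         => 'sAMAccountName',
        'EmailAddress' => 'mail',
        'RealName'     => 'cn',
    },
);

# One service per city: the common settings plus that city's search base.
my %services = map {
    ( "My_LDAP_$_" => {
        %ldap_common,
        'base' => "ou=Users,ou=$_,dc=mydomain,dc=org",
    } )
} @cities;

# Services are tried in list order until one of them authenticates the user.
my @order = map { "My_LDAP_$_" } @cities;

Set($ExternalAuthPriority, [ @order ]);
Set($ExternalInfoPriority, [ @order ]);
Set($ExternalSettings,     { %services });
```

Put the OU that holds most of your users first in `@cities`, since every login walks the list until a service accepts the credentials.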