RT ExternalAuth LDAP and Adding Local users in 3.8.2

RT Users
1

I have been reading the postings about RT-Authen-ExternalAuth
but am confused on what appears to be some conflicting setup
information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first,
and that part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from
    a user that is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email
for that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: ,
WebEncoding: , WorkPhone: , Zip: (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(mail=smcclure@rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)

My Current RT_SiteConfig.pm for LDAP and External Auth has
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] );
Set($ExternalInfoPriority, [‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes that uniquely identify a user
                                           # This example shows what you *can* specify.. I recommend reducing this
                                           # to just the Name and EmailAddress to save encountering problems later.
                                           'attr_match_list'           => [    'Name',
                                                                               'EmailAddress',
                                                                               'RealName',
                                                   			           'WorkPhone',
  								   'Address2'
                                                                           ],
                                           # The mapping of RT attributes on to LDAP attributes
                                            'attr_map'              =>  {   'Name' => 'uid',
                                                                            'EmailAddress' => 'mail',
                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                            'RealName' => 'cn',
                                                                            'ExternalAuthId' => 'uid',
                                                                            'Gecos' => 'gecos',
                                                                            'WorkPhone' => 'telephoneNumber',
                                                                            'Address1' => 'postalAddress',
                                                                            'City' => 'Houston',
                                                                            'State' => 'TX',
                                                                            'Zip' => 'postalCode'
                                                                        }
                                                         }
                       }

);

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email
or authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the
setup I want please?

Thanks

Susie McClure

smcclure@rice.edu

smcclure.vcf (166 Bytes)

2

I have been reading the postings about RT-Authen-ExternalAuth
but am confused on what appears to be some conflicting setup
information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first,
and that part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from
    a user that is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email
for that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP ) root User not found (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth. Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from 168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header calls old style callback, use $m->callback (/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]: RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User /opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: , ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure-admin, NickName: Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure, Signature: , State: ,
WebEncoding: , WorkPhone: , Zip: (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using this external service: My_LDAP (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: Name (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(uid=smcclure-admin)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this canonicalization key: EmailAddress (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base: ou=People,dc=rice,dc=edu == Filter: (&(objectclass=)(mail=smcclure@rice.edu)) == Attrs: Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,physicalDeliveryOfficeName,uid (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]: RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: , Comments: Admin Authority Level Account for RT, ContactInfoSystem: , Country: , Disabled: 0, EmailAddress: smcclure@rice.edu, EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: , Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1, RealName: McClure, Susan, Signature: , State: , WebEncoding: , WorkPhone: 713-348-4852, Zip: 77005 (/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:536)

My Current RT_SiteConfig.pm for LDAP and External Auth has
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] );
Set($ExternalInfoPriority, [‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes that uniquely identify a user
                                           # This example shows what you *can* specify.. I recommend reducing this
                                           # to just the Name and EmailAddress to save encountering problems later.
                                           'attr_match_list'           => [    'Name',
                                                                               'EmailAddress',
                                                                               'RealName',
                                                   			           'WorkPhone',
  								   'Address2'
                                                                           ],
                                           # The mapping of RT attributes on to LDAP attributes
                                            'attr_map'              =>  {   'Name' => 'uid',
                                                                            'EmailAddress' => 'mail',
                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                            'RealName' => 'cn',
                                                                            'ExternalAuthId' => 'uid',
                                                                            'Gecos' => 'gecos',
                                                                            'WorkPhone' => 'telephoneNumber',
                                                                            'Address1' => 'postalAddress',
                                                                            'City' => 'Houston',
                                                                            'State' => 'TX',
                                                                            'Zip' => 'postalCode'
                                                                        }
                                                         }
                       }

);

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email
or authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the
setup I want please?

Thanks

Susie McClure

smcclure@rice.edu

smcclure.vcf (166 Bytes)

3

((Apologies for top-posting, but it’s just easier at the moment for me to use outlook to send email))

I can answer a few of your questsions:-

  1. Users with multiple email addresses on our system become one single user, the LDAP query finds the one user responsible for the email address, and just link the submitted ticket to the correct ID.

  2. You cannot have multiple RT accounts with the same email address in the system, we had a lot of cleanup when we migrated to 3.8.2 from a badly botched install of 3.6, and this was our biggest hassle.

  3. I have AutoCreateNonExternalUsers on, but that’s mostly because of the nature of the business my company is in :slight_smile: However, the system seems to work fine with that disabled, and it doesn’t autocreate any non-LDAP accounts unless you do so yourself.

On another level, I know you’ll hear this from a lot of angles, but it always deserves to be said… You should try this sort of thing out on a test system before setting it up in production… Especially when dealing with things like authentication, you really want to make sure youself that it does what you want it to do…

CassFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Susan McClure
Sent: Wednesday, June 03, 2009 2:30 PM
To: rt-users@lists.bestpractical.com
Cc: Susan McClure
Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

I have been reading the postings about RT-Authen-ExternalAuth but am confused on what appears to be some conflicting setup information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first, and that part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from a user that is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email for that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
root User not found
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from
168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
calls old style callback, use $m->callback
(/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid
object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
City: , Comments: Admin Authority Level Account for RT,
ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
smcclure@rice.edu, EmailEncoding: , ExternalAuthId: ,
ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
Signature: , State: ,
WebEncoding: , WorkPhone: , Zip:
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: Name
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(uid=smcclure-admin)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(mail=smcclure@rice.edu)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
Country: , Disabled: 0, EmailAddress: smcclure@rice.edu,
EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
WorkPhone: 713-348-4852, Zip: 77005
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:536)

My Current RT_SiteConfig.pm for LDAP and External Auth has ====================================
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] ); Set($ExternalInfoPriority, [‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes that uniquely identify a user
                                           # This example shows what you *can* specify.. I recommend reducing this
                                           # to just the Name and EmailAddress to save encountering problems later.
                                           'attr_match_list'           => [    'Name',
                                                                               'EmailAddress',
                                                                               'RealName',
                                                   			           'WorkPhone',
  								   'Address2'
                                                                           ],
                                           # The mapping of RT attributes on to LDAP attributes
                                            'attr_map'              =>  {   'Name' => 'uid',
                                                                            'EmailAddress' => 'mail',
                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                            'RealName' => 'cn',
                                                                            'ExternalAuthId' => 'uid',
                                                                            'Gecos' => 'gecos',
                                                                            'WorkPhone' => 'telephoneNumber',
                                                                            'Address1' => 'postalAddress',
                                                                            'City' => 'Houston',
                                                                            'State' => 'TX',
                                                                            'Zip' => 'postalCode'
                                                                        }
                                                         }
                       }

);

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email or authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the setup I want please?

Thanks

Susie McClure

smcclure@rice.edu

Check out the Barracuda Spam & Virus Firewall - offering the fastest
virus & malware protection in the industry: Spam, Malware, and Advanced Threat Protection | Barracuda Networks

4

Cass,

You mentioned in your response that when you went to 3.8 you had

trouble with multiple users of the same email address. I have a similar
problem.
I am on 3.6.4 and have a bunch of users out there with the email
address as the User Name due to them being added automatically as
watchers. When they sign on (Using LDAP) at a later date, they get a new
UserID, correct name, SAME Email address. Now I have 2 id’s for the same
user. I want to clean that mess up before I upgrade to 3.8.
So, how did you go about cleaning up the mess?
Also, do you have any suggestions on how to config my RT so that
when a User is added automatically as a watcher, RT will create a /real/
User Name and NOT use the Email address? Thanks.

Kenn
LBNLOn 6/3/2009 3:06 PM, Cassandra L. Brockett wrote:

((Apologies for top-posting, but it’s just easier at the moment for me to use outlook to send email))

I can answer a few of your questsions:-

  1. Users with multiple email addresses on our system become one single user, the LDAP query finds the one user responsible for the email address, and just link the submitted ticket to the correct ID.

  2. You cannot have multiple RT accounts with the same email address in the system, we had a lot of cleanup when we migrated to 3.8.2 from a badly botched install of 3.6, and this was our biggest hassle.

  3. I have AutoCreateNonExternalUsers on, but that’s mostly because of the nature of the business my company is in :slight_smile: However, the system seems to work fine with that disabled, and it doesn’t autocreate any non-LDAP accounts unless you do so yourself.

On another level, I know you’ll hear this from a lot of angles, but it always deserves to be said… You should try this sort of thing out on a test system before setting it up in production… Especially when dealing with things like authentication, you really want to make sure youself that it does what you want it to do…


Cass

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Susan McClure
Sent: Wednesday, June 03, 2009 2:30 PM
To: rt-users@lists.bestpractical.com
Cc: Susan McClure
Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

I have been reading the postings about RT-Authen-ExternalAuth but am confused on what appears to be some conflicting setup information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first, and that part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from a user that is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email for that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
root User not found
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from
168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
calls old style callback, use $m->callback
(/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid
object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
City: , Comments: Admin Authority Level Account for RT,
ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
smcclure@rice.edu, EmailEncoding: , ExternalAuthId: ,
ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
Signature: , State: ,
WebEncoding: , WorkPhone: , Zip:
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: Name
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(uid=smcclure-admin)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(mail=smcclure@rice.edu)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
Country: , Disabled: 0, EmailAddress: smcclure@rice.edu,
EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
WorkPhone: 713-348-4852, Zip: 77005
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:536)

==============

My Current RT_SiteConfig.pm for LDAP and External Auth has ====================================
Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] ); Set($ExternalInfoPriority, [‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes that uniquely identify a user
                                           # This example shows what you *can* specify.. I recommend reducing this
                                           # to just the Name and EmailAddress to save encountering problems later.
                                           'attr_match_list'           => [    'Name',
                                                                               'EmailAddress',
                                                                               'RealName',
                                                   			           'WorkPhone',
  								   'Address2'
                                                                           ],
                                           # The mapping of RT attributes on to LDAP attributes
                                            'attr_map'              =>  {   'Name' => 'uid',
                                                                            'EmailAddress' => 'mail',
                                                                            'Organization' => 'physicalDeliveryOfficeName',
                                                                            'RealName' => 'cn',
                                                                            'ExternalAuthId' => 'uid',
                                                                            'Gecos' => 'gecos',
                                                                            'WorkPhone' => 'telephoneNumber',
                                                                            'Address1' => 'postalAddress',
                                                                            'City' => 'Houston',
                                                                            'State' => 'TX',
                                                                            'Zip' => 'postalCode'
                                                                        }
                                                         }
                       }

);

===================

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email or authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the setup I want please?

Thanks

Susie McClure

smcclure@rice.edu

Check out the Barracuda Spam & Virus Firewall - offering the fastest
virus & malware protection in the industry: Spam, Malware, and Advanced Threat Protection | Barracuda Networks

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

5

Ken, to cleanup the mess you can use MergeUsersHistory extesion. From
the beginning I want to note that it’s been tested only on RT 3.8 and
it’s recommended to check changes it makes very carefully. I suggest
you to do it as part of migration from 3.6 to 3.8 with careful testing
of everything.

If you know that later you wouldn’t have duplicates because of
canonicalization (LDAP or some other way) then it’s all you need. You
even can delete duplicates from DB using shredder.

Otherwise MergeUsers extension can be used to make two accounts in
RT’s Users table behave like one.On Thu, Jun 4, 2009 at 8:24 PM, Ken Crocker kfcrocker@lbl.gov wrote:

Cass,

You mentioned in your response that when you went to 3.8 you had trouble

with multiple users of the same email address. I have a similar problem.
I am on 3.6.4 and have a bunch of users out there with the email address
as the User Name due to them being added automatically as watchers. When
they sign on (Using LDAP) at a later date, they get a new UserID, correct
name, SAME Email address. Now I have 2 id’s for the same user. I want to
clean that mess up before I upgrade to 3.8.
So, how did you go about cleaning up the mess?
Also, do you have any suggestions on how to config my RT so that when a
User is added automatically as a watcher, RT will create a real User Name
and NOT use the Email address? Thanks.

Kenn
LBNL

On 6/3/2009 3:06 PM, Cassandra L. Brockett wrote:

((Apologies for top-posting, but it’s just easier at the moment for me to
use outlook to send email))

I can answer a few of your questsions:-

  1. Users with multiple email addresses on our system become one single user,
    the LDAP query finds the one user responsible for the email address, and
    just link the submitted ticket to the correct ID.

  2. You cannot have multiple RT accounts with the same email address in the
    system, we had a lot of cleanup when we migrated to 3.8.2 from a badly
    botched install of 3.6, and this was our biggest hassle.

  3. I have AutoCreateNonExternalUsers on, but that’s mostly because of the
    nature of the business my company is in :slight_smile: However, the system seems to
    work fine with that disabled, and it doesn’t autocreate any non-LDAP
    accounts unless you do so yourself.

On another level, I know you’ll hear this from a lot of angles, but it
always deserves to be said… You should try this sort of thing out on a
test system before setting it up in production… Especially when dealing
with things like authentication, you really want to make sure youself that
it does what you want it to do…


Cass

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Susan McClure
Sent: Wednesday, June 03, 2009 2:30 PM
To: rt-users@lists.bestpractical.com
Cc: Susan McClure
Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

I have been reading the postings about RT-Authen-ExternalAuth but am
confused on what appears to be some conflicting setup information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first, and that
part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from a user that
    is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email for
that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
root User not found
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from
168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
calls old style callback, use $m->callback
(/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid
object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
City: , Comments: Admin Authority Level Account for RT,
ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
smcclure@rice.edu, EmailEncoding: , ExternalAuthId: ,
ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
Signature: , State: ,
WebEncoding: , WorkPhone: , Zip:
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: Name
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(uid=smcclure-admin)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(mail=smcclure@rice.edu)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
Country: , Disabled: 0, EmailAddress: smcclure@rice.edu,
EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
WorkPhone: 713-348-4852, Zip: 77005
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:536)

==============

My Current RT_SiteConfig.pm for LDAP and External Auth has

Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] ); Set($ExternalInfoPriority,
[‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes

that uniquely identify a user
# This example shows what you
can specify… I recommend reducing this
# to just the Name and
EmailAddress to save encountering problems later.
‘attr_match_list’
=> [ ‘Name’,

‘EmailAddress’,

‘RealName’,

‘WorkPhone’,
‘Address2’

],
# The mapping of RT
attributes on to LDAP attributes
‘attr_map’ =>
{ ‘Name’ => ‘uid’,

‘EmailAddress’ => ‘mail’,

‘Organization’ => ‘physicalDeliveryOfficeName’,

‘RealName’ => ‘cn’,

‘ExternalAuthId’ => ‘uid’,

‘Gecos’ => ‘gecos’,

‘WorkPhone’ => ‘telephoneNumber’,

‘Address1’ => ‘postalAddress’,

‘City’ => ‘Houston’,

‘State’ => ‘TX’,

‘Zip’ => ‘postalCode’

}
}
}

);

===================

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email or
authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the setup I want
please?

Thanks

Susie McClure

smcclure@rice.edu

Check out the Barracuda Spam & Virus Firewall - offering the fastest
virus & malware protection in the industry: Spam, Malware, and Advanced Threat Protection | Barracuda Networks

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Best regards, Ruslan.

6

Sorry, always something coming up, finally got around to my email today… only 9 hours late :slight_smile:

Unfortunately, my “solution” is one that really only works in larger-IT organizations… I had one of my helpdesk people sit down and manually fix all the db entries for multiple users… I saw a message regarding a plugin for RT, and that would probably have been a better idea :slight_smile:

In terms of the watcher situation, the account is created correctly for us, but the display name is the username unless the user has rights in RT. We did have it not creating correctly originally, but with the new system and the new ExternalAuth version, I re-configured the LDAP query, so it’s likely the new one we use works right for us… we’re AD backed here, so just in case, here’s a RT_SiteConfig.pm snippet for you:-

                    # The filter to use to match RT-Users
                    'filter'                =>  '(&(objectClass=User)(objectCategory=Person))',
                    # The filter that will only match disabled users
                    'd_filter'              =>  '(&(objectClass=User)(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=2))',
                    # Should we try to use TLS to encrypt connections?
                    'tls'                   =>  0,
                    # What other args should I pass to Net::LDAP->new($host,@args)?
                    'net_ldap_args'         => [ version =>  3 ],
                    # Does authentication depend on group membership? What group name?
                    #'group'                =>  'GROUP_NAME',
                    # What is the attribute for the group object that determines membership?
                    #'group_attr'           =>  'GROUP_ATTR',
                    ## RT ATTRIBUTE MATCHING SECTION
                    # The list of RT attributes that uniquely identify a user
                    #'attr_match_list'         => [ 'Name',
                    #                               'EmailAddress',
                    #                               'RealName',
                    #                               'WorkPhone',
                    #                               'Address2'
                    #                               ],
                    'attr_match_list'          => [ 'Name',
                                                    'EmailAddress',
                                                    ],
                    # The mapping of RT attributes on to LDAP attributes
                    'attr_map'                =>  {         'Name'                  => 'sAMAccountName',
                                                            'EmailAddress'          => 'mail',
                                                            'Organization'          => 'physicalDeliveryOfficeName',
                                                            'RealName'              => 'cn',
                                                            'ExternalAuthId'        => 'sAMAccountName',
                                                            'Gecos'                 => 'sAMAccountName',
                                                            'WorkPhone'             => 'telephoneNumber',
                                                            'Address1'              => 'streetAddress',
                                                            'City'                  => 'l',
                                                            'State'                 => 'st',
                                                            'Zip'                   => 'postalCode',
                                                            'Country'               => 'co'
                                                    }
                }

I’ve also included the section for enabled/disabled users as it took me a while to get that working as we wanted… I just haven’t had the time to put it in the RT wiki, maybe someone else will be nice and include it for me :slight_smile:

The above was worked out over a few weeks to work perfectly for our environment, so YMMV, but I suspect it should handle any standard AD “ldap” :slight_smile:

CassFrom: Ken Crocker [mailto:kfcrocker@lbl.gov]
Sent: Thursday, June 04, 2009 9:24 AM
To: Cassandra L. Brockett
Cc: ‘Susan McClure’; rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

Cass,

You mentioned in your response that when you went to 3.8 you had trouble with multiple users of the same email address. I have a similar problem.
I am on 3.6.4 and have a bunch of users out there with the email address as the User Name due to them being added automatically as watchers. When they sign on (Using LDAP) at a later date, they get a new UserID, correct name, SAME Email address. Now I have 2 id's for the same user. I want to clean that mess up before I upgrade to 3.8.
So, how did you go about cleaning up the mess?
Also, do you have any suggestions on how to config my RT so that when a User is added automatically as a watcher, RT will create a real User Name and NOT use the Email address? Thanks.

Kenn
LBNL

7

Ruslan,

That's a good suggestion. In fact, I'm going upstairs to talk to my

guy who is building our new DEV environment in a few minutes. We’re
going to start by installing 3.8.3 in that environment, so these ideas
will make for good testing scripts. OH! I reserve the right to recall
you as a witness (ha ha) when testing this stuff. Just joking. Thanks a
heap.
By the way. Thanks to your help, I got that scrip working for
parsing CC’s to a ticket on a queue-by-queue basis.

Kenn
LBNLOn 6/4/2009 4:04 PM, Ruslan Zakirov wrote:

Ken, to cleanup the mess you can use MergeUsersHistory extesion. From
the beginning I want to note that it’s been tested only on RT 3.8 and
it’s recommended to check changes it makes very carefully. I suggest
you to do it as part of migration from 3.6 to 3.8 with careful testing
of everything.

If you know that later you wouldn’t have duplicates because of
canonicalization (LDAP or some other way) then it’s all you need. You
even can delete duplicates from DB using shredder.

Otherwise MergeUsers extension can be used to make two accounts in
RT’s Users table behave like one.

On Thu, Jun 4, 2009 at 8:24 PM, Ken Crocker kfcrocker@lbl.gov wrote:

Cass,

You mentioned in your response that when you went to 3.8 you had trouble

with multiple users of the same email address. I have a similar problem.
I am on 3.6.4 and have a bunch of users out there with the email address
as the User Name due to them being added automatically as watchers. When
they sign on (Using LDAP) at a later date, they get a new UserID, correct
name, SAME Email address. Now I have 2 id’s for the same user. I want to
clean that mess up before I upgrade to 3.8.
So, how did you go about cleaning up the mess?
Also, do you have any suggestions on how to config my RT so that when a
User is added automatically as a watcher, RT will create a real User Name
and NOT use the Email address? Thanks.

Kenn
LBNL

On 6/3/2009 3:06 PM, Cassandra L. Brockett wrote:

((Apologies for top-posting, but it’s just easier at the moment for me to
use outlook to send email))

I can answer a few of your questsions:-

  1. Users with multiple email addresses on our system become one single user,
    the LDAP query finds the one user responsible for the email address, and
    just link the submitted ticket to the correct ID.

  2. You cannot have multiple RT accounts with the same email address in the
    system, we had a lot of cleanup when we migrated to 3.8.2 from a badly
    botched install of 3.6, and this was our biggest hassle.

  3. I have AutoCreateNonExternalUsers on, but that’s mostly because of the
    nature of the business my company is in :slight_smile: However, the system seems to
    work fine with that disabled, and it doesn’t autocreate any non-LDAP
    accounts unless you do so yourself.

On another level, I know you’ll hear this from a lot of angles, but it
always deserves to be said… You should try this sort of thing out on a
test system before setting it up in production… Especially when dealing
with things like authentication, you really want to make sure youself that
it does what you want it to do…


Cass

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Susan McClure
Sent: Wednesday, June 03, 2009 2:30 PM
To: rt-users@lists.bestpractical.com
Cc: Susan McClure
Subject: [rt-users] RT ExternalAuth LDAP and Adding Local users in 3.8.2

I have been reading the postings about RT-Authen-ExternalAuth but am
confused on what appears to be some conflicting setup information.

I am using:
RT 3.8.2
RT-Authen-ExternalAuth 0.08

I would like to use LDAP for authentication and information first, and that
part seems to work OK.
But I also would like to:

  • add LOCAL users to RT internal DB (i.e; test and test-admin type
    accounts)
  • NOT autocreate a new RT account, if we receive an email from a user that
    is unknown in local RT or LDAP.
  • NOT make multiple accounts for a user’s multiple email aliases.
    (Our ldap contains several email addresses for each user (uid) )

When I try to add a local account through the Web(using Root,
Configuration->Users->Create). I receive the error “Name in Use”
The username I am trying to create is NOT in existence, but the email for
that new account IS.

My error_log shows:

[Tue Jun 2 17:45:21 2009] [debug]: User Check Failed :: ( My_LDAP )
root User not found
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:318)
[Tue Jun 2 17:45:21 2009] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Jun 2 17:45:21 2009] [info]: Successful login for root from
168.7.56.227 (/usr/site/rt-3.8/PROD/share/html/autohandler:276)
[Tue Jun 2 17:46:40 2009] [debug]: /ServiceUpdate/Elements/Header
calls old style callback, use $m->callback
(/usr/site/rt-3.8/PROD/share/html/Elements/Callback:51)
[Tue Jun 2 17:46:40 2009] [crit]: HasRight called with no valid
object (/usr/site/rt-3.8/PROD/bin/…/lib/RT/Principal_Overlay.pm:322)
[Tue Jun 2 17:51:36 2009] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/l
ib/RT/User_Vendor.pm 20 with: Address1: , Address2: , AuthSystem: ,
City: , Comments: Admin Authority Level Account for RT,
ContactInfoSystem: , Country: , Disabled: 0, EmailAddress:
smcclure@rice.edu, EmailEncoding: , ExternalAuthId: ,
ExternalContactInfoId: , FreeformContactInfo: , Gecos: , HomePhone: ,
Lang: en, MobilePhone: , Name: smcclure-admin, NickName:
Smcclure-Admin,
Organization: , PagerPhone: , Privileged: 1, RealName: Susan McClure,
Signature: , State: ,
WebEncoding: , WorkPhone: , Zip:
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:450)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to get user info using
this external service: My_LDAP
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:458)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: Name
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(uid=smcclure-admin)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [debug]: Attempting to use this
canonicalization key: EmailAddress
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:472)
[Tue Jun 2 17:51:36 2009] [debug]: LDAP Search === Base:
ou=People,dc=rice,dc=edu == Filter:
(&(objectclass=)(mail=smcclure@rice.edu)) == Attrs:
Houston,cn,TX,mail,gecos,postalAddress,postalCode,telephoneNumber,uid,
physicalDeliveryOfficeName,uid
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Jun 2 17:51:36 2009] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning
Address1: 6100 Main Street, Address2: , AuthSystem: , City: ,
Comments: Admin Authority Level Account for RT, ContactInfoSystem: ,
Country: , Disabled: 0, EmailAddress: smcclure@rice.edu,
EmailEncoding: , ExternalAuthId: smcclure, ExternalContactInfoId: ,
FreeformContactInfo: , Gecos: , HomePhone: , Lang: en, MobilePhone: ,
Name: smcclure, NickName: Smcclure-Admin,
Organization: 222 Mudd Building, PagerPhone: , Privileged: 1,
RealName: McClure, Susan, Signature: , State: , WebEncoding: ,
WorkPhone: 713-348-4852, Zip: 77005
(/opt/opt.CORE/rt-3.8/rhel4/PROD/local/plugins/RT-Authen-ExternalAuth/
lib/RT/Authen/ExternalAuth.pm:536)

==============

My Current RT_SiteConfig.pm for LDAP and External Auth has

Set(@Plugins,qw(RT::FM RT::IR RT::Authen::ExternalAuth …

and for LDAP

special options for various plugins

Authen::ExternalAuth

Set($ExternalAuthPriority, [‘My_LDAP’] ); Set($ExternalInfoPriority,
[‘My_LDAP’] );
Set($ExternalServiceUsesSSLorTLS, 1);
Set($ExternalSettings, {
‘My_LDAP’ => { ## GENERIC
SECTION
‘type’
=> ‘ldap’,
‘server’
=> ‘ldap.rice.edu’,
‘user’
=> ‘cn=requesttracker,ou=Service Accounts,dc=rice,dc=edu’,
… etc etc …

And the LDAP Attributes mappings:

RT ATTRIBUTE MATCHING SECTION

                                           # The list of RT attributes

that uniquely identify a user
# This example shows what you
can specify… I recommend reducing this
# to just the Name and
EmailAddress to save encountering problems later.
‘attr_match_list’
=> [ ‘Name’,

‘EmailAddress’,

‘RealName’,

‘WorkPhone’,
‘Address2’

],
# The mapping of RT
attributes on to LDAP attributes
‘attr_map’ =>
{ ‘Name’ => ‘uid’,

‘EmailAddress’ => ‘mail’,

‘Organization’ => ‘physicalDeliveryOfficeName’,

‘RealName’ => ‘cn’,

‘ExternalAuthId’ => ‘uid’,

‘Gecos’ => ‘gecos’,

‘WorkPhone’ => ‘telephoneNumber’,

‘Address1’ => ‘postalAddress’,

‘City’ => ‘Houston’,

‘State’ => ‘TX’,

‘Zip’ => ‘postalCode’

}
}
}

);

===================

Looking at all the postings, I am afraid that if I add:

==> Set($AutoCreateNonExternalUsers, 1);

That I will automatically MAKE a new account for users that send email or
authenticate in some way other than being in our LDAP.

Can someone clarify the different options to help me get the setup I want
please?

Thanks

Susie McClure

smcclure@rice.edu

Check out the Barracuda Spam & Virus Firewall - offering the fastest
virus & malware protection in the industry: Spam, Malware, and Advanced Threat Protection | Barracuda Networks

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

8

Per AT 1.2.3’s AT_Config.pm file…

{{{ Miscellaneous AT Settings

You can define new statuses and even reorder existing statuses here.

WARNING. DO NOT DELETE ANY OF THE DEFAULT STATUSES. If you do, RT

will break horribly.

@ActiveStatus = qw(production development qa dr pilot test) unless @ActiveStatus;

@InactiveStatus = qw(retired) unless @InactiveStatus;

We use a different standard and would like to change the default statuses AT comes with. I do not recall RT using them (production development qa dr pilot test). Will RT REALLY break horribly if these are changed or is this warning old/deprecated?

I cannot find them in the Custom Fields section or in the DB dump or in phpmyadmin (while searching) so how/where would I change them if it is ok to do so? Or, would I have to change them in AT_Config.pm prior to installing AT.

Thanks.

-Jeff

9

It is depending on your setup, if you have a new, clean install without any
asset, i think it will work, but if you already have assets with old status
values, it will break i think2009/6/5 Jeff Lucas jlucas@eagleinvsys.com

Per AT 1.2.3’s AT_Config.pm file…

{{{ Miscellaneous AT Settings

You can define new statuses and even reorder existing statuses here.

# WARNING. DO NOT DELETE ANY OF THE DEFAULT STATUSES. If you do, RT

# will break horribly.

@ActiveStatus = qw(production development qa dr pilot test) unless
@ActiveStatus;

@InactiveStatus = qw(retired) unless @InactiveStatus;

We use a different standard and would like to change the default statuses
AT comes with. I do not recall RT using them (production development qa dr
pilot test). Will RT REALLY break horribly if these are changed or is this
warning old/deprecated?

I cannot find them in the Custom Fields section or in the DB dump or in
phpmyadmin (while searching) so how/where would I change them if it is ok to
do so? Or, would I have to change them in AT_Config.pm prior to installing
AT.

Thanks.

-Jeff

The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

MFG

Torsten Brumm

http://www.torsten-brumm.de