Mar 14th, 2009 | Directory Service, General, Programming, Software, Technology | No Comments
Ok, here is another small script to deal with RT3 and Active Directory. If you apply the apache LDAP auth described previously to your RT3 installation, you will have no problem getting people logged in, but you will still have to adjust their names and emails. Doing this manually is not the best choice, so here is a small script, which can be run from the cron (or manually) to update user info in RT3 according to user attributes in Active Directory:
#!/usr/bin/php
< ?php
# Debug flag. Set to non-zero for verbose output
$debug = 0;
# Settings to use while connecting to active directory
$ldap_host = "10.10.10.1"; # AD server
$ldap_user = "someuser@example.com"; # User in AD with read writes
$ldap_pass = "someuser_password"; # Password for the user above
$ldap_base = "dc=example,dc=com"; # AD base to search (recursivly)
# Settings to use while connecting to rt3 MySQL DB
$sql_host = "127.0.0.1"; # MySQL server
$sql_name = "rt3"; # RT3 DB name in MySQL
$sql_user = "rt3_user"; # User to connect to above DB
$sql_pass = "rt3_pass"; # Password for the user above
# Map of RT3 -> AD attributes
$attr_map = array(
'RealName' => 'displayName',
'EmailAddress' => 'mail'
);
# Connect to AD and authenticate
$ldap = ldap_connect($ldap_host);
if (!$ldap) {
die ("Failed to connect to LDAP server: " . ldap_error() . "\n");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap,$ldap_user,$ldap_pass)) {
die ("Failed to bind to LDAP server: " . ldap_error() . "\n");
}
# Connect to MySQL
$sql = mysql_connect($sql_host,$sql_user,$sql_pass);
if (!$sql) {
die ("Failed to connect to MySQL server: " . mysql_error() . "\n");
}
if (!mysql_select_db($sql_name)) {
die ("Failed to select MySQL database: " . mysql_error() . "\n");
}
# Get a list of RT3 users from MySQL
$users = get_rt3_users();
# Update attributes for each RT3 user according to AD attributes
foreach ($users as $user) {
set_rt3_user_info($user,get_ldap_user_attr($user));
}
# Close the connections to MySQL and AD
mysql_close($sql);
ldap_unbind($ldap);
# Gets a list of RT3 users from MySQL
function get_rt3_users () {
global $sql;
# Skips the external users (the ones that look like email address)
$result = mysql_query("SELECT Name FROM Users WHERE Name NOT LIKE '%@%'",$sql);
$users = array();
while ($user = mysql_fetch_array($result)) {
array_push($users,$user[0]);
}
return $users;
}
# Gets AD attributes for the given user
function get_ldap_user_attr ($user) {
global $ldap,$ldap_base,$attr_map,$debug;
if ($debug) { print "Searching for user $user\n"; }
$result = ldap_search($ldap,$ldap_base,"(sAMAccountName=$user)");
$entries = array();
if ($result) {
$entries = ldap_get_entries($ldap,$result);
} else {
die("Failed to search LDAP: " . ldap_error($ldap) . "\n");
}
return $entries;
}
# Updates RT3 user in MySQL with given AD attributes
function set_rt3_user_info ($user,$attr) {
global $sql,$attr_map;
# Construct an update SQL query arguments
$query = "";
foreach ($attr_map as $k => $v) {
# Update field only if it is set and non empty
if (isset($attr[0][strtolower($v)][0]) and $attr[0][strtolower($v)][0] != "") {
$query .= ",$k='" . mysql_escape_string($attr[0][strtolower($v)][0]) . "'";
}
}
# Run the actual query
$query = "UPDATE Users SET ".substr($query,1)." WHERE Name='".mysql_escape_string($user)."';";
mysql_query($query);
}
?>
Now each time a new user logs in to RT3 and his username appears in RT3 database, this script will update his/her name and email. You can extend a list of mapped attributes to have more info updated if you want so.
Mar 13th, 2009 | Directory Service, Programming, Software, Technology | No Comments
I know there are plenty of methods to apache auth through active directory, but recently I found out that some of them didn’t work for me or didn’t do well. The more or less successfull one was perl Apache2::AuthenNTLM, but when you have a lot of users, this one blocks apache now and then and causes some real problems.
Like always, found out about apache mod_authnz_external and ended up writing my own authentication script. Here is how to make things work:
First of all download and install mod_authnz_external (google for the package and installation instructions).
Then put the next script somewhere on the apache server (for example /etc/httpd/conf/ad_login.php):
< ?php
// AD server IP address
$ldap_host = "10.10.10.1";
// AD Base
$ldap_base = "dc=example,dc=com";
// AD domain
$ldap_domain = "example.com";
// Connect to AD server
$stderr = fopen("php://stderr","w");
$ldap = @ldap_connect($ldap_host);
if (!$ldap) {
fwrite($stderr,"AD Auth: Failed to connect to $ldap_host\n");
fclose($stderr);
exit(1);
}
@ldap_set_option($ldap, LDAP_OPT_PROTOCOLO_VERSION, 3);
@ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// Try to login with the supplied username and password
// (using environment to pass the stuff)
if (!@ldap_bind($ldap,$_ENV['USER'] . '@' . $ldap_domain,$_ENV['PASS'])) {
fwrite($stderr,"AD Auth: Failed to authenticate " . $_ENV['USER'] . "\n");
fclose($stderr);
// if failed - exit with 1
exit(1);
}
ldap_unbind($ldap);
fclose($stderr);
// exit with 0 on success
exit(0);
?>
Next, add the following into VirtualHost (or similar) definition in apache config:
AddExternalAuth ad "/usr/bin/php -f /etc/httpd/conf/ad_login.php"
SetExternalAuthMethod ad environment
# This can go into Location or Directory sections
AuthType basic
AuthName "My Closed Zone"
AuthBasicProvider external
AuthExternal "ad"
require valid-user
Restart apache and you are done.
How does it work? Simple. Each time apache will need to authenticate a user, it will start a script (ad_login.php) and pass it username and password as environment variables. The script, in turn, will try to connect to AD and authenticate itself as given user. If that fails - login fails, otherwise - login ok. So basically, if a user has writes to connect to AD, (s)he has write to login to apache.
And of course you can extend the PHP script with some extras, like additional checks on username, caching and so on.
Mar 12th, 2009 | Personal, Programming, Technology | No Comments
Similar to the latest port, I will be putting more scripts that I use(d) here and there, since recently I found quite a few in my collection and I don’t want to lose them as well as want other people to use them if they need.
Mar 12th, 2009 | Perl, Programming, Technology | No Comments
Recently I had to do an import of mailboxes hosted in the maildirs into RT3. Looking around on the web didn’t found ready solutions. Looking some more and getting small portions of code here and there ended up writing my own script.
One thing though, I had to stop using rt-mailgate for the purpose of import since it was overloading Apache and MySQL. Through I still use rt-mailgate for normal mail aliases to pass incoming mail to RT.
The script should be started from inside of the root of the maildir which you want to import. Prior to this, few parameters needed to be adjusted like the RT queue, tickets status and log file (right at the top of the script).
Few notes:
- assuming RT is hosted on the same machine the maildir is located (alternativly copy the maildir to the same server).
- script works with files and RT modules (which work directly with MySQL) and is much lighter and more flexible than the default rt-mailgate.
- I am not a programmer, so don’t blame me for bad coding, suggestions welcome.
- All the stuff is in perl, tested to be working for me on Fedora 10 with RT3 version 3.8.2
- If you uncomment the DEBUG section of the code, it will do dry run, showing what will be imported and what not, without doing actual imports or writing to any logs.
- If, by some chance, you lost your log of previous import, or want to import only a portion of emails in the current maildir, you can use unix find instead of perl glob in the for statement. (For example, put the next statement as a condition for for loop to find messages that were changed within last day: split /\n/,`find new cur tmp .*/cur .*/new .*/tmp -mtime -1 -type f`)
Ok, here is the code:
#!/usr/bin/perl -w
use RT;
use Email::MIME;
use Data::Dumper;
# RT Queue to import email to
my $desired_queue = "my_rt_queue_name_here";
# Log file to write update (and read old data from)
my $log_file = "/tmp/rt3_import_log-$desired_queue.txt";
# Status of the tickets created
my $status = 'resolved';
# Get connected to RT
RT::LoadConfig();
RT::Init();
RT::ConnectToDatabase();
# Store already imported emails here
my $imported = {};
# If the log file already exists
if (-f $log_file) {
# Try to read it and get all email ids
# that were already imported
open LOG, "< $log_file";
while (my $line = ) {
if (my $id = get_msgid($line)) {
$imported->{$id} = 1;
}
}
close LOG;
}
open LOG, ">>$log_file";
my $total = 0;
# Find all files in current dir (recursivly
for my $file (glob "cur/* tmp/* new/* .*/cur/* .*/tmp/* .*/new/*") {
$total++;
print "$file: ";
# Try to get message ID
my $msgid = get_msgid($file);
if ($msgid) {
# Skip if already imported
if (defined($imported->{$msgid}) && $imported->{$msgid} == 1) {
print "skipping\n";
next;
}
} else {
# Skip of no message ID
print "no message id\n";
next;
}
# DEBUG!!!
# print "fetching\n";
# next;
# !DEBUG
# Try to create a ticket
my ($id,$error) = create_ticket($desired_queue,$file,$status);
if ($id) {
# Log to STDOUT and log file on success
print " $id\n";
print LOG "$file: $id\n";
$imported->{$msgid} = 1;
} else {
# Log to STDOUT on failure
print "$error\n";
}
# Sleep for 30 secs each 50 msgs not to overload MySQL
# (Adjust if needed, this is for heavy production systems)
if ($total == 50) {
$total = 0;
sleep 30;
}
}
close LOG;
# Parse message ID from file name
sub get_msgid {
my $msg = shift;
if ($msg =~ /^.*\/([0-9A-Z]+)\.([0-9A-Z]+)\.[^\/]+?:.*$/) {
# Return only the first two portions of msg ID
# (works file with Exim/Dovecot IDs)
return "$1.$2";
}
return 0;
}
# Create a ticket in RT
sub create_ticket {
my ($queue,$filename,$ticket_status) = @_;
# Read the content of the msg file
open FH,"< $filename";
my $message = "";
my $subject = "";
while (my $line = ) {
$message .= "$line";
# Try to find out the subject
if ($line =~ /^Subject: (.*)\n$/ && $subject eq "") {
$subject = $1;
}
}
close FH;
# Create MIME entity (RT wants it like this)
my $entity = new Email::MIME($message);
# Parse it the way RT wants
my $parser = RT::EmailParser->new();
$parser->SmartParseMIMEEntityFromScalar(Message => $entity->as_string);
# Create the ticket
my $ticket = new RT::Ticket($RT::SystemUser);
my ($t_id,$transaction,$error_str) = $ticket->Create(
Queue => $queue,
Requestor => $entity->header('From'),
Subject => $subject,
MIMEObj => $parser->Entity,
Status => $ticket_status,
);
# Give back ID and message
return ($t_id,$error_str);
}
Jul 9th, 2007 | Personal, Programming, Software, Technology | 2 Comments
I see more and more people are starting to do web programming (including HTML, JavaScript, PHP/Perl) in kind of IDEs like Dreamwaver, Frontpage, Nvu and so on. It looks a bit weired for me. First of all coding in proper text editor (like Vim) gives you all kinds of features like text highlighting, tags auto completion, multi-file editing and so on. Second, while writing your code directly in editor you specify proper names of styles/classes/whatever from the beginning instead of your IDE assigning some stupid names like style1, id15 and similar and than you going over to correct them (or sometimes navigating through 100 GUI menus to change them or even leaving them like that). Third, you can write all-browsers-compatible code from the start instead of dropping elements here/there which will perfectly work in let’s say Internet Explorer and then trying understand what code was generated by IDE and adjust it. Finally, coding with text editors makes you think more and thus make better code then just letting things go as they done automatically and then correct a bunch of problems and not taking into consideration other bunch of problems because your IDE couldn’t do it well and you haven’t thought about it since you even haven’t seen the code.