Download the latest version of RT from http://bestpractical.com/rt/ and unpack it into /opt/rt3
1. Install the CPAN modules Net::LDAP and ExternalAuth (RT::Authen::ExternalAuth)
2. Configure RT_SiteConfig.pm:
Set($rtname , "rt.training.int");
Set($Organization , "training.int");
Set($CorrespondAddress , 'rt@rt.training.int');
Set($CommentAddress , 'rt-comment@rt.training.int');

Set($DatabaseType, 'mysql');
Set($DatabaseUser , 'rt_user');
Set($DatabasePassword , '<db_password>');
Set($DatabaseName , 'rt3');

Set($WebPath , "");
#Set($WebPath , "/rt");
Set($WebBaseURL , "http://rt.training.int");

# Both plugins go in one Set: a second Set(@Plugins, ...) would replace the first.
Set(@Plugins, qw(RT::FM RT::Authen::ExternalAuth));

Set($AutoCreate, { Privileged => 1, });

# Absolute file name or relative to path in LogDir option.
Set($LogToFileNamed , "rt.log");
# Log level
Set($LogToFile , 'debug');

Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 1);

Set($ExternalSettings, {
    # AN EXAMPLE DB SERVICE
    'My_MySQL' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'db',
        # The server hosting the service
        'server' => '127.0.0.1',
        ## SERVICE-SPECIFIC SECTION
        # The database name
        'database' => 'rt3',
        # The database table
        'table' => 'Users',
        # The user to connect to the database as
        'user' => 'rt_user',
        # The password to use to connect with
        'pass' => '<db_password>',
        # The port to use to connect with (e.g. 3306)
        'port' => '3306',
        # The name of the Perl DBI driver to use (e.g. mysql)
        'dbi_driver' => 'mysql',
        # The field in the table that holds usernames
        'u_field' => 'Name',
        # The field in the table that holds passwords
        'p_field' => 'Password',
        # The Perl package & subroutine used to encrypt passwords
        # e.g. if the passwords are stored using the MySQL v3.23 "PASSWORD"
        # function, then you will need Crypt::MySQL::password, but for the
        # MySQL4+ password function you will need Crypt::MySQL::password41
        # Alternatively, you could use Digest::MD5::md5_hex or any other
        # encryption subroutine you can load in your perl installation
        'p_enc_pkg' => 'Crypt::MySQL',
        'p_enc_sub' => 'password',
        # If your p_enc_sub takes a salt as a second parameter,
        # uncomment this line to add your salt
        #'p_salt' => 'SALT',
        #
        # The field and values in the table that determines if a user should
        # be disabled. For example, if the field is 'user_status' and the values
        # are ['0','1','2','disabled'] then the user will be disabled if their
        # user_status is set to '0','1','2' or the string 'disabled'.
        # Otherwise, they will be considered enabled.
        'd_field' => 'disabled',
        'd_values' => ['0'],
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        'attr_match_list' => [ 'Gecos', 'Name' ],
        # The mapping of RT attributes on to field names
        'attr_map' => {
            'Name' => 'username',
            'EmailAddress' => 'email',
            'ExternalAuthId' => 'username',
            'Gecos' => 'userID'
        }
    },
    # AN EXAMPLE LDAP SERVICE
    'My_LDAP' => {
        ## GENERIC SECTION
        # The type of service (db/ldap/cookie)
        'type' => 'ldap',
        # The server hosting the service
        'server' => '172.16.0.10',
        ## SERVICE-SPECIFIC SECTION
        # If you can bind to your LDAP server anonymously you should
        # remove the user and pass config lines, otherwise specify them here:
        #
        # The username RT should use to connect to the LDAP server
        'user' => 'administrator@poligon.local',
        # The password RT should use to connect to the LDAP server
        'pass' => 'secret',
        #
        # The LDAP search base
        'base' => 'cn=Users,dc=poligon,dc=local',
        #
        # ALL FILTERS MUST BE VALID LDAP FILTERS ENCASED IN PARENTHESES!
        # YOU **MUST** SPECIFY A filter AND A d_filter!!
        #
        # The filter to use to match RT-Users
        'filter' => '(objectclass=*)',
        # A catch-all example filter: '(objectClass=*)'
        #
        # The filter that will only match disabled users
        'd_filter' => '(objectClass=FooBarBaz)',
        # A catch-none example d_filter: '(objectClass=FooBarBaz)'
        #
        # Should we try to use TLS to encrypt connections?
        'tls' => 0,
        # SSL Version to provide to Net::SSLeay *if* using SSL
        'ssl_version' => 3,
        # What other args should I pass to Net::LDAP->new($host,@args)?
        'net_ldap_args' => [ version => 3 ],
        # Does authentication depend on group membership? What group name?
        'group' => '',
        # What is the attribute for the group object that determines membership?
        'group_attr' => '',
        ## RT ATTRIBUTE MATCHING SECTION
        # The list of RT attributes that uniquely identify a user
        # This example shows what you *can* specify.. I recommend reducing this
        # to just the Name and EmailAddress to save encountering problems later.
        'attr_match_list' => [ 'Name', 'EmailAddress', 'RealName', 'WorkPhone', 'Address2' ],
        # The mapping of RT attributes on to LDAP attributes
        'attr_map' => {
            'Name' => 'sAMAccountName',
            'EmailAddress' => 'mail',
            'Organization' => 'physicalDeliveryOfficeName',
            'RealName' => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos' => 'sAMAccountName',
            'WorkPhone' => 'telephoneNumber',
            'Address1' => 'streetAddress',
            'City' => 'l',
            'State' => 'st',
            'Zip' => 'postalCode',
            'Country' => 'co'
        }
    },
    # An example SSO cookie service
    'My_SSO_Cookie' => {
        #
        # The type of service (db/ldap/cookie)
        'type' => 'cookie',
        # The name of the cookie to be used
        'name' => 'loginCookieValue',
        # The users table
        'u_table' => 'users',
        # The username field in the users table
        'u_field' => 'username',
        # The field in the users table that uniquely identifies a user
        # and also exists in the cookies table
        'u_match_key' => 'userID',
        # The cookies table
        'c_table' => 'login_cookie',
        # The field that stores cookie values
        'c_field' => 'loginCookieValue',
        # The field in the cookies table that uniquely identifies a user
        # and also exists in the users table
        'c_match_key' => 'loginCookieUserID',
        # The DB service in this configuration to use to lookup the cookie information
        'db_service_name' => 'My_MySQL'
    }
} );

1;
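A hardened variant of the My_LDAP service above, added here as an example and not part of the original configuration. As posted, RT binds as the domain administrator over an unencrypted connection, and the catch-all filter combined with $AutoCreate Privileged => 1 creates a privileged RT account for any account under the search base that can authenticate. The bind account rt-ldap-reader and the group RT-Users are hypothetical names; the AD filters are standard LDAP syntax.

```perl
# Added example: only the LDAP-related settings, with the page's value noted
# next to each change. Account and group names below are hypothetical.
Set($ExternalAuthPriority, [ 'My_LDAP' ] );
Set($ExternalInfoPriority, [ 'My_LDAP' ] );
Set($ExternalServiceUsesSSLorTLS, 1);          # page value: 0

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => '172.16.0.10',
        # Dedicated read-only bind account instead of the domain administrator
        # (page value: administrator@poligon.local)
        'user'   => 'rt-ldap-reader@poligon.local',
        'pass'   => '<bind_password>',
        'base'   => 'cn=Users,dc=poligon,dc=local',
        # Only real user accounts that are members of one AD group may log in
        # (page value: '(objectclass=*)', which matches every object)
        'filter' => '(&(objectCategory=person)(objectClass=user)'
                  . '(memberOf=cn=RT-Users,cn=Users,dc=poligon,dc=local))',
        # Accounts disabled in AD have bit 2 set in userAccountControl
        # (page value: the catch-none '(objectClass=FooBarBaz)')
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        # Request StartTLS so the bind password and the users' passwords
        # are not sent in clear text (page value: 0)
        'tls'    => 1,
        'net_ldap_args' => [ version => 3 ],
        # Group membership is already enforced by memberOf in the filter
        'group'      => '',
        'group_attr' => '',
        # Reduced match list, as the comment in the page's config recommends
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
        },
    },
} );

1;
```

After switching, check rt.log for the StartTLS negotiation and confirm that a disabled AD account and an account outside the group are both refused.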
Create the directory
mkdir -p /opt/rt3/var/data/RT-Shredder
Set the ownership
cd /opt/rt3/var
chown -R www-data:www-data ./data/RT-Shredder
When deleting a user:
Tools -> Shredder -> Select Plugin = Users -> fill in the fields status = <enabled or disabled>, name = <login>,
replace_relations = <name of the user who will be assigned the deleted user's tickets>
When deleting a group:
Tools -> Shredder -> Select Plugin = Objects -> fill in the Group, ID field with the group's number
To display charts:
apt-get install libgd-graph-perl
apt-get install libgraphviz-perl
Automatic creation of privileged accounts when a user authenticates with an AD login and password
Add to RT_SiteConfig.pm:
Set($AutoCreate, { Privileged => 1, });
Example of configuring a queue in which any user can create a ticket and see it, but cannot see tickets created by other users:
In the queue's "Group Rights", tick the boxes for
System groups - Everyone: SeeQueue, CreateTicket
Pseudo-groups - Requestor: ShowTicket
When AD accounts are named in Cyrillic, every time the user authenticates an entry appears in the history of their RT account saying that their name has changed, even if it has not. When AD accounts are named in English, there are no extra history entries.