
Mailing List Archive: Request Tracker: Users

Ldap groups and queues permissions

 

 



cristo at foton

Apr 11, 2012, 3:31 AM

Post #1 of 6 (518 views)
Ldap groups and queues permissions

Hello,

I'm using request tracker at work (successfully!!) but got some problems
when I tried to manage queue permissions using groups.

I've googled about it, read documentation on wiki, tried request tracker
web interface and direct sql database changes taking as example already
working queues, but I can't get any success.

Scenario:

- I create a group on LDAP and request tracker.
- I create a user on LDAP and request tracker.
- I assign this user to group on LDAP and request tracker.
- I assign every role on group to a queue.

User can login to request tracker, get limited privileges, but user can't
see queue: it doesn't appear on the select next to "New ticket".

I tried restarting apache, memcached, closing user web session and
restarting, but didn't get any success.

Maybe I've missed a step?

Any help is very appreciated :)

Thanks a lot in advance.


falcone at bestpractical

Apr 11, 2012, 7:48 AM

Post #2 of 6 (490 views)
Re: Ldap groups and queues permissions [In reply to]

On Wed, Apr 11, 2012 at 11:31:59AM +0100, Cristo Bolaños Trujillo wrote:
> Hello,
> I'm using request tracker at work (successfully!!) but got some problems when I tried to manage
> queue permissions using groups.
> I've googled about it, read documentation on wiki, tried request tracker web interface and
> direct sql database changes taking as example already working queues, but I can't get any
> success.
> Scenario:
> - I create a group on LDAP and request tracker.
> - I create a user on LDAP and request tracker.
> - I assign this user to group on LDAP and request tracker.
> - I assign every role on group to a queue.
> User can login to request tracker, get limited privileges, but user can't see queue: it
> doesn't appear on the select next to "New ticket".
> I tried restarting apache, memcached, closing user web session and restarting, but didn't get
> any success.
> Maybe I've missed a step?

Seeing the Queue is controlled by SeeQueue and you'll also need
CreateTicket there. Is the user Privileged?

-kevin


cristo at foton

Apr 11, 2012, 10:30 AM

Post #3 of 6 (481 views)
Re: Ldap groups and queues permissions [In reply to]

Hello,

>
> Seeing the Queue is controlled by SeeQueue and you'll also need
> CreateTicket there. Is the user Privileged?
>
>
Yup, it's right.

The whole problem comes from the cachedgroupmembers table: it looks like there was a record
for that user.

I manually created a record and it works :)

Thanks a lot for your help.


> -kevin
>


trs at bestpractical

Apr 11, 2012, 10:38 AM

Post #4 of 6 (482 views)
Re: Ldap groups and queues permissions [In reply to]

On 04/11/2012 01:30 PM, Cristo Bolaños Trujillo wrote:
> Yup, it's right.
>
> The whole problem comes from the cachedgroupmembers table: it looks like there was a
> record for that user.
>
> I manually created a record and it works :)

You manually created a CachedGroupMembers record? If so, you're doing
it really really wrong. Don't use the database to manage if users are
priv/unpriv in RT; use the RT user admin page.


trs at bestpractical

Apr 11, 2012, 10:52 AM

Post #5 of 6 (484 views)
Re: Ldap groups and queues permissions [In reply to]

Please keep replies on the list.

On 04/11/2012 01:43 PM, Cristo Bolaños Trujillo wrote:
> This is interesting: I created the user on the RT user admin page, but didn't
> see any change in the user's permissions.

Take note of the checkbox "Let this user be granted rights (Privileged)"
which turns a user Privileged or not (Unprivileged).

> After some time (I don't really know how long or when), the user gets the right
> permissions.

Permissions come from RT's internal system groups, ticket/queue roles,
and your own custom user groups. You can grant rights to these globally
or on a specific queue/article/custom field level.

> It looks like the cachedgroupmembers table gets updated periodically, so is
> there any way to force it to refresh immediately?

No, it doesn't get updated periodically. It gets updated immediately.
There's no "refresh". Futzing with the database is the really wrong way
to go about what you want and will almost certainly lead to you breaking RT.


kenn.crocker at gmail

Apr 12, 2012, 6:26 PM

Post #6 of 6 (462 views)
Re: Ldap groups and queues permissions [In reply to]

Cristo,

There are several tables that work in conjunction with privileges: the ACL,
Group, GroupMembers, CachedGroupMembers, Principals, etc.

If you get them out of sync, you are in a world of hurt.

I'd suggest reading about privileges and more about the framework of rights
before putzing around in the database and doing damage you will regret.

There are a couple books out there you can get to help you with this.

Kenn

On Wed, Apr 11, 2012 at 10:52 AM, Thomas Sibley <trs [at] bestpractical> wrote:

> Please keep replies on the list.
>
> On 04/11/2012 01:43 PM, Cristo Bolaños Trujillo wrote:
> > This is interesting: I created the user on the RT user admin page, but didn't
> > see any change in the user's permissions.
>
> Take note of the checkbox "Let this user be granted rights (Privileged)"
> which turns a user Privileged or not (Unprivileged).
>
> > After some time (I don't really know how long or when), the user gets the right
> > permissions.
>
> Permissions come from RT's internal system groups, ticket/queue roles,
> and your own custom user groups. You can grant rights to these globally
> or on a specific queue/article/custom field level.
>
> > It looks like the cachedgroupmembers table gets updated periodically, so is
> > there any way to force it to refresh immediately?
>
> No, it doesn't get updated periodically. It gets updated immediately.
> There's no "refresh". Futzing with the database is the really wrong way
> to go about what you want and will almost certainly lead to you breaking
> RT.
>
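
The three conditions raised in this thread (the user is Privileged, the group membership is reflected in CachedGroupMembers, and SeeQueue plus CreateTicket are granted on the queue) can be checked with read-only queries. The following is an added example, not code from the thread or from RT; it runs against a constructed in-memory SQLite model whose table names come from the thread and whose simplified columns, ids and group name are assumptions.

```python
import sqlite3

# Simplified model of the RT tables named in the thread (columns are assumed).
SCHEMA = """
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Domain TEXT, Name TEXT);
CREATE TABLE GroupMembers (GroupId INT, MemberId INT);
CREATE TABLE CachedGroupMembers (GroupId INT, MemberId INT, Disabled INT);
CREATE TABLE ACL (PrincipalId INT, RightName TEXT, ObjectType TEXT, ObjectId INT);
"""

def build_sample():
    """Constructed data: user 100, custom group 'support' (id 20), queue 5."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Groups VALUES (?,?,?)",
                   [(3, "SystemInternal", "Privileged"),
                    (20, "UserDefined", "support")])
    db.executemany("INSERT INTO GroupMembers VALUES (?,?)", [(3, 100), (20, 100)])
    # The cache row for group 20 is deliberately absent (tables out of sync).
    db.execute("INSERT INTO CachedGroupMembers VALUES (3, 100, 0)")
    db.execute("INSERT INTO ACL VALUES (20, 'SeeQueue', 'RT::Queue', 5)")
    return db

def diagnose(db, user_id, queue_id):
    """Return human-readable findings; performs SELECTs only."""
    findings = []
    # 1. Privileged means membership in the internal 'Privileged' group.
    priv = db.execute(
        "SELECT 1 FROM CachedGroupMembers c JOIN Groups g ON g.id = c.GroupId "
        "WHERE g.Domain = 'SystemInternal' AND g.Name = 'Privileged' "
        "AND c.MemberId = ? AND c.Disabled = 0", (user_id,)).fetchone()
    if not priv:
        findings.append("user is not Privileged")
    # 2. Direct memberships that have no matching cache row.
    for (gid,) in db.execute(
            "SELECT m.GroupId FROM GroupMembers m LEFT JOIN CachedGroupMembers c "
            "ON c.GroupId = m.GroupId AND c.MemberId = m.MemberId "
            "WHERE m.MemberId = ? AND c.GroupId IS NULL", (user_id,)):
        findings.append(f"group {gid}: membership not in CachedGroupMembers")
    # 3. Rights granted to the user's direct groups, on this queue or globally.
    rights = {r for (r,) in db.execute(
        "SELECT a.RightName FROM ACL a JOIN GroupMembers m "
        "ON m.GroupId = a.PrincipalId WHERE m.MemberId = ? AND "
        "((a.ObjectType = 'RT::Queue' AND a.ObjectId = ?) "
        "OR a.ObjectType = 'RT::System')", (user_id, queue_id))}
    for needed in ("SeeQueue", "CreateTicket"):
        if needed not in rights:
            findings.append(f"right {needed} not granted on queue {queue_id}")
    return findings
```

A non-empty result points at what to correct through the RT admin pages, as the replies above recommend, rather than by writing to the tables.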
