Request Tracker (RT) is a widely used issue tracking system.
RT is a modern Perl application, and as such it requires lots of CPAN libraries/modules. This is a feature.
We want to integrate RT into our IPA kerberos/ldap realm, so that RT can be used without passwords in a true SSO integrated way.
RT supports three database backends: MySQL, PostgreSQL and Oracle. MySQL does not understand kerberos or ldap, and Oracle is a nice database but not open source, so we will stick to PostgreSQL.
As the web application server we will use apache2 with mod_auth_kerb and fastcgi (yum install httpd mod_auth_kerb mod_fastcgi; the mod_fastcgi package comes from rpmforge).
- 1 Requirements
- 2 Configuration PostgreSQL
- 3 Installation RT
- We need (at least) a working IPA domain. See the instructions on how to install one: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ ; the instructions are the same for Fedora or other RHEL derivatives.
In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.
- The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).
In my case, the webserver has a fqdn of webserver01.ipa.asenjo.nx. The database server is postgresql.ipa.asenjo.nx.
RT will be reached via rt.ipa.asenjo.nx, a CNAME record pointing to webserver01.ipa.asenjo.nx.
Our PostgreSQL server is already configured to accept kerberos logins (TODO: link to 'howto kerberize postgresql IPA').
kerberos service principal creation
What we require is a database login for RT. We will use a kerberos service principal. Logged in as a user with administrative privileges in the IPA domain, create the service principal (in the web interface or on the cli):
$ ipa service-add rt/webserver01.ipa.asenjo.nx
-----------------------------------------------------------
Added service "rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX"
-----------------------------------------------------------
  Principal: rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
  Managed by: webserver01.ipa.asenjo.nx
retrieve kerberos service principal
$ ipa-getkeytab -s kdc.ipa.asenjo.nx -k rt.keytab -p rt/webserver01.ipa.asenjo.nx
Keytab successfully retrieved and stored in: rt.keytab
test kerberos principal
We can log in with this keytab as the rt/webserver01.ipa.asenjo.nx principal. First we verify the keytab is the right one (one entry per encryption type is normal):
$ klist -k -t rt.keytab
Keytab name: WRFILE:rt.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 07/08/12 08:18:22 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
And then we can use it to log in as the service principal:
$ kinit -k -t rt.keytab rt/webserver01.ipa.asenjo.nx
If we then run klist we will see we are logged in as the service principal:
[admin@webserver01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_642800000_ChCiW21621
Default principal: rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX

Valid starting     Expires            Service principal
07/08/12 17:28:57  07/09/12 17:28:57  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
login the postgresql server
PostgreSQL allows kerberized logins, but does not create database users (roles, in PostgreSQL jargon) by itself. So using pgadmin or psql we create a role rt/webserver01.ipa.asenjo.nx, named after the principal, without a password. After that we may log in from the remote host using a kerberos ticket.
If you install the postgresql package you will get the cli tools to talk to it. We can log in like this with our new service principal ticket:
$ psql -h postgres.ipa.asenjo.nx -d template1 -U rt/webserver01.ipa.asenjo.nx
psql (8.4.11)
Type "help" for help.

template1=>
I will describe how to get RT up and running with perlbrew and cpanm.
install a newer Perl with perlbrew
On webserver01.ipa.asenjo.nx follow these instructions to install a newer Perl in /opt/perl5. You may of course compile it elsewhere instead and distribute it with cfengine or another configuration manager.
The latest RT release is always here. Copy the tarball to the webserver in case you cannot download it directly on the webserver where we will install RT.
unpack RT tarball
As root, unpack the tarball somewhere. I usually do it in /root:
# tar xzvf rt.tar.gz
This gives us a new folder rt-4.0.6 (at the time of this writing, that was the latest production version). Browse to this new folder:
# cd rt-4.0.6
In this folder there is a README file with plenty of information about new installations and upgrades. Please read it.
This configure step does not relate to the RT settings, but to the autotools 'configure' step.
First we tell RT we are not going to use the installed system Perl, but the perlbrew installation:
# export PERL=/opt/perl5/perls/perl-5.14.2/bin/perl
From the unpacked RT folder, run
# ./configure --help
to get all the options you may use. This was my configure one-liner:
# ./configure --with-web-user=apache --with-web-group=apache --with-db-type=Pg --with-db-host=postgres.ipa.asenjo.nx --with-web-handler=fastcgi --with-rt-group=apache
This will generate a Makefile. We will now resolve all the dependencies with cpanm (the easiest way for this step is to have two console sessions open, one for make testdeps, the other one for cpanm).
So in the console where we ran the configure one-liner, run:
# make testdeps
This will probably give us a lot of output like this:
Net::CIDR ...MISSING
Can't locate Net/CIDR.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
Log::Dispatch ...MISSING
Can't locate Log/Dispatch.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
UNIVERSAL::require ...MISSING
Can't locate UNIVERSAL/require.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
Email::Address ...MISSING
Can't locate Email/Address.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
make: *** [testdeps] Error 1
For each of these '...MISSING' lines, cpanm will fetch the library and any dependencies straight from CPAN (I usually start with the last one and work my way up):
$ cpanm Email::Address
--> Working on Email::Address
Fetching http://www.cpan.org/authors/id/R/RJ/RJBS/Email-Address-1.895.tar.gz ... OK
Configuring Email-Address-1.895 ... OK
Building and testing Email-Address-1.895 ... OK
Successfully installed Email-Address-1.895
1 distribution installed
After this, running make testdeps again shows that this library is no longer missing. Repeat the process until make testdeps tells us that all dependencies are resolved:
All dependencies have been found
I only ran into a little trouble with DBD::Pg, the library providing the database driver:
$ cpanm DBD::Pg
--> Working on DBD::Pg
Fetching http://www.cpan.org/authors/id/T/TU/TURNSTEP/DBD-Pg-2.19.2.tar.gz ... OK
Configuring DBD-Pg-2.19.2 ... N/A
! Configure failed for DBD-Pg-2.19.2. See /home/admin/.cpanm/build.log for details.
I needed to install the postgresql-devel package, which is necessary to compile the driver; after that the installation of the library succeeded. You may remove postgresql-devel later if you want.
install the software
After the tedious process of resolving dependencies (which, believe me, is much nicer with cpanm), we run as root:
# make install
If all goes as planned, you will see this after a few moments:
Congratulations. RT is now installed.

You must now configure RT by editing /opt/rt4/etc/RT_SiteConfig.pm.

(You will definitely need to set RT's database password in /opt/rt4/etc/RT_SiteConfig.pm before continuing. Not doing so could be very dangerous. Note that you do not have to manually add a database user or set up a database for RT. These actions will be taken care of in the next step.)

After that, you need to initialize RT's database by running 'make initialize-database'
Now we need to tell RT how and where to find its database, by editing the file /opt/rt4/etc/RT_SiteConfig.pm.
This is mine:
my $rt_principal = 'rt/webserver01.ipa.asenjo.nx';

# Database connection: RT authenticates to PostgreSQL as the service
# principal, so no database password is configured anywhere.
Set( $DatabaseType, 'Pg' );
Set( $DatabaseHost, 'postgres.ipa.asenjo.nx' );
Set( $DatabasePort, '' );
Set( $DatabaseName, 'rt4' );
Set( $DatabaseUser, $rt_principal );
Set( $DatabasePassword, '' );
Set( $DatabaseAdmin, 'admin' );
Set( $DatabaseAdminPassword, '' );
# '0' means no TLS to the database. Kerberos only authenticates this
# connection, it does not encrypt it; set '1' if your server offers SSL.
Set( $DatabaseRequireSSL, '0' );

# Site identity and web front end
Set( $rtname, 'asenjo.nx' );
Set( $Organization, 'asenjo.nx' );
Set( $WebDomain, 'rt.ipa.asenjo.nx' );
Set( $WebPort, '80' );

# Mail
Set( $SendmailPath, '/usr/sbin/sendmail' );
Set( $CorrespondAddress, 'email@example.com' );
Set( $CommentAddress, 'firstname.lastname@example.org' );
Set( $OwnerEmail, '' );

1;   # the config file must return true
After these changes, go to /opt/rt4/sbin. You need to hold a kerberos ticket for rt/webserver01.ipa.asenjo.nx before creating the database like this (when prompted for a password, just press enter):
[root@webserver01 sbin]# ./rt-setup-database --action init --dba rt/webserver01.ipa.asenjo.nx
In order to create or update your RT database, this script needs to connect to your Pg instance on postgres.ipa.asenjo.nx as rt/webserver01.ipa.asenjo.nx
Please specify that user's database password below. If the user has no database password, just press return.

Password:
Working with:
Type:   Pg
Host:   postgres.ipa.asenjo.nx
Name:   rt4
User:   rt/webserver01.ipa.asenjo.nx
DBA:    rt/webserver01.ipa.asenjo.nx
Now creating a Pg database rt4 for RT.
Done.
Now populating database schema.
Done.
Now inserting database ACLs.
Done.
Now inserting RT core system objects.
Done.
Now inserting data.
Done inserting data.
Done.
[root@webserver01 sbin]#
If you need to start afresh, you may drop the database like this (this will nuke your database, so do it only if you mean to drop it):
[root@webserver01 sbin]# ./rt-setup-database --action drop --dba rt/webserver01.ipa.asenjo.nx
In order to create or update your RT database, this script needs to connect to your Pg instance on postgres.ipa.asenjo.nx as rt/webserver01.ipa.asenjo.nx
Please specify that user's database password below. If the user has no database password, just press return.

Password:
Working with:
Type:   Pg
Host:   postgres.ipa.asenjo.nx
Name:   rt4
User:   rt/webserver01.ipa.asenjo.nx
DBA:    rt/webserver01.ipa.asenjo.nx
Dropping Pg database rt4.
About to drop Pg database rt4 on postgres.ipa.asenjo.nx.
WARNING: This will erase all data in rt4.
Proceed [y/N]:y
Done.
kerberos 5 credentials cache
Right now we could access the database server and create a database because we had a ticket for the service principal rt/webserver01.ipa.asenjo.nx. The ticket will obviously expire after some hours (the klist output above shows a 24-hour lifetime). We do not want that, or we will not be able to access the database again.
What we can do is use kinit with the -c switch to specify a file in which to save the credentials cache. Then we tell RT to look for the credentials cache there. We need to renew the cache from cron before it expires, and the apache user needs to be able to read this file. The keytab itself should stay readable by root only; only the cache is shared with apache.
kinit -k -t /path/to/rt.keytab -c /var/cache/rt_rccache rt/webserver01.ipa.asenjo.nx
chmod 640 /var/cache/rt_rccache
chown root:apache /var/cache/rt_rccache
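As an added example (not part of the original guide), the following cron-friendly script does the renewal described above: it reads the TGT expiry from `klist -c` output and, when the ticket is gone or close to expiring, runs kinit into a temporary cache and atomically moves it into place with the root:apache / 0640 ownership from the guide, so apache never reads a half-written cache and a failed kinit leaves the old cache untouched. The keytab path is a placeholder, and the klist date layout (taken from the output shown above) and the two-hour margin are assumptions.

```python
import os
import shutil
import subprocess
from datetime import datetime, timedelta

KEYTAB = "/path/to/rt.keytab"              # placeholder path, as in the guide
PRINCIPAL = "rt/webserver01.ipa.asenjo.nx"
CCACHE = "/var/cache/rt_rccache"
OWNER_GROUP = ("root", "apache")           # root:apache, mode 0640 as in the guide

def tgt_expiry(klist_output):
    """Return the krbtgt expiry from `klist -c CACHE` output, or None if absent.
    Assumes the MM/DD/YY HH:MM:SS layout of the klist output shown in the guide."""
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4].startswith("krbtgt/"):
            return datetime.strptime(" ".join(fields[2:4]), "%m/%d/%y %H:%M:%S")
    return None

def needs_refresh(expiry, now, margin=timedelta(hours=2)):
    """True when there is no TGT or it expires within `margin` (2h is assumed)."""
    return expiry is None or expiry - now < margin

def refresh_ccache(keytab=KEYTAB, principal=PRINCIPAL, ccache=CCACHE,
                   owner_group=OWNER_GROUP, run=subprocess.run):
    """kinit into a temp file, set owner/mode, then atomically replace the cache.
    A failed kinit leaves the old (still valid) cache untouched and apache never
    reads a half-written file; `run` is injectable so the flow can be tested."""
    tmp = ccache + ".tmp"
    try:
        run(["kinit", "-k", "-t", keytab, "-c", tmp, principal], check=True)
        if owner_group:                    # None skips chown (e.g. unprivileged tests)
            shutil.chown(tmp, *owner_group)
        os.chmod(tmp, 0o640)               # apache reads, nobody else but root
        os.replace(tmp, ccache)            # atomic on the same filesystem
    except (OSError, subprocess.CalledProcessError):
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return ccache

if __name__ == "__main__":
    out = subprocess.run(["klist", "-c", CCACHE], capture_output=True, text=True)
    if needs_refresh(tgt_expiry(out.stdout), datetime.now()):
        refresh_ccache()
```

Run it from root's crontab every hour or so; a missing cache, a failed klist or an already expired ticket all lead to a fresh kinit.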