Difference between revisions of "RequestTracker IPA"

Revision as of 17:24, 8 July 2012


Request Tracker (RT) is one of the most used issue tracking systems.

RT is a modern Perl application, and as such it requires lots of CPAN libraries/modules. This is a feature.

We want to integrate RT inside our IPA kerberos/ldap realm to use RT without passwords in a true SSO integrated way.

RT supports three database backends: MySQL, PostgreSQL and Oracle. MySQL does not understand kerberos or ldap, Oracle is a nice database but not open source, so we will stick to PostgreSQL.

As the web application server we will use apache2 with mod_auth_kerb and fastcgi (yum install httpd mod_auth_kerb mod_fastcgi; the mod_fastcgi package comes from rpmforge).

The easiest way to install RT is to ignore the system's Perl and to use perlbrew and cpanm. This way we will avoid headaches about modules that do not work.

Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

  • The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).

In my case, the webserver has a fqdn of webserver01.ipa.asenjo.nx. The database server is in postgresql.ipa.asenjo.nx.

RT will be reached from rt.ipa.asenjo.nx, which is a CNAME record pointing to webserver01.ipa.asenjo.nx.

Configuration PostgreSQL

Our postgresql server is already configured to use kerberos logins (TODO: link to 'howto kerberize postgresql IPA').

kerberos service principal creation

What we require is a database login for RT. We will use a kerberos service principal. Logged in as a user with administrative privileges in the IPA domain, create the service principal (in the web interface or in the cli).

$ ipa service-add rt/webserver01.ipa.asenjo.nx
-----------------------------------------------------------
Added service "rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX"
-----------------------------------------------------------
  Principal: rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
  Managed by: webserver01.ipa.asenjo.nx

retrieve kerberos service principal

$ ipa-getkeytab -s kdc.ipa.asenjo.nx -k rt.keytab -p rt/webserver01.ipa.asenjo.nx
Keytab successfully retrieved and stored in: rt.keytab

test kerberos principal

$ klist -k -t rt.keytab
Keytab name: WRFILE:rt.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 07/08/12 08:18:22 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
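
A way to check the retrieved keytab before handing it to RT, as an added example that is not part of the original page: it parses a listing in the `klist -k -t` layout shown above, confirms that every entry belongs to the RT service principal under a single KVNO, and checks that the file is accessible to its owner only. The function names and the sample listing are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the page.
EXPECTED='rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX'   # principal from the page

# Constructed sample in the `klist -k -t` layout shown above.
SAMPLE_LISTING='Keytab name: WRFILE:rt.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 07/08/12 08:18:22 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX'

# keytab_entries: read a klist listing on stdin, print "KVNO PRINCIPAL" for
# each entry row (rows whose first field is a numeric KVNO).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $1, $NF }'
}

# check_listing PRINCIPAL: succeed only if the listing on stdin has entries,
# all of them for PRINCIPAL, all with one KVNO. ipa-getkeytab appends to an
# existing file, so mixed KVNOs mean older keys are still stored in it.
check_listing() {
    keytab_entries | awk -v want="$1" '
        { n++; seen[$1] = 1; if ($2 != want) bad++ }
        END {
            for (k in seen) kvnos++
            if (n == 0)     { print "no entries found"; exit 1 }
            if (bad > 0)    { print "unexpected principal in keytab"; exit 1 }
            if (kvnos != 1) { print "mixed KVNOs in keytab"; exit 1 }
            print "ok: " n " entries"
        }'
}

# check_mode FILE: succeed only if FILE grants nothing to group or other.
check_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "mode $mode is too open, expected 600 or 400"; return 1 ;;
    esac
}

# Offline run on the sample; on the server use instead:
#   klist -k -t rt.keytab | check_listing "$EXPECTED" && check_mode rt.keytab
printf '%s\n' "$SAMPLE_LISTING" | check_listing "$EXPECTED"
```
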

Installation RT

I will describe how to get RT up and running with perlbrew and cpanm.

install a newer Perl with perlbrew

On webserver01.ipa.asenjo.nx, follow these instructions to install a newer Perl in /opt/perl5. You may of course choose not to compile anything there and instead distribute it with cfengine or a configuration manager.

download RT

The latest RT release is always here. Copy the tarball to the webserver in case you cannot download it directly from the webserver where we will install RT.

unpack RT tarball

As root, unpack the tarball somewhere. I usually do it in /root:

# tar xzvf rt.tar.gz

This gives us a new folder rt-4.0.6 (at the time of this writing, that was the latest production version). Browse to this new folder:

# cd rt-4.0.6

In this folder there is a README file with plenty of info about new installations/upgrades. Please read it.

configure RT

This configure step does not relate to the RT settings, but to the autotools 'configure' step.

First we tell RT we are not going to use the installed system Perl, but the perlbrew installation:

# export PERL=/opt/perl5/perls/perl-5.14.2/bin/perl

From the unpacked RT folder, run

# ./configure --help

to get all the options you may use. This was my configure one-liner:

# ./configure --with-web-user=apache --with-web-group=apache --with-db-type=Pg --with-db-host=postgres.ipa.asenjo.nx --with-web-handler=fastcgi --with-rt-group=apache

This will generate a Makefile. We will now resolve all the dependencies with cpanm (the easiest way for this step is to have two console sessions open, one for RT make testdeps, the other one for cpanm).

So in the console where we ran the configure one-liner, run:

# make testdeps