RequestTracker IPA

From Asenjo
Revision as of 20:19, 8 July 2012 by Natxo (Talk | contribs) (resolve dependencies)



Request Tracker (RT) is one of the most used issue tracking systems.

RT is a modern Perl application, and as such it requires lots of CPAN libraries/modules. This is a feature.

We want to integrate RT inside our IPA kerberos/ldap realm to use RT without passwords in a true SSO integrated way.

RT supports three database backends: mySQL, PostgreSQL and Oracle. mySQL does not understand kerberos or ldap, Oracle is a nice database but not OpenSource, so we will stick to PostgreSQL.

As the web application server we will use apache2 with mod_auth_kerb and fastcgi (yum install httpd mod_auth_kerb mod_fastcgi; the mod_fastcgi package comes from rpmforge).

The easiest way to install RT is to ignore the system's Perl and to use perlbrew and cpanm. This way we will avoid headaches caused by non-working modules.

Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

  • The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).

In my case, the webserver has a fqdn of webserver01.ipa.asenjo.nx. The database server is in postgresql.ipa.asenjo.nx.

RT will be reached at rt.ipa.asenjo.nx, which is a CNAME record pointing to webserver01.ipa.asenjo.nx.

Configuration PostgreSQL

Our postgresql server is already configured to use kerberos logins (TODO: link to 'howto kerberize postgresql IPA').

kerberos service principal creation

What we require is a database login for RT. We will use a kerberos service principal. Logged in as a user with administrative privileges in the IPA domain, create the service principal (in the web interface or in the cli).

$ ipa service-add rt/webserver01.ipa.asenjo.nx
-----------------------------------------------------------
Added service "rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX"
-----------------------------------------------------------
  Principal: rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
  Managed by: webserver01.ipa.asenjo.nx

retrieve kerberos service principal


$ ipa-getkeytab -s kdc.ipa.asenjo.nx -k rt.keytab -p rt/webserver01.ipa.asenjo.nx
Keytab successfully retrieved and stored in: rt.keytab

test kerberos principal

We can log in with this keytab as the rt/webserver01.ipa.asenjo.nx principal. First we verify the keytab is the right one:


$ klist -k -t rt.keytab
Keytab name: WRFILE:rt.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 07/08/12 08:18:22 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX

And then we can use it to log in as the service principal:


$ kinit -k -t rt.keytab rt/webserver01.ipa.asenjo.nx

If we then run klist we will see we are logged in as the service principal:


[admin@webserver01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_642800000_ChCiW21621
Default principal: rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX

Valid starting     Expires            Service principal
07/08/12 17:28:57  07/09/12 17:28:57  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
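The keytab holds the service principal's long-term keys, so anyone who can read the file can run the kinit above as rt/webserver01.ipa.asenjo.nx. The following is an added example, not part of the original page: it automates the "is this the right keytab" check by parsing klist -k -t output and also checks that the file is readable by its owner only. The function names are hypothetical and the embedded listing is a shortened copy of the one shown above.

```shell
#!/bin/sh
# Added example: sanity checks on a service keytab before it is deployed.
# Function names are hypothetical.

RT_PRINCIPAL='rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX'

# Constructed sample: shortened copy of the `klist -k -t rt.keytab` output above.
sample_klist() {
cat <<'EOF'
Keytab name: WRFILE:rt.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 07/08/12 08:18:22 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 07/08/12 08:18:23 rt/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
EOF
}

# Print the unique principals in a `klist -k -t` listing read from stdin.
# Entry lines start with a numeric KVNO; the three header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Succeed only if the listing on stdin contains the expected principal
# and no other one (a second principal makes the comparison fail).
only_principal() {
    found=$(keytab_principals)
    [ "$found" = "$1" ]
}

# Succeed only if the file grants nothing to group and others.
# Characters 5-10 of `ls -ld` are the group and other permission bits.
keytab_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demonstration on the embedded sample.
if sample_klist | only_principal "$RT_PRINCIPAL"; then
    echo "listing contains only $RT_PRINCIPAL"
fi

# Against the real file:
#   klist -k -t rt.keytab | only_principal "$RT_PRINCIPAL" && keytab_mode_ok rt.keytab
```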

login the postgresql server

Postgresql allows kerberized logins, but does not create database users (roles, in postgresql jargon). So, using pgadmin or psql, we create a role rt/webserver01.ipa.asenjo.nx without a password. After that we may log in from the remote host using a kerberos ticket.

If you install the postgresql package you will get the cli tools to talk to it. We can log in like this with our new service principal ticket:

$ psql -h postgres.ipa.asenjo.nx -d template1 -U rt/webserver01.ipa.asenjo.nx
psql (8.4.11)
Type "help" for help.

template1=>

Installation RT

I will describe how to get RT up and running with perlbrew and cpanm.

install a newer Perl with perlbrew

On webserver01.ipa.asenjo.nx, follow these instructions to install a newer Perl in /opt/perl5. You may of course choose not to compile anything there and instead distribute it with cfengine or a configuration manager.

download RT

The latest RT release is always here. Copy the tarball to the webserver in case you cannot download it directly from the webserver where we will install RT.

unpack RT tarball

As root, unpack the tarball somewhere. I usually do it in /root:

# tar xzvf rt.tar.gz

This gives us a new folder rt-4.0.6 (at the time of this writing, that was the latest production version). Browse to this new folder:

# cd rt-4.0.6

In this folder there is a README file with plenty of info about new installations/upgrades. Please read it.

configure RT

This configure step does not relate to the RT settings, but to the autotools 'configure' step.

First we tell RT we are not going to use the installed system Perl, but the perlbrew installation:

# export PERL=/opt/perl5/perls/perl-5.14.2/bin/perl [enter]

From the RT unpacked folder, run

# ./configure --help

to get all the options you may use. This was my configure oneliner:

# ./configure --with-web-user=apache --with-web-group=apache --with-db-type=Pg --with-db-host=postgres.ipa.asenjo.nx --with-web-handler=fastcgi --with-rt-group=apache [enter]

This will generate a Makefile. We will now resolve all the dependencies with cpanm (the easiest way for this step is to have two console sessions open, one for RT make testdeps, the other one for cpanm).

resolve dependencies

So in the console where we run the configure oneliner, run:

# make testdeps [enter]

Which will probably give us a lot of output like this:

        Net::CIDR ...MISSING
                Can't locate Net/CIDR.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
        Log::Dispatch ...MISSING
                Can't locate Log/Dispatch.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
        UNIVERSAL::require ...MISSING
                Can't locate UNIVERSAL/require.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
        Email::Address ...MISSING
                Can't locate Email/Address.pm in @INC (@INC contains: /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/site_perl/5.16.0 /opt/perl5/perls/perl-5.16.0/lib/5.16.0/i686-linux /opt/perl5/perls/perl-5.16.0/lib/5.16.0 /root/rt-4.0.6)
make: *** [testdeps] Error 1

For each of these '...MISSING' entries, the awesome cpanm will get the library and any dependencies right from the CPAN (I usually start with the last one and work my way up):

$ cpanm Email::Address
--> Working on Email::Address
Fetching http://www.cpan.org/authors/id/R/RJ/RJBS/Email-Address-1.895.tar.gz ... OK
Configuring Email-Address-1.895 ... OK
Building and testing Email-Address-1.895 ... OK
Successfully installed Email-Address-1.895
1 distribution installed

After this, running make testdeps again shows that this library is no longer missing. Repeat the process until make testdeps tells us that all dependencies are resolved: "All dependencies have been found".
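The two-console routine above can be scripted. The following is an added example, not part of the original page: it extracts the module names from the '...MISSING' lines of make testdeps, last one first, and hands only well-formed Perl module names to cpanm, stopping at the first build that fails so its build.log can be read. The function names are hypothetical, the sample output is constructed from the lines quoted above with the @INC paths shortened, and it assumes make testdeps exits with status 0 once nothing is missing.

```shell
#!/bin/sh
# Added example: drive cpanm from the MISSING lines of `make testdeps`.
# Function names are hypothetical.

# Constructed sample, shaped like the output quoted above (@INC shortened).
sample_testdeps() {
cat <<'EOF'
        Net::CIDR ...MISSING
                Can't locate Net/CIDR.pm in @INC (@INC contains: /root/rt-4.0.6)
        Log::Dispatch ...MISSING
                Can't locate Log/Dispatch.pm in @INC (@INC contains: /root/rt-4.0.6)
        UNIVERSAL::require ...MISSING
                Can't locate UNIVERSAL/require.pm in @INC (@INC contains: /root/rt-4.0.6)
        Email::Address ...MISSING
                Can't locate Email/Address.pm in @INC (@INC contains: /root/rt-4.0.6)
make: *** [testdeps] Error 1
EOF
}

# Read testdeps output on stdin; print each missing module once, last first.
# Only strings shaped like Perl module names are accepted, so nothing else
# from the build output can end up on the cpanm command line.
missing_modules() {
    awk '$NF == "...MISSING" && $1 ~ /^[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z0-9_]+)*$/ {
             if (!seen[$1]++) m[n++] = $1
         }
         END { for (i = n - 1; i >= 0; i--) print m[i] }'
}

# Run in the unpacked RT folder. Assumption: `make testdeps` exits 0
# when every dependency is found.
resolve_deps() {
    max_rounds=${1:-20}
    round=0
    while [ "$round" -lt "$max_rounds" ]; do
        out=$(make testdeps 2>&1) && return 0
        mods=$(printf '%s\n' "$out" | missing_modules)
        # testdeps failed without a MISSING line: show why and give up.
        [ -n "$mods" ] || { printf '%s\n' "$out" >&2; return 1; }
        for m in $mods; do
            cpanm "$m" || return 1   # failed build: stop and read build.log
        done
        round=$((round + 1))
    done
    return 1
}

# Demonstration on the embedded sample (prints four module names).
sample_testdeps | missing_modules
```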

I only had a little trouble with DBD::Pg, the library providing the database driver:

$ cpanm DBD::Pg
--> Working on DBD::Pg
Fetching http://www.cpan.org/authors/id/T/TU/TURNSTEP/DBD-Pg-2.19.2.tar.gz ... OK
Configuring DBD-Pg-2.19.2 ... N/A
! Configure failed for DBD-Pg-2.19.2. See /home/admin/.cpanm/build.log for details.

I needed to install the postgresql-devel package, after which the installation of the library succeeded. You may remove the package postgresql-devel later if you want.