Alternate authentication methods

Is it possible to set up rt 2.0 to authenticate web UI users against an
.htaccess file? We use a Kerberos domain for a variety of Windows 2000
and UNIX systems – with the exception of rt. A good example is
netsaint. When I authenticate against the web server, the username is
passed through to netsaint and the appropriate permissions are granted.

I know that gecos can be used for rt commands from a shell, is it
possible to leverage this for the web UI?

— Gavin Adams
Promisant Ltd.
Bermuda

Gavin,

I asked this yesterday and Jessie invited me to send him a patch for it.

I have one that works for authenticating against an external auth source by
picking up $ENV{'REMOTE_USER'} but there are issues with it. One of the big
advantages of RT2 (in my view) is its ability to let requestors look at
their tickets. The patch I currently have causes you to lose that ability.
I’m looking at modifying the user creation routines to somehow create
correct usernames to authenticate against web server auth but there are
serious issues with that. Do all your email address left-hand sides match
your NT/Kerberos/whatever usernames? Do you get mail from external users?
Etc., etc…

If you don’t mind not allowing requestors to be able to get in to look at
their own tickets, then this will work. There isn’t any config.pm knob or
anything; if you add this then it’s going to get the remote username from
the browser and try to load a user by that username. Warning: only tested
for about 30 minutes before I decided I needed to do a lot more work before
I had what I need here.

*** autohandler.orig Thu Jun 28 13:00:35 2001
— autohandler Thu Jun 28 14:07:35 2001
*** 2,31 ****
<& /Elements/Footer &>

<%INIT>
#if it’s a noauth file, don’t ask for auth.
if ($m->base_comp->path =~ ‘^/NoAuth/’) {
$m->call_next();
$m->abort();
! }
!

If the user is loging in, let’s authenticate

! elsif (defined ($user) && defined ($pass)){

! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> ‘Your username or
password is incorrect’);
! $m->abort();
! };
! unless ($session{‘CurrentUser’}->IsPassword($pass)) {
! delete $session{‘CurrentUser’};

! $m->comp(‘/Elements/Login’, Error => ‘Your username or password is
incorrect’, %ARGS);
! $m->abort();
}
! }
!

#If we’ve got credentials, lets serve the file up.
if ( (defined $session{‘CurrentUser’}) and
— 2,41 ----
<& /Elements/Footer &>

<%INIT>
#if it’s a noauth file, don’t ask for auth.
if ($m->base_comp->path =~ ‘^/NoAuth/’) {
$m->call_next();
$m->abort();
! } else {
!
! if ( defined $ENV{‘REMOTE_USER’} ) {
! $user = $ENV{‘REMOTE_USER’};
! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> “In External
Authentication your username ($user) is incorrect.”);
! $m->abort();
! };

If the user is loging in, let’s authenticate

! } elsif (defined ($user) && defined ($pass)){

! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> ‘Your username or
password is incorrect’);
! $m->abort();
! };
! unless ($session{‘CurrentUser’}->IsPassword($pass)) {
! delete $session{‘CurrentUser’};

! $m->comp(‘/Elements/Login’, Error => ‘Your username or
password is incorrect’, %ARGS);
! $m->abort();
! }
}
! }

#If we’ve got credentials, lets serve the file up.
if ( (defined $session{‘CurrentUser’}) and
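
Review bot: The new "if ( defined $ENV{'REMOTE_USER'} )" branch is unconditional, so every install that applies this trusts whatever the web server places in REMOTE_USER and has no way to turn that off. Gate the branch on a site setting that defaults to off, and state in the setting's comment that the RT location must actually be covered by the server's authentication configuration. The branch also assigns a fresh $session{'CurrentUser'} on every request without looking at what the session already holds; loading only when the session has no user, or holds a different one, avoids the repeated Load and makes a mismatch between the session and REMOTE_USER an explicit case.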

One way to deal with the issue you’re running into might be to modify
your rt-mailgate to do an email->username lookup before creating new users.

On Fri, Jun 29, 2001 at 12:12:55PM -0500, Hamilton, Kent wrote:

Gavin,

I asked this yesterday and Jessie invited me to send him a patch for it.

I have one that works for authenticating against an external auth source by
picking up $ENV{'REMOTE_USER'} but there are issues with it. One of the big
advantages of RT2 (in my view) is its ability to let requestors look at
their tickets. The patch I currently have causes you to lose that ability.
I’m looking at modifying the user creation routines to somehow create
correct usernames to authenticate against web server auth but there are
serious issues with that. Do all your email address left-hand sides match
your NT/Kerberos/whatever usernames? Do you get mail from external users?
Etc., etc…

If you don’t mind not allowing requestors to be able to get in to look at
their own tickets, then this will work. There isn’t any config.pm knob or
anything; if you add this then it’s going to get the remote username from
the browser and try to load a user by that username. Warning: only tested
for about 30 minutes before I decided I needed to do a lot more work before
I had what I need here.

*** autohandler.orig Thu Jun 28 13:00:35 2001
— autohandler Thu Jun 28 14:07:35 2001


*** 2,31 ****
<& /Elements/Footer &>

<%INIT>
#if it’s a noauth file, don’t ask for auth.
if ($m->base_comp->path =~ ‘^/NoAuth/’) {
$m->call_next();
$m->abort();
! }
!

If the user is loging in, let’s authenticate

! elsif (defined ($user) && defined ($pass)){

! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> ‘Your username or
password is incorrect’);
! $m->abort();
! };
! unless ($session{‘CurrentUser’}->IsPassword($pass)) {
! delete $session{‘CurrentUser’};

! $m->comp(‘/Elements/Login’, Error => ‘Your username or password is
incorrect’, %ARGS);
! $m->abort();
}
! }
!

#If we’ve got credentials, lets serve the file up.
if ( (defined $session{‘CurrentUser’}) and
— 2,41 ----
<& /Elements/Footer &>

<%INIT>
+
#if it’s a noauth file, don’t ask for auth.
if ($m->base_comp->path =~ ‘^/NoAuth/’) {
$m->call_next();
$m->abort();
! } else {
!
! if ( defined $ENV{‘REMOTE_USER’} ) {
! $user = $ENV{‘REMOTE_USER’};
! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> “In External
Authentication your username ($user) is incorrect.”);
! $m->abort();
! };

If the user is loging in, let’s authenticate

! } elsif (defined ($user) && defined ($pass)){

! $session{‘CurrentUser’} = RT::CurrentUser->new();
! $session{‘CurrentUser’}->Load($user);
! unless ($session{‘CurrentUser’}->id() ) {
! delete $session{‘CurrentUser’};
! $m->comp(‘/Elements/Login’, %ARGS, Error=> ‘Your username or
password is incorrect’);
! $m->abort();
! };
! unless ($session{‘CurrentUser’}->IsPassword($pass)) {
! delete $session{‘CurrentUser’};

! $m->comp(‘/Elements/Login’, Error => ‘Your username or
password is incorrect’, %ARGS);
! $m->abort();
! }
}
! }

#If we’ve got credentials, lets serve the file up.
if ( (defined $session{‘CurrentUser’}) and
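
Review bot: In the REMOTE_USER branch a failed Load renders /Elements/Login, but the password check is the "elsif" of the same test, so a submitted login form is never evaluated while REMOTE_USER is set and the form shown is a dead end. Either return a plain error for that case or let the password path run when no RT user matches the external name. Load($user) also takes the REMOTE_USER value verbatim and the Error string interpolates ($user): check the value's form before use (a Kerberos-backed server may report user@REALM rather than a bare login) and keep it out of the message unless it is escaped when rendered.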

-----Original Message-----
From: Adams, Gavin [mailto:gadams@promisant.com]
Sent: Friday, June 29, 2001 7:38 AM
To: rt-users@lists.fsck.com
Subject: [rt-users] Alternate authentication methods

Is it possible to set up rt 2.0 to authenticate web UI users against an
.htaccess file? We use a Kerberos domain for a variety of Windows 2000
and UNIX systems – with the exception of rt. A good example is
netsaint. When I authenticate against the web server, the username is
passed through to netsaint and the appropriate permissions
are granted.

I know that gecos can be used for rt commands from a shell, is it
possible to leverage this for the web UI?

— Gavin Adams
Promisant Ltd.
Bermuda


rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users



jesse reed vincent – root@eruditorum.org jesse@fsck.com
70EBAC90: 2A07 FC22 7DB4 42C1 9D71 0108 41A3 3FB3 70EB AC90

“Mary had a crypto key / She kept it in escrow
And everything that Mary said / The Feds were sure to know” – Sam Simpson
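
One way to implement the email->username lookup suggested above, together with a check on the REMOTE_USER value, so that mail-created requestors and web-authenticated users resolve to the same account. This is an added example, not code from RT or from the posters; the realm, the address table and both function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not RT code. The realm, the address table and both
# function names are assumptions; the sample values are constructed.
use strict;
use warnings;

my $REALM = 'EXAMPLE.COM';    # the only Kerberos realm accepted
my %LOGIN_FOR_ADDRESS = (     # extract of a site directory (constructed)
    'jane.doe@example.com' => 'jdoe',
);

# REMOTE_USER arrives as "user" or "user@REALM". Anything else, or a
# principal from another realm, is refused rather than truncated.
sub username_from_remote_user {
    my ($remote) = @_;
    return unless defined $remote;
    my ($user, $realm) =
        $remote =~ /\A([A-Za-z0-9._-]+)(?:\@([A-Za-z0-9.-]+))?\z/
        or return;
    return if defined $realm && $realm ne $REALM;
    return lc $user;
}

# Mail gateway side: known internal addresses map to their login name.
# Every other sender keeps the full address as username, so an outside
# "jdoe@elsewhere.example" never resolves to the internal account "jdoe".
sub username_from_sender {
    my ($addr) = @_;
    return unless defined $addr && $addr =~ /\A[^\s\@]+\@[^\s\@]+\z/;
    $addr = lc $addr;
    return exists $LOGIN_FOR_ADDRESS{$addr} ? $LOGIN_FOR_ADDRESS{$addr} : $addr;
}

for my $case (
    [ remote => 'jdoe@EXAMPLE.COM' ],
    [ remote => 'jdoe@OTHER.EXAMPLE' ],
    [ sender => 'Jane.Doe@example.com' ],
    [ sender => 'jdoe@elsewhere.example' ],
) {
    my ($kind, $value) = @$case;
    my $name = $kind eq 'remote'
        ? username_from_remote_user($value)
        : username_from_sender($value);
    printf "%-6s %-24s -> %s\n", $kind, $value,
        defined $name ? $name : '(rejected)';
}
```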

Hello everyone, newbie to the list here…

CONTEXT:
Please refer to mail-list posting “Alternate authentication methods”,
Fri, 29 Jun 2001: http://lists.fsck.com/pipermail/rt-users/2001-June/002716.html

Also referencing mail-list-subject: “Creating Ticket Externally in RT2”,
Aug, 2001…

QUESTION:
I’m looking for confirmation that if I set the following line found in
‘etc/config.pm’:

# If $WebExternalAuth is defined, RT will defer to the environment's
# REMOTE_USER variable.

$WebExternalAuth = undef;

…that I can gain access to write a ticket from a remote cgi application
(sending the correct params naturally to /Tickets/Display.html)…?

Further, is it required to send any user/pass fields to authenticate, or
will all credentials come from a lookup for the $ENV{'REMOTE_USER'}?

I’m not interested in displaying the ticket, just want to post the
fields, and I’m having access problems due to the login/session/cookie thing…

apologies if this seems like I haven’t tried it, (I haven’t), but our
sys-admin is fiercely protective and won’t let me edit the script until
I’ve got ‘da proof’ (or reasonable facsimile)…

has anyone successfully tried this? any suggestions appreciated…
thanks for your time,