Authentication

Is there any way to tie RT accounts to system accounts? I’d prefer not
to have to issue and maintain RT passwords. Ideally I’d like to be
able to create an RT user and click an “Authenticate using PAM” button
like I can with RHN. Less ideal but still workable would be to run a
script that extracts password hashes from /etc/shadow and plugs them
into RT somehow.

Right now I don’t see any alternative to generating RT-specific
passwords and distributing them to users.

-Dave

Dave Sill wrote:

Is there any way to tie RT accounts to system accounts? I’d prefer not
to have to issue and maintain RT passwords. Ideally I’d like to be
able to create an RT user and click an “Authenticate using PAM” button
like I can with RHN. Less ideal but still workable would be to run a
script that extracts password hashes from /etc/shadow and plugs them
into RT somehow.

Right now I don’t see any alternative to generating RT-specific
passwords and distributing them to users.

-Dave


I use Apache’s auth_pam; there is also an ldap plugin.

Perfection is just a word I use occasionally with mustard.
–Atom Powers–
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

Atom Powers apowers@digipen.edu writes:

I use Apache’s auth_pam; there is also an ldap plugin.

OK… So how does one make auth_pam work with RT?

-Dave

Dave Sill wrote:

OK… So how does one make auth_pam work with RT?

-Dave

You should be able to piece it together from the docos on the RT Wiki,
but to save you some trouble, and because the relevant sections of the
wiki can be confusing, here is what I did on FreeBSD 5.4. I’m using
FastCGI, because I’m running Apache 2. Here is the relevant section of
my httpd.conf

Request Tracker Web Interface Settings

DocumentRoot "/usr/local/rt3/share/html/"
FastCgiIpcDir /tmp
FastCgiServer /usr/local/rt3/bin/mason_handler.fcgi -idle-timeout 60
-processes 5
AddHandler fastcgi-script fcgi fcgi fgi
AddDefaultCharset UTF-8
SetHandler fastcgi-script

<Directory / >
AuthType Basic
AuthName "Domain"
AuthPAM_Enabled on
require valid-user
Order deny,allow
AllowOverride All
Options ExecCGI FollowSymLinks

For No-Auth testing (comment above Auth )

Order allow,deny

Allow from All

Alias /NoAuth/images/ /usr/local/rt3/share/html/NoAuth/images/
<Location /NoAuth/images >
SetHandler default-handler

ScriptAlias / /usr/local/rt3/bin/mason_handler.fcgi/

Alias /NoAuth/ /usr/local/rt3/share/html/NoAuth/
<Location /NoAuth >
satisfy any
allow from all

Alias /REST/1.0/NoAuth/ /usr/local/rt3/share/html/REST/1.0/NoAuth/
<Location /REST/1.0/NoAuth >
satisfy any
allow from all

You may also have to tell PAM what to do about Apache.
Here is my /etc/pam.d/httpd file:

auth

auth required pam_nologin.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so
auth sufficient pam_opie.so no_warn
no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn
try_first_pass

account

account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so

session

session required pam_permit.so

password

password required pam_unix.so no_warn
try_first_pass

Perfection is just a word I use occasionally with mustard.
–Atom Powers–
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

Atom Powers apowers@digipen.edu writes:

I use Apache’s auth_pam; there is also an ldap plugin.

OK… So how does one make auth_pam work with RT?

You have to build mod_auth_pam yourself if your distribution
doesn’t include it and follow it’s directions for putting
the loadmodule statement into httpd.conf. Then you configure
apache for basic authentication and put something like:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so
in /etc/pam.d/httpd
(the system-auth is a RedHat concept to use everything you
set with authconfig, and pam_permit on the account lets you
use a remote authentication method (like NT domain) for people
without local accounts. You also have to make /etc/shadow
readable by the apache group if you are using it. That’s
probably a bad idea security-wise and perhaps why it isn’t
included in the distribution.

Les Mikesell
les@futuresource.com

Has anyone been able to use ExtractCustomField add-on to update non-custom
fields? For instance, extract something from an email to update Time
Worked. i.e. Set time worked by having “TimeWorked=10” in an email, or set
the owner by "Owner=JohnDoe@domain.com".

Any help would greatly be appreciated.

Thanks,
Jared

On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

http://wiki.bestpractical.com/index.cgi?SetTicketPropertiesViaMail ?On 9/15/05, Jared Hanks jmhanks1373@hotmail.com wrote:

Has anyone been able to use ExtractCustomField add-on to update non-custom
fields? For instance, extract something from an email to update Time
Worked. i.e. Set time worked by having “TimeWorked=10” in an email, or set
the owner by "Owner=JohnDoe@domain.com".

Any help would greatly be appreciated.

Thanks,
Jared


On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Buy your copy of our new book, RT Essentials, today!

Download a free sample chapter from http://rtbook.bestpractical.com

Best regards, Ruslan.