Authentication

Is there any way to tie RT accounts to system accounts? I’d prefer not
to have to issue and maintain RT passwords. Ideally I’d like to be
able to create an RT user and click an “Authenticate using PAM” button
like I can with RHN. Less ideal but still workable would be to run a
script that extracts password hashes from /etc/shadow and plugs them
into RT somehow.

Right now I don’t see any alternative to generating RT-specific
passwords and distributing them to users.

-Dave

Dave Sill wrote:

Is there any way to tie RT accounts to system accounts? I’d prefer not
to have to issue and maintain RT passwords. Ideally I’d like to be
able to create an RT user and click an “Authenticate using PAM” button
like I can with RHN. Less ideal but still workable would be to run a
script that extracts password hashes from /etc/shadow and plugs them
into RT somehow.

Right now I don’t see any alternative to generating RT-specific
passwords and distributing them to users.

-Dave


I use Apache’s auth_pam; there is also an ldap plugin.

Perfection is just a word I use occasionally with mustard.
–Atom Powers–
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

Atom Powers apowers@digipen.edu writes:

I use Apache’s auth_pam; there is also an ldap plugin.

OK… So how does one make auth_pam work with RT?

-Dave

Dave Sill wrote:

OK… So how does one make auth_pam work with RT?

-Dave

You should be able to piece it together from the docos on the RT Wiki,
but to save you some trouble, and because the relevant sections of the
wiki can be confusing, here is what I did on FreeBSD 5.4. I’m using
FastCGI, because I’m running Apache 2. Here is the relevant section of
my httpd.conf

# Request Tracker Web Interface Settings

DocumentRoot "/usr/local/rt3/share/html/"
FastCgiIpcDir /tmp
FastCgiServer /usr/local/rt3/bin/mason_handler.fcgi -idle-timeout 60 -processes 5
AddHandler fastcgi-script fcgi fcgi fgi
AddDefaultCharset UTF-8
SetHandler fastcgi-script

<Directory / >
AuthType Basic
AuthName "Domain"
AuthPAM_Enabled on
require valid-user
Order deny,allow
AllowOverride All
Options ExecCGI FollowSymLinks
# For No-Auth testing (comment above Auth )
# Order allow,deny
# Allow from All
</Directory>

Alias /NoAuth/images/ /usr/local/rt3/share/html/NoAuth/images/
<Location /NoAuth/images >
SetHandler default-handler
</Location>

ScriptAlias / /usr/local/rt3/bin/mason_handler.fcgi/

Alias /NoAuth/ /usr/local/rt3/share/html/NoAuth/
<Location /NoAuth >
satisfy any
allow from all
</Location>

Alias /REST/1.0/NoAuth/ /usr/local/rt3/share/html/REST/1.0/NoAuth/
<Location /REST/1.0/NoAuth >
satisfy any
allow from all
</Location>
You may also have to tell PAM what to do about Apache.
Here is my /etc/pam.d/httpd file:

# auth
auth required pam_nologin.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass

# account
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_unix.so

# session
session required pam_permit.so

# password
password required pam_unix.so no_warn try_first_pass

Perfection is just a word I use occasionally with mustard.
–Atom Powers–
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

Atom Powers apowers@digipen.edu writes:

I use Apache’s auth_pam; there is also an ldap plugin.

OK… So how does one make auth_pam work with RT?

You have to build mod_auth_pam yourself if your distribution
doesn’t include it and follow its directions for putting
the loadmodule statement into httpd.conf. Then you configure
apache for basic authentication and put something like:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so
in /etc/pam.d/httpd
(the system-auth is a RedHat concept to use everything you
set with authconfig, and pam_permit on the account lets you
use a remote authentication method (like NT domain) for people
without local accounts). You also have to make /etc/shadow
readable by the apache group if you are using it. That’s
probably a bad idea security-wise and perhaps why it isn’t
included in the distribution.

Les Mikesell
les@futuresource.com
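
An added example, not part of the original thread: a Python check for the two trade-offs described in the message above, an account stack made only of pam_permit and a shadow file readable by the web server's groups. The function names, the finding codes and the web_gids parameter are assumptions of this example; THREAD_PAM is the service file quoted in the message.

```python
import os
import re
import stat

# One pam.d rule: facility, control (plain or [bracketed]), module, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The Red Hat style service file quoted in the thread.
THREAD_PAM = """#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_permit.so
"""

def parse_pam(text):
    """Return (facility, control, module, args) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if m:
            facility, control, module, args = m.groups()
            rules.append((facility, control, os.path.basename(module), args.split()))
    return rules

def audit(pam_text, shadow_path, web_gids):
    """Return finding codes; web_gids is the set of gids the web server runs with."""
    findings = []
    account = [r for r in parse_pam(pam_text) if r[0] == "account"]
    # An account stack made only of pam_permit never checks expiry or locks.
    if account and all(r[2] == "pam_permit.so" for r in account):
        findings.append("account-permit-only")
    st = os.stat(shadow_path)
    group_read = bool(st.st_mode & stat.S_IRGRP) and st.st_gid in web_gids
    if group_read or st.st_mode & stat.S_IROTH:
        # Any code running as the web server can read every password hash.
        findings.append("shadow-readable-by-web-server")
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py /etc/pam.d/httpd /etc/shadow <web-server-user>
    pam_file, shadow, user = sys.argv[1:4]
    gids = set(os.getgrouplist(user, pwd.getpwnam(user).pw_gid))
    with open(pam_file) as fh:
        for code in audit(fh.read(), shadow, gids):
            print(code)
```
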

Has anyone been able to use ExtractCustomField add-on to update non-custom
fields? For instance, extract something from an email to update Time
Worked. i.e. Set time worked by having “TimeWorked=10” in an email, or set
the owner by “Owner=JohnDoe@domain.com”.

Any help would greatly be appreciated.

Thanks,
Jared


Request Tracker Wiki ?

On 9/15/05, Jared Hanks jmhanks1373@hotmail.com wrote:

Has anyone been able to use ExtractCustomField add-on to update non-custom
fields? For instance, extract something from an email to update Time
Worked. i.e. Set time worked by having “TimeWorked=10” in an email, or set
the owner by “Owner=JohnDoe@domain.com”.

Any help would greatly be appreciated.

Thanks,
Jared



Best regards, Ruslan.