I just started seriously hacking an RT to use either cert-based auth
or password auth (via WebExternalAuth and Apache). In doing so, I
discovered a couple of things that bring me to needing a new feature in RT.

mod_ssl passes cert information to CGI programs really nastily. I
could only come up with 2 ways of getting information to the CGI
programs (perhaps complicated by my need for alternative basic auth):

With a lot of kludging, mod_ssl can dump the cert’s subject into
REMOTE_USER, but this is a horrible bit of information to use (it’s
the full LDAP string including O, OU, CN, etc.).

With much less kludging, mod_ssl will set a bunch of cert-specific
variables based on what’s in the cert. The most useful looks like
it’ll be SSL_CLIENT_S_DN_Email, but I imagine that’s site
dependent. And no, I was unable to get mod_setenv to be useful.

My conclusion is that my life would be great if I could set
WebExternalAuth and create an equivalent to CanonicalizeAddress that
worked on the Apache variables. In my case, I’d have
WebCanonicalizeAddress return either REMOTE_USER or
SSL_CLIENT_S_DN_Email depending on which is defined, and along the way
massage the domain names a little.

I’ve included my patch, though I’m ashamed to admit it’s untested. It
probably won’t get tested till the other person I’m working with
installs a fresh RT. But it’s simple enough, I figure it’ll work. And
since I’m sure folk are wondering, I’ve also included the snippet from
my apache.conf file that does the dual auth bit.

Comments are welcome.

seph
canonicalizeweb.patch (1.43 KB)
apache.conf-dual (891 Bytes)
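
The canonicalization step described in the post above, as an added example (it is not the attached canonicalizeweb.patch and not RT's own code). The function name, the domain alias table and the sample environments are hypothetical; it assumes mod_ssl exports its variables to the CGI environment, and it accepts the cert's email only when SSL_CLIENT_VERIFY reports a verified client cert.

```perl
#!/usr/bin/perl
# Added example: hypothetical helper, not RT's API and not the attached patch.
use strict;
use warnings;

# Constructed alias table: map a legacy mail domain onto the canonical one.
my %DOMAIN_ALIAS = ('mail.example.com' => 'example.com');

# Return a canonical login for the request, or undef if none can be trusted.
# $env is a hash ref shaped like %ENV under Apache with mod_ssl.
sub web_canonicalize_user {
    my ($env) = @_;
    my $raw;

    if (defined $env->{SSL_CLIENT_S_DN_Email}
        && ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS') {
        # Use the cert's email only when mod_ssl verified the client cert.
        $raw = $env->{SSL_CLIENT_S_DN_Email};
    }
    elsif (defined $env->{REMOTE_USER} && length $env->{REMOTE_USER}) {
        # Basic auth fallback: Apache sets REMOTE_USER after the password check.
        $raw = $env->{REMOTE_USER};
    }
    return unless defined $raw;

    # Accept only a plain "user" or "user@domain" token, so a full subject DN
    # or stray whitespace never becomes an account name.
    return unless $raw =~ /\A([A-Za-z0-9._+-]+)(?:\@([A-Za-z0-9.-]+))?\z/;
    my ($user, $domain) = ($1, $2);
    return lc($user) unless defined $domain;

    # Assumption: logins are case-insensitive at this site.
    $domain = lc $domain;
    $domain = $DOMAIN_ALIAS{$domain} if exists $DOMAIN_ALIAS{$domain};
    return lc($user) . '@' . $domain;
}

# Constructed sample environments: verified cert, basic auth,
# unverified cert, and a subject DN dumped into REMOTE_USER.
my @samples = (
    { SSL_CLIENT_VERIFY => 'SUCCESS', SSL_CLIENT_S_DN_Email => 'Seph@Mail.Example.COM' },
    { REMOTE_USER => 'alice@example.com' },
    { SSL_CLIENT_VERIFY => 'NONE', SSL_CLIENT_S_DN_Email => 'mallory@example.com' },
    { REMOTE_USER => '/O=Example/OU=IT/CN=Bob' },
);
for my $env (@samples) {
    my $who = web_canonicalize_user($env);
    print defined $who ? "$who\n" : "(rejected)\n";
}
```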