Certificate based access instead of username/pw

Hi,

I would like to change standard access to RT from username/pw to
certificate authorization. Is there any simple way to do that? Or
any additions to RT?

Best Regards
Adrian

You should be able to have Apache do the auth and pass that along to
RT. For the RT config, you want to read about WebExternalAuth in
RT_Config.pm

If you ever get this working, please let me know. I’ve
tried and failed.

On 2/21/2011 2:35 PM, Kevin Falcone wrote:

On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:

I would like to change standard access to RT from username/pw to
certificates authorization. Is there any simple way to do that ? Or
any additions to the RT ?

You should be able to have Apache do the auth and pass that along to
RT. For the RT config, you want to read about WebExternalAuth in
RT_Config.pm

You don’t say what failed, but the Apache side is just
SSLVerifyClient require
plus
SSLUserName

and I’ve worked with folks who have this set up, so it is certainly
possible.

-kevin

If you do this (WebExternalAuth) and you’re in an AD or Kerberos/LDAP
environment, you may be able to use pass-through authentication (assuming
that your users are logging in with the same credentials that they use for
authentication to your servers).

http://modauthkerb.sourceforge.net/
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

I have mod_auth_kerb working in this manner, authenticating against AD (not
in RT, but in a different app served through Apache). I haven’t tested
mod_auth_ldap yet, but it would only be necessary if you’re looking to
authorize your clients (versus just authenticating them).

Yes, we have all of the cert stuff working fine (required).
I tried:

 SSLUserName SSL_CLIENT_S_DN_UID

and turned on WebExternalAuth, et al. Restarted httpd,
closed browser, visited site, entered certificate
passphrase, and saw the same old RT login screen.

Also tried:

 SSLUserName 0.9.2342.19200300.100.1.1

This implies you didn’t turn on WebExternalAuth, or also turned on
WebFallbackToInternalAuth. Apache will log the REMOTE_USER so it is
relatively straightforward to see if the Apache is providing enough
information for RT.

-kevin

Correct. I’ve since turned off WebFallbackToInternalAuth.

Set($WebExternalAuth, 1);
Set($WebExternalAuthContinuous, 1);
Set($WebFallbackToInternalAuth , undef);

SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_UID

%u (remote user) logs as “-” for me, so is no help
other than to indicate it’s not working.

RT 3.8.7
Apache httpd 2.2.3-45.el5

Thanks for the help though.

Just to be clear, this seems to be an apache failure to set
REMOTE_USER rather than any issue with RT.

-kevin

Hi,

I’m testing a simple alternative to External Auth.
I have a Callback placed under
local/html/Callbacks/ICZAuth/autohandler/Auth

--------------------------------------------------
%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;

# Only act when nobody is logged in yet and Apache exported the client
# certificate into the environment (needs SSLOptions +ExportCertData).
unless ( $session{'CurrentUser'} && $session{'CurrentUser'}->id() || !$ENV{'SSL_CLIENT_CERT'} )
{
    # Parse the PEM certificate mod_ssl put in SSL_CLIENT_CERT and take
    # the e-mail address from it.
    my $x509 = Crypt::OpenSSL::X509->new_from_string($ENV{'SSL_CLIENT_CERT'});
    my $email = lc($x509->email());

    # Load the RT user whose e-mail matches; if none matches, CurrentUser
    # stays unloaded and RT's normal login handling applies.
    $session{'CurrentUser'} = RT::CurrentUser->new();
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: $email");
}
</%init>
--------------------------------------------------

You must install Crypt::OpenSSL (e.g. libcrypt-openssl-x509-perl in
Debian). An email address from the Subject Alternative Name of the X.509
certificate is extracted and a corresponding user is loaded based on
an email address.

Interesting part on Apache configuration:

SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars

Best Regards
Zito

Hi,

I would like to change standard access to RT from username/pw to
certificates authorization.

This is what I made

in file:
/usr/share/request-tracker3.8/etc/RT_Config.pm

Set($WebExternalAuth, 1);
Set($WebExternalAuthContinuous, 1);
Set($WebFallbackToInternalAuth , undef);

What next?

I got this information:

SSLVerifyClient require

SSLUserName SSL_CLIENT_S_DN_UID

%u (remote user) logs as “-” for me, so is no help
other than to indicate it’s not working.

But how should I read this info?

Of course I have all of the cert stuff working fine (required).

Here is the link:

rt.ige.psnc.pl

https://r.ige.psnc.pl

Best Regards,
Adrian Stelmaszyk

Hi,

when I have

Set($WebExternalAuth, 1);

I’m not able to log in using user/pass. The text box is missing ;/

Any idea ?

Best Regards
Adrian

2011/7/1 Adrian Stel adisan82@gmail.com


when I have

Set($WebExternalAuth, 1);

I’m not able to log in using user/pass. The text box is missing ;/

You said you Set($WebFallbackToInternalAuth, undef) which means internal
auth should never be used. Please read the doc for that option in
etc/RT_Config.pm.

As for your REMOTE_USER problem, you’ll likely need to configure Apache
to put something unique in there so RT can key on it.

Thomas

Hi Thomas,

I need help with this ;/

How can I configure Apache to put something into REMOTE_USER?

Please keep replies to the list, not personal mail. The documentation
for Apache is probably a good place to start for how to configure it.

Thomas
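Pulling the Apache pieces mentioned across the thread into one vhost, as an added example that is not from any of the posters; the hostname, file paths and log name are assumptions, and the logging lines are there to show why %u comes out as "-":

```apache
# Added example, not from the thread: Apache 2.2 vhost fragment that has
# mod_ssl require a client certificate and copy one of its DN components
# into REMOTE_USER, which RT reads when $WebExternalAuth is on.
# Hostname, file paths and the log file name are assumptions.
<VirtualHost *:443>
    ServerName rt.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/rt.crt
    SSLCertificateKeyFile /etc/pki/tls/private/rt.key

    # Only certificates chaining to this CA are accepted; with
    # "SSLVerifyClient require" any other handshake is rejected.
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.pem
    SSLVerifyDepth        2
    SSLVerifyClient       require

    # Export the SSL_CLIENT_* variables (StdEnvVars) and the PEM certificate
    # itself as SSL_CLIENT_CERT (ExportCertData) so RT or a Mason callback
    # can read them.
    SSLOptions +StdEnvVars +ExportCertData

    # SSLUserName sets REMOTE_USER only when the named variable is non-empty.
    # A subject DN with no UID attribute leaves SSL_CLIENT_S_DN_UID empty:
    # REMOTE_USER stays unset, %u logs "-" and RT shows its login page.
    # Use a component every client certificate carries and that is unique
    # per user, e.g. SSL_CLIENT_S_DN_Email or SSL_CLIENT_S_DN_CN, and make
    # sure its value is the name RT knows the user by.
    SSLUserName SSL_CLIENT_S_DN_UID

    # Log what mod_ssl actually saw, so a "-" in %u can be diagnosed from
    # access_log: the full subject DN, the component SSLUserName reads,
    # and the verification result (SUCCESS or FAILED:reason).
    LogFormat "%h %u %t \"%r\" %>s dn=\"%{SSL_CLIENT_S_DN}x\" uid=\"%{SSL_CLIENT_S_DN_UID}x\" verify=%{SSL_CLIENT_VERIFY}x" rt_ssl
    CustomLog /var/log/httpd/rt_ssl_access_log rt_ssl

    # RT side (etc/RT_Config.pm), as quoted in the thread:
    #   Set($WebExternalAuth, 1);
    #   Set($WebExternalAuthContinuous, 1);
    #   Set($WebFallbackToInternalAuth, undef);
    # With the fallback off there is no password form, so an empty
    # REMOTE_USER locks everyone out until the directive above is fixed.
</VirtualHost>
```

Check the uid= field in the new log before touching RT: if it is empty while verify=SUCCESS, the certificate simply has no UID attribute and the SSLUserName variable must change.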