External Authentication: HowTo - Help needed

I would like to use external Authentication for RT in order to be able to use it within an “Intranet” environment. Authentication is done through PHP authentication against a Postgres DB. RT runs on the same server using Postgres as well. I am using RT 3.4.2.

So far I understand the following:

  1. in RT_SiteConfig.pm set: Set($WebExternalAuth , 1);
  2. During the PHP login on the intranet I set “Remote_User” environment variable to the name of the user logging in. This user actually exists in RT and has rights.
  3. I call the RT url, and I should automatically be logged in and presented with the usual RT Homepage.

The problem is that it does not work. All I get is the login page, without the actual fields where to put the login name and password.

Looking at the code in …/share/html/Elements/login this behavior is explainable, but I don’t know why I don’t get properly logged in.
Checking the code in …/share/html/autohandler, which may (should?) have some code like "$user = $ENV{'REMOTE_USER'};" I can’t find it nor can I figure out how it is supposed to read the environment variable at all.

I do appreciate any help from anyone, on how to get this going.

Thanks in Advance,

Manfred Koroschetz

Manfred Koroschetz wrote:

Checking the code in …/share/html/autohandler, which may (should?) have
some code like "$user = $ENV{'REMOTE_USER'};" I can’t find it nor can
I figure out how it is supposed to read the environment variable at all.

It’s in lib/RT/Interface/Web.pm.

I would like to use external Authentication for RT in order to be able
to use it within an “Intranet” environment. Authentication is done
through PHP authentication against a Postgres DB. RT runs on the same
server using Postgres as well. I am using RT 3.4.2.

So far I understand the following:

  1. in RT_SiteConfig.pm set: Set($WebExternalAuth , 1);
  2. During the PHP login on the intranet I set "Remote_User"
    environment variable to the name of the user logging in. This user
    actually exists in RT and has rights.
  3. I call the RT url, and I should automatically be logged in and
    presented with the usual RT Homepage.

The problem is that it does not work. All I get is the login page,
without the actual fields where to put the login name and password.

Web requests are stateless. Setting Remote_User in a PHP page isn’t
going to affect subsequent requests to other pages. If you use
http basic authentication the login appears to ‘stick’ because the
browser automatically resends the credentials on subsequent pages in
the same authentication domain. Web application frameworks often use
their own login concepts with cookies or rewritten URLs to make the
browser send back a token that can be used to retrieve prior state on
the server side - but you’ll have to do a lot of work to integrate this
between php and a perl app.

Les Mikesell
les@futuresource.com

Thank you for pointing me to … Web.pm. Indeed it has the expected code.
Nevertheless and unfortunately it still does not work. I tried hardcoding my username (RT as per name field in user table) to check if it would work, but it definitely does not. I end up at the login screen with an empty (gray) box without a username / password input box. My understanding would be that I should get to the RT Homepage.

from …/web.pm

    sub WebCanonicalizeInfo {
        my $user;

        if ( defined $ENV{'REMOTE_USER'} ) {
            $user = lc ( $ENV{'REMOTE_USER'} ) if( length($ENV{'REMOTE_USER'}) );
        }
        # For troubleshooting and testing only
        $user = 'manfred';
        return $user;
    }

I am on RT 3.4.2.

thank you in advance for any additional suggestions and steps to take to get it going.

Regards,

Manfred Koroschetz

Phil Homewood <pdh@bestpractical.com> 7/22/2005 1:00:40 AM >>>

Manfred Koroschetz wrote:

Checking the code in …/share/html/autohandler, which may (should?) have
some code like "$user = $ENV{'REMOTE_USER'};" I can’t find it nor can
I figure out how it is supposed to read the environment variable at all.

It’s in lib/RT/Interface/Web.pm.


Thank you for pointing me to … Web.pm. Indeed it has the expected
code.
Nevertheless and unfortunately it still does not work. I tried
hardcoding my username (RT as per name field in user table) to check
if it would work, but it definitely does not.

Did you restart apache to pick up the change?

thank you in advance for any additional suggestions and steps to take
to get it going.

The usual way is to either use Apache’s basic authentication or load
an apache module that authenticates the way you want and sets
REMOTE_USER accordingly. I am using mod_auth_pam on a RedHat box
which is configured to use either local system accounts or check
against a Windows domain but anything that works with apache should
work with RT.

Les Mikesell
les@futuresource.com

Les Mikesell <les@futuresource.com> 7/22/2005 4:40:25 PM >>>

Thank you for pointing me to … Web.pm. Indeed it has the expected
code.
Nevertheless and unfortunately it still does not work. I tried
hardcoding my username (RT as per name field in user table) to check
if it would work, but it definitely does not.

Did you restart apache to pick up the change?

A: Yes I did.

thank you in advance for any additional suggestions and steps to take
to get it going.

The usual way is to either use Apache’s basic authentication or load
an apache module that authenticates the way you want and sets
REMOTE_USER accordingly. I am using mod_auth_pam on a RedHat box
which is configured to use either local system accounts or check
against a Windows domain but anything that works with apache should
work with RT.

A: I understand, but am not sure that any mod_auth_pam would work for our project. Now from your description it seems that you don’t have a problem with your environment and you use REMOTE_USER through mod_auth_pam and a Windows domain controller.
My questions are:

—>Are you using RT 3.4.2 ?
—>Did you have to do anything else, other than change your RT_SiteConfig.pm ?

Les Mikesell
les@futuresource.com

Thanks

Manfred Koroschetz

The usual way is to either use Apache’s basic authentication or load
an apache module that authenticates the way you want and sets
REMOTE_USER accordingly. I am using mod_auth_pam on a RedHat box
which is configured to use either local system accounts or check
against a Windows domain but anything that works with apache should
work with RT.

A: I understand, but am not sure that any mod_auth_pam would work for
our project. Now from your description it seems that you don’t have a
problem with your environment and you use REMOTE_USER through
mod_auth_pam and a Windows domain controller.

There are a variety of mod_auth_xxx modules that might work for
you. Mod_auth_pam isn’t included with the RH/fedora distributions
but meshes nicely with the system authentication for email accounts,
etc. and can stack several different methods. The point is that
using basic authentication at the apache level works because it sets
REMOTE_USER on every page because the browser resends the credentials.
Your earlier comments made me think you expected a php application
session login to work with subsequent perl pages. It won’t, unless you
do something to duplicate the session mechanism on the perl side.

My questions are:

—>Are you using RT 3.4.2 ?

I have a 2.x and a 3.2.2 installation working this way. My 3.4.2
isn’t completely working yet but does get to the point of showing the
logged in user correctly in the top right. Basic authentication
is pretty generic and the same also works with some other web apps
that I have configured for external authentication.

—>Did you have to do anything else, other than change your
RT_SiteConfig.pm ?

Part of configuring basic authentication for apache is to
require valid-user
for the relevant location in httpd.conf. That makes the
browser prompt for the login and resend it for subsequent
pages.

Les Mikesell
les@futuresource.com
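
The per-request behaviour described in the replies above, as an added example (not code from RT or from anyone in the thread): a small Python model in which the server's auth layer derives REMOTE_USER from the credentials carried by each request, so a value set while serving one page is gone on the next. `USERS`, `front_end`, `rt_request`, `php_login_page`, `basic` and the sample password are constructed for illustration.

```python
import base64
import hmac

# Constructed credential store standing in for whatever the Apache auth module checks.
USERS = {"Manfred": "s3cret"}

def front_end(headers):
    """Model of the server's auth layer: every request gets a fresh environment,
    and REMOTE_USER is set only if THIS request carries valid Basic credentials."""
    environ = {}
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return environ
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return environ
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        environ["REMOTE_USER"] = user
    return environ

def canonicalize(environ):
    """Logic of the WebCanonicalizeInfo excerpt in the thread, minus the hardcoded test line."""
    user = environ.get("REMOTE_USER")
    return user.lower() if user else None

def rt_request(headers):
    """Simplified stand-in for an externally authenticated app handling one request."""
    user = canonicalize(front_end(headers))
    return f"home page for {user}" if user else "login page"

def php_login_page(headers):
    """The approach from the first message: another page sets REMOTE_USER itself.
    The value lives only in this request's environment."""
    environ = front_end(headers)
    environ["REMOTE_USER"] = "manfred"
    return environ

def basic(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

if __name__ == "__main__":
    php_login_page({})                             # "login" on the PHP side
    print(rt_request({}))                          # next request carries nothing
    print(rt_request(basic("Manfred", "s3cret")))  # credentials resent with the request
```
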