External authentication

Hi all,

Can RT use external username/password authentication modules?

I’ve got an AIX4.2 system that everyone has an account on. I’m developing an
in-house inetd based authentication system so that I can then use it in a
number of distributed systems we have within the group - one
username/password per user regardless of which system or app they are using.

I (will) have a small perl script that will sit on the client systems and
using Net::Telnet interrogate the AIX box. Can I then get RT to use this
script to check that the password is correct?

I have no problem with actually creating user accounts within RT for each
user (I assume I can do this from the command line using rt or rtadmin), but I
don’t want to have to replicate passwords every time they are changed.

Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000

Can RT use external username/password authentication modules?

Yes. You will need to write a bit of code (to call your other code) to
sit within your config.pm to do so, flip the appropriate clearly-labeled
switches within there, and it should work.

I’ve got an AIX4.2 system that everyone has an account on. I’m developing an
in-house inetd based authentication system so that I can then use it in a
number of distributed systems we have within the group - one
username/password per user regardless of which system or app they are using.

Urm. Do not pass passwords in the clear. Basic security. Run your RT
instance over SSL if possible, interface with your external authentication
using shared keys between the RT box and the auth box, apply limits on
your auth boxes on the number of password attempts per time unit, but do
not repeat the problems of telnet, imap, pop, etc etc ;)

Regards,

                         Bruce Campbell                            RIPE
               Systems/Network Engineer                             NCC
             www.ripe.net - PGP562C8B1B                      Operations
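
The auth-box side of the advice above (shared key between the RT box and the auth box, limit on password attempts per time unit), as an added example that is not part of the original thread. It assumes the connection itself already runs over SSL/TLS, since the HMAC authenticates the caller but does not hide the password; the key, limits and function names are hypothetical.

```perl
# Added example: checks on the auth box. All names and limits are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SHARED_KEY   = 'constructed-demo-key';  # provisioned out of band on both boxes
my $MAX_SKEW     = 60;     # seconds a signed request stays acceptable
my $MAX_ATTEMPTS = 5;      # failed attempts allowed ...
my $WINDOW       = 300;    # ... per this many seconds, per username
my %failures;              # username => [ times of recent failures ]

# Constant-time comparison so the MAC check does not leak a matching prefix.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# RT box side: MAC over timestamp, username and password with the shared key.
sub sign_request {
    my ($ts, $user, $pass) = @_;
    return hmac_sha256_hex(join("\0", $ts, $user, $pass), $SHARED_KEY);
}

# Auth box side: returns 'ok', 'denied', 'locked' or 'bad-request'.
sub handle_request {
    my ($now, $ts, $user, $pass, $mac, $check_password) = @_;
    return 'bad-request' if abs($now - $ts) > $MAX_SKEW;            # stale or replayed
    return 'bad-request' unless ct_eq($mac, sign_request($ts, $user, $pass));

    my $recent = $failures{$user} ||= [];
    @$recent = grep { $now - $_ < $WINDOW } @$recent;               # drop old failures
    return 'locked' if @$recent >= $MAX_ATTEMPTS;                   # before any check

    return 'ok' if $check_password->($user, $pass);
    push @$recent, $now;
    return 'denied';
}

# Constructed demo: six wrong guesses, then the right password, one second apart.
my $check = sub { $_[0] eq 'gary' && $_[1] eq 'correct horse' };
my $t = 1_000_000;
for my $guess (map("wrong$_", 1 .. 6), 'correct horse') {
    my $mac = sign_request($t, 'gary', $guess);
    print "$guess => ", handle_request($t, $t, 'gary', $guess, $mac, $check), "\n";
    $t++;
}
```

Once the limit is reached, even the correct password is refused until the window expires, so a per-username limit also lets anyone who can reach the service lock a user out; limiting per calling host as well reduces that.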

Can RT use external username/password authentication modules?

Yes. You will need to write a bit of code (to call your other code) to
sit within your config.pm to do so, flip the appropriate clearly-labeled
switches within there, and it should work.

I’ve got an AIX4.2 system that everyone has an account on. I’m developing an
in-house inetd based authentication system so that I can then use it in a
number of distributed systems we have within the group - one
username/password per user regardless of which system or app they are using.

Urm. Do not pass passwords in the clear. Basic security.

What he said, though I’m not sure that what you said implied cleartext
passwords.

We’re aiming for the one user, one password paradigm, too; we’re
standardizing around the UNIX passwd file (as served via YP/NIS/NIS+).
We’ve chosen to have RT sync itself from our NIS server’s passwd map
whenever the passwd map changes. It took a little scripting and some
Makefile work, but it’s proved effective.

Cheers!

--j
Jim Meyer, Geek At Large purp@wildbrain.com

We’re aiming for the one user, one password paradigm, too; we’re
standardizing around the UNIX passwd file (as served via YP/NIS/NIS+).
We’ve chosen to have RT sync itself from our NIS server’s passwd map
whenever the passwd map changes. It took a little scripting and some
Makefile work, but it’s proved effective.

I’d love to see your code for this, if you’d be willing to share.

srl
Shane Landrum (srl AT boston DOT com) Software Engineer, boston.com

We’re aiming for the one user, one password paradigm, too; we’re
standardizing around the UNIX passwd file (as served via YP/NIS/NIS+).
We’ve chosen to have RT sync itself from our NIS server’s passwd map
whenever the passwd map changes. It took a little scripting and some
Makefile work, but it’s proved effective.

I’d love to see your code for this, if you’d be willing to share.

srl

Once I do it, I’ll let everyone know, but I’m on holiday at the moment, so it
won’t be for a week or so.

However, when I had a look at the config.pm, I couldn’t see where I needed to
put the code (I did only have a quick look) so if someone could point me to
the appropriate section I’d appreciate it.

Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000

I am brand new to RT, and am having a problem configuring external
authentication.

I am trying to set things up so that users can authenticate to RT using
their Windows NT Domain credentials. (Don’t say it. It is the environment
we operate in and that’s what I have to work with.) I have installed
Apache::AuthenNTLM and it works. I have the cgi-bin directory set to
require authentication through NT and it does just that. A good set of
credentials allows access. A bad set does not. The REMOTE_USER environment
variable is set to NTDomain\username as you would expect.

To accomplish the same with RT I set $WebExternalAuth to “external” (or
anything) and configure Apache to require NTLM authentication at the root of
the rt2 directory. When I try to hit the RT page, as expected, I am
prompted for credentials which I supply. I then get back a blank page. No
error messages on the browser. In the apache error_log is the expected
message that access failed because of a bad or missing authentication
header. Immediately after that in the log is the RT generated HTML for the
page I should see at the browser. If I save that HTML to a file and open it
in a browser it is exactly what I would have expected at the browser. It
shows that I am logged in with the NT domain credentials I supplied
(NTDomain\username) and the content of the page is just what I should see.
But, it’s in the apache error_log and not being sent to the browser.

I am not Mr. Mod_Perl so this may be something everyone knows the answer to
except me. I would appreciate any pointers.

Thanks

Tommy Wagner
Assoc Professor
Director of Support
Dept of EE&CS
United States Military Academy

Has anyone had any luck getting external
authentication to work? I have a script that I want
to try, and I know that you are supposed to use
SetExternalAuth in config.pm. Am I supposed to define
that to point to the script? When I do that, all RT
says is ‘Error → You are not an authorized user.’ I
think a window is supposed to pop up or something, and
I have made changes to httpd.conf (AllowOverride
AuthConfig) and .htaccess (require valid-user), but to
no avail.

Thanks,
Aaron


Aaron Bryant wrote:

Has anyone had any luck getting external
authentication to work? I have a script that I want
to try, and I know that you are supposed to use
SetExternalAuth in config.pm. Am I supposed to define
that to point to the script? When I do that, all RT
says is ‘Error → You are not an authorized user.’ I
think a window is supposed to pop up or something, and
I have made changes to httpd.conf (AllowOverride
AuthConfig) and .htaccess (require valid-user), but to
no avail.

If you’re requiring “valid-user” but not seeing Apache
prompting you for username and password, your problem
lies in your Apache config, not RT. $WebExternalAuth
simply tells RT to let Apache handle the authentication.
Phil Homewood, Systems Janitor, www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances