HTTP_Auth with rt?


#1

Hello Everyone,

I thought I read something on the list that suggested you could
have rt do authentication via http auth, but I can’t find any
documentation on how to do that.

I did see the function HTTP_AuthAvailable in lib/rt/ui/web/auth.pm, but
I don’t see it used anywhere.

Does anyone use http auth to authenticate access to rt? If so, can you
tell me how to do it? Thanks

Happy Landings,

Jon Detert
Unix System Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202


#2

I thought I read something on the list that suggested you could
have rt do authentication via http auth, but I can’t find any
documentation on how to do that.

I did see the function HTTP_AuthAvailable in lib/rt/ui/web/auth.pm, but
I don’t see it used anywhere.

Does anyone use http auth to authenticate access to rt? If so, can you
tell me how to do it? Thanks

From rt/etc/config.pm:

    # WEB_AUTH_MECHANISM defines what sort of authentication you'd like to use
    # for the web ui. Valid choices are: "cookies" and "external". Cookies
    # uses http cookies to keep track of authentication. External means that
    # you will have configured your web server to prompt for the user's
    # credentials and authenticate them before RT ever sees the request.

    $web_auth_mechanism = "external";

I use mod_auth_pam with this, which is a drop-in replacement for mod_auth,
but which uses PAM instead of just /etc/passwd. The advantage is that I
can use our distributed authentication system (kerberos, via pam_krb5
etc). The disadvantage is that I have no good way of expiring logins,
like one would if one were using cookies. Because HTTP doesn’t support
logouts, once someone logs in, they stay logged in until the browser is
closed.

My wishlist for RT would include the ability to do initial authentication
via external auth mechanisms, but to have RT generate and track
authentication cookies to enable session expiry/logouts.

–Joe


#3

I thought I read something on the list that suggested you could
have rt do authentication via http auth, but I can’t find any
documentation on how to do that.

– snip –

From rt/etc/config.pm:

WEB_AUTH_MECHANISM defines what sort of authentication you’d like to use

– snip –

My wishlist for RT would include the ability to do initial authentication
via external auth mechanisms, but to have RT generate and track
authentication cookies to enable session expiry/logouts.

I’m trying to hack rt1.0.4 so that it does exactly that using an NT
domain as the external source, and the perl Authen::Smb module to
interact with the NT domain. Although I have the initial authentication
working properly, I seem to have broken the use of cookies (since now I
have to authenticate every time I click on a link).

All I did was to modify two functions in lib/rt/database/config.pm :

    is_password() and is_hash_of_password_and_ip().

These return a boolean value. I simply changed them to send the entered
password to an Authen::Smb call instead of comparing its hashed value
to the hashed value from the database. Any ideas why my changes broke
the use of cookies?

Happy Landings,

Jon Detert
Unix System Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202
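
The design wished for in this thread (check the password once against an external source, then have the application issue a cookie that can expire or be revoked) can be sketched as below. This is an added example, not code from RT or from either poster; `external_auth`, the cookie layout, the secret and the sample credentials are constructed for illustration, and it assumes a Unix host with /dev/urandom.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-secret';   # assumption: real key comes from protected config
my $MAX_AGE = 30 * 60;                      # session lifetime in seconds
my %revoked;                                # session ids invalidated by logout

# Hypothetical stand-in for the external check (PAM, Kerberos, Authen::Smb, ...).
sub external_auth {
    my ($user, $password) = @_;
    return $user eq 'jon' && $password eq 'constructed-password';
}

sub ct_eq {    # constant-time string comparison for the MAC check
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Login: the only place the password and the external authenticator are used.
sub login {
    my ($user, $password, $now) = @_;
    return unless $user =~ /^\w+\z/ && external_auth($user, $password);
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    my $body = join ':', $user, unpack('H*', $buf), $now + $MAX_AGE;
    return "$body:" . hmac_sha256_hex($body, $SECRET);    # cookie value
}

# Every later request: verify MAC, expiry and revocation; no password involved.
sub check_session {
    my ($cookie, $now) = @_;
    my ($user, $sid, $expires, $mac) = split /:/, $cookie // '', 4;
    return unless defined $mac && $expires =~ /^\d+\z/;
    return unless ct_eq($mac, hmac_sha256_hex("$user:$sid:$expires", $SECRET));
    return if $now >= $expires || $revoked{$sid};
    return $user;
}

sub logout { my ($c, $now) = @_; $revoked{ (split /:/, $c)[1] } = 1 if check_session($c, $now) }

my $t0 = time;
my $c  = login('jon', 'constructed-password', $t0) or die "login failed";
print "in session:   ", (check_session($c, $t0 + 60) // 'rejected'), "\n";
print "after expiry: ", (check_session($c, $t0 + $MAX_AGE) // 'rejected'), "\n";
logout($c, $t0 + 60);
print "after logout: ", (check_session($c, $t0 + 60) // 'rejected'), "\n";
```

The cookie carries no password or password hash, so the per-request check never calls the external authenticator; a production version would also set the cookie's Secure and HttpOnly attributes and keep the revocation list in shared storage.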