Hi. I’m trying to set up RT 4.4.2 (installed from Ubuntu packages on Ubuntu 18.04, running under Apache using fcgid), and I can’t get WebRemoteUserAuth to work.
(This is probably a dumb question and quite possibly really about the Debian package or about fcgid rather than about RT configuration itself; my apologies.)
As I understand it, in RT4, setting
    Set($WebRemoteUserAuth, 1);
should cause RT to check the REMOTE_USER environment variable for the user Apache thinks we’re authenticated as. (In this case that has the form of an email address; the RT database has email addresses as usernames.) Running a dumb Perl CGI script (but not under fcgid!) to dump the environment shows me that REMOTE_USER is being set properly by Apache, but I still get an RT login form.
Interestingly, I still get the RT login form even if I unset WebFallbackToRTLogin, or set it to false or undef. This makes me wonder whether RT is actually reading my config properly (from /etc/request-tracker4/RT_SiteConfig.d). However, it was giving me cross-site scripting warnings until I set ReferrerWhitelist in the same directory, so some changes I make are being honored.
fcgid seems to be being called with RT_SITE_CONFIG set to /etc/request-tracker4/RT_SiteConfig.pm, which is empty except for comments saying RT now reads from files in /etc/request-tracker4/RT_SiteConfig.d . I’ve been dutifully editing files in /etc/request-tracker4/RT_SiteConfig.d, but I see no difference in behavior if I concatenate them all into /etc/request-tracker4/RT_SiteConfig.pm .
(As I understand it, $WebExternalAuth, which is what we used to get this behavior in RT3.8, is no longer relevant. However, I’ve tried setting that as well as WebRemoteUserAuth with no change in behavior and no errors.)
BTW, we’re using the Apache OIDC module to set REMOTE_USER; as mentioned, that part is working (at least with a regular non-fcgid CGI script).
Relevant snippets from /etc/request-tracker4/RT_SiteConfig.d/40-csail-defaults :
    Set($WebRemoteUserAuth, 1);
    Set($WebFallbackToRTLogin, 1);
(but I still get the login form without WebFallbackToRTLogin).
Relevant snippets from my RT vhost config in Apache:
    ...
    OIDCRemoteUserClaim email
    ...
    Include /etc/request-tracker4/apache2-fcgid.conf
    <Location /rt>
        <RequireAll>
            Require valid-user
            Require ssl
            Require claim iss:https://oidc.csail.mit.edu/
        </RequireAll>
        AuthType openid-connect
    </Location>
In case it matters, I also have another vhost configured which does not use OIDC (so should fall back to RT’s native authentication), with the idea that that way we can log in as root or another administrative user, or use the REST interface via the command-line rt tool with a password. But for testing purposes I’ve tried removing that vhost and I don’t see changed behavior.
I’m kind of fuzzy on how Apache passes environment variables to fcgid CGI scripts. But the fact that I still get the RT login form even with $WebFallbackToRTLogin unset suggests that there’s something more fundamental here that I’m missing.
(We don’t want to auto-create users; only RT admins will be able to log in this way, and they all already have accounts.)
Thanks for any advice anybody can give!
Jay
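
An added example, not part of the original post and not RT's own code: a small Python scan that reports which Set() lines in a site config tree would take effect, given that RT 4.4 parses RT_SiteConfig.pm and then only the files ending in .pm under RT_SiteConfig.d, in alphabetical order. The file name 40-csail-defaults comes from the post; 50-referrer.pm, its value, and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches an uncommented, single-line Set($Name, value); as used in RT site config files.
SET_RE = re.compile(r'^[ \t]*Set\(\s*[$@%](\w+)\s*,\s*(.*?)\s*\);', re.M)

def effective_settings(site_config, site_dir):
    """Return ({option: (value, file name)}, [file names in site_dir that are skipped])."""
    entries = sorted(p for p in Path(site_dir).iterdir() if p.is_file())
    # RT 4.4 parses RT_SiteConfig.pm first, then RT_SiteConfig.d/*.pm alphabetically.
    load_order = [Path(site_config)] + [p for p in entries if p.suffix == ".pm"]
    skipped = [p.name for p in entries if p.suffix != ".pm"]
    settings = {}
    for path in load_order:
        if path.is_file():
            for name, value in SET_RE.findall(path.read_text()):
                settings[name] = (value, path.name)  # a later file overrides an earlier one
    return settings, skipped

def demo():
    """Build a constructed config tree (not the poster's real files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        site_config = Path(tmp, "RT_SiteConfig.pm")
        site_dir = Path(tmp, "RT_SiteConfig.d")
        site_dir.mkdir()
        site_config.write_text("# RT now reads from RT_SiteConfig.d\n1;\n")
        # File name taken from the post; it has no .pm suffix.
        (site_dir / "40-csail-defaults").write_text(
            "Set($WebRemoteUserAuth, 1);\nSet($WebFallbackToRTLogin, 1);\n")
        # Constructed file name and value, for contrast.
        (site_dir / "50-referrer.pm").write_text(
            "Set(@ReferrerWhitelist, qw(rt.example.org:443));\n1;\n")
        return effective_settings(site_config, site_dir)

if __name__ == "__main__":
    settings, skipped = demo()
    for name, (value, source) in sorted(settings.items()):
        print(f"{name} = {value}   (from {source})")
    for name in skipped:
        print(f"not loaded (no .pm suffix): {name}")
```

Pointing effective_settings() at the real /etc/request-tracker4/RT_SiteConfig.pm and RT_SiteConfig.d shows whether WebRemoteUserAuth appears in the effective set at all and which file supplied it.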