Is PAM authentication possible?

I was wondering if I could use PAM authentication with RT. I don’t
have a problem with MySQL but if I could set it up to use PAM then
everyone with a login could be automatically configured (at least as
far as thier password and e-mail address goes).

Josh Kuperman
josh@saratoga.lib.ny.us

Josh Kuperman wrote:

I was wondering if I could use PAM authentication with RT. I don’t
have a problem with MySQL but if I could set it up to use PAM then
everyone with a login could be automatically configured (at least as
far as thier password and e-mail address goes).

set $WebExternalAuth in config.pm and get Apache to auth against PAM?
�|� http://www.bestpractical.com/rt – Trouble Ticketing. Free.

Josh Kuperman wrote:

I was wondering if I could use PAM authentication with RT. I don’t
have a problem with MySQL but if I could set it up to use PAM then
everyone with a login could be automatically configured (at least as
far as thier password and e-mail address goes).

set $WebExternalAuth in config.pm and get Apache to auth against PAM?

I started off this way, but you also need to have users in the RT
database. I wanted to try authentication to afs via PAM, and if that
fails, try RT’s database.

Here is what I’ve put in local/WebRT/html/autohandler for RT2.0.15

http://www.midnightlinux.com/~jo2y/autohandler.diff

It’s not a drop-in replacement, but it should give some ideas, and if
someone who is good at perl skim over my change and let me know if there
is a better way, I’d appriciate it.

-james

Josh Kuperman wrote:

I was wondering if I could use PAM authentication with RT. I don’t
have a problem with MySQL but if I could set it up to use PAM then
everyone with a login could be automatically configured (at least as
far as thier password and e-mail address goes).

set $WebExternalAuth in config.pm and get Apache to auth against PAM?

But what do I set it to. The name of the module,
“pam_external_auth_module”, or just PAM, or do I just set it by
removing the undef?

Also, what changes would I have to make to the database. I’d assume if
someone had one user name for RT and another to login on the system
I’d need to change that.

I started off this way, but you also need to have users in the RT
database. I wanted to try authentication to afs via PAM, and if that
fails, try RT’s database.

Here is what I’ve put in local/WebRT/html/autohandler for RT2.0.15

http://www.midnightlinux.com/~jo2y/autohandler.diff

I looked at this and it’s interesting but the reason I want to use PAM
is that I have so many things that are simply accessible to the staff
here and no one else (web sites, directories, etc) that making RT
another one of those things would be desirable. I’d likely everyone to
actually be in by default and able to view specified queues and add
tickets to specified queues.

Obviously I’d need database entries for this, but since they’d need to
log in wouldn’t simply defining what I want for all users and only
having accounts for staff mean I was defining things for staff.

I’m only using RT2.0.14 - I’ve been meaning to update - I might even
consider the latest beta if it would make any of this easier.

Josh Kuperman
josh@saratoga.lib.ny.us

I’m only using RT2.0.14 - I’ve been meaning to update - I might even
consider the latest beta if it would make any of this easier.

Sure, I’ve written the support code for RT3. In etc/RT_SiteLocal.pm:

$WebExternalAuth = 1;
$WebFallbackToInternalAuth = undef;
$WebExternalAuto = 1;

and voila, it works; RT will create users under the same name as
REMOTE_USER upon login, if it’s missing in the Users table.

Thanks,
/Autrijus/