Login persistence

I have managed to get authentication using LDAP working OK, but I seem
to have missed or misunderstood something about persistence.

When I click on Logout, I get logged out and immediately logged back in
again. I think I can see why this would happen, in the sense that the
web environment still holds the authenticated token, and presumably RT
just looks for it and finds it again.

Is there a way to stop this happening? Closing the tab doesn’t prevent
it; closing down the browser does, of course, but most users will not
want to do that (being required to close a sovereign application simply
to terminate a session in a tab is not a good practice).

After a logout from an LDAP-authenticated session, it should display
RT’s own login screen. If the user really, really, really wants another
session with different LDAP credentials (or even a repeat of her own),
then indeed closing the browser is required, but that’s an edge case.

The settings I am using are:

httpd.conf
<VirtualHost *:80>
ServerAdmin pflynn@ucc.ie
ServerName foobar.ucc.ie
ErrorLog logs/foobar.ucc.ie-error_log
LogLevel debug
CustomLog logs/foobar.ucc.ie-access_log combined
AddDefaultCharset UTF-8
FcgidMaxRequestLen 1073741824
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"

Order allow,deny
Allow from all
Options +ExecCGI
AddHandler fcgid-script fcgi


Order deny,allow
Deny from All
AuthType Basic
AuthBasicProvider file ldap
AuthBasicAuthoritative off
AuthUserFile /var/www/htaccess/foobar
AuthGroupFile /dev/null
AuthzLDAPAuthoritative off
AuthName "Login with your email address and password"
AuthLDAPURL ldap://aaa.bbb.ccc.ddd:ppp/DC=ad,DC=ucc,DC=ie?mail
AuthLDAPBindDN "xxxxx"
AuthLDAPBindPassword 'yyyyy'
Require valid-user

RT_SiteConfig.pm (omitting values set at webconfig time)

# allow web auth to pass login status to RT
Set($WebRemoteUserAuth, 1);

# allow RT to show login screen if web auth failed
Set($WebFallbackToRTLogin, 1);

# allow an hour's inactivity (10 min for testing)
Set($AutoLogoff, 10);

# standard password must be 10 chars min
Set($MinimumPasswordLength, 10);

# use ISO dates
Set($DateTimeFormat, { Format => "ISO", Seconds => 0 });

///Peter
Peter Flynn | Academic & Collaborative Technologies | University College
Cork IT Services | Tel: +353 21 490 2609 | Email: pflynn@ucc.ie | Web: www.ucc.ie

Hi Peter,

As you noted, your web environment is essentially holding the login token.
When you click logout, Apache serves up the “you are logged out” page,
processes the authentication configuration and, because of this line:

# allow web auth to pass login status to RT
Set($WebRemoteUserAuth, 1);

RT accepts the authentication from Apache, which logs the user back in.

Consider it from the point of view that the Apache-based authentication
controls access to the directory on the webserver that contains the website
files. As far as RT is concerned it is piggybacking on this authentication
procedure so that it can figure out who’s logged in. In order for one of
your users to log out they need to kill the session with Apache, i.e. close
the browser.
So in short, your login session on RT is tied to the web browser’s session
with the web server.

To make it work as you would like (clicking logout ends Apache’s login
session) the website would need to make a change to the web server. This
generally is not allowed to happen as it’s a potential security flaw.

If you want the user’s login session to be controlled by the RT application
then you’ll need to configure LDAP authentication within the RT
configuration.
To be able to do this you need at least these Perl modules (and maybe some
others that I’m neglecting too):
Net::LDAP
RT::Authen::ExternalAuth

You then need to add the plugin to your RT_SiteConfig.pm:
Set( @Plugins, qw(RT::Authen::ExternalAuth) );

And set the LDAP configuration by following the example SiteConfig file in
the plugin etc directory.
Lastly you’ll need to remove the Auth config from your Apache virtual host
and change:
Set($WebRemoteUserAuth, 1);
to
Set($WebRemoteUserAuth, 0);

Kind regards,
Rory Clerkin

On 23 May 2014 09:27, Flynn, Peter pflynn@ucc.ie wrote:
[…]

RT Training - Boston, September 9-10
http://bestpractical.com/training

> Hi Peter,
>
> As you noted, your web environment is essentially holding the login token.
> When you click logout, Apache serves up the “you are logged out” page,
> processes the authentication configuration and, because of this line:
>
> # allow web auth to pass login status to RT
> Set($WebRemoteUserAuth, 1);
>
> RT accepts the authentication from Apache, which logs the user back in.
> […]
> So in short, your login session on RT is tied to the web browser’s
> session with the web server.

Right.

> To make it work as you would like (clicking logout ends Apache’s login
> session) the website would need to make a change to the web server. This
> generally is not allowed to happen as it’s a potential security flaw.

Indeed.

> If you want the user’s login session to be controlled by the RT
> application then you’ll need to configure LDAP authentication within the
> RT configuration.

Thank you: I must have misread this. I didn’t think RT could do LDAP
auth itself. I wouldn’t have bothered with the Apache route otherwise.

> To be able to do this you need at least these Perl modules (and maybe
> some others that I’m neglecting too):
> Net::LDAP
> RT::Authen::ExternalAuth

Done. CPAN complained about a dependency:

No tests defined for RT::Authen::ExternalAuth extension

but I used -f :)

> You then need to add the plugin to your RT_SiteConfig.pm:
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );

OK.

> And set the LDAP configuration by following the example SiteConfig file
> in the plugin etc directory.

I’ll need to get some more local LDAP help with that.

> Lastly you’ll need to remove the Auth config from your Apache virtual
> host and change:
> Set($WebRemoteUserAuth, 1);
> to
> Set($WebRemoteUserAuth, 0);

Should the RT user record still contain the user’s (LDAP) email address
as the Username to log in with?

///Peter
Peter Flynn | Academic & Collaborative Technologies | University College
Cork IT Services | Tel: +353 21 490 2609 | Email: pflynn@ucc.ie | Web: www.ucc.ie

> Should the RT user record still contain the user’s (LDAP) email address
> as the Username to log in with?

I’m not quite sure, maybe somebody else can weigh in here.
On my own install I’ve tried a few different changes in the
RT_SiteConfig.pm but wasn’t able to log in with an email address (we
normally use the user account name). It may be that the username is saved
in the RT database on the first login.

        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        'attr_map' => {
            'Name'           => 'sAMAccountName',
            'EmailAddress'   => 'mail',
            'Organization'   => 'company',
            'RealName'       => 'cn',
            'NickName'       => 'extensionAttribute1',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'WorkPhone'      => 'telephoneNumber',
            'Address1'       => 'streetAddress',
            'City'           => 'l',
            'State'          => 'st',
            'Zip'            => 'postalCode',
            'Country'        => 'co'
        }
    },

I’ve tried different combinations of removing ‘Name’ from the
‘attr_match_list’ and changing ‘ExternalAuthId’ to use ‘mail’ in the
‘attr_map’.

Kind regards,
Rory

On 23 May 2014 15:57, Flynn, Peter pflynn@ucc.ie wrote:
[…]


> Should the RT user record still contain the user’s (LDAP) email address
> as the Username to log in with?

Normally users configure RT::Authen::ExternalAuth to map the LDAP
username to the RT username field. You could map Name => 'mail' in
your attr_map if you wanted.

I suggest being sure to review all of the documentation in
RT::Authen::ExternalAuth::LDAP.pm and in the example config shipped
with the extension.

https://metacpan.org/source/FALCONE/RT-Authen-ExternalAuth-0.20/etc/RT_SiteConfig.pm

-kevin
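To pull the recipe from this thread together, here is an added RT_SiteConfig.pm fragment (example code; not Peter's file, not Rory's, and not the example config shipped with the extension) that does what Rory and Kevin describe: $WebRemoteUserAuth switched off so RT owns the session, the RT::Authen::ExternalAuth plugin loaded, and the LDAP service configured to match logins on the e-mail address. The service name UCC_AD, the hostname, the bind DN, the bind password and the search filters are placeholders to be replaced with local values; the configuration keys are those of RT::Authen::ExternalAuth 0.x as referenced in the thread.

```perl
# RT_SiteConfig.pm -- added example, not the poster's file.
# LDAP authentication is now done by RT::Authen::ExternalAuth, so the
# AuthType Basic ... Require valid-user block must be removed from the
# Apache <VirtualHost>; ScriptAlias, DocumentRoot and the fcgid handler stay.

# 1. Stop trusting REMOTE_USER from the web server. RT shows its own login
#    form and "Logout" really ends the session, because the session now lives
#    in RT's own cookie rather than in the browser's cached Basic credentials.
Set($WebRemoteUserAuth, 0);
Set($WebFallbackToRTLogin, 1);   # harmless once WebRemoteUserAuth is off

# 2. Load the extension (RT 4.0/4.2 plugin syntax, as used in the thread).
Set(@Plugins, qw(RT::Authen::ExternalAuth));

# 3. Which external services to consult, in order, for authentication and
#    for pulling user details into the RT user record.
Set($ExternalAuthPriority, ['UCC_AD']);
Set($ExternalInfoPriority, ['UCC_AD']);

# Do not create RT accounts for people the directory does not know.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'UCC_AD' => {                                   # placeholder service name
        'type'   => 'ldap',
        'server' => 'ldap.example.ie',              # placeholder hostname
        'user'   => 'CN=rt-bind,OU=Service,DC=ad,DC=ucc,DC=ie',  # placeholder bind DN
        'pass'   => 'BIND-PASSWORD-HERE',           # placeholder; keep this file readable by the RT web user only
        'base'   => 'DC=ad,DC=ucc,DC=ie',

        # Only accounts that carry a mail attribute may log in.
        'filter' => '(&(objectClass=user)(mail=*))',
        # Accounts matching d_filter are refused even when the bind succeeds;
        # this matching-rule filter selects AD accounts with the "disabled" bit set.
        'd_filter' => '(userAccountControl:1.2.840.113556.1.4.803:=2)',

        'tls' => 1,                                 # STARTTLS so passwords never cross the wire in clear
        'net_ldap_args' => [ version => 3 ],

        # RT fields whose mapped LDAP attributes are compared with what the
        # user typed. With 'EmailAddress' listed, typing pflynn@ucc.ie finds
        # the record by its mail attribute, which is what Peter asked about.
        'attr_match_list' => [ 'EmailAddress', 'Name' ],

        # RT field => LDAP attribute. Name => 'mail' makes the e-mail address
        # the RT username, as Kevin suggests; use 'sAMAccountName' here
        # instead to keep the AD login name as the RT username.
        'attr_map' => {
            'Name'           => 'mail',
            'EmailAddress'   => 'mail',
            'RealName'       => 'cn',
            'ExternalAuthId' => 'sAMAccountName',
            'Gecos'          => 'sAMAccountName',
            'Organization'   => 'company',
            'WorkPhone'      => 'telephoneNumber',
        },
    },
});

1;
```

After editing, restart the web server and clear RT's Mason cache so the new plugin is picked up. With the Basic-auth directives gone from the virtual host, the browser holds no cached credentials to replay, so clicking Logout lands on RT's own login screen as Peter wanted. Note that the attr_map keys that matter for login are Name and the fields in attr_match_list; if an existing RT user record has its Name set to the AD account name rather than the e-mail address, RT will keep matching that record by Name until the record is updated, which is consistent with Rory's observation that the username appears to be fixed at first login.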