At 08:52 AM 11/8/2002, Dave Ewart wrote:
In short, if your system uses crypt() passwords then you should be
able to cut and paste from the passwd file, otherwise no.
Or, you could set RT to use “external” authentication, which means that
the authenticated user passed by Apache is accepted and used by RT. You
can then create a password file, for use by Apache, containing the MD5
passwords from elsewhere. If you’d like more details, let me know.
Yeah could you go into more detail?
Thanks for the info
A couple of people have asked about this so … try the following:
Set $WebExternalAuth = 'on';
in etc/config.pm
This will make Apache responsible for providing RT with an authenticated
username - “external” means external to RT, not necessarily on another
server, for example, as I understand.
in httpd.conf:
Alias /rt2/ /opt/rt2/WebRT/html/
PerlRequire /opt/rt2/bin/webmux.pl
<Location /rt2>
SetHandler perl-script
PerlHandler RT::Mason
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName "Use normal password"
require valid-user
</Location>
Note the “AuthUserFile” - this is a file which is only used by RT and I
populate it and keep it up-to-date by using ‘scp’ to pull across the
shadow password file from our main central server (RT is installed on a
different box).
I have the following script run every 15 minutes or so, which updates
the file htpasswd.users from the shadow password file on the other box:
----------------------------------------------------------------------
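#!/bin/bash
# Copy /etc/shadow and build password file for RT access
HERE=/usr/local/apache/conf
SCP=/usr/local/bin/scp
SHADOW_TARGET=root@centralserver.blah.com:/etc/shadow
SHADOW_LOCAL=$HERE/shadow.tmp
PASSWD_FILE=$HERE/htpasswd.users
# Pull the shadow file from the central server
$SCP -q "$SHADOW_TARGET" "$SHADOW_LOCAL"
# Keep only username and password hash; -F makes grep treat '$1$' as a
# literal string rather than a pattern with an end-of-line anchor
cat "$SHADOW_LOCAL" | cut -f1-2 -d ':' | grep -F '$1$' > "$PASSWD_FILE"
# Remove the temporary copy of the shadow file
rm "$SHADOW_LOCAL"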
----------------------------------------------------------------------
Note that only the username and shadow password are required, hence the
‘cut’ - the ‘grep’ filters out only those passwords that are valid - they
all start ‘$1$’ on my system, at least.
Hope that helps someone. Don’t forget, stop and then restart Apache
etc.
Dave.
Dave Ewart
Dave.Ewart@cancer.org.uk
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
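
Added example, not part of the original message: a stricter form of the cut/grep filter described above. It accepts an entry only when its hash field begins with $1$ (so locked entries such as !$1$... are dropped), can skip named accounts, and replaces the output file only when the result is non-empty. The function names, the skip list and the sample shadow entries are constructed for illustration.

```shell
#!/bin/bash
# Added example; build_htpasswd and sample_shadow are hypothetical names.

# build_htpasswd SHADOW_FILE OUT_FILE [SKIP_USER...]
# Writes "user:hash" lines for accounts whose hash field starts with $1$.
build_htpasswd() {
    local src=$1 out=$2 tmp
    shift 2
    local skip=" $* "
    # mktemp creates the file with mode 0600; it holds password hashes.
    # Ownership so that Apache can read it is site-specific (assumption).
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    awk -F: -v skip="$skip" '
        # Field 2 must begin with the MD5-crypt prefix. Locked ("!$1$...")
        # and disabled ("*") entries fail this test, as do other hash types.
        index($2, "$1$") == 1 && index(skip, " " $1 " ") == 0 {
            print $1 ":" $2
        }
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # An empty result usually means the copy failed; keep the old file.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    # Rename within one directory, so Apache never reads a partial file.
    mv -f "$tmp" "$out"
}

# Constructed sample in shadow(5) format; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$1$CONSTRUCT$rootplaceholderhash000:11999:0:99999:7:::
alice:$1$CONSTRUCT$aliceplaceholderhash0:11999:0:99999:7:::
bob:!$1$CONSTRUCT$bobplaceholderhash000:11999:0:99999:7:::
daemon:*:11999:0:99999:7:::
carol:abJnggxhB/yJg:11999:0:99999:7:::
EOF
}

# Usage (paths as in the script above, skipping root):
#   build_htpasswd "$SHADOW_LOCAL" "$PASSWD_FILE" root
```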