Problem with login when we using https://

Hi All,

RT from deb, version 3.8.8

we have strange problem, we are using certificates for authentication
to RT. User name in RT should be the same as your CN. The problem is
if we have different user name and using https://, in normal case we
should be able to use user/pass. And we are, but until we click on any
link. After that we will be automatically logged off.

Any idea what is wrong or perhaps this is not issues ?? If this is not
issues pleace tell me way this happend.

Best Regards
Adrian Stelmaszyk

we have strange problem, we are using certificates for authentication
to RT. User name in RT should be the same as your CN. The problem is
if we have different user name and using https://, in normal case we
should be able to use user/pass. And we are, but until we click on any
link. After that we will be automatically logged off.

Please provide the link before and after the click that logs you off.
You also should provide your configuration and relevant logs.

-kevin

Hi Kevin,

link after log in:
https://rt.ige.psnc.pl/rt/

link after log off depends on where I click:
https://rt.ige.psnc.pl/rt/Search/Build.html
https://rt.ige.psnc.pl/rt/Prefs/Other.html

this is log:
[Thu Jul 21 08:06:28 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:07:12 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)

Adrian2011/7/20 Kevin Falcone falcone@bestpractical.com:

On Wed, Jul 20, 2011 at 01:35:22PM +0200, Adrian Stel wrote:

we have strange problem, we are using certificates for authentication
to RT. User name in RT should be the same as your CN. The problem is
if we have different user name and using https://, in normal case we
should be able to use user/pass. And we are, but until we click on any
link. After that we will be automatically logged off.

Please provide the link before and after the click that logs you off.
You also should provide your configuration and relevant logs.

-kevin


2011 Training: http://bestpractical.com/services/training.html

Pozdrawiam
Adrian Stelmaszyk

Hi,

I forgot added configuration info:

RT_SiteConfig.pm

tells RT to use the REMOTE_USER provided by the web server

Set($WebExternalAuth , 1);

tells RT to display its normal login screen if REMOTE_USER fails

Set($WebFallbackToInternalAuth , 1);

tells RT to create users automatically if no user matching

REMOTE_USER is found
Set($WebExternalAuto , 0);

Set($WebExternalAuthContinuous, 1);

httpd.conf

<VirtualHost *:443>

SSLEngine On
SSLVerifyClient require
SSLVerifyDepth 1

SSL_CLIENT_S_DN_CN = user name from cert

SSLUserName SSL_CLIENT_S_DN_CN

SSLCACertificatePath /usr/lib/ssl/certs/
SSLCADNRequestPath /usr/lib/ssl/certs/

server cert

SSLCertificateFile /etc/apache2/ssl/10563550.pem
SSLCertificateKeyFile /etc/apache2/ssl/myserver.key

CA cert

SSLCertificateChainFile /etc/apache2/ssl/ca.crt
SSLCACertificateFile /etc/apache2/ssl/ca.crt

ServerAdmin info@mydomain.com
ServerName rt.ige.psnc.pl:443
DocumentRoot /var/www/
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

Include "/etc/request-tracker3.8/apache2-modperl2.conf"
RedirectMatch ^/$ /rt/

2011/7/21 Adrian Stel adisan82@gmail.com:

Hi Kevin,

link after log in:
https://rt.ige.psnc.pl/rt/

link after log off depends on where I click:
https://rt.ige.psnc.pl/rt/Search/Build.html
https://rt.ige.psnc.pl/rt/Prefs/Other.html

this is log:
[Thu Jul 21 08:06:28 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:07:12 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)

Adrian

2011/7/20 Kevin Falcone falcone@bestpractical.com:

On Wed, Jul 20, 2011 at 01:35:22PM +0200, Adrian Stel wrote:

we have strange problem, we are using certificates for authentication
to RT. User name in RT should be the same as your CN. The problem is
if we have different user name and using https://, in normal case we
should be able to use user/pass. And we are, but until we click on any
link. After that we will be automatically logged off.

Please provide the link before and after the click that logs you off.
You also should provide your configuration and relevant logs.

-kevin


2011 Training: http://bestpractical.com/services/training.html


Pozdrawiam
Adrian Stelmaszyk

Pozdrawiam
Adrian Stelmaszyk

Hi Kevin,

link after log in:
https://rt.ige.psnc.pl/rt/

link after log off depends on where I click:
https://rt.ige.psnc.pl/rt/Search/Build.html
https://rt.ige.psnc.pl/rt/Prefs/Other.html

Is it any link that logs you off, or in particular those two?
I also note that you say that you’re using SSL certs but falling back
to internal auth. Are the SSL certs ever working? If not, it’s
entirely possible that RT is clearing your cooking on every page
because you’ve told it to get the REMOTE_USER from your SSL certs.

-kevin

Is it any link that logs you off, or in particular those two?
I also note that you say that you’re using SSL certs but falling back
to internal auth. Are the SSL certs ever working? If not, it’s
entirely possible that RT is clearing your cooking on every page

I typically clean as I cook too! :wink:

Hi,

it does not matter where I click, RT always log me off.

this is only two of the many examples:

https://rt.ige.psnc.pl/rt/Search/Build.html
https://rt.ige.psnc.pl/rt/Prefs/Other.html

Yes certs works great. When I have CN = RT user name, I will be log in
automatically, problem appears when you try use https:// with CN <> RT
user name and use your user/pass.

Any Idea ?

Best Regards2011/7/21 Kevin Falcone falcone@bestpractical.com:

On Thu, Jul 21, 2011 at 10:10:31AM +0200, Adrian Stel wrote:

Hi Kevin,

link after log in:
https://rt.ige.psnc.pl/rt/

link after log off depends on where I click:
https://rt.ige.psnc.pl/rt/Search/Build.html
https://rt.ige.psnc.pl/rt/Prefs/Other.html

Is it any link that logs you off, or in particular those two?
I also note that you say that you’re using SSL certs but falling back
to internal auth. Are the SSL certs ever working? If not, it’s
entirely possible that RT is clearing your cooking on every page
because you’ve told it to get the REMOTE_USER from your SSL certs.

-kevin

this is log:
[Thu Jul 21 08:06:28 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:06:29 2011] [error]: gpg: error reading key: public key
not found (/usr/share/request-tracker3.8/lib/RT/Crypt/GnuPG.pm:2115)
[Thu Jul 21 08:07:12 2011] [info]: Successful login for adisan from
150.254.149.220
(/usr/share/request-tracker3.8/lib/RT/Interface/Web.pm:430)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/100
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)
[Thu Jul 21 08:07:13 2011] [warning]: Resolver RT::URI::fsck_com_rt
could not parse fsck.com-rt://IGE /ticket/99
(/usr/share/request-tracker3.8/lib/RT/URI.pm:147)

Adrian

2011/7/20 Kevin Falcone falcone@bestpractical.com:

On Wed, Jul 20, 2011 at 01:35:22PM +0200, Adrian Stel wrote:

we have strange problem, we are using certificates for authentication
to RT. User name in RT should be the same as your CN. The problem is
if we have different user name and using https://, in normal case we
should be able to use user/pass. And we are, but until we click on any
link. After that we will be automatically logged off.

Please provide the link before and after the click that logs you off.
You also should provide your configuration and relevant logs.

-kevin


2011 Training: http://bestpractical.com/services/training.html


Pozdrawiam
Adrian Stelmaszyk


2011 Training: http://bestpractical.com/services/training.html


2011 Training: http://bestpractical.com/services/training.html

Pozdrawiam
Adrian Stelmaszyk

Yes certs works great. When I have CN = RT user name, I will be log in
automatically, problem appears when you try use https:// with CN <> RT
user name and use your user/pass.

I bet RT is clearing your cookie when CN <> RT on every request.
Try turning off WebExternalAuthContinuous and seeing if that helps,
but understand the consequences.

Alternately, you can provide 2 VirtualHosts for RT and just have users
who can’t use Certs log in on the other one. This is a common
solution to provide an alternate domain where you can log in as root

-kevin