RT and Kerberos SSO

Hello,

I try to authenticate my users with Kerberos. In my RT_SiteConfig.pm, I have:

Set($ExternalInfoPriority, [ 'LDAP_DEPTINFO_ST', 'LDAP_Luke', 'LDAP_Wesson' ]);
Set($ExternalServiceUsesSSLorTLS, 0);
Set($AutoCreateNonExternalUsers, 0);
Set(@Plugins,(qw(RT::Authen::ExternalAuth)));
Set($AutoCreate, {Privileged => 1});
Set($LogToFile, 'debug');
Set($LogToFileNamed, 'rt.log');
Set($WebExternalAuth, '1');
Set($WebFallbackToInternalAuth , '1');
Set($WebExternalGecos, undef);
Set($WebExternalAuto, '1');
#Set($LdapMailSearchAttr, 'mail');

Set($ExternalAuthPriority, [ 'MY_LDAP' ]);

Set($ExternalSettings, {
    'MY_LDAP' => {
        'type' => 'ldap',
        # ... remaining MY_LDAP settings were not included in the post
    },
});

When a user sends a message, RT creates his account in the database. Great :)

My problem: now I can't connect to RT (Web interface) with my account, which is already created. I get this:

Error
Cannot create user : Name in use

Any ideas?

Thanks,

JM

Hello,

I try to authenticate my users with Kerberos. In my RT_SiteConfig.pm, I have:

Kerberos usually implies mod_auth_kerb, not RT::Authen::ExternalAuth.

My problem: now I can't connect to RT (Web interface) with my account, which is already created. I get this:

Error
Cannot create user : Name in use

What’s in your error logs? Make sure you turn your logging up to debug.

-kevin

On 11/10/2011 17:34, Kevin Falcone wrote:
> On Mon, Oct 10, 2011 at 08:31:14AM +0200, jm130794 wrote:

Hello,

I try to authenticate my users with Kerberos. In my RT_SiteConfig.pm, I have:

Kerberos usually implies mod_auth_kerb, not RT::Authen::ExternalAuth.

...

My problem: now I can't connect to RT (Web interface) with my account, which is already created. I get this:

Error
Cannot create user : Name in use

What’s in your error logs? Make sure you turn your logging up to debug.

-kevin


RT Training Sessions (http://bestpractical.com/services/training.html)

  • San Francisco, CA, USA — October 18 & 19, 2011
  • Washington DC, USA — October 31 & November 1, 2011
  • Barcelona, Spain — November 28 & 29, 2011

Hello,

I use mod_auth_kerb to authenticate users. I also have an LDAP server to
store my users' information (email, gecos, ...).

In the Apache configuration, I have:

SetHandler perl-script
PerlResponseHandler RT::Mason
AuthType Kerberos
AuthName "RT Kerberos Login"
Krb5Keytab /etc/apache2/apache2_krb5.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms UNIV-FCOMTE.FR
KrbServiceName Any
KrbVerifyKDC Off
KrbAuthoritative Off
KrbSaveCredentials On
#KrbLocalUserMapping On
# Doesn't work for me! ==> I remove @univ-fcomte.fr in local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
require valid-user

Log contents after I tried to log into RT:

[Tue Oct 11 18:23:10 2011] [debug]: ENTRE DANS CanonicalizeUserInfo:
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:434)
[Tue Oct 11 18:23:10 2011] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm 20
with: Disabled: 0, EmailAddress: , Gecos: jmcarica@univ-fcomte.fr, Name:
jmcarica@univ-fcomte.fr, Privileged: 1
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:453)
[Tue Oct 11 18:23:10 2011] [debug]: Attempting to get user info using
this external service: LDAP_DEPTINFO_ST
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:464)
[Tue Oct 11 18:23:10 2011] [debug]: Attempting to use this
canonicalization key: Name
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:478)
[Tue Oct 11 18:23:10 2011] [debug]: LDAP Search === Base:
ou=people,dc=univ-fcomte,dc=fr == Filter:
(&(objectClass=posixAccount)(uid=jmcarica)) == Attrs:
cn,mail,uid,gecos,uid
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth/LDAP.pm:195)
[Tue Oct 11 18:23:10 2011] [info]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: 0,
EmailAddress: jean-michel.caricand@univ-fcomte.fr, ExternalAuthId:
jmcarica, Gecos: jmcaricand, Name: jmcarica, Privileged: 1, RealName:
caricand jean-michel
(/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:542)
[Tue Oct 11 18:23:11 2011] [debug]: RT's GnuPG libraries couldn't
successfully read your configured GnuPG home directory
(/opt/rt3/var/data/gpg). PGP support has been disabled
(/opt/rt3/bin/…/lib/RT/Config.pm:339)
[Tue Oct 11 18:23:11 2011] [debug]: RT's GnuPG libraries couldn't
successfully read your configured GnuPG home directory
(/opt/rt3/var/data/gpg). PGP support has been disabled
(/opt/rt3/bin/…/lib/RT/Config.pm:339)
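The debug lines above show the login arriving at CanonicalizeUserInfo as jmcarica@univ-fcomte.fr and leaving it as jmcarica. As an added illustration, written for this page and not taken from RT or RT::Authen::ExternalAuth, the Python below models the load-or-autocreate path that $WebExternalAuto follows, using an in-memory user table constructed from the psql output later in the thread. local_user(), canonicalize() and web_external_auto() are assumed names for the model, the trusted-realm list is an assumption, and the LDAP stand-in is a constructed dictionary; the real logic lives in RT::User and the plugin.

```python
"""Model (not RT code) of: look up the web-auth user by REMOTE_USER, and if
that fails, canonicalize and try to create it.  Shows why a principal that
keeps its realm can end in "Name in use" when the canonicalized name already
exists, and how stripping a trusted realm first (what KrbLocalUserMapping is
meant to do) turns the same login into a plain load."""

# Constructed sample of the RT users table, after the psql output in the thread
USERS = [
    {"Name": "RT_System", "EmailAddress": ""},
    {"Name": "Nobody", "EmailAddress": ""},
    {"Name": "jmcarica", "EmailAddress": "jean-michel.caricand@univ-fcomte.fr",
     "Gecos": "jmcaricand"},
]

# Constructed stand-in for the LDAP directory (uid -> attributes), matching the
# record that CanonicalizeUserInfo returned in the log
LDAP = {
    "jmcarica": {"mail": "jean-michel.caricand@univ-fcomte.fr",
                 "gecos": "jmcaricand", "cn": "caricand jean-michel"},
}

# Assumption: only principals from these realms are mapped to bare local names;
# a foreign realm stays attached so it cannot collide with a local account
TRUSTED_REALMS = ("UNIV-FCOMTE.FR",)


def local_user(principal, realms=TRUSTED_REALMS):
    """Strip a trusted realm from a REMOTE_USER value (user@REALM -> user)."""
    if "@" in principal:
        user, realm = principal.rsplit("@", 1)
        if realm.upper() in realms:
            return user
    return principal


def canonicalize(info):
    """Model of CanonicalizeUserInfo: fill the record from LDAP, keyed by uid."""
    uid = local_user(info["Name"])
    rec = LDAP.get(uid)
    if rec is None:
        return dict(info)            # no LDAP match: record unchanged
    return {"Name": uid, "EmailAddress": rec["mail"],
            "Gecos": rec["gecos"], "RealName": rec["cn"]}


def find_user(users, name):
    """Load a user by Name, or None."""
    return next((u for u in users if u["Name"] == name), None)


def web_external_auto(users, remote_user, map_local_user):
    """Model of $WebExternalAuto: load by REMOTE_USER, else create.

    Returns (outcome, name).  map_local_user=True models KrbLocalUserMapping
    (realm stripped before the lookup); False models the raw principal."""
    login = local_user(remote_user) if map_local_user else remote_user
    if find_user(users, login):
        return ("loaded", login)
    info = canonicalize({"Name": login, "EmailAddress": "", "Gecos": login})
    # RT's unique indexes: the canonicalized Name and a non-empty EmailAddress
    if find_user(users, info["Name"]):
        return ("Cannot create user: Name in use", info["Name"])
    if info["EmailAddress"] and any(
            u["EmailAddress"] == info["EmailAddress"] for u in users):
        return ("Cannot create user: Email address in use", info["Name"])
    users.append(info)
    return ("created", info["Name"])


if __name__ == "__main__":
    for mapped in (False, True):
        table = [dict(u) for u in USERS]
        print("KrbLocalUserMapping", "On " if mapped else "Off",
              web_external_auto(table, "jmcarica@UNIV-FCOMTE.FR", mapped))
```

Run with the raw principal and the create path hits the existing jmcarica row; run with realm mapping and the same login is simply loaded. Comparing email addresses as well as names, as Kevin suggests below, is what the second uniqueness check models.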

[Tue Oct 11 18:23:10 2011] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
20 with: Disabled: 0, EmailAddress: , Gecos:
jmcarica@univ-fcomte.fr, Name: jmcarica@univ-fcomte.fr, Privileged:

Did you mean to stash your email address in the Gecos or in the
EmailAddress field? I suspect you’re failing because you can’t have
two users with the empty email address in your unique index.

-kevin

On 11/10/2011 20:43, Kevin Falcone wrote:
> On Tue, Oct 11, 2011 at 08:29:20PM +0200, jm130794 wrote:

[Tue Oct 11 18:23:10 2011] [debug]:
RT::Authen::ExternalAuth::CanonicalizeUserInfo called by RT::User
/opt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/User_Vendor.pm
20 with: Disabled: 0, EmailAddress: , Gecos:
jmcarica@univ-fcomte.fr, Name: jmcarica@univ-fcomte.fr, Privileged:
Did you mean to stash your email address in the Gecos or in the
EmailAddress field? I suspect you’re failing because you can’t have
two users with the empty email address in your unique index.

-kevin


I use EmailAddress to store my email. Only two users don't have email:
RT_System and Nobody.

rt3=# select Name,EmailAddress,gecos from users where Name like 'jmcarica';
   name   |             emailaddress            |   gecos
----------+-------------------------------------+------------
 jmcarica | jean-michel.caricand@univ-fcomte.fr | jmcaricand
(1 ligne)

Jean-Michel

I use EmailAddress to store my email. Only two users don't have
email: RT_System and Nobody.

rt3=# select Name,EmailAddress,gecos from users where Name like 'jmcarica';
   name   |             emailaddress            |   gecos
----------+-------------------------------------+------------
 jmcarica | jean-michel.caricand@univ-fcomte.fr | jmcaricand

I suggest you do like ‘%jmcarica%’ so it does the search you intended.
I suggest you also compare email addresses.

You didn’t provide any of your mappings for your 3 canonicalization
lookups, so unfortunately we’re just guessing back and forth at what
happens, but at least one of yours appeared to have a Gecos mismatch.

-kevin

jm130794 wrote:

Hello,

I use mod_auth_kerb to authenticate users. I also have an LDAP server to
store my users' information (email, gecos, ...).

In the Apache configuration, I have:

SetHandler perl-script
PerlResponseHandler RT::Mason
AuthType Kerberos
AuthName "RT Kerberos Login"
Krb5Keytab /etc/apache2/apache2_krb5.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms UNIV-FCOMTE.FR
KrbServiceName Any
KrbVerifyKDC Off
KrbAuthoritative Off
KrbSaveCredentials On
#KrbLocalUserMapping On
# Doesn't work for me! ==> I remove @univ-fcomte.fr in local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
require valid-user

Hi jm130794,
I know this has nothing to do with RT directly,
but apparently you are not using your Kerberos authentication yet. You set
in your httpd.conf the following line:
KrbVerifyKDC Off
which means that the Kerberos tickets are never checked against your KDC.
You can also read about it at
Kerberos Module for Apache.
It says:
This option can be used to disable the verification tickets against local
keytab to prevent KDC spoofing attacks. It should be used only for testing
purposes. You have been warned.
Although mod_auth_kerb gave me a lot fewer headaches with a disabled
KrbVerifyKDC I knew that it would only show me how RT would behave if
mod_auth_kerb really worked.

Now, I have a working Kerberos auth here and would like to share it with
others, but I’m currently checking if I could improve the authentication
behavior somehow because my config is really a shambles now. :wink:

I hope that this could help you a bit.
Have a nice day!
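As an added example, not from the thread or from mod_auth_kerb, the Python below audits the directives quoted earlier in the thread and flags the setting this reply warns about, KrbVerifyKDC Off, together with KrbAuthoritative Off (which, per the mod_auth_kerb documentation, lets a failed Kerberos check fall through to other authentication modules). The directive names are real mod_auth_kerb options; the sample configuration block, the rule table and the function names are constructed here.

```python
"""Audit an Apache mod_auth_kerb block for the weak settings discussed above
and emit a hardened copy.  Added example; the rule table is an assumption
made for this page, not part of mod_auth_kerb or RT."""
import shlex

# Constructed sample: the directives from the thread, one per line, with the
# Perl handler lines left out because they are not authentication settings
SAMPLE_CONFIG = """
AuthType Kerberos
AuthName "RT Kerberos Login"
Krb5Keytab /etc/apache2/apache2_krb5.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms UNIV-FCOMTE.FR
KrbServiceName Any
KrbVerifyKDC Off
KrbAuthoritative Off
KrbSaveCredentials On
require valid-user
"""

# directive -> (safe value, why the other value is a risk)
HARDENING_RULES = {
    "KrbVerifyKDC": ("On",
        "tickets are not verified against the local keytab, so a spoofed KDC "
        "is accepted (the mod_auth_kerb docs allow Off for testing only)"),
    "KrbAuthoritative": ("On",
        "a failed Kerberos check is passed on to other auth modules instead "
        "of being rejected"),
}


def parse_directives(text):
    """Return [(directive, value)] for every non-blank, non-comment line.

    shlex handles quoted values such as AuthName "RT Kerberos Login"."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0], " ".join(parts[1:])))
    return out


def audit(text):
    """Return [(directive, found, expected, reason)] for each weak setting."""
    findings = []
    for name, value in parse_directives(text):
        rule = HARDENING_RULES.get(name)
        if rule and value.lower() != rule[0].lower():
            findings.append((name, value, rule[0], rule[1]))
    return findings


def harden(text):
    """Return the block with each weak directive set to its safe value;
    every other line, including comments and quoting, is kept verbatim."""
    lines = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            parts = shlex.split(stripped)
            rule = HARDENING_RULES.get(parts[0])
            if rule and " ".join(parts[1:]).lower() != rule[0].lower():
                line = f"{parts[0]} {rule[0]}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    for name, found, expected, reason in audit(SAMPLE_CONFIG):
        print(f"{name} {found}: set to {expected} ({reason})")
    print(harden(SAMPLE_CONFIG))
```

Running it against the quoted block reports both directives; the hardened copy passes a second audit cleanly while leaving the keytab, realm and method settings untouched.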
