RT3.{2|4} + Apache::AuthenNTLM = 2 problems

Greetings, fellow RTers.

I’ve just installed RT3.4, and run into some peculiar problem. Perhaps someone
was also struggling with such setup, and can give me a hand here.

Anyway: I was hoping to use WebExternalAuth and check passwords on AD controler. Thus:

—8<--------------------------------------------
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , undef);
—8<--------------------------------------------

I want the fallback just in case ADC fails, so I can log in, at least with
locally defined root account.

I’ve also modified apache-modperl.conf to look like this:

—8<--------------------------------------------
<Directory /usr/share/request-tracker3.2/html>
PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
require valid-user

    PerlAddVar ntdomain     "DOMAIN	ADC1 ADC2"
    PerlSetVar defaultdomain DOMAIN
    PerlSetVar splitdomainprefix 1

    SetHandler perl-script
    PerlHandler RT::Mason

<Directory /usr/share/request-tracker3.2/html/NoAuth>
Satisfy Any
Allow from All

—8<--------------------------------------------

And voila! It works!
…but without failback.

With IE, I found no way to stop browser from sending proper NTLM auth header,
so I’m always logged. With Firefox, a window pops out to enter login/pass, so I
hoped I can get RT login page in case I enter wrong login or press esc. When I
press esc, I get ‘Authorization Required’ from Apache. When I supply wrong
login/pass, window is redisplayed again. Not what I want :>

It looks like this in the error log:
[Fri Feb 18 18:36:40 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\ for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\ewrqwer for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\wqerqwe for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\ for /rt/
[Fri Feb 18 18:55:08 2005] [error] access to /rt/ failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /rt/

(series of wrong logins, ended with ESC)

I’ve tried to modify Apache::AuthenNTLM behaviour, by setting ntlmauthoritative to off:

PerlSetVar ntlmauthoritative off

But in that case, I get 500 Internal Server Error:

[Fri Feb 18 19:01:42 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\fasfads for /rt/
[Fri Feb 18 19:01:42 2005] [crit] [client 163.242.13.190] configuration error: couldn’t check user. No user file?: /rt/

… just after first bad login attempt.

Of course this brokes rt command line tool, which is a bit more important to me than fallback.

Exactly the same happens with Basic auth, so I guess it is rather RT related.

Help?

Best regards,

KT.
__ .---------------------------------------------------------------.
(oo) | If God is perfect, why did He create discontinuous functions? |
/ / \ | |
V__V'–.penguin#128720_____________________________________________.–’

._ The little penguin sat on the shore,
@_ watching Jakub Turski write the letter
~~~~~ on the memorable day of 2005/02/18 19:20

Greetings, fellow RTers.
[cut]

Not quite happy to answer to myself, but still… perhaps someone will also
think wrong in the same way as me.

Anyway, I was mistaken about ‘WebFallbackToInternalAuth’ - I was hoping that
it internal auth will be displayed if external one fails. In fact, internal
auth (and its login box) is kicked into action only if external auth succeed,
but REMOTE_USER set by apache doesn’t exist in RT database.

I want the fallback just in case ADC fails, so I can log in, at least with
locally defined root account.

… and thus, I think that this kind of fallback won’t be possible

Of course this brokes rt command line tool, which is a bit more important to
me than fallback.

This one still remains a mistery to me.

I’ve investigated the code of bin/rt, and found that no user/pass is passed to
LWP. Therefore, once any AuthType is in place, I get 401 while using any ‘rt
command’

Simple workaround would be something like this:

<Location /rt/REST>
Satisfy any
allow from localhost

…but it is not always possible/plausible.

According to wiki, bin/rt should not be affected by web auth, but apparently
(judging from code, and sheer fact of usage of LWP this is not the case.
I’ve modified bin/rt to parse .rtrc for three additional arguments in .rtrc:

webuser - user used for web auth
webpass - password used for web auth
webrealm - auth realm set up in apache

The patch itself looks like this:

--------8<-------------------------------------------------------
72a73,75

          webuser => undef,
          webpass => undef,
          webrealm => undef

749a753,761

  # handle web auth
  if (defined $config{'webuser'}) {
          my $serv;
          ($serv = $config{'server'}) =~ s{[^:]+://([^/]+)/?.*}{$1};      # try to get server:port from $config{server}
          $serv .= ":80" if ($serv !~ m{\w+:\d+});                        # add ':80' if port is missing
          $ua->credentials($serv, $config{'webrealm'}, $config{'webuser'} => $config{'webpass'}); # set creds for LWP
  }

1182c1194
< if (/^(user|passwd|server|query|orderby)\s+(.*)\s?$/) {

        if (/^(user|passwd|webuser|webpass|webrealm|server|query|orderby)\s+(.*)\s?$/) {

--------8<-------------------------------------------------------

… and basically works for me ;>

So far I have only tested this with Basic auth, but as there’s LWP::Auth::NTLM
module, it should also work with NTLM auth (I’ll test it on Monday)

Please drop me a line if you find this patch useful. If not, drop mi line as
well, perhaps I’m missing something here? :>

Best regards,

KT.
__ .---------------------------------------------------------------.
(oo) | If God is perfect, why did He create discontinuous functions? |
/ / \ | |
V__V' –.penguin#128720_____________________________________________.–’