On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> Hi,
> I would like to change standard access to RT from username/pw to
> certificates authorization. Is there any simple way to do that ? Or
> any additions to the RT ?

I'm testing a simple alternative to External Auth. I have a Callback
placed under local/html/Callbacks/ICZAuth/autohandler/Auth

-------------------------<snip>-------------------------
%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;

# Skip when a user is already logged in or no client certificate was exported.
unless ( $session{'CurrentUser'} && $session{'CurrentUser'}->id()
        || !$ENV{'SSL_CLIENT_CERT'} ) {
    # SSL_CLIENT_CERT holds the PEM certificate (needs SSLOptions +ExportCertData).
    my $x509 = Crypt::OpenSSL::X509->new_from_string($ENV{'SSL_CLIENT_CERT'});
    my $email = lc($x509->email());
    $session{'CurrentUser'} = RT::CurrentUser->new();
    # Map the certificate's email address to an existing RT user.
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: $email");
}
</%init>
-------------------------<snip>-------------------------

You must install Crypt::OpenSSL (e.g. libcrypt-openssl-x509-perl in
Debian). An email address from the Subject Alternative Name of the X.509
certificate is extracted and a corresponding user is loaded based on
the email address.

Interesting part of the Apache configuration:

    SSLVerifyClient require
    SSLOptions +ExportCertData +StdEnvVars

Best Regards
-- 
Zito
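
Added example, not part of the original message and not RT's own code: a stricter way to choose the address passed to LoadByEmail() in a callback like the one above. The helper name select_login_email is hypothetical, the inputs are constructed, and it assumes that email() can return several space-separated addresses and that mod_ssl exports SSL_CLIENT_VERIFY via +StdEnvVars.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: decide which address, if any, may be used for login.
#   $env        - hash ref of the request environment (mod_ssl variables)
#   $cert_email - string returned by Crypt::OpenSSL::X509->email()
# Returns a lower-cased address, or undef when login must not proceed.
sub select_login_email {
    my ($env, $cert_email) = @_;

    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    # FAILED:reason. Only SUCCESS means the chain validated against the
    # configured CA, which matters if SSLVerifyClient is ever relaxed.
    return undef unless ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';

    # Assumption: email() may return several space-separated addresses.
    my %seen;
    my @addrs = grep { !$seen{$_}++ }
                map  { lc($_) } split ' ', ($cert_email // '');

    # Refuse empty or ambiguous identities instead of guessing.
    return undef unless @addrs == 1;

    # Minimal shape check; this is not a full RFC 5322 parser.
    return $addrs[0] =~ /\A[^\s@]+@[^\s@]+\z/ ? $addrs[0] : undef;
}

# In the callback this would replace the direct lc($x509->email()) call:
#   my $email = select_login_email(\%ENV, $x509->email());
# and the session user would be kept only if LoadByEmail() found a user.

# Constructed sample inputs (not real certificates or users).
my @cases = (
    [ { SSL_CLIENT_VERIFY => 'SUCCESS' }, 'Alice@Example.ORG' ],
    [ { SSL_CLIENT_VERIFY => 'SUCCESS' }, 'a@example.org b@example.org' ],
    [ { SSL_CLIENT_VERIFY => 'FAILED:certificate has expired' }, 'a@example.org' ],
    [ { SSL_CLIENT_VERIFY => 'NONE' }, '' ],
);
for my $c (@cases) {
    my $result = select_login_email(@$c);
    printf "%-32s %-30s => %s\n",
        $c->[0]{SSL_CLIENT_VERIFY}, "'$c->[1]'", $result // '(no login)';
}
```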