jm130794 wrote:
> Hello,
>
> I use mod_auth_kerb to authenticate users. I also have an LDAP server to
> store my users' information (email, gecos, ...).
>
> In the Apache configuration, I have:
>
> <Location />
> SetHandler perl-script
> PerlResponseHandler RT::Mason
> AuthType Kerberos
> AuthName "RT Kerberos Login"
> Krb5Keytab /etc/apache2/apache2_krb5.keytab
> KrbMethodNegotiate On
> KrbMethodK5Passwd On
> KrbAuthRealms UNIV-FCOMTE.FR
> KrbServiceName Any
> KrbVerifyKDC Off
> KrbAuthoritative Off
> KrbSaveCredentials On
> #KrbLocalUserMapping On
> #Doesn't work for me ! ==> I remove @univ-fcomte.fr in
> #local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
> require valid-user
> </Location>

Hi jm130794,

I know this has nothing to do with RT directly, but apparently you are not using your Kerberos authentication yet. You set in your httpd.conf the following line:

    KrbVerifyKDC Off

which means that the Kerberos tickets are never checked against your KDC. You can also read about it at http://modauthkerb.sourceforge.net/configure.html. It says:

    This option can be used to disable the verification tickets against local keytab to prevent KDC spoofing attacks. It should be used only for testing purposes. You have been warned.

Although mod_auth_kerb gave me a lot fewer headaches with a disabled KrbVerifyKDC, I knew that it would only show me how RT would behave if mod_auth_kerb really worked.

Now, I have a working Kerberos auth here and would like to share it with others, but I'm currently checking if I could improve the authentication behavior somehow because my config is really a shambles now. ;)

I hope that this could help you a bit.

Have a nice day!

--
View this message in context: http://old.nabble.com/RT-and-Kerberos-SSO-tp32622384p32687466.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.
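
A way to catch the setting discussed in this thread before a test configuration reaches production, as an added example that is not part of the original messages or of mod_auth_kerb: a small audit that reports Kerberos-protected sections where KrbVerifyKDC is Off. The function names and the sample configuration are constructed for illustration, and inheritance between nested sections is not modelled.

```python
import re

# Constructed sample, modelled on the configuration quoted in this thread.
SAMPLE_CONF = """\
<Location />
    AuthType Kerberos
    KrbMethodK5Passwd On
    KrbVerifyKDC Off
    require valid-user
</Location>
<Location /api>
    AuthType Kerberos
    KrbMethodK5Passwd Off
    require valid-user
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*(\w+)\s*>$")

def parse_sections(text):
    """Return [(section, {directive: value})]; no merging between sections is modelled."""
    done, stack = [], [("(server)", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out directives
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                done.append(stack.pop())
        elif (m := OPEN.match(line)):
            stack.append((f"{m.group(1)} {m.group(2)}".strip(), {}))
        else:
            name, *rest = line.split(None, 1)
            stack[-1][1][name.lower()] = rest[0].strip() if rest else ""
    return done + stack

def audit(text):
    """Flag Kerberos-protected sections where ticket verification is switched off."""
    findings = []
    for section, d in parse_sections(text):
        if d.get("authtype", "").lower() != "kerberos":
            continue
        # Assumed defaults when a directive is absent: KrbVerifyKDC on, KrbMethodK5Passwd on.
        verify = d.get("krbverifykdc", "on").lower()
        passwd = d.get("krbmethodk5passwd", "on").lower()
        if verify == "off":
            findings.append((section, "KrbVerifyKDC Off", f"password login {passwd}"))
    return findings
```

Calling audit(SAMPLE_CONF) reports only the first section; the second one relies on the default and is not flagged.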
