Hi,

Looks like you have to configure DatabaseHost, DatabaseUser and DatabasePassword properly and the KRB5CCNAME environment variable. As I recall we clean up ENV somewhere. Try putting it directly in the ConnectToDatabase function in RT.pm.

On Mon, Jun 25, 2012 at 9:33 PM, Natxo Asenjo <[email protected]> wrote:
> On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone <[email protected]>
> wrote:
>>
>> On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
>> > Using postgresql (or oracle possibly) it is possible to use
>> > kerberos/gssapi to log in to the database.
>> >
>> > If I create a kerberos service principal
>> > rt/myserver.domain.tld/MYREALM.TLD I can log in to the
>> > postgresql database with a keytab for this principal.
>> >
>> > How can I tell the request tracker application it has to use this
>> > keytab instead of setting a username/password in clear text in a
>> > config file? This would be a huge security improvement IMO.
>> >
>> > With other apps I can use the KRB5CCNAME variable to specify where
>> > the ticket cache file is and use that.
>>
>> If DBD::Pg or DBD::Oracle can do it, then RT should be able to
>> leverage that. You'll need to review the driver documentation for how
>> the configuration needs to be set up.
>>
>
> DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
> me if I am wrong).
>
> I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
> postgresql login role in the postgresql server with the same name, no
> passwords.
>
> After that I retrieved the keytab for the service principal and saved it in
> a file rt.keytab.
>
> Then I wrote this snippet:
>
> use strict;
> use warnings;
>
> use Authen::Krb5::Easy qw( kinit kdestroy kerror );
>
> my $keytab = '/home/admin/rt.keytab';
> my $ccache = '/tmp/rt.ccache';
> my $principal = 'rt/webserver01.ipa.asenjo.nx';
>
> print $principal, "\n";
>
> $ENV{KRB5CCNAME} = $ccache;
>
> kinit( $keytab, $principal ) || die kerror();
>
> use DBI;
>
> my $dbhost = "postgres.ipa.asenjo.nx";
>
> my $dbh = DBI->connect(
>     "DBI:Pg:dbname=template1;host=$dbhost",$principal,'');
>
> my $sth = $dbh->prepare("select usename from pg_catalog.pg_user") ;
>
> $sth->execute();
>
> # save the postgres roles in value of hash, key not important
> my %postgres_roles;
> while ( my @data = $sth->fetchrow_array() ) {
>     $postgres_roles{$data[0]} = $data[0];
> }
>
> print %postgres_roles;
>
> And I see the list of roles in the postgresql server, so it works using the
> kerberos principal.
>
> So how can I tell rt to look in the kerberos cache file for its kerberos
> credentials?
>
> TIA,
> --
> natxo
>

--
Best regards, Ruslan.
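
A hardened variant of the quoted snippet, as an added example that is not part of the thread and not RT's own code: it refuses a keytab or cache directory that other users can access, because a keytab is as sensitive as the password it replaces. The keytab path, principal and host are the ones from the quoted snippet; the cache directory and the `assert_private` helper are assumptions.

```perl
# Added example, not RT code. $cache_dir and assert_private() are hypothetical.
use strict;
use warnings;
use Authen::Krb5::Easy qw( kinit kerror );
use DBI;
use Fcntl qw( :mode );

my $keytab    = '/home/admin/rt.keytab';
my $cache_dir = '/var/run/rt-krb5';    # assumed: private directory for the RT user
my $principal = 'rt/webserver01.ipa.asenjo.nx';
my $dbhost    = 'postgres.ipa.asenjo.nx';

# Die unless $path is owned by the current user and closed to group and other.
sub assert_private {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path is not owned by uid $>\n" unless $st[4] == $>;
    die sprintf( "%s has mode %04o, expected no group/other access\n",
        $path, S_IMODE( $st[2] ) )
        if $st[2] & ( S_IRWXG | S_IRWXO );
    return 1;
}

# Anyone who can read the keytab can authenticate as the principal.
assert_private($keytab);

# Keep the ticket cache out of a shared, predictable path such as /tmp.
-d $cache_dir or mkdir( $cache_dir, 0700 ) or die "mkdir $cache_dir: $!\n";
assert_private($cache_dir);
$ENV{KRB5CCNAME} = "$cache_dir/rt.ccache";

kinit( $keytab, $principal ) or die "kinit failed: " . kerror() . "\n";

# Empty password: authentication comes from the ticket found via KRB5CCNAME.
my $dbh = DBI->connect( "DBI:Pg:dbname=template1;host=$dbhost",
    $principal, '', { RaiseError => 1, PrintError => 0 } );

# Same query as the quoted snippet, printed one role per line.
my $roles = $dbh->selectcol_arrayref('select usename from pg_catalog.pg_user');
print "$_\n" for @$roles;
$dbh->disconnect;
```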
