Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Tue, 03 Sep 2013 23:38:14 -0700 

Hi,

there are these settings in RT:

# tells RT to use the REMOTE_USER provided by the web server
Set($WebExternalAuth , 1);
 # tells RT to display its normal login screen if REMOTE_USER fails
Set($WebFallbackToInternalAuth , 1);
 # tells RT to create users automatically if no user matching REMOTE_USER is 
found
Set($WebExternalAuto , 1);

I have them all set except the last one as we use LDAPImport. So I would expect 
RT to not drop the REMOTE_USER. Or is this obsolete?

Best Regards,
Oliver
From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of 
Ruslan Zakirov
Sent: Dienstag, 3. September 2013 21:47
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER and 
not to drop it? If a web server would pass remotely provided REMOTE_USER 
further to an app without additional configuration then we wouldn't use it for 
authentication.

On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann 
<oliver.weinm...@telespazio-vega.de<mailto:oliver.weinm...@telespazio-vega.de>> 
wrote:
Hi all,

we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we 
need to get the setup running through our reverse proxy.

What we have on our reverse proxy is this:

ProxyPass        /rt/             http://hostname.local/rt/ max=100
ProxyPassReverse /rt/             http://hostname.local/rt/

        RedirectMatch ^/$ /rt/

        # Proxy all locations
        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Deny from none
        </Proxy>


        <Location /rt>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms KRB5.LOCAL
        Krb5KeyTab /etc/apache2/host.keytab
        KrbMethodNegotiate on
        KrbAuthoritative on
        KrbMethodK5Passwd off
        KrbSaveCredentials on
        require valid-user

        # SSO
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e

        </Location>

Running tcpdump we can see that REMOTE_USER is set and send to the host hosting 
RT. It looks like RT is not picking it up. As far as I understood is that my 
user gets authenticated at the proxy and RT should trust these credentials and 
log in the user.



--
Best regards, Ruslan.

Reply via email to