Re: [rt-users] Certificate based access instead of username/pw

2011-07-05 Thread Thomas Sibley
On 07/04/2011 08:11 AM, Adrian Stel wrote:
> Hi Thomas,
>
> I need help with this ;/
>
> How can I configure Apache to put something to the REMOTE_USER ?

Please keep replies to the list, not personal mail.  The documentation
for Apache is probably a good place to start for how to configure it.

Thomas


2011 Training: http://bestpractical.com/services/training.html


Re: [rt-users] Certificate based access instead of username/pw

2011-07-01 Thread Adrian Stel
Hi,


when I have

Set($WebExternalAuth, 1);

I'm not able to log in using user/pass. There is missing text box ;/


Any idea ?



Best Regards
Adrian

2011/7/1 Adrian Stel adisa...@gmail.com

> Hi,
>
> I would like to change standard access to RT from username/pw to
> certificates authorization.
>
> This is what I made
>
> in file:
> /usr/share/request-tracker3.8/etc/RT_Config.pm
>
> Set($WebExternalAuth, 1);
> Set($WebExternalAuthContinuous, 1);
> Set($WebFallbackToInternalAuth , undef);
>
> What next ?
>
> I got this information:
>
> SSLVerifyClient require
>
> SSLUserName SSL_CLIENT_S_DN_UID
>
> %u (remote user) logs as - for me, so is no help
> other than to indicate it's not working.
>
> But how I should read this info ?
>
> Of course I have all of the cert stuff working fine (required).
>
> Here is the link:
>
> rt.ige.psnc.pl
>
> https://r.ige.psnc.pl
>
> --
> Best Regards,
> Adrian Stelmaszyk




-- 
Regards
Adrian Stelmaszyk



Re: [rt-users] Certificate based access instead of username/pw

2011-07-01 Thread Thomas Sibley
On 07/01/2011 07:02 AM, Adrian Stel wrote:
> when I have
>
> Set($WebExternalAuth, 1);
>
> I'm not able to log in using user/pass. There is missing text box ;/

You said you Set($WebFallbackToInternalAuth, undef) which means internal
auth should never be used.  Please read the doc for that option in
etc/RT_Config.pm.

As for your REMOTE_USER problem, you'll likely need to configure Apache
to put something unique in there so RT can key on it.

Thomas




Re: [rt-users] Certificate based access instead of username/pw

2011-02-22 Thread Václav Ovsík
On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> Hi,
> I would like to change standard access to RT from username/pw to
> certificates authorization. Is there any simple way to do that ? Or
> any additions to the RT ?

I'm testing a simple alternative to External Auth.
I have a Callback placed under
local/html/Callbacks/ICZAuth/autohandler/Auth

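-snip-
%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;

# Skip when a user is already loaded in the session or when Apache
# exported no client certificate.
unless ( $session{'CurrentUser'} && $session{'CurrentUser'}->id() ||
         !$ENV{'SSL_CLIENT_CERT'} )
{
    # SSL_CLIENT_CERT holds the PEM client certificate (SSLOptions +ExportCertData).
    my $x509 = Crypt::OpenSSL::X509->new_from_string($ENV{'SSL_CLIENT_CERT'});
    my $email = lc($x509->email());

    # Map the certificate's email address to an existing RT user.
    $session{'CurrentUser'} = RT::CurrentUser->new();
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: $email");
}

</%init>
-snip-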

You must install Crypt::OpenSSL (e.g. libcrypt-openssl-x509-perl in
Debian). An email address from the Subject Alternative Name of the X.509
certificate is extracted and a corresponding user is loaded based on
an email address.

Interesting part on Apache configuration:

SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars

Best Regards
-- 
Zito


Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Kevin Falcone
On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> I would like to change standard access to RT from username/pw to
> certificates authorization. Is there any simple way to do that ? Or
> any additions to the RT ?

You should be able to have Apache do the auth and pass that along to
RT.  For the RT config, you want to read about WebExternalAuth in
RT_Config.pm




Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Jeff Blaine

If you ever get this working, please let me know.  I've
tried and failed.

On 2/21/2011 2:35 PM, Kevin Falcone wrote:

> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>> I would like to change standard access to RT from username/pw to
>> certificates authorization. Is there any simple way to do that ? Or
>> any additions to the RT ?
>
> You should be able to have Apache do the auth and pass that along to
> RT.  For the RT config, you want to read about WebExternalAuth in
> RT_Config.pm


Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Kevin Falcone
On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>> I would like to change standard access to RT from username/pw to
>>> certificates authorization. Is there any simple way to do that ? Or
>>> any additions to the RT ?
>>
>> You should be able to have Apache do the auth and pass that along to
>> RT.  For the RT config, you want to read about WebExternalAuth in
>> RT_Config.pm
> If you ever get this working, please let me know.  I've
> tried and failed.

You don't say what failed, but the Apache side is just
SSLVerifyClient require
plus
SSLUserName

and I've worked with folks who have this set up, so it is certainly
possible.

-kevin




Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Thomas Smith
On Mon, Feb 21, 2011 at 12:35 PM, Kevin Falcone
falc...@bestpractical.com wrote:

> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>> I would like to change standard access to RT from username/pw to
>> certificates authorization. Is there any simple way to do that ? Or
>> any additions to the RT ?
>
> You should be able to have Apache do the auth and pass that along to
> RT.  For the RT config, you want to read about WebExternalAuth in
> RT_Config.pm


If you do this (WebExternalAuth) and you're in an AD or Kerberos/LDAP
environment, you may be able to use pass-through authentication (assuming
that your users are logging in with the same credentials that they use for
authentication to your servers).

http://modauthkerb.sourceforge.net/
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

I have mod_auth_kerb working in this manner, authenticating against AD (not
in RT, but in a different app served through Apache). I haven't tested
mod_auth_ldap yet, but it would only be necessary if you're looking to
authorize your clients (versus just authenticating them).


Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Jeff Blaine

On 2/21/2011 3:15 PM, Kevin Falcone wrote:

> On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
>> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>>> I would like to change standard access to RT from username/pw to
>>>> certificates authorization. Is there any simple way to do that ? Or
>>>> any additions to the RT ?
>>>
>>> You should be able to have Apache do the auth and pass that along to
>>> RT.  For the RT config, you want to read about WebExternalAuth in
>>> RT_Config.pm
>> If you ever get this working, please let me know.  I've
>> tried and failed.
>
> You don't say what failed, but the Apache side is just
> SSLVerifyClient require
> plus
> SSLUserName


Yes, we have all of the cert stuff working fine (required).
I tried:

SSLUserName SSL_CLIENT_S_DN_UID

and turned on WebExternalAuth, et al.  Restarted httpd,
closed browser, visited site, entered certificate
passphrase, and saw the same old RT login screen.

Also tried:

SSLUserName 0.9.2342.19200300.100.1.1


Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Kevin Falcone
On Mon, Feb 21, 2011 at 03:24:37PM -0500, Jeff Blaine wrote:
> On 2/21/2011 3:15 PM, Kevin Falcone wrote:
>> On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
>>> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>>>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>>>> I would like to change standard access to RT from username/pw to
>>>>> certificates authorization. Is there any simple way to do that ? Or
>>>>> any additions to the RT ?
>>>>
>>>> You should be able to have Apache do the auth and pass that along to
>>>> RT.  For the RT config, you want to read about WebExternalAuth in
>>>> RT_Config.pm
>>> If you ever get this working, please let me know.  I've
>>> tried and failed.
>>
>> You don't say what failed, but the Apache side is just
>> SSLVerifyClient require
>> plus
>> SSLUserName
>
> Yes, we have all of the cert stuff working fine (required).
> I tried:
>
> SSLUserName SSL_CLIENT_S_DN_UID
>
> and turned on WebExternalAuth, et al.  Restarted httpd,
> closed browser, visited site, entered certificate
> passphrase, and saw the same old RT login screen.

This implies you didn't turn on WebExternalAuth, or also turned on
WebFallbackToInternalAuth.  Apache will log the REMOTE_USER so it is
relatively straightforward to see if the Apache is providing enough
information for RT.

-kevin




Re: [rt-users] Certificate based access instead of username/pw

2011-02-21 Thread Kevin Falcone
On Mon, Feb 21, 2011 at 04:11:21PM -0500, Jeff Blaine wrote:
 
 
> Set($WebExternalAuth, 1);
> Set($WebExternalAuthContinuous, 1);
> Set($WebFallbackToInternalAuth , undef);
>
> SSLVerifyClient require
> SSLUserName SSL_CLIENT_S_DN_UID
>
> %u (remote user) logs as - for me, so is no help
> other than to indicate it's not working.
>
> RT 3.8.7
> Apache httpd 2.2.3-45.el5
>
> Thanks for the help though.

Just to be clear, this seems to be an apache failure to set
REMOTE_USER rather than any issue with RT.

-kevin
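
The Apache side discussed in this thread (SSLVerifyClient plus SSLUserName) together with the access-log check of REMOTE_USER, as an added example that is not part of any post here. The host name, file paths and the log format name are placeholders, and RT's own handler configuration is left out.

```apache
# Added example, not from the thread. ServerName, certificate paths and
# the "sslauth" log format name are placeholders.
<VirtualHost *:443>
    ServerName rt.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/rt.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/rt.example.org.key

    # Only client certificates that chain to this CA are accepted.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location />
        # Copy one field of the verified certificate into REMOTE_USER.
        # RT looks the user up by this value, so it has to be unique and
        # match an RT user name. SSL_CLIENT_S_DN_UID is the variable
        # tried in the thread; it is only populated when the subject DN
        # carries a UID component.
        SSLUserName SSL_CLIENT_S_DN_UID

        # Export the SSL_* variables to the request environment.
        SSLOptions +StdEnvVars
    </Location>

    # Diagnostic log: %u is REMOTE_USER ("-" when unset). %{...}x reads a
    # mod_ssl variable, so the verification result and the full subject
    # DN are logged next to it on every request.
    LogFormat "%h %u %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s" sslauth
    CustomLog logs/rt_sslauth.log sslauth
</VirtualHost>
```

A log line showing `-` for `%u` next to `SUCCESS` for `SSL_CLIENT_VERIFY` means the certificate verified but the variable named in SSLUserName produced no user name; the logged subject DN shows which components the certificate actually carries.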

