Re: [rt-users] Certificate based access instead of username/pw
On 07/04/2011 08:11 AM, Adrian Stel wrote:
> Hi Thomas,
> I need help with this ;/ How can I configure Apache to put something to the REMOTE_USER ?

Please keep replies to the list, not personal mail.

The documentation for Apache is probably a good place to start for how to configure it.

Thomas
Re: [rt-users] Certificate based access instead of username/pw
Hi,

when I have Set($WebExternalAuth, 1); I'm not able to log in using user/pass. There is missing text box ;/

Any idea?

Best Regards
Adrian

2011/7/1 Adrian Stel adisa...@gmail.com
> Hi,
> I would like to change standard access to RT from username/pw to certificates authorization.
> This is what I made in file: /usr/share/request-tracker3.8/etc/RT_Config.pm
>
> Set($WebExternalAuth, 1);
> Set($WebExternalAuthContinuous, 1);
> Set($WebFallbackToInternalAuth , undef);
>
> What next? I got this information:
>
> SSLVerifyClient require
> SSLUserName SSL_CLIENT_S_DN_UID
>
> %u (remote user) logs as - for me, so is no help other than to indicate it's not working.
>
> But how I should read this info?
> Of course I have all of the cert stuff working fine (required).
> Here is the link: rt.ige.psnc.pl https://r.ige.psnc.pl
>
> --
> Best Regards,
> Adrian Stelmaszyk

--
Regards
Adrian Stelmaszyk
Re: [rt-users] Certificate based access instead of username/pw
On 07/01/2011 07:02 AM, Adrian Stel wrote:
> when I have Set($WebExternalAuth, 1); I'm not able to log in using user/pass. There is missing text box ;/

You said you Set($WebFallbackToInternalAuth, undef) which means internal auth should never be used. Please read the doc for that option in etc/RT_Config.pm.

As for your REMOTE_USER problem, you'll likely need to configure Apache to put something unique in there so RT can key on it.

Thomas
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> Hi,
> I would like to change standard access to RT from username/pw to certificates authorization.
> Is there any simple way to do that ? Or any additions to the RT ?

I'm testing a simple alternative to External Auth. I have a Callback placed under local/html/Callbacks/ICZAuth/autohandler/Auth

-snip-
%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;

# Only act when no user is logged in yet and Apache exported a client certificate.
unless ( $session{'CurrentUser'} && $session{'CurrentUser'}->id()
    || !$ENV{'SSL_CLIENT_CERT'} )
{
    # Parse the PEM certificate exported by mod_ssl (+ExportCertData).
    my $x509  = Crypt::OpenSSL::X509->new_from_string( $ENV{'SSL_CLIENT_CERT'} );
    my $email = lc( $x509->email() );

    # Load the RT user whose email address matches the certificate.
    $session{'CurrentUser'} = RT::CurrentUser->new();
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: $email");
}
</%init>
-snip-

You must install Crypt::OpenSSL (e.g. libcrypt-openssl-x509-perl in Debian). An email address from the Subject Alternative Name of the X.509 certificate is extracted and a corresponding user is loaded based on an email address.

Interesting part on Apache configuration:

SSLVerifyClient require
SSLOptions +ExportCertData +StdEnvVars

Best Regards
-- 
Zito
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> I would like to change standard access to RT from username/pw to certificates authorization.
> Is there any simple way to do that ? Or any additions to the RT ?

You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm
Re: [rt-users] Certificate based access instead of username/pw
If you ever get this working, please let me know. I've tried and failed.

On 2/21/2011 2:35 PM, Kevin Falcone wrote:
> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>> I would like to change standard access to RT from username/pw to certificates authorization.
>> Is there any simple way to do that ? Or any additions to the RT ?
>
> You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>> I would like to change standard access to RT from username/pw to certificates authorization.
>>> Is there any simple way to do that ? Or any additions to the RT ?
>>
>> You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm
>
> If you ever get this working, please let me know. I've tried and failed.

You don't say what failed, but the Apache side is just SSLVerifyClient require plus SSLUserName and I've worked with folks who have this set up, so it is certainly possible.

-kevin
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 12:35 PM, Kevin Falcone falc...@bestpractical.com wrote:
> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>> I would like to change standard access to RT from username/pw to certificates authorization.
>> Is there any simple way to do that ? Or any additions to the RT ?
>
> You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm

If you do this (WebExternalAuth) and you're in an AD or Kerberos/LDAP environment, you may be able to use pass-through authentication (assuming that your users are logging in with the same credentials that they use for authentication to your servers).

http://modauthkerb.sourceforge.net/
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

I have mod_auth_kerb working in this manner, authenticating against AD (not in RT, but in a different app served through Apache). I haven't tested mod_auth_ldap yet, but it would only be necessary if you're looking to authorize your clients (versus just authenticating them).
Re: [rt-users] Certificate based access instead of username/pw
On 2/21/2011 3:15 PM, Kevin Falcone wrote:
> On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
>> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>>> I would like to change standard access to RT from username/pw to certificates authorization.
>>>> Is there any simple way to do that ? Or any additions to the RT ?
>>>
>>> You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm
>>
>> If you ever get this working, please let me know. I've tried and failed.
>
> You don't say what failed, but the Apache side is just SSLVerifyClient require plus SSLUserName

Yes, we have all of the cert stuff working fine (required).

I tried:

SSLUserName SSL_CLIENT_S_DN_UID

and turned on WebExternalAuth, et al. Restarted httpd, closed browser, visited site, entered certificate passphrase, and saw the same old RT login screen.

Also tried:

SSLUserName 0.9.2342.19200300.100.1.1
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 03:24:37PM -0500, Jeff Blaine wrote:
> On 2/21/2011 3:15 PM, Kevin Falcone wrote:
>> On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
>>> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>>>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>>>> I would like to change standard access to RT from username/pw to certificates authorization.
>>>>> Is there any simple way to do that ? Or any additions to the RT ?
>>>>
>>>> You should be able to have Apache do the auth and pass that along to RT. For the RT config, you want to read about WebExternalAuth in RT_Config.pm
>>>
>>> If you ever get this working, please let me know. I've tried and failed.
>>
>> You don't say what failed, but the Apache side is just SSLVerifyClient require plus SSLUserName
>
> Yes, we have all of the cert stuff working fine (required).
>
> I tried:
>
> SSLUserName SSL_CLIENT_S_DN_UID
>
> and turned on WebExternalAuth, et al. Restarted httpd, closed browser, visited site, entered certificate passphrase, and saw the same old RT login screen.

This implies you didn't turn on WebExternalAuth, or also turned on WebFallbackToInternalAuth.

Apache will log the REMOTE_USER so it is relatively straightforward to see if the Apache is providing enough information for RT.

-kevin
Re: [rt-users] Certificate based access instead of username/pw
On Mon, Feb 21, 2011 at 04:11:21PM -0500, Jeff Blaine wrote:
> Set($WebExternalAuth, 1);
> Set($WebExternalAuthContinuous, 1);
> Set($WebFallbackToInternalAuth , undef);
>
> SSLVerifyClient require
> SSLUserName SSL_CLIENT_S_DN_UID
>
> %u (remote user) logs as - for me, so is no help other than to indicate it's not working.
>
> RT 3.8.7
> Apache httpd 2.2.3-45.el5
>
> Thanks for the help though.

Just to be clear, this seems to be an apache failure to set REMOTE_USER rather than any issue with RT.

-kevin
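
Added example, not written by any poster in this thread and not Best Practical's configuration: an Apache mod_ssl sketch for the troubleshooting step the thread ends on, logging `%u` (REMOTE_USER) beside the client certificate's subject DN and verification result so an empty REMOTE_USER can be traced to the attribute named in SSLUserName. The file paths, the log file name and the `rt_certauth` format nickname are placeholders.

```apache
# Added example. Paths, log name and the "rt_certauth" nickname are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA that issued the client certificates. With "require" the handshake
    # fails unless the client presents a certificate that chains to this CA.
    SSLCACertificateFile  /path/to/client-ca.pem
    SSLVerifyClient require

    <Location />
        # StdEnvVars exports the SSL_* variables to the application;
        # SSLUserName copies the named variable into REMOTE_USER, the value
        # RT keys on when WebExternalAuth is enabled.
        SSLOptions  +StdEnvVars
        SSLUserName SSL_CLIENT_S_DN_UID
    </Location>

    # %u is REMOTE_USER; %{VAR}x prints a mod_ssl variable. Logging the whole
    # subject DN next to individual components shows which attributes the
    # presented certificate actually carries.
    LogFormat "%h %u %t \"%r\" %>s verify=%{SSL_CLIENT_VERIFY}x dn=\"%{SSL_CLIENT_S_DN}x\" uid=\"%{SSL_CLIENT_S_DN_UID}x\" cn=\"%{SSL_CLIENT_S_DN_CN}x\" email=\"%{SSL_CLIENT_S_DN_Email}x\"" rt_certauth
    CustomLog logs/rt_certauth_log rt_certauth
</VirtualHost>
```

If a request logs `verify=SUCCESS` and a populated `dn` but `%u` and `uid` come out unset, the certificate subject has no component that mod_ssl exposes under that name, and SSLUserName has to point at a variable that is populated, such as SSL_CLIENT_S_DN_CN or SSL_CLIENT_S_DN_Email. Whichever variable is chosen must be unique per user, since RT maps that value directly to an account.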