[rt-users] LDAP authentication best practices

declaya chocoboselphie at gmx.de
Wed Oct 5 02:06:09 EDT 2011



Thomas Smith-12 wrote:
> Discovered another issue... This one isn't strictly RT-related, I don't
> think.
> 
> The email gateway is no longer working. When I configured Apache auth,
> I had to do it at the /opt/rt4 level--otherwise, RT would display the
> login page without the option to login and SSO wouldn't work. Now the
> mail gateway is unable to insert new tickets into the database as the
> area it's trying to access is password protected. Are there any
> best-practices for lifting the security off of this one directory
> (NoAuth only, right?) while maintaining SSO on the remainder of the
> system? Every time I exclude this directory from authentication, SSO
> breaks.
Hi Thomas,
I was facing the same problem (and I'm still curious about how to configure
Apache using SSO with NTLMv2, but that's another problem ;) when I changed the
login behavior for Apache.
You have to change the Apache config: the NoAuth directories must be
excluded from your AD authentication, so you have to set "satisfy any" and
"Allow from all" for those directories.

So my Apache config looks like this:

[...]
<Directory "/opt/rt4/share/html">
  # ---> here goes your Auth config for the users
</Directory>

<Directory "/opt/rt4/share/html/REST/1.0/NoAuth">
  SetHandler modperl
  PerlResponseHandler Plack::Handler::Apache2
  satisfy any
  allow from all
</Directory>

<Directory "/opt/rt4/share/html/NoAuth">
  SetHandler modperl
  PerlResponseHandler Plack::Handler::Apache2
  satisfy any
  allow from all
</Directory>

<Location /REST/1.0/NoAuth>
  satisfy any
  allow from all
</Location>
[...]

I'm not completely sure which of the directories is the right one, but
so far it works for me.
Hope this helps a bit!

Have a nice day!
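
An added example, not part of the original message or of RT: a small audit that lists which <Directory>/<Location> blocks lift authentication with "Satisfy Any" plus "Allow from all" and flags any that are not NoAuth paths. The sample config is constructed from the post (the Require line and the /Admin block are hypothetical), the function names are made up for illustration, and it assumes flat, non-nested blocks in the same Apache 2.2-style syntax.

```python
import re

# Constructed sample modelled on the config in the post. The "Require" line and
# the .../Admin block are hypothetical, added to show an over-broad exemption.
SAMPLE = """
<Directory "/opt/rt4/share/html">
  Require valid-user
</Directory>
<Directory "/opt/rt4/share/html/NoAuth">
  satisfy any
  allow from all
</Directory>
<Location /REST/1.0/NoAuth>
  Satisfy Any
  Allow from all
</Location>
<Directory "/opt/rt4/share/html/Admin">
  satisfy any
  allow from all
</Directory>
"""

# Matches one flat (non-nested) Directory or Location block: kind, path, body.
BLOCK = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)

def open_blocks(conf):
    """Return [(kind, path)] for blocks that carry Satisfy Any + Allow from all."""
    found = []
    for kind, path, body in BLOCK.findall(conf):
        lines = [" ".join(l.split()).lower() for l in body.splitlines()
                 if l.strip() and not l.strip().startswith("#")]
        if "satisfy any" in lines and "allow from all" in lines:
            found.append((kind.capitalize(), path.strip()))
    return found

def is_noauth(path):
    """True when one path component is exactly 'NoAuth' ('NoAuthX' does not count)."""
    return "NoAuth" in path.strip("/").split("/")

def audit(conf):
    """Split open blocks into (expected NoAuth exemptions, unexpected ones)."""
    blocks = open_blocks(conf)
    return ([b for b in blocks if is_noauth(b[1])],
            [b for b in blocks if not is_noauth(b[1])])

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    for label, group in (("expected", ok), ("UNEXPECTED", bad)):
        for kind, path in group:
            print(f"exempt ({label}): <{kind} {path}>")
```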