[rt-users] LDAP authentication best practices

Thomas Smith theitsmith at gmail.com
Wed Oct 5 02:19:13 EDT 2011


On Tue, Oct 4, 2011 at 11:06 PM, declaya <chocoboselphie at gmx.de> wrote:
>
> Thomas Smith-12 wrote:
>>
>> Discovered another issue... This one isn't strictly RT-related, I don't
>> think.
>>
>> The email gateway is no longer working. When I configured Apache auth,
>> I had to do it at the /opt/rt4 level--otherwise, RT would display the
>> login page without the option to login and SSO wouldn't work. Now the
>> mail gateway is unable to insert new tickets into the database as the
>> area it's trying to access is password protected. Are there any
>> best-practices for lifting the security off of this one directory
>> (NoAuth only, right?) while maintaining SSO on the remainder of the
>> system? Every time I exclude this directory from authentication, SSO
>> breaks.
>>
>
> Hi Thomas,
> I was facing the same problem (and I'm still curious about how to configure
> Apache using SSO with NTLMv2, but that's another problem;) when I changed the
> login behavior for Apache.
> You have to change the Apache config: The NoAuth directories must be
> excluded from your AD authentication, so you have to set "satisfy any" and
> "Allow from all" for those directories.
>
> So my Apache config looks like this:
>
> [...]
> <Directory "/opt/rt4/share/html">
>  --->here goes your Auth config for the users
> </Directory>
>
> <Directory "/opt/rt4/share/html/REST/1.0/NoAuth">
>  SetHandler modperl
>  PerlResponseHandler Plack::Handler::Apache2
>  satisfy any
>  allow from all
> </Directory>
>
> <Directory "/opt/rt4/share/html/NoAuth">
>  SetHandler modperl
>  PerlResponseHandler Plack::Handler::Apache2
>  satisfy any
>  allow from all
> </Directory>
>
> <Location /REST/1.0/NoAuth>
>  satisfy any
>  allow from all
> </Location>
> [...]
>
> I'm not completely sure which of the directories is the right one, but
> until now it works for me.
> Hope this helps a bit!

Thank you! I did something similar, just used a different method. What
I found to work best, at least for my situation, was to add the
following to the Directory directive for /opt/rt4.

<Directory /opt/rt4>
... LDAP auth stuff omitted ...

SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
Order allow,deny
Allow from env=allow
Satisfy Any
</Directory>

So far, this seems to be working and I haven't yet found any issues in
the tests that I've done--LDAP authentication is triggered if one
accesses any directory but the ones listed in the SetEnvIf statement.

I'd welcome the input if anyone knows of a better or cleaner way to
achieve this result.
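As an added illustration (not code from the thread), here is a small Python check of which request URIs the SetEnvIf pattern above would exempt from LDAP authentication, next to a slightly tighter pattern (an assumption of mine, not something posted in the thread) that only matches the two NoAuth directories themselves rather than any path that merely starts with "/NoAuth". The sample URIs are constructed.

```python
import re

# Pattern exactly as used in the SetEnvIf line above. Because of the
# trailing (.*), it is a prefix match: any path starting with /NoAuth or
# /REST/1.0/NoAuth sets the 'allow' env var and bypasses LDAP auth.
THREAD_PATTERN = re.compile(r"^/(NoAuth|REST/1.0/NoAuth)(.*)$")

# Tighter alternative (assumption, not from the thread): require the
# directory separator so that e.g. /NoAuthExtra/... is still protected.
TIGHT_PATTERN = re.compile(r"^/(NoAuth|REST/1.0/NoAuth)/")


def is_exempt(request_uri: str, pattern: re.Pattern = THREAD_PATTERN) -> bool:
    """Return True if the given pattern would set the 'allow' variable.

    SetEnvIf Request_URI matches the request-line URI without its query
    string, so the query string is stripped before matching.
    """
    path = request_uri.split("?", 1)[0]
    return pattern.search(path) is not None


def classify(uris, pattern=THREAD_PATTERN):
    """Map each URI to 'exempt' (no LDAP auth) or 'ldap-auth' for review."""
    return {u: ("exempt" if is_exempt(u, pattern) else "ldap-auth") for u in uris}


# Constructed sample request URIs; the last one shows the prefix-match effect.
SAMPLE_URIS = [
    "/NoAuth/Login.html",
    "/REST/1.0/NoAuth/mail-gateway",
    "/REST/1.0/NoAuth/mail-gateway?queue=General&action=correspond",
    "/Ticket/Display.html?id=1",
    "/REST/1.0/ticket/1",
    "/NoAuthExtra/secret.html",
]

if __name__ == "__main__":
    for uri, verdict in classify(SAMPLE_URIS).items():
        tight = "exempt" if is_exempt(uri, TIGHT_PATTERN) else "ldap-auth"
        print(f"{uri:62s} thread={verdict:9s} tight={tight}")
```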