[rt-users] RT 3.8 and Kerberos SSO

Joachim Thuau Joachim.Thuau at spacex.com
Mon Oct 10 14:20:00 EDT 2011


Are you using apache mod_kerb_auth for authentication? (webexternalauth
seems to suggest you do).

I believe that if you do that, by default, the "login" of the user will be
the kerberos principal used, including the realm. Ldap and/or the mail
gateway might not get the same value (depending on your mapping). Since
the email address has to be unique, if the "remote_user" doesn't match the
name the rt username, it won't work (creating 2 users with the same email
address is not possible, if I'm not mistaken)

One thing you can do is add to your apache config the following directive:
"KrbLocalUserMapping On". That will set "REMOTE_USER" to just the username
part of the principal (no realm). That should make it match between the
two (kern and ldap)

I hope this puts you on the right track...
Jok

-- 
| Joachim Thuau | Linux Systems Administrator / SpaceX |
| Cell: 310-890-7937 | Office: 310-363-6153 |




More information about the rt-users mailing list