[rt-users] RT and Kerberos SSO

declaya chocoboselphie at gmx.de
Thu Oct 20 02:56:31 EDT 2011



jm130794 wrote:
> 
> 
> Hello,
> 
> I use mod_auth_kerb to authenticate users. I also have a LDAP server to 
> store my users  informations(email, gecos, ...).
> 
> In Apache configuration, I have :
> 
> <Location />
>          SetHandler perl-script
>          PerlResponseHandler RT::Mason
>          AuthType Kerberos
>          AuthName "RT Kerberos Login"
>          Krb5Keytab /etc/apache2/apache2_krb5.keytab
>          KrbMethodNegotiate On
>          KrbMethodK5Passwd On
>          KrbAuthRealms UNIV-FCOMTE.FR
>          KrbServiceName Any
>          KrbVerifyKDC Off
>          KrbAuthoritative Off
>          KrbSaveCredentials On
>     #KrbLocalUserMapping On
>     #Doesn't work for me ! ==> I remove @univ-fcomte.fr in 
> local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm
>          require valid-user
> </Location>
> l
> 

Hi jm130794,
I know this has nothing to do with RT directly, 
but apparently you are not using your Kerberos authentication yet. You set
in your httpd.conf the following line:
KrbVerifyKDC Off 
which means that the Kerberos tickets are never checked against your KDC.  
You can also read about it at
http://modauthkerb.sourceforge.net/configure.html.
It says: 
This option can be used to disable the verification tickets against local
keytab to prevent KDC spoofing atacks. It should be used only for testing
purposes. You have been warned. 
Although mod_auth_kerb gave me a lot fewer headaches with a disabled
KrbVerifyKDC I knew that it would only show me how RT would behave if
mod_auth_kerb really worked.

Now, I have a working Kerberos auth here and would like to share it with
others, but I'm currently checking if I could improve the authentication
behavior somehow because my config is really a shambles now. ;)

I hope that this could help you a bit. 
Have a nice day!



-- 
View this message in context: http://old.nabble.com/RT-and-Kerberos-SSO-tp32622384p32687466.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.




More information about the rt-users mailing list