[rt-users] database authentication (as in RT_SiteConfig.pm) using a kerberos principal
Kevin Falcone
falcone at bestpractical.com
Mon Jun 25 10:32:33 EDT 2012
On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
> Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi to log in the
> database.
>
> If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD I can login the
> postgresql database with a keytab for this principal.
>
> How can I tell the request tracker application it has to use this keytab instead of setting a
> username/password in clear text in a config file? This would be a huge security improvement
> IMO.
>
> With other apps I can use the KRB5CCNAME variable to specify where the ticket cache file is
> and use that.
If DBD::Pg or DBD::Oracle can do it, then RT should be able to
leverage that. You'll need to review the driver documentation for how
the configuration needs to be set up.
-kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20120625/68cd3b1c/attachment.sig>
More information about the rt-users
mailing list