[rt-users] Problems with external auth and double prompting for authentication
Bart Bunting
bart.bunting at ursys.com.au
Wed May 11 19:25:16 EDT 2016
Hi Jim,
Thanks for the quick reply.
I should have included my apache virtualhost config:
Here it is for reference. I did have ldap auth working at one point but
it is totally commented out in the config.
Apache is apache2 2.4.18-2ubuntu3
amd64 debian Xenial LTS
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName helpdesk.in.urnet.com.au
## Vhost docroot
DocumentRoot "/opt/rt4/share/html"
## Alias declarations for resources outside the DocumentRoot
AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"
## Directories, there should at least be a declaration for /opt/rt4/share/html
<Directory "/opt/rt4/share/html">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined
## Custom fragment
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
<Location />
# bart: disabled for now until we move towards SSO
# AuthType Basic
# AuthName "Ursys LDAP"
# AuthBasicProvider ldap
# AuthLDAPURL ldap://ldap.xxxx:389/cn=accounts,xxxx?uid?sub
# AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
# AuthLDAPBindPassword xxxxx
# Require ldap-group cn=noc,cn=groups,xxxxxx
Require all granted
Options +ExecCGI
AddHandler fcgid-script fcgi
</Location>
</VirtualHost>
Is there anything wrong with that? It pretty much mirrors the config
described in the documentation.
If there is a better way of doing things other than mod_fastcgi I'm open to trying that.
Kind regards
Bart
Jim Brandt <jbrandt at bestpractical.com> writes:
> Browser authentication is typically triggered by an Apache
> configuration, so if your goal is to have just RT authentication, you
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browsers authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set ($ExternalAuth, 1);
>> Set( $ExternalAuthPriority, ['URSYS_LDAP'] );
>> Set( $ExternalInfoPriority, ['URSYS_LDAP'] );
>>
>> # Make users created from LDAP Privileged
>> Set( $UserAutocreateDefaultsOnLogin, { Privileged => 1 } );
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>> 'URSYS_LDAP' => {
>> 'type' => 'ldap',
>> 'server' => 'ldap.xxxxx',
>> 'base' => 'cn=users,cn=accounts,dc=xxxxxx',
>> 'user' => 'uid=system,cn=sysaccounts,xxxxx',
>> 'pass' => 'xxxxxx',
>> 'filter' => '(&(memberOf=cn=helpdesk-*))',
>> 'attr_match_list' => [
>> 'Name',
>> ],
>> 'attr_map' => {
>> 'Name' => 'uid',
>> 'EmailAddress' => 'mail',
>> },
>> },
>> } );
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin( qw(RT::LDAPImport));
>>
>> Set($LDAPBase,'cn=users,cn=accounts,xxxxx');
>> Set($LDAPHost,'ldap.xxxxx');
>> Set($LDAPUser,'uid=system,cn=sysaccounts,xxxxxx');
>> Set($LDAPPassword,'xxxxxxxx');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping, {Name => 'uid', # required
>> EmailAddress => 'mail',
>> RealName => 'cn',
>> WorkPhone => 'telephoneNumber',
>> Organization => 'departmentName'});
>> # create users as privileged
>> Set($LDAPCreatePrivileged, 1);
>>
>> # sync Groups from LDAP into RT
>> Set($LDAPGroupBase, 'cn=accounts,xxxxx');
>> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
>> Set($LDAPGroupMapping, {Name => 'cn',
>> Description => 'description',
>> Member_Attr => 'member',
>> Member_Attr_Value => 'dn',
>> });
>>
>> As above all the ldap stuff appears to work apart from the double
>> request for authentication.
>>
>>
>>
>> Kind regards
>> Bart
>>
Bart
--
Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
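The double prompt described in this thread comes from two independent layers each asking for credentials: an Apache AuthType directive (browser prompt) and RT's own login form, which RT shows whenever $WebRemoteUserAuth is off. The following is an added diagnostic, not code from the thread or from Best Practical: it parses constructed Apache and RT_SiteConfig fragments shaped like the ones above (all names and values are placeholders) and reports which prompts a user would see under the documented semantics of $WebRemoteUserAuth and $WebFallbackToRTLogin.

```python
import re

# Constructed sample fragments, modelled on the thread's shapes; values are placeholders.
APACHE_VHOST = """\
<Location />
# AuthType Basic
# AuthName "Example LDAP"
Require all granted
Options +ExecCGI
</Location>
"""

RT_SITECONFIG = """\
#Set($WebRemoteUserAuth, 1);
#Set($WebFallbackToRTLogin, 1);
Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['EXAMPLE_LDAP'] );
"""

SET_RE = re.compile(r"^Set\s*\(\s*\$(\w+)\s*,\s*(.+?)\s*\)\s*;")


def active_directives(apache_text):
    """Return (directive, argument) pairs Apache would evaluate.

    Comment lines ('#') and section tags ('<Location ...>') are skipped, so a
    commented-out AuthType does not count as active.
    """
    out = []
    for raw in apache_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, arg = line.partition(" ")
        out.append((name, arg.strip()))
    return out


def rt_settings(rt_text):
    """Return {name: raw_value} for every uncommented single-line Set($Name, value);."""
    settings = {}
    for raw in rt_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def truthy(value):
    """Perl-style truthiness for the scalar values these options take."""
    v = value.strip().strip("'\"")
    return v not in ("", "0", "undef")


def diagnose(apache_text, rt_text):
    """List the credential prompts a user would meet, in order.

    - An active Apache AuthType always produces a browser prompt.
    - RT shows its own login form when $WebRemoteUserAuth is off, or when it is
      on, REMOTE_USER is absent and $WebFallbackToRTLogin is on.
    - $WebRemoteUserAuth on with no web-server auth and no fallback leaves no
      way to log in at all.
    """
    directives = dict(active_directives(apache_text))  # last occurrence wins
    settings = rt_settings(rt_text)
    web_auth = "AuthType" in directives
    remote_user = truthy(settings.get("WebRemoteUserAuth", "0"))
    fallback = truthy(settings.get("WebFallbackToRTLogin", "0"))

    prompts = []
    if web_auth:
        prompts.append("browser:" + directives["AuthType"])
    if not remote_user:
        prompts.append("rt_login")
    elif not web_auth:
        prompts.append("rt_login" if fallback else "no_login_possible")
    return prompts


if __name__ == "__main__":
    print(diagnose(APACHE_VHOST, RT_SITECONFIG))
```

With the sample fragments (AuthType commented out, $WebRemoteUserAuth off) the result is a single RT login prompt; re-enabling AuthType Basic while leaving $WebRemoteUserAuth off reproduces the two-prompt situation from the thread, and enabling both gives a single browser prompt with RT trusting REMOTE_USER. The parser only handles single-line Set() calls, which is enough for these boolean options.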