<div class="gmail_quote">On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone <span dir="ltr"><<a href="mailto:falcone@bestpractical.com" target="_blank">falcone@bestpractical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:<br>
> Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi to log in to the<br>
> database.<br>
><br>
> If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD I can log in to the<br>
> postgresql database with a keytab for this principal.<br>
><br>
> How can I tell the request tracker application it has to use this keytab instead of setting a<br>
> username/password in clear text in a config file? This would be a huge security improvement<br>
> IMO.<br>
><br>
> With other apps I can use the KRB5CCNAME variable to specify where the ticket cache file is<br>
> and use that.<br>
<br>
</div>If DBD::Pg or DBD::Oracle can do it, then RT should be able to<br>
leverage that. You'll need to review the driver documentation for how<br>
the configuration needs to be set up.<br>
<br></blockquote></div><br>DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct me if I am wrong).<br><br>I have created a service principal rt/webserver01.ipa.asenjo.nx and added a postgresql login role in the postgresql server with the same name, no passwords.<br>
<br>After that I retrieved the keytab for the service principal and saved it in a file rt.keytab.<br><br>Then I wrote this snippet:<br><br><pre>
use strict;
use warnings;

use Authen::Krb5::Easy qw( kinit kdestroy kerror );
use DBI;

my $keytab    = '/home/admin/rt.keytab';
my $ccache    = '/tmp/rt.ccache';
my $principal = 'rt/webserver01.ipa.asenjo.nx';

print $principal, "\n";

# Point libpq (used by DBD::Pg) at the credential cache we are about to fill
$ENV{KRB5CCNAME} = $ccache;

# Obtain a ticket for the service principal from the keytab; no password involved
kinit( $keytab, $principal ) || die kerror();

my $dbhost = "postgres.ipa.asenjo.nx";

# Empty password: GSSAPI authenticates as the principal held in $ccache
my $dbh = DBI->connect(
    "DBI:Pg:dbname=template1;host=$dbhost", $principal, '',
    { RaiseError => 1 },
);

my $sth = $dbh->prepare("select usename from pg_catalog.pg_user");
$sth->execute();

# save the postgres roles in value of hash, key not important
my %postgres_roles;
while ( my @data = $sth->fetchrow_array() ) {
    $postgres_roles{ $data[0] } = $data[0];
}

print "$_\n" for sort keys %postgres_roles;

$dbh->disconnect;
kdestroy();    # remove the credential cache again when done
</pre>
And I see the list of roles in the postgresql server, so it works using the kerberos principal.<br><br>So how can I tell rt to look in the kerberos cache file for its kerberos credentials?<br>
<br>TIA,<br>-- <br>natxo<br><br>
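Added example (not from this thread, and not RT's own code): one way to carry the snippet above into RT's configuration. It assumes that RT_SiteConfig.pm is evaluated as Perl when RT starts, that the `$DatabaseUser` and `$DatabasePassword` settings are handed to `DBI->connect` unchanged (so an empty password lets DBD::Pg/libpq fall through to GSSAPI), and the `kinit( $keytab, $principal )` call from Authen::Krb5::Easy exactly as used in the snippet. The keytab and cache paths and the database name are placeholders; the principal and host are the ones from the thread.

```perl
# RT_SiteConfig.pm fragment (added example; assumptions noted in the lead-in).
use Authen::Krb5::Easy qw( kinit kerror );

my $keytab    = '/opt/rt4/etc/rt.keytab';       # placeholder; mode 0400, owned by the RT web user
my $ccache    = '/var/run/rt/rt.ccache';        # placeholder; a directory only that user can read
my $principal = 'rt/webserver01.ipa.asenjo.nx'; # service principal from the thread, realm omitted

# libpq reads KRB5CCNAME, so set it before RT opens its first database handle.
$ENV{KRB5CCNAME} = "FILE:$ccache";

# Fill the cache from the keytab; refuse to start RT if no ticket can be obtained.
kinit( $keytab, $principal )
    or die "kinit for $principal from $keytab failed: " . kerror();

Set( $DatabaseType,     'Pg' );
Set( $DatabaseHost,     'postgres.ipa.asenjo.nx' );
Set( $DatabaseName,     'rt4' );          # placeholder database name
Set( $DatabaseUser,     $principal );     # login role named after the principal, as in the thread
Set( $DatabasePassword, '' );             # nothing stored in clear text; GSSAPI supplies the credential

1;
```

Two things to check before relying on this. First, PostgreSQL strips or keeps the realm when mapping the principal to a role depending on the `include_realm` setting on the `gss` line in pg_hba.conf (or a pg_ident map), so a role named `rt/webserver01.ipa.asenjo.nx` without the realm only matches if that is configured accordingly. Second, the ticket written at startup has a finite lifetime, and a long-running RT server keeps reusing the same cache, so new connections start failing once it expires; something outside RT (a cron job or k5start using the same keytab and cache file) has to renew it, and the keytab itself is now the secret to protect with file permissions, since anyone who can read it can authenticate as the RT principal.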