<div dir="ltr"><div>Hi,</div><div><br></div><a href="http://www.gossamer-threads.com/lists/apache/dev/370306">http://www.gossamer-threads.com/lists/apache/dev/370306</a><br><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <span dir="ltr"><<a href="mailto:oliver.weinmann@telespazio-vega.de" target="_blank">oliver.weinmann@telespazio-vega.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="DE" link="blue" vlink="purple">
<div>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi,<u></u><u></u></span></p>
<p class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">there are these settings in RT:<u></u><u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'"># tells RT to use the REMOTE_USER provided by the web server<u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'">Set($WebExternalAuth , 1);<u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'"><u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'"> # tells RT to display its normal login screen if REMOTE_USER fails<u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'">Set($WebFallbackToInternalAuth , 1);<u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'"><u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'"> # tells RT to create users automatically if no user matching REMOTE_USER is found<u></u><u></u></span></p>
<p class=""><span lang="EN" style="font-size:10pt;font-family:'Courier New'">Set($WebExternalAuto , 1);<u></u><u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?<u></u><u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Best Regards,<u></u><u></u></span></p>
<p class=""><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Oliver<u></u><u></u></span></p>
<p class=""><b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma,sans-serif"> <a href="mailto:ruslan.zakirov@gmail.com" target="_blank">ruslan.zakirov@gmail.com</a> [mailto:<a href="mailto:ruslan.zakirov@gmail.com" target="_blank">ruslan.zakirov@gmail.com</a>]
<b>On Behalf Of </b>Ruslan Zakirov<br>
<b>Sent:</b> Dienstag, 3. September 2013 21:47<br>
<b>To:</b> Oliver Weinmann<br>
<b>Cc:</b> <a href="mailto:rt-users@lists.bestpractical.com" target="_blank">rt-users@lists.bestpractical.com</a><br>
<b>Subject:</b> Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb<u></u><u></u></span></p><div><div class="h5">
<p class=""><u></u> <u></u></p>
<div>
<p class="">Hi,<u></u><u></u></p>
<div>
<p class=""><u></u> <u></u></p>
</div>
<div>
<p class="">Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.<u></u><u></u></p>
</div>
</div>
<div>
<p class="" style="margin-bottom:12pt"><u></u> <u></u></p>
<div>
<p class="">On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <<a href="mailto:oliver.weinmann@telespazio-vega.de" target="_blank">oliver.weinmann@telespazio-vega.de</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class=""><span lang="EN-US">Hi all,</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US">we have successfully setup RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US">What we have on our reverse proxy is this:</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US">ProxyPass /rt/
<a href="http://hostname.local/rt/" target="_blank">http://hostname.local/rt/</a> max=100</span><u></u><u></u></p>
<p class=""><span lang="EN-US">ProxyPassReverse /rt/
<a href="http://hostname.local/rt/" target="_blank">http://hostname.local/rt/</a></span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> RedirectMatch ^/$ /rt/</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> # Proxy all locations</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> <Proxy *></span><u></u><u></u></p>
<p class=""><span lang="EN-US"> AddDefaultCharset off</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> Order deny,allow</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> Deny from none</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </Proxy></span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> <Location /rt></span><u></u><u></u></p>
<p class=""><span lang="EN-US"> AuthType Kerberos</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> AuthName "Kerberos Login"</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> KrbAuthRealms KRB5.LOCAL</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> Krb5KeyTab /etc/apache2/host.keytab</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> KrbMethodNegotiate on</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> KrbAuthoritative on</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> KrbMethodK5Passwd off</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> KrbSaveCredentials on</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> require valid-user</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> # SSO</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> RewriteEngine On</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> RewriteCond %{LA-U:REMOTE_USER} (.+)$</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> RewriteRule . - [E=RU:%1]</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> RequestHeader set REMOTE_USER %{RU}e</span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </Location></span><u></u><u></u></p>
<p class=""><span lang="EN-US"> </span><u></u><u></u></p>
<p class=""><span lang="EN-US">Running tcpdump we can see that REMOTE_USER is set and send to the host hosting RT. It looks like RT is not picking it up. As far as I understood is that my user
gets authenticated at the proxy and RT should trust these credentials and log in the user.</span><u></u><u></u></p>
</div>
</div>
</div>
<p class=""><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class=""><u></u> <u></u></p>
</div>
<p class="">-- <br>
Best regards, Ruslan. <u></u><u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Best regards, Ruslan.
</div></div>