RT with external auth (was Re: [rt-users] HTTP_Auth with rt?)

Jonathan C. Detert detertj at msoe.edu
Wed Feb 14 15:28:17 EST 2001


Hello,

I found a way for RT to use an external source for initial
authentication, and still use cookies for subsequent authentication.

First, some history:

* D. Joe Anderson <deejoe at iastate.edu> [010212 11:54]:
> On Mon, 12 Feb 2001, Jonathan C. Detert wrote:
> 
> > i thought i read something on the list that suggested you could
> > have rt do authentication via http auth, but I can't find any
> > documentation on how to do that.

-- snip --

> From rt/etc/config.pm:
> 
>  # WEB_AUTH_MECHANISM defines what sort of authentication you'd like to use
>  # for the web ui.  Valid choices are: "cookies" and "external".  Cookies

-- snip --

> I use mod_auth_pam with this, which is a drop-in replacement for mod_auth,
> but which uses PAM instead of just /etc/passwd.  The advantage is that I
> can use our distributed authentication system (kerberos, via pam_krb5
> etc).  The disadvantage is that I have no good way of expiring logins,
> like one would if one were using cookies.  Because HTTP doesn't support

-- snip --

> My wishlist for RT would include the ability to do initial authentication
> via external auth mechanisms, but to have RT generate and track
> authentication cookies to enable session expiry/logouts.

Here's how I accomplished Joe's wish (i.e. initial auth via external
mechanism, subsequent "session" auth via cookies):

    Two easy steps:

    1)
        in lib/rt/database/config.pm, added a f() to do external
    authentication.  Parameters are username and password that were
    entered by the user when they filled out the login form.  If the
    external authentication succeeds, then the password is stored in
    RT's "users" database for the indicated username.

        In my case, my external auth source is a WinNT domain
    controller.  Hence, I use the perl Authen::Smb module.  Here's the
    actual code:

        # if the user's submitted password is his MSOE NT domain password, then
        # update the rt db to have his nt password.
        # $username/$password are what the user typed into the login form;
        # $dbh is RT's global Mysql handle from lib/rt/database/config.pm.
        use Authen::Smb;

        sub msoe_authenticate {
            my ($username, $password) = @_;
            # quote both values before interpolating them into the SQL
            my ($user_id, $pass) = ($dbh->quote("$username"),
                                    $dbh->quote("$password"));

            # authen() returns NO_ERROR (0) on success, so compare against
            # the constant explicitly instead of testing it as a boolean
            my $authResult = Authen::Smb::authen($username, $password,
                                                 'yamato', 'hood', 'MSOE');
            if ( $authResult == Authen::Smb::NO_ERROR ) {
                # user submitted a valid password.  Let's put it into RT
                my $sql = qq[UPDATE users SET password = $pass WHERE user_id = $user_id];
                $dbh->Query($sql) or
                    warn "[msoe_authenticate] Sql had some problems: $Mysql::db_errstr\n$sql";
            }
        }

    2)
    in lib/rt/ui/web/auth.pm, modify AuthCheck() like so:

    after the cookies are created and sent to the browser, insert a call
    to my organization's authentication f() that I described in point 1)
    above.  That's it.  The return value of my f() is irrelevant.

Essentially what this does is this: enables RT to use its stock auth
procedure against the external auth-source password, by ensuring that the
value for the password field in the users table is the external
auth-source password.
-- 
Happy Landings,

Jon Detert
Unix System Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202
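The two-step scheme above, as an added, self-contained example (not code from the post, from RT, or from Authen::Smb). It keeps the post's idea, verify the submitted password against the external source and, only on success, copy it into RT's "users" table so the stock cookie auth keeps working, but takes the external check as a code ref with Authen::Smb::authen's contract, uses DBI placeholders instead of $dbh->quote interpolation, and checks the UPDATE's row count so an account that exists on the domain but not in RT is reported as a failed login rather than silently passing step 1. Assumptions: DBI with DBD::SQLite stands in for RT 1.x's MySQL handle, the users table has the user_id and password columns the post uses, fake_smb_authen is a constructed stand-in for Authen::Smb::authen with the same return convention (NO_ERROR is 0), and the passwords and host names are made up. Note that, exactly as in the post, this leaves a cleartext copy of the domain password in RT's database; anyone who can read that table can read the domain credential.

```perl
#!/usr/bin/perl
# Added example, not RT's code and not the original poster's.
use strict;
use warnings;
use DBI;

# Authen::Smb::authen returns NO_ERROR (0) on success and a non-zero error
# code otherwise, so its result must be compared to NO_ERROR and never used
# as a plain Perl boolean (0 is false).  These constants and the checker
# below are a constructed stand-in for the real module.
use constant NO_ERROR  => 0;
use constant BAD_LOGON => 3;

my %domain_pw = (jdetert => 'correct-horse', ghost => 'battery');  # constructed
sub fake_smb_authen {
    my ($user, $pass, $pdc, $bdc, $domain) = @_;    # same arity as Authen::Smb::authen
    return (exists $domain_pw{$user} && $domain_pw{$user} eq $pass)
        ? NO_ERROR : BAD_LOGON;
}

# ASSUMPTION: in-memory SQLite standing in for RT's MySQL "users" table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (user_id VARCHAR(16) PRIMARY KEY, password VARCHAR(16))');
$dbh->do(q{INSERT INTO users (user_id, password) VALUES ('jdetert', 'stale-old-pw')});
# 'ghost' is known to the domain but has no RT account on purpose.

# Step 1 from the post, generalised: $check is any code ref that follows
# Authen::Smb::authen's contract.  Returns 1 only when the external check
# passed AND RT already knew the user (the UPDATE matched one row); the
# password is mirrored into RT only on external success.
sub external_authenticate {
    my ($dbh, $check, $username, $password) = @_;
    return 0 unless $check->($username, $password, 'yamato', 'hood', 'MSOE') == NO_ERROR;

    # placeholders: the submitted values never reach the SQL as text
    my $rows = $dbh->do('UPDATE users SET password = ? WHERE user_id = ?',
                        undef, $password, $username);
    # DBI returns "0E0" (true, numerically zero) when no row matched
    return ($rows + 0 == 1) ? 1 : 0;
}

# What RT's own cookie-auth path would read back from the table.
sub rt_password_for {
    my ($dbh, $username) = @_;
    return $dbh->selectrow_array('SELECT password FROM users WHERE user_id = ?',
                                 undef, $username);
}

printf "wrong domain password : %d\n",
    external_authenticate($dbh, \&fake_smb_authen, 'jdetert', 'nope');
printf "right domain password : %d\n",
    external_authenticate($dbh, \&fake_smb_authen, 'jdetert', 'correct-horse');
printf "domain user not in RT : %d\n",
    external_authenticate($dbh, \&fake_smb_authen, 'ghost', 'battery');
printf "RT now stores for jdetert: %s\n", rt_password_for($dbh, 'jdetert');
```

Dropping this into RT's AuthCheck() as the post describes would mean passing RT's real $dbh and \&Authen::Smb::authen instead of the stand-ins; the row-count return value is the extra signal the post's version does not give you, useful for logging failed logins of domain users who have no RT account.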
