RT with external auth (was Re: [rt-users] HTTP_Auth with rt?)

D. Joe Anderson deejoe at iastate.edu
Wed Feb 14 18:25:35 EST 2001


On Wed, 14 Feb 2001, Eric Goodman wrote:

> Date: Wed, 14 Feb 2001 13:54:47 -0800
> From: Eric Goodman <ericg at cats.ucsc.edu>
> To: rt-users at fsck.com
> Subject: Re: RT with external auth (was Re: [rt-users] HTTP_Auth with rt?)
> 
> >         # if the user's submitted password is his MSOE NT domain password, then
> >         # update the rt db to have his nt password
> >         sub msoe_authenticate {
> >             my ($username, $password) = @_;
> >             my ($user_id, $pass) = ($dbh->quote("$username"),
> >             $dbh->quote("$password"));
> >
> >             use Authen::Smb;
> >             my $authResult = Authen::Smb::authen($username,
> >                          $password, 'yamato', 'hood', 'MSOE');
> >             if ( $authResult == Authen::Smb::NO_ERROR ) {
> >                 # user submitted a valid password.  Let's put it into RT
> >                 my $sql = qq[UPDATE users SET password = $pass WHERE user_id = $user_id];
> >                 $dbh->Query($sql) or
> >                         warn "[msoe_authenticate] Sql had some problems: $Mysql::db_errstr\n$sql";
> >             }
> >         }
> 
> Hmm. Doesn't this stick the users password into the DB in cleartext?
> 
> Seems like you might do better to add a one-time password into the 
> mix. You could essentially call your msoe_authenticate() function 
> passing in the one-time password. If the MSOE authentication 
> succeeds, the onetime password could get stored in the database (in 
> place of the domain password).
> 
> Still, a very nifty hack/patch!

Yes, pretty nifty.  That helps me fill out what I might try if I ever get
my head around Authen::Krb5-1.2, which is what I'll use in place of the
recent mod_auth_pam that's been giving me trouble in RedHat 7.0/Mandrake
7.2 environments.  Would have the advantage of being more portable too,
since Apache+Perl is more widely available than Apache+PAM+Perl.

I'd probably want to at least work off of some kind of one-way hash of the
passwords themselves, rather than use them unencrypted.  But, I don't have
any working code, either now, do I? ;-)

--Joe
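The two fixes proposed in this thread (Eric's per-login one-time secret in place of the domain password, and Joe's one-way hash of whatever is stored) combine naturally. The following is an added illustration, not code from RT or from either poster. It assumes DBI with DBD::SQLite is installed, a Unix /dev/urandom, a hypothetical code ref standing in for Authen::Smb::authen (so it runs without an NT domain), and a `salt` column added to the `users` table, which RT's own schema does not have.

```perl
#!/usr/bin/perl
# Added illustration (not RT's code): authenticate against an external
# source, then store only a salted one-way hash of a fresh random secret
# in the RT users table. The user's domain password is never written out.
use strict;
use warnings;
use DBI;                            # assumed: DBI plus DBD::SQLite
use Digest::SHA qw(sha256_hex);     # core module

# Read N random bytes from the kernel CSPRNG and return them as hex
# (assumes a Unix /dev/urandom).
sub random_hex {
    my ($nbytes) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, $nbytes) == $nbytes or die "short read from urandom";
    close $fh;
    return unpack('H*', $buf);
}

# Salted one-way hash; the salt sits next to the hash so the check can be
# repeated later without keeping the secret itself.
sub hash_secret {
    my ($salt, $secret) = @_;
    return sha256_hex("$salt:$secret");
}

# Hardened counterpart of the msoe_authenticate() quoted in the thread.
# $external_check is a code ref (hypothetical stand-in for
# Authen::Smb::authen) that returns true when the domain accepts the
# password. On success a random secret is generated, its salted hash is
# written with bound parameters (no interpolated SQL), and the secret is
# returned to the caller for use in a session cookie or similar.
sub external_authenticate {
    my ($dbh, $username, $password, $external_check) = @_;
    return undef unless $external_check->($username, $password);

    my $secret = random_hex(16);    # Eric's "one-time password"
    my $salt   = random_hex(8);
    my $sth = $dbh->prepare(
        'UPDATE users SET password = ?, salt = ? WHERE user_id = ?');
    $sth->execute(hash_secret($salt, $secret), $salt, $username)
        or warn "[external_authenticate] SQL failed: " . $dbh->errstr;
    return $secret;
}

# Verify a presented secret against the stored salted hash.
sub check_secret {
    my ($dbh, $username, $secret) = @_;
    my ($hash, $salt) = $dbh->selectrow_array(
        'SELECT password, salt FROM users WHERE user_id = ?', undef, $username);
    return 0 unless defined $hash;
    return hash_secret($salt, $secret) eq $hash ? 1 : 0;
}

# Demo: in-memory SQLite table plus a constructed directory that stands in
# for the NT domain.
my %domain = (joe => 'correct-horse');              # constructed sample
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1 });
$dbh->do('CREATE TABLE users (user_id TEXT PRIMARY KEY, password TEXT, salt TEXT)');
$dbh->do('INSERT INTO users (user_id) VALUES (?)', undef, 'joe');

my $check = sub { my ($u, $p) = @_; exists $domain{$u} && $domain{$u} eq $p };

my $secret = external_authenticate($dbh, 'joe', 'correct-horse', $check);
die "domain auth should have succeeded" unless defined $secret;
die "stored value must not be the domain password"
    if $dbh->selectrow_array('SELECT password FROM users WHERE user_id = ?',
                             undef, 'joe') eq 'correct-horse';
die "secret should verify"  unless check_secret($dbh, 'joe', $secret);
die "wrong secret must fail"  if check_secret($dbh, 'joe', 'bogus');
die "wrong domain password must fail"
    if defined external_authenticate($dbh, 'joe', 'wrong', $check);
print "ok\n";
```

A plain salted SHA-256 is acceptable here only because the stored value is a 128-bit random secret, not a human-chosen password; if you ever store a hash of the user's own password, use a deliberately slow scheme (bcrypt, scrypt or Argon2) instead. The bound-parameter `UPDATE` also removes the reliance on `$dbh->quote` that the original snippet needs to keep the username and password out of the SQL text.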
