[rt-users] Re: Apache authentication, then RT authentication?

deejoe at iastate.edu deejoe at iastate.edu
Mon Aug 12 18:39:46 EDT 2002


On Mon, Aug 12, 2002 at 09:52:44AM +0100, Dave Ewart wrote:
> On Friday, 09.08.2002 at 11:33 -0700, Gretchen K. Wagner wrote:
> 
> > On Thu, 8 Aug 2002, Gretchen K. Wagner wrote:
> > 
> > > Ideas, anyone?  Perhaps I'm setting $WebExternalAuth improperly
> > > (couldn't find any relevent documentation or useful examples in
> > > mailing list archives).
> > 
> > After toying about with the WebExternalAuth setting (pointing it to
> > differing PAM libraries), I now get passed/logged directly into RT,
> > but then I get "You are not an authorized user" for any function, and
> > "logout" is now missing.
> 
> Why are you "pointing it to PAM libraries" etc.?  I thought the idea was
> that if WebExternalAuth is defined (i.e. ANYTHING other than 'undef')
> then the RT environment will use the value of REMOTE_USER as its
> authenticated user.  The actual _value_ of $WebExternalAuth is ignored,
> as far as I can tell.  The code in WebRT/html/autohandler would seem to
> support this.

The following is based on my experience with older versions of RT, and the
assumption that RT hasn't changed significantly in this regard in newer
versions.  Standard disclaimers also apply:

The point is that the session must get past the browser's authentication
mechanism first in order to proceed.  This then keeps out all
unauthenticated users whether they are authorized or not (or, to put it more
prosaically, if a person claiming to be johndoe can't demonstrate that s/he
*is* johndoe, it doesn't matter if johndoe is authorized or not, the
claimant isn't getting in).

Access is granted through PAM in the following general way:  remote user
requests introductory page from .htaccess-protected directory; apache requests
authentication credentials (username password) from remote user to satisfy
.htaccess restrictions and then passes these off to PAM via mod_auth_pam;
PAM in turn uses one of many different types of authentication modules (we
use kerberos, as it appears UCSC is also trying to use).  Once PAM, and
therefor the web server, is satisfied with the credetials, the user can then
proceed to call any links in the .htaccess protected directory.

(Apologies if this belabors the point.  Corrections, as always, welcome.)

I can confirm the earlier report that RT needs the username configured
locally in RT to match that authenticating to the web server (ie, my
kerberos principal is "deejoe" and my RT account is also named "deejoe").

The sticking point here might be that, at least with the versions of RT I've
used, a local *password* must also be configured for the account.  This may
have something to do with a restriction against empty passwords, but that's
only a guess.

The local password need never actually be used, but it does need set.  

If you have local passwords set for the accounts in question, then I'm all
out of problem-solving ideas at the moment.

Another caveat:  Cookies are used for RT's built-in authentication.  When
external authentication is configured, no cookies are generated.  Therefore
it effectively becomes impossible to log out without closing the browser
session and wiping the cache since http basic authentication can never be
canceled or expired otherwise.  This behavior (no cookies from RT) may have
changed with more recent RT versions, I don't know.

> What I don't understand is why the browser authentication is not also
> logging me into RT!

--Joe






More information about the rt-users mailing list