[rt-users] RT3.{2|4} + Apache::AuthenNTLM = 2 problems
Jakub Turski
yacoob at chruptak.plukwa.net
Fri Feb 18 13:11:06 EST 2005
Greetings, fellow RTers.
I've just installed RT3.4 and ran into a peculiar problem. Perhaps someone
was also struggling with such a setup and can give me a hand here.
Anyway: I was hoping to use WebExternalAuth and check passwords on an AD controller. Thus:
---8<--------------------------------------------
Set($WebExternalAuth , 1);
Set($WebFallbackToInternalAuth , 1);
Set($WebExternalGecos , undef);
Set($WebExternalAuto , undef);
---8<--------------------------------------------
I want the fallback just in case the ADC fails, so I can log in, at least with
the locally defined root account.
I've also modified apache-modperl.conf to look like this:
---8<--------------------------------------------
<Directory /usr/share/request-tracker3.2/html>
PerlAuthenHandler Apache::AuthenNTLM
AuthType ntlm
require valid-user
PerlAddVar ntdomain "DOMAIN ADC1 ADC2"
PerlSetVar defaultdomain DOMAIN
PerlSetVar splitdomainprefix 1
SetHandler perl-script
PerlHandler RT::Mason
</Directory>
<Directory /usr/share/request-tracker3.2/html/NoAuth>
Satisfy Any
Allow from All
</Directory>
---8<--------------------------------------------
And voila! It works!
...but without fallback.
With IE, I found no way to stop the browser from sending a proper NTLM auth header,
so I'm always logged in. With Firefox, a window pops up to enter login/pass, so I
hoped I could get the RT login page in case I enter a wrong login or press Esc. When I
press Esc, I get 'Authorization Required' from Apache. When I supply a wrong
login/pass, the window is displayed again. Not what I want :>
It looks like this in the error log:
[Fri Feb 18 18:36:40 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\ for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\ewrqwer for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\wqerqwe for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\ for /rt/
[Fri Feb 18 18:55:08 2005] [error] access to /rt/ failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /rt/
(series of wrong logins, ended with ESC)
I've tried to modify Apache::AuthenNTLM behaviour, by setting ntlmauthoritative to off:
PerlSetVar ntlmauthoritative off
But in that case, I get 500 Internal Server Error:
[Fri Feb 18 19:01:42 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\fasfads for /rt/
[Fri Feb 18 19:01:42 2005] [crit] [client 163.242.13.190] configuration error: couldn't check user. No user file?: /rt/
... just after the first bad login attempt.
Of course this breaks the rt command line tool, which is a bit more important to me than fallback.
Exactly the same happens with Basic auth, so I guess it is rather RT related.
Help? :)
Best regards,
KT.
--
__ __.---------------------------------------------------------------.__
(oo) | If God is perfect, why did He create discontinuous functions? |
/ \/ \ | |
`V__V' `--.__penguin_#128720______________________________________________.--'
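An added example, not part of the original post and not code from RT or Apache::AuthenNTLM: a small Python parser for the error_log lines quoted above. It separates the three failure modes in the post and counts how often a rejected login is followed in the same second by the [crit] line. The function names and event labels are assumptions made for this example.

```python
import re
from collections import Counter

# Log lines copied from the post above (backslashes appear doubled in the log).
SAMPLE = r"""
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\ewrqwer for /rt/
[Fri Feb 18 18:36:41 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\ for /rt/
[Fri Feb 18 18:55:08 2005] [error] access to /rt/ failed for , reason: Bad/Missing NTLM/Basic Authorization Header for /rt/
[Fri Feb 18 19:01:42 2005] [error] access to /rt/ failed for , reason: Wrong password/user (rc=3/1/327681): DOMAIN\\fasfads for /rt/
[Fri Feb 18 19:01:42 2005] [crit] [client 163.242.13.190] configuration error: couldn't check user. No user file?: /rt/
""".strip().splitlines()

HEAD = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
BAD_CRED = re.compile(r"reason: Wrong password/user \(rc=(?P<rc>[\d/]+)\): "
                      r"(?P<domain>[^\\\s]+)\\+(?P<user>\S*) for (?P<uri>\S+)$")

def classify(line):
    """Turn one error_log line into a dict, or None if it is not an auth event."""
    m = HEAD.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "level": m["level"], "kind": None}
    cred = BAD_CRED.search(m["msg"])
    if cred:  # credentials were sent and rejected; user may be empty
        ev.update(kind="bad_credentials", rc=cred["rc"], domain=cred["domain"],
                  user=cred["user"], uri=cred["uri"])
    elif "Bad/Missing NTLM/Basic Authorization Header" in m["msg"]:
        ev["kind"] = "no_auth_header"        # e.g. the login dialog was dismissed
    elif "couldn't check user" in m["msg"]:
        ev["kind"] = "no_handler_accepted"   # the [crit] line behind the 500
    return ev if ev["kind"] else None

def summarize(lines):
    """Count event kinds and the reject-then-[crit] pairing reported in the post."""
    events = [e for e in map(classify, lines) if e]
    counts = Counter(e["kind"] for e in events)
    pairs = sum(1 for prev, cur in zip(events, events[1:])
                if cur["kind"] == "no_handler_accepted"
                and prev["kind"] == "bad_credentials" and prev["ts"] == cur["ts"])
    users = sorted({e["user"] for e in events if e.get("user")})
    return {"counts": dict(counts), "reject_then_500": pairs, "users": users}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```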