[rt-users] RT3.{2|4} + Apache::AuthenNTLM = 2 problems

Jakub Turski yacoob at chruptak.plukwa.net
Sat Feb 19 19:28:32 EST 2005


 ._         The little penguin sat on the shore,
_ at __        watching Jakub Turski write the letter
    ~~~~~   on the memorable day of 2005/02/18 19:20

> Greetings, fellow RTers.
 [cut]

 Not quite happy to answer to myself, but still... perhaps someone will also
 think wrong in the same way as me.

 Anyway, I was mistaken about 'WebFallbackToInternalAuth' - I was hoping that
 internal auth would be displayed if the external one fails. In fact, internal
 auth (and its login box) is kicked into action only if external auth succeeds,
 but the REMOTE_USER set by Apache doesn't exist in the RT database.

> I want the fallback just in case ADC fails, so I can log in, at least with
> locally defined root account.

 ... and thus, I think that this kind of fallback won't be possible :(

> Of course this breaks the rt command line tool, which is a bit more important to
> me than fallback.

 This one still remains a mystery to me.

 I've investigated the code of bin/rt, and found that no user/pass is passed to
 LWP. Therefore, once any AuthType is in place, I get 401 while using any 'rt
 command' :(

 A simple workaround would be something like this:

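 <Location /rt/REST>
 	# Host check defaults to deny, so only localhost skips web auth;
 	# every other client must still pass the configured AuthType.
 	Order allow,deny
 	Allow from localhost
 	Satisfy any
 </Location>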

 ...but it is not always possible/plausible.

 According to the wiki, bin/rt should not be affected by web auth, but apparently
 (judging from code, and sheer fact of usage of LWP :) this is not the case.
 I've modified bin/rt to parse three additional arguments in .rtrc:

 webuser - user used for web auth
 webpass - password used for web auth
 webrealm - auth realm set up in apache

The patch itself looks like this:

--------8<-------------------------------------------------------
72a73,75
>               webuser => undef,
>               webpass => undef,
>               webrealm => undef
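Review bot: The last added entry, 'webrealm => undef', has no trailing comma, so this hunk only parses if nothing follows it inside the hash. Ending the line with a comma keeps the insertion safe wherever it lands and makes later additions a one-line diff.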
749a753,761
> 
>       # handle web auth
>       if (defined $config{'webuser'}) {
>               my $serv;
>               ($serv = $config{'server'}) =~ s{[^:]+://([^/]+)/?.*}{$1};      # try to get server:port from $config{server}
>               $serv .= ":80" if ($serv !~ m{\w+:\d+});                        # add ':80' if port is missing
>               $ua->credentials($serv, $config{'webrealm'}, $config{'webuser'} => $config{'webpass'}); # set creds for LWP
>       }
> 
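Review bot: The ':80' default on the '$serv .= ":80"' line is wrong for an https:// server, because the substitution above it has already discarded the scheme; LWP matches credentials on host:port, so for https without an explicit port the entry would need ':443' and these credentials are never offered. Deriving the value with URI->new($config{'server'})->host_port would cover both schemes and also the case where the s{}{} pattern does not match and $serv is left holding the whole string. Separately, only webuser is tested with defined(); webrealm and webpass go to credentials() unchecked, so an .rtrc with webuser alone registers an undef realm and password. Requiring all three (or warning when one is missing) would make that failure visible.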
1182c1194
<             if (/^(user|passwd|server|query|orderby)\s+(.*)\s?$/) {
---
>             if (/^(user|passwd|webuser|webpass|webrealm|server|query|orderby)\s+(.*)\s?$/) {
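Review bot: The value capture '(.*)\s?$' is greedy, so the optional '\s?' never consumes anything and trailing whitespace on an .rtrc line ends up inside the value. That matters more for the new keys than for the old ones: webrealm has to match the server's realm string exactly and webpass is sent as-is, so a stray trailing space gives a 401 that is hard to spot. '(.*?)\s*$' would strip it. Since webpass puts a second plaintext password in .rtrc, a line in the documentation about keeping the file readable by its owner only would also be worth adding.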
--------8<-------------------------------------------------------

 ... and basically works for me ;>

 So far I have only tested this with Basic auth, but as there's LWP::Auth::NTLM
 module, it should also work with NTLM auth (I'll test it on Monday)

 Please drop me a line if you find this patch useful. If not, drop me a line as
 well, perhaps I'm missing something here? :>

Best regards,

KT.
-- 
   __    __.---------------------------------------------------------------.__
  (oo)  |    If God is perfect, why did He create discontinuous functions?    |
 / \/ \ |                                                                     |
 `V__V' `--.__penguin_#128720______________________________________________.--'


