[rt-users] RT works with CAS - was "WebNoAuthRegex - what is this?"

Duncan Napier napier at napiersys.bc.ca
Wed Feb 8 13:13:33 EST 2006


Hello,

I have RT working with the Central Authentication System (CAS) for 
Web-based single sign-on/automation using an implementation of the 
Apache2 mod_cas add-on:

http://www.ja-sig.org/wiki/display/CAS/Home

Turns out the Central Authentication "?ticket" parameter, appended onto 
every URL, can be eliminated by setting up ticket caching on the Apache2 
server (mod_cas directive CASLocalCacheFile enabled). After that only the 
first access appends the ticket string. Once the ticket parameter is 
gone, the MySQL autocommits (which the ticket parameter was breaking) 
work fine. CAS users may experience a problem attempting to alter the 
database on the first re-login after their ticket expires, but I have not 
personally encountered this.

			Duncan. 



On Thu, 2 Feb 2006, Duncan Napier wrote:

> Hello,
> 
> I am having a problem with deploying RT on a Web-based authentication 
> system that appends a ticket string
> 
> "?ticket=xxxxxxx"
> 
> to every URL that lies below the rt-doc root (i.e. the one that has the 
> .htaccess restriction). I see 
> 
> "WebNoAuthRegex - What portion of RT's URLspace should not require
> authentication." and wonder if that can fix it. I only need RT users to 
> authenticate to my RT home page (index.html). How do you specify the 
> non-authenticated URL space?
> 
> Here are the details:
> 
> I successfully have deployed RT 3.4.5-1 on Fedora Core
> kernel-smp-2.6.14-1.1656_FC4 running with Apache 2.0.54/55, MySQL
> 4.1.16-1, PHP 5.1.2, mod_perl-2.0.2 and it works great.
> 
> I set up and tested Apache Basic authentication (i.e. .htpasswd/password 
> file, AuthMySQLEnable off) and set
> 
> Set($WebExternalAuth , '1');
> Set($WebFallbackToInternalAuth , 'true');
> Set($WebExternalAuto , '1');
> 
> in RT_SiteConfig.pm. Again, RT works as expected.
> 
> The university campus on which I work deploys the Central Authentication
> Service (CAS), a web-based, single sign-on authentication/authorization
> system originally developed at Yale University:
> 
> http://www.ja-sig.org/wiki/display/CAS/Home
> 
> Users can authenticate and log on correctly (letting users use their 
> University computing services account login/password). I can browse RT 
> correctly, but whenever I try to make any changes, I get errors like
> 
> RTWeb: Unable to load queue ''
> RTWeb: Unable to load user ''
> 
> etc ('' is a null string). I believe the URL ticket appending on the URL 
> is messing up transactions on the system. I've compared full logs of 
> MySQL with CAS turned on and Basic authentication turned on, and can see 
> differences in the way queries are run. For example, the transactions 
> run under CAS never do an autocommit. I'm pretty sure it is the 
> "?ticket=xxxx" string at the end that is causing the problem. Can anyone 
> suggest a fix otherwise?
> 
> 			Regards,
> 
> 			Duncan.  
> 
> 
> 
> 
> 

-- 
--------------------------------------------------------------------------
Duncan Napier                                   email:napier at napiersys.com
Napier Systems Research                         Ph:(604) 812-8321
http://www.napiersys.bc.ca
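
A way to check from the Apache access log that, once ticket caching is enabled, only the first access per client carries the "?ticket" parameter. This is an added example, not part of the original post; it assumes the Apache combined log format and a log window covering one login per client, and the log lines, ticket values and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined log format), not real traffic.
# alice: ticket only on the first access. bob: ticket on every request.
SAMPLE_LOG = """\
192.0.2.10 - alice [08/Feb/2006:13:00:01 -0500] "GET /rt/index.html?ticket=ST-constructed-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - alice [08/Feb/2006:13:00:09 -0500] "GET /rt/Ticket/Display.html?id=12 HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.10 - alice [08/Feb/2006:13:00:30 -0500] "POST /rt/Ticket/Modify.html?id=12 HTTP/1.1" 200 8302 "-" "Mozilla/5.0"
192.0.2.20 - bob [08/Feb/2006:13:02:01 -0500] "GET /rt/index.html?ticket=ST-constructed-2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - bob [08/Feb/2006:13:02:07 -0500] "GET /rt/Ticket/Display.html?id=12&ticket=ST-constructed-2 HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.20 - bob [08/Feb/2006:13:02:40 -0500] "POST /rt/Ticket/Modify.html?id=12&ticket=ST-constructed-2 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def ticket_requests(log_text):
    """Map (ip, user) -> [(method, path)] for requests whose query has 'ticket'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m["target"])
        # Parse the query properly so 'id=12&ticket=...' is caught as well.
        if "ticket" in parse_qs(parts.query, keep_blank_values=True):
            hits[(m["ip"], m["user"])].append((m["method"], parts.path))
    return dict(hits)


def clients_with_repeated_tickets(log_text):
    """Clients whose requests carried the ticket parameter more than once."""
    return {c: r for c, r in ticket_requests(log_text).items() if len(r) > 1}


if __name__ == "__main__":
    for (ip, user), reqs in clients_with_repeated_tickets(SAMPLE_LOG).items():
        print(f"{user}@{ip}: ticket parameter on {len(reqs)} requests")
        for method, path in reqs:
            print(f"  {method} {path}")
```

A client that logs in again after its ticket expires will legitimately show a second ticket-bearing request, so run the check over a window short enough to cover a single login.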




