[rt-users] PATCHES: Allow RT to authenticate against PAM (updated)

Thu Nov 29 12:47:41 EST 2007

Hi all

(For those on -devel, this is essentially the same post as late last
week but with minor changes)

PAM - http://www.kernel.org/pub/linux/libs/pam/ - can authenticate
against a multitude of sources (backends) - an LDAP system, Active
Directory, Kerberos, local passwd/shadow files, a separate MySQL
instance... you name it, it's probably got a module for it somewhere.
This will allow RT admins to use a flexible authentication source
*without* having to modify RT beyond a couple of configuration options.

The changes made are principally to the "IsPassword" function in
lib/RT/CurrentUser.pm such that it can use PAM to check a password, can
use the RT database to check a password, or fall through from PAM to
database if PAM fails.

Additionally, if PAM succeeds and the RT database differs from that
password, there's the option to set the RT password (thus keeping them
in sync).

In combination, if the PAM source goes away, the system can still
authenticate against the RT database using the most recently successful
PAM password. It's possible to turn off the password change and fallback
options, too.

There are both changes to CurrentUser.pm and some additional sections to
RT_SiteConfig.pm. Some of the logging statements could be changed (it's
a bit verbose at the moment) but otherwise it's all as functional as it
can be.

The array defining modules (see below) currently contains one module
name - rt-krb5-auth - but can contain several in order to authenticate
against multiple backends.

NOTE: Any module name passed in this way containing the word "dummy" is
skipped - it's there purely for reference, to see that the code looped
as I wanted it to.

We now have this in production for our support staff within the
department and several other University departments without error.

The example pam.d file included here is for authentication against an
AD. You could just as easily test against the local system, or something
else, given the right config.

Please feel free to give this a try (where relevant). If anyone needs a
hand making PAM fire off against an AD, please feel free to contact me
off list - there's a bit of extra config to make Kerberos work properly.

Graeme
-- 
Graeme Fowler
Team Manager (ISSS), Computing Services
Loughborough University - http://www.lboro.ac.uk/
T: +44 1509 228226
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rt-krb5-auth.patch
Type: text/x-patch
Size: 197 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20071129/2d416fbc/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CurrentUser.pm.patch
Type: text/x-patch
Size: 2583 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20071129/2d416fbc/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RT_SiteConfig.pm.patch
Type: text/x-patch
Size: 1421 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20071129/2d416fbc/attachment-0002.bin>