[rt-users] Certificate based access instead of username/pw
Kevin Falcone
falcone at bestpractical.com
Mon Feb 21 15:40:47 EST 2011
On Mon, Feb 21, 2011 at 03:24:37PM -0500, Jeff Blaine wrote:
> On 2/21/2011 3:15 PM, Kevin Falcone wrote:
> >On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
> >>On 2/21/2011 2:35 PM, Kevin Falcone wrote:
> >>>On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> >>>>I would like to change standard access to RT from username/pw to
> >>>>certificates authorization. Is there any simple way to do that ? Or
> >>>>any additions to the RT ?
> >>>
> >>>You should be able to have Apache do the auth and pass that along to
> >>>RT. For the RT config, you want to read about WebExternalAuth in
> >>>RT_Config.pm
> >>If you ever get this working, please let me know. I've
> >>tried and failed.
> >
> >You don't say what failed, but the Apache side is just
> >SSLVerifyClient require
> >plus
> >SSLUserName
>
> Yes, we have all of the cert stuff working fine (required).
> I tried:
>
> SSLUserName SSL_CLIENT_S_DN_UID
>
> and turned on WebExternalAuth, et al. Restarted httpd,
> closed browser, visited site, entered certificate
> passphrase, and saw the same old RT login screen.
This implies you didn't turn on WebExternalAuth, or also turned on
WebFallbackToInternalAuth. Apache will log the REMOTE_USER so it is
relatively straightforward to see if the Apache is providing enough
information for RT.
-kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20110221/797385e0/attachment.sig>
More information about the rt-users
mailing list