[rt-users] Certificate based access instead of username/pw

Kevin Falcone falcone at bestpractical.com
Mon Feb 21 15:40:47 EST 2011


On Mon, Feb 21, 2011 at 03:24:37PM -0500, Jeff Blaine wrote:
> On 2/21/2011 3:15 PM, Kevin Falcone wrote:
> >On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
> >>On 2/21/2011 2:35 PM, Kevin Falcone wrote:
> >>>On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> >>>>I would like to change standard access to RT from username/pw to
> >>>>certificates authorization. Is there any simple way to do that? Or
> >>>>any additions to the RT?
> >>>
> >>>You should be able to have Apache do the auth and pass that along to
> >>>RT.  For the RT config, you want to read about WebExternalAuth in
> >>>RT_Config.pm
> >>If you ever get this working, please let me know.  I've
> >>tried and failed.
> >
> >You don't say what failed, but the Apache side is just
> >SSLVerifyClient require
> >plus
> >SSLUserName
> 
> Yes, we have all of the cert stuff working fine (required).
> I tried:
> 
>     SSLUserName SSL_CLIENT_S_DN_UID
> 
> and turned on WebExternalAuth, et al.  Restarted httpd,
> closed browser, visited site, entered certificate
> passphrase, and saw the same old RT login screen.

This implies you didn't turn on WebExternalAuth, or also turned on
WebFallbackToInternalAuth.  Apache will log the REMOTE_USER so it is
relatively straightforward to see if Apache is providing enough
information for RT.

-kevin
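
Added example, not part of the original message and not code from RT or Apache: a small script that applies the check described in the reply above, reading the %u (REMOTE_USER) field of Apache access-log lines to tell whether Apache is handing a user name to RT. It assumes the common/combined log format; the log lines, user names, paths and verdict strings are constructed for illustration.

```python
import re
from collections import Counter

# Common/combined log prefix: host ident user [time] "request" status size.
# The user field (%u, i.e. REMOTE_USER) is matched lazily up to the timestamp
# because a name taken from a certificate field may contain spaces.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.+?) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def remote_users(lines, prefix="/"):
    """Count the %u value of each parsable request whose path starts with prefix."""
    seen = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("path").startswith(prefix):
            seen[m.group("user")] += 1
    return seen

def diagnose(lines, prefix="/"):
    """Return which side of the Apache -> RT hand-off to look at next."""
    seen = remote_users(lines, prefix)
    if not seen:
        return "no-requests"
    if all(user == "-" for user in seen):
        # Apache logged no user for any request: revisit the Apache side
        # (SSLVerifyClient require, SSLUserName and the variable it names).
        return "apache-sets-no-remote-user"
    # Apache supplies a name, so a login screen points at the RT settings
    # named in the thread (WebExternalAuth, WebFallbackToInternalAuth).
    return "apache-ok-check-rt-config"

# Constructed sample log lines (hypothetical hosts, users and paths).
SAMPLE_NO_USER = [
    '192.0.2.10 - - [21/Feb/2011:15:30:01 -0500] "GET /rt/ HTTP/1.1" 200 4521',
    '192.0.2.10 - - [21/Feb/2011:15:30:02 -0500] "GET /rt/NoAuth/css/main.css HTTP/1.1" 200 812',
]
SAMPLE_WITH_USER = [
    '192.0.2.11 - jdoe [21/Feb/2011:15:31:10 -0500] "GET /rt/ HTTP/1.1" 200 4521',
    '192.0.2.12 - Jane Doe [21/Feb/2011:15:31:40 -0500] "GET /rt/Ticket/Display.html?id=1 HTTP/1.1" 200 9120',
    'line that does not parse and is skipped',
]

if __name__ == "__main__":
    for name, sample in (("no user", SAMPLE_NO_USER), ("with user", SAMPLE_WITH_USER)):
        print(name, dict(remote_users(sample)), diagnose(sample))
```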