[rt-users] Certificate based access instead of username/pw

Jeff Blaine jblaine at kickflop.net
Mon Feb 21 16:11:21 EST 2011



On 2/21/2011 3:40 PM, Kevin Falcone wrote:
> On Mon, Feb 21, 2011 at 03:24:37PM -0500, Jeff Blaine wrote:
>> On 2/21/2011 3:15 PM, Kevin Falcone wrote:
>>> On Mon, Feb 21, 2011 at 03:06:44PM -0500, Jeff Blaine wrote:
>>>> On 2/21/2011 2:35 PM, Kevin Falcone wrote:
>>>>> On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
>>>>>> I would like to change standard access to RT from username/pw to
>>>>>> certificate authorization. Is there any simple way to do that? Or
>>>>>> any additions to RT?
>>>>>
>>>>> You should be able to have Apache do the auth and pass that along to
>>>>> RT.  For the RT config, you want to read about WebExternalAuth in
>>>>> RT_Config.pm
>>>> If you ever get this working, please let me know.  I've
>>>> tried and failed.
>>>
>>> You don't say what failed, but the Apache side is just
>>> SSLVerifyClient require
>>> plus
>>> SSLUserName
>>
>> Yes, we have all of the cert stuff working fine (required).
>> I tried:
>>
>>      SSLUserName SSL_CLIENT_S_DN_UID
>>
>> and turned on WebExternalAuth, et al.  Restarted httpd,
>> closed browser, visited site, entered certificate
>> passphrase, and saw the same old RT login screen.
>
> This implies you didn't turn on WebExternalAuth, or also turned on
> WebFallbackToInternalAuth.  Apache will log the REMOTE_USER so it is
> relatively straightforward to see if Apache is providing enough
> information for RT.

Correct.  I've since turned off WebFallbackToInternalAuth.

Set($WebExternalAuth, 1);
Set($WebExternalAuthContinuous, 1);
Set($WebFallbackToInternalAuth , undef);

SSLVerifyClient require
SSLUserName SSL_CLIENT_S_DN_UID

%u (remote user) logs as "-" for me, so is no help
other than to indicate it's not working.

RT 3.8.7
Apache httpd 2.2.3-45.el5

Thanks for the help though.
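
One way to narrow down a "-" in %u, as an added example that is not part of the original message: log the client subject DN and the variable named in SSLUserName next to %u using mod_ssl's %{VAR}x log extension, then classify each request. The LogFormat line, the function names and the sample log lines are assumptions constructed for illustration; the DN is assumed to be in the slash-separated form.

```python
import re

# Assumed (not from the thread) access-log format, using mod_ssl's %{VAR}x:
#   LogFormat "%h %l %u %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_S_DN_UID}x\""
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<dn>[^"]*)" "(?P<var>[^"]*)"$'
)

def dn_attributes(dn):
    """Attribute names in a slash-separated subject DN (/C=US/O=.../CN=...).
    Values that themselves contain '/' are not handled."""
    return [part.split("=", 1)[0] for part in dn.split("/") if "=" in part]

def diagnose(line):
    """Classify one access-log line; returns (verdict, detail)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ("unparsed", line.strip())
    user, dn, var = m["user"], m["dn"], m["var"]
    if user != "-":
        return ("ok", f"REMOTE_USER={user}")
    if dn in ("", "-"):
        # No certificate was seen for this request at all.
        return ("no-client-cert", "no subject DN logged for this request")
    if var in ("", "-"):
        # Certificate verified, but the variable SSLUserName points at is empty.
        return ("variable-empty", "subject DN has: " + ",".join(dn_attributes(dn)))
    # The variable has a value, so SSLUserName is not in effect for this URL.
    return ("username-not-applied", f"variable={var} but %u is empty")

# Constructed sample lines (not real log data).
SAMPLE = [
    '192.0.2.10 - - [21/Feb/2011:16:02:11 -0500] "GET /rt/ HTTP/1.1" 200 "/C=US/O=Example/OU=People/CN=Test User" "-"',
    '192.0.2.10 - - [21/Feb/2011:16:02:12 -0500] "GET /rt/ HTTP/1.1" 200 "-" "-"',
    '192.0.2.11 - - [21/Feb/2011:16:02:13 -0500] "GET /rt/ HTTP/1.1" 200 "/C=US/O=Example/CN=Test User/UID=tuser" "tuser"',
    '192.0.2.12 - tuser [21/Feb/2011:16:02:14 -0500] "GET /rt/ HTTP/1.1" 200 "/C=US/O=Example/CN=Test User/UID=tuser" "tuser"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(diagnose(line))
```

A "variable-empty" verdict lists the attributes the certificate subject does carry, which shows what SSLUserName could be pointed at instead.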


