[rt-users] Certificate based access instead of username/pw
Václav Ovsík
vaclav.ovsik at i.cz
Tue Feb 22 04:52:55 EST 2011
On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> Hi,
> I would like to change standard access to RT from username/pw to
> certificates authorization. Is there any simple way to do that ? Or
> any additions to the RT ?
I'm testing a simple alternative to External Auth.
I have a Callback placed under
local/html/Callbacks/ICZAuth/autohandler/Auth
-------------------------<snip>-------------------------
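%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;
# Do nothing when a user is already logged in or when Apache exported no client certificate.
unless ( $session{'CurrentUser'} && $session{'CurrentUser'}->id() || !$ENV{'SSL_CLIENT_CERT'} )
{
    # SSL_CLIENT_CERT holds the PEM-encoded client certificate (exported by +ExportCertData).
    my $x509 = Crypt::OpenSSL::X509->new_from_string($ENV{'SSL_CLIENT_CERT'});
    my $email = lc($x509->email());
    $session{'CurrentUser'} = RT::CurrentUser->new();
    # Load the RT user whose e-mail address matches the one in the certificate.
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: $email");
}
</%init>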
-------------------------<snip>-------------------------
You must install Crypt::OpenSSL (e.g. libcrypt-openssl-x509-perl in
Debian). An email address from the Subject Alternative Name of the X.509
certificate is extracted and a corresponding user is loaded based on
an email address.
Interesting part of the Apache configuration:
    SSLVerifyClient require
    SSLOptions +ExportCertData +StdEnvVars
Best Regards
--
Zito
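
Added example, not part of the original message: a shell script for testing a setup like the one above. It issues throwaway client certificates whose e-mail address sits in subjectAltName and lists the addresses OpenSSL reports for each, including a certificate that also has a different address in its subject DN. It assumes the `openssl` command-line tool is installed; the function names, subject names and addresses are constructed.

```shell
#!/bin/sh
# Added example. All names and addresses below are constructed test values.

# new_ca DIR: create a throwaway CA key and self-signed certificate in DIR.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# new_client DIR NAME SUBJECT SAN_EMAIL: issue DIR/NAME.pem from the CA,
# with SAN_EMAIL as an rfc822Name entry in subjectAltName.
new_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    printf 'subjectAltName=email:%s\nextendedKeyUsage=clientAuth\n' "$4" \
        > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# cert_emails PEM: addresses OpenSSL reports for the certificate,
# lower-cased (as the callback does with lc) and sorted, one per line.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr 'A-Z' 'a-z' | sort
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" || return 1
    # Address only in subjectAltName: a single lookup key.
    new_client "$d" alice "/CN=Alice Example" "Alice@example.test" || return 1
    # A different address in the subject DN as well: two candidate keys.
    new_client "$d" bob "/CN=Bob Example/emailAddress=bob.old@example.test" \
        "bob@example.test" || return 1
    echo "alice: $(cert_emails "$d/alice.pem" | tr '\n' ' ')"
    echo "bob:   $(cert_emails "$d/bob.pem" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

Comparing this output with the address in the callback's debug log line shows which value `LoadByEmail` is given when a certificate carries more than one address.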