[rt-users] Certificate based access instead of username/pw

Václav Ovsík vaclav.ovsik at i.cz
Tue Feb 22 04:52:55 EST 2011


On Mon, Feb 21, 2011 at 09:24:38AM +0100, Adrian Stel wrote:
> Hi,
> I would like to change standard access to RT from username/pw to
> certificates authorization. Is there any simple way to do that ? Or
> any additions to the RT ?

I'm testing a simple alternative to External Auth.
I have a Callback placed under
local/html/Callbacks/ICZAuth/autohandler/Auth

-------------------------<snip>-------------------------
%# vim:set sw=4 sts=4 ft=mason:
<%init>
use Crypt::OpenSSL::X509;

# Run only when nobody is logged in yet and mod_ssl has exported a client
# certificate (SSLOptions +ExportCertData puts the PEM into SSL_CLIENT_CERT).
unless ( ( $session{'CurrentUser'} && $session{'CurrentUser'}->id() )
         || !$ENV{'SSL_CLIENT_CERT'} )
{
    my $x509  = Crypt::OpenSSL::X509->new_from_string($ENV{'SSL_CLIENT_CERT'});
    # email() returns the address carried by the certificate, or undef if it has none.
    my $email = $x509->email();
    $email = lc($email) if defined $email;

    $session{'CurrentUser'} = RT::CurrentUser->new();
    $session{'CurrentUser'}->LoadByEmail($email) if $email;
    $RT::Logger->debug("ICZAuth Email from X509 cert: " . ($email // '<none>'));
}

</%init>
-------------------------<snip>-------------------------

You must install Crypt::OpenSSL::X509 (e.g. libcrypt-openssl-x509-perl in
Debian). The email address is extracted from the Subject Alternative Name
of the X.509 certificate, and the corresponding user is loaded by that
email address.

The interesting part of the Apache configuration:

    SSLVerifyClient require
    SSLOptions +ExportCertData +StdEnvVars

Best Regards
-- 
Zito
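Added example, not part of the post above and not RT code: the decision logic behind a certificate login hook, written against the variables that Apache's mod_ssl exports to the application once `SSLOptions +ExportCertData +StdEnvVars` is set (SSL_CLIENT_CERT, SSL_CLIENT_VERIFY, SSL_CLIENT_SAN_Email_n, SSL_CLIENT_S_DN_Email). It makes explicit the check the Mason callback leaves to `SSLVerifyClient require`: with any other SSLVerifyClient setting the certificate may be unverified and must not be mapped to an account. The user table and the request environments are constructed sample data, and the PEM body is a placeholder.

```python
"""Certificate-to-user mapping driven by mod_ssl's exported environment.
Added example; the user directory and environments are constructed."""

# Constructed stand-in for RT's user table: email -> user id.
USERS_BY_EMAIL = {
    "alice@example.com": 12,
    "bob@example.com": 27,
}


def cert_emails(env):
    """E-mail addresses mod_ssl exported for the client certificate.

    SSL_CLIENT_SAN_Email_0, _1, ... hold the rfc822Name entries of the
    subjectAltName extension (mod_ssl in Apache 2.4); SSL_CLIENT_S_DN_Email
    holds the legacy emailAddress attribute of the subject DN. Addresses are
    lower-cased, as the Mason callback does with lc().
    """
    emails = []
    i = 0
    while "SSL_CLIENT_SAN_Email_%d" % i in env:
        emails.append(env["SSL_CLIENT_SAN_Email_%d" % i].strip().lower())
        i += 1
    dn_email = env.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    if dn_email and dn_email not in emails:
        emails.append(dn_email)
    return emails


def decide(env, session_user_id=None):
    """Return (outcome, user_id) for one request.

    session_user_id mimics $session{'CurrentUser'}->id(): a user who is
    already logged in is left alone, exactly as the callback's guard does.
    """
    if session_user_id:
        return ("already-logged-in", session_user_id)
    if not env.get("SSL_CLIENT_CERT"):
        return ("no-certificate", None)
    # The callback relies on 'SSLVerifyClient require' for this step; with
    # any other setting SSL_CLIENT_VERIFY can be NONE, GENEROUS or
    # FAILED:<reason>, so check it before mapping the certificate to an account.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return ("certificate-not-verified", None)
    for email in cert_emails(env):
        user_id = USERS_BY_EMAIL.get(email)
        if user_id is not None:
            return ("logged-in", user_id)
    return ("no-matching-user", None)


# Constructed environments; the PEM body is a placeholder, not a real certificate.
PEM_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"

ENV_ALICE = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": PEM_PLACEHOLDER,
    "SSL_CLIENT_SAN_Email_0": "Alice@Example.com",
    "SSL_CLIENT_S_DN_Email": "alice@example.com",
}
ENV_STRANGER = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": PEM_PLACEHOLDER,
    "SSL_CLIENT_SAN_Email_0": "carol@example.net",
}
ENV_UNVERIFIED = {
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_CERT": PEM_PLACEHOLDER,
    "SSL_CLIENT_S_DN_Email": "bob@example.com",
}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, env in [("alice", ENV_ALICE), ("stranger", ENV_STRANGER),
                      ("unverified", ENV_UNVERIFIED), ("no cert", ENV_NO_CERT)]:
        print("%-10s -> %s" % (name, decide(env)))
```

The lookup deliberately returns an outcome rather than silently creating a half-loaded user, so a log line can record why a certificate did not produce a login (no matching account, unverified chain, no certificate presented) without echoing the certificate itself.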


