[rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup
Ivan Shmakov
ivan at gray.siamics.net
Thu Jun 9 10:57:49 EDT 2011
I was able to successfully configure RT and Apache to use
Kerberos for authentication, roughly as shown below. However,
now I'm somewhat concerned about the lack of authentication in
rt-mailgate(1) (Debian Bug#615890 [1].) Somehow, I feel that
this issue could be resolved easily, and wonder if anyone's
interested?

[1] http://bugs.debian.org/615890

Also, I wonder, is it possible to make RT refer to LDAP for
certain information (like: login name, real name, e-mail, etc.)
about its users? It could easily become a painful experience to
either synchronize the RT user database with LDAP, or to
maintain the information in both of the places simultaneously.

Additionally, I have set up an Unprivileged “guest” account.
However, this configuration results in the user being presented
with a somewhat “limited” Web interface (in particular, it lacks
the Search facility.) Should I make this account Privileged
instead, or is there another easy way of setting up a
“read-only” account with the Search facility being active?

I'm using RT as of version 3.8.8 debian 7.

TIA.

The RT and Apache configuration files for using HTTP
authentication with a Kerberos database were roughly as follows.

$ cat < /etc/request-tracker3.8/RT_SiteConfig.d/99-trust-webauth
### 99-trust-webauth -*- Default-Generic -*-
## use the REMOTE_USER provided by the web server
Set ($WebExternalAuth, 1);
## display normal login screen if REMOTE_USER fails
# Set ($WebFallbackToInternalAuth, 1);
## create users automatically if no user matching REMOTE_USER is found
Set ($WebExternalAuto, 1);
### 99-trust-webauth ends here
$ cat < /etc/apache2/sites-enabled/gray-ssl
…
## /rt/ (for http://rt.am-1.org/)
## We use this to prevent requests for images being sent through to
## the RT::Mason handler
Alias /rt/NoAuth/images /usr/share/request-tracker3.8/html/NoAuth/images
## Handle everything else with this
ScriptAlias /rt /usr/share/request-tracker3.8/libexec/mason_handler.scgi
<Directory "/usr/share/request-tracker3.8/libexec">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>
<Location /rt/>
    DirectoryIndex index.html
    Order allow,deny
    Allow from all
    AuthType Kerberos
    ## FIXME: README.gz tells that the following is insecure
    # KrbVerifyKDC off
    Require valid-user
</Location>
## Limit mail gateway access to localhost by default
<Location /rt/REST/1.0/NoAuth>
    Order allow,deny
    Allow from ::1
    Allow from 127.0.0.0/8
    Satisfy any
</Location>
<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_HOST} =rt.am-1.org
    RewriteRule ^/$ /rt/ [R=302]
</IfModule>
…
$
--
FSF associate member #7257
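
The following is an added example, not part of the original message: a simplified Python model of how Apache 2.2 combines the two `<Location>` blocks above, showing which requests reach RT without Kerberos credentials. The request paths and client addresses are constructed samples, and `decide`, `merged` and `host_allowed` are hypothetical helper names.

```python
import ipaddress

# Constructed from the two <Location> blocks in the post. This is a simplified
# model of Apache 2.2 "Order allow,deny" plus "Satisfy", not Apache's own code.
LOCATIONS = [
    {"prefix": "/rt/", "allow": ["all"], "require_user": True, "satisfy": "all"},
    {"prefix": "/rt/REST/1.0/NoAuth", "allow": ["::1", "127.0.0.0/8"], "satisfy": "any"},
]

def merged(path):
    """Merge matching sections in file order; later sections override earlier ones.
    Plain prefix matching is an approximation of <Location> matching."""
    cfg = {"allow": [], "require_user": False, "satisfy": "all"}
    for loc in LOCATIONS:
        if path.startswith(loc["prefix"]):
            cfg.update({k: v for k, v in loc.items() if k != "prefix"})
    return cfg

def host_allowed(client, allow):
    """Order allow,deny with no Deny lines: pass only if some Allow matches."""
    addr = ipaddress.ip_address(client)
    for spec in allow:
        if spec == "all":
            return True
        net = ipaddress.ip_network(spec, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def decide(path, client, authenticated):
    """Return True if the request is passed on to RT."""
    cfg = merged(path)
    host_ok = host_allowed(client, cfg["allow"])
    if cfg["require_user"] and cfg["satisfy"] == "any":
        # Satisfy any: the host check OR a valid user is enough.
        return host_ok or authenticated
    # Satisfy all (the default): both checks must pass.
    return host_ok and (authenticated or not cfg["require_user"])

if __name__ == "__main__":
    gateway = "/rt/REST/1.0/NoAuth/mail-gateway"  # constructed sample path
    for path, client, auth in [
        (gateway, "127.0.0.1", False),       # local process, no credentials
        (gateway, "192.0.2.10", False),      # remote, no credentials
        (gateway, "192.0.2.10", True),       # remote, Kerberos-authenticated
        ("/rt/index.html", "127.0.0.1", False),
    ]:
        print(path, client, "auth" if auth else "anon", "->", decide(path, client, auth))
```

Because `Require valid-user` is inherited from `/rt/` and only `Satisfy any` relaxes it, every process on the host itself can reach the `NoAuth` path without credentials, while remote clients still have to authenticate.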