[rt-users] LDAP authentication best practices

Ruslan Zakirov ruz at bestpractical.com
Wed Oct 5 07:51:00 EDT 2011


To disable auth you can use location directives. For mailgate it's good to
protect the path by IP or host name.

Regards, Ruslan. From phone.
On 05.10.2011 8:06, user "declaya" <chocoboselphie at gmx.de> wrote:
>
>
> Thomas Smith-12 wrote:
>>
>>
>>
>> Discovered another issue... This one isn't strictly RT-related, I don't
>> think.
>>
>> The email gateway is no longer working. When I configured Apache auth,
>> I had to do it at the /opt/rt4 level--otherwise, RT would display the
>> login page without the option to login and SSO wouldn't work. Now the
>> mail gateway is unable to insert new tickets into the database as the
>> area it's trying to access is password protected. Are there any
>> best-practices for lifting the security off of this one directory
>> (NoAuth only, right?) while maintaining SSO on the remainder of the
>> system? Every time I exclude this directory from authentication, SSO
>> breaks.
>>
>>
>>
>
> Hi Thomas,
> I was facing the same problem (and I'm still curious about how to configure
> Apache using SSO with NTLMv2, but that's another problem ;) when I changed the
> login behavior for Apache.
> You have to change the Apache config: The NoAuth directories must be
> excluded from your AD authentication, so you have to set "satisfy any" and
> "Allow from all" for those directories.
>
> So my Apache config looks like this:
>
> [...]
> <Directory "/opt/rt4/share/html">
> --->here goes your Auth config for the users
> </Directory>
>
> <Directory "/opt/rt4/share/html/REST/1.0/NoAuth">
> SetHandler modperl
> PerlResponseHandler Plack::Handler::Apache2
> satisfy any
> allow from all
> </Directory>
>
> <Directory "/opt/rt4/share/html/NoAuth">
> SetHandler modperl
> PerlResponseHandler Plack::Handler::Apache2
> satisfy any
> allow from all
> </Directory>
>
> <Location /REST/1.0/NoAuth>
> satisfy any
> allow from all
> </Location>
> [...]
>
> I'm not completely sure which of the directories is the right one, but
> until now it works for me.
> Hope this helps a bit!
>
> Have a nice day!
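The advice at the top of this message (exempt the gateway path with a Location block, but limit it by IP or host name) applied to the quoted configuration, as an added example that is not part of the original thread. It uses Apache 2.2 syntax like the quoted config, and 192.0.2.10 is a placeholder for the host that runs rt-mailgate.

```apache
# Added example, not from the thread. Apache 2.2 access-control syntax.
# 192.0.2.10 is a placeholder (documentation range) for the mail host.

# Quoted config, for comparison: the path is open to every client.
#   <Location /REST/1.0/NoAuth>
#       Satisfy any
#       Allow from all
#   </Location>

# Restricted form: only the mail host skips authentication.
<Location /REST/1.0/NoAuth>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    # Satisfy Any = pass the host check OR pass user authentication.
    # The mail host gets in without credentials; every other client
    # falls back to the user authentication configured for the rest
    # of RT (or is refused if no Require directive applies here).
    Satisfy Any
</Location>

# Apache 2.4 equivalent (mod_authz_core / mod_authz_host):
#   <Location /REST/1.0/NoAuth>
#       <RequireAny>
#           Require ip 192.0.2.10
#           Require valid-user
#       </RequireAny>
#   </Location>
```

Run `apachectl configtest` before reloading, then confirm from a host other than the mail server that the path no longer answers without credentials.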