[rt-users] database authentication (as in RT_SiteConfig.pm) using a kerberos principal

Kevin Falcone falcone at bestpractical.com
Mon Jun 25 10:32:33 EDT 2012


On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
>    Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi to log in to the
>    database.
> 
>    If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD I can log in to the
>    postgresql database with a keytab for this principal.
> 
>    How can I tell the request tracker application it has to use this keytab instead of setting a
>    username/password in clear text in a config file? This would be a huge security improvement
>    IMO.
> 
>    With other apps I can use the KRB5CCNAME variable to specify where the ticket cache file is
>    and use that.

If DBD::Pg or DBD::Oracle can do it, then RT should be able to
leverage that.  You'll need to review the driver documentation for how
the configuration needs to be set up.

-kevin

