[rt-users] database authentication (as in RT_SiteConfig.pm) using a kerberos principal

Natxo Asenjo natxo.asenjo at gmail.com
Mon Jun 25 14:33:38 EDT 2012

On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone <falcone at bestpractical.com>wrote:

> On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
> >    Using postgresql (or oracle possibly) it is possible to use
> kerberos/gssapi to log in the
> >    database.
> >
> >    If I create a kerberos service principal
> rt/myserver.domain.tld/MYREALM.TLD I can login the
> >    postgresql database with a keytab for this principal.
> >
> >    How can I tell the request tracker application it has to use this
> keytab instead of setting a
> >    username/password in clear text in a config file? This would be a
> huge security improvement
> >    IMO.
> >
> >    With other apps I can use the KRB5CCNAME variable to specify where
> the ticket cache file is
> >    and use that.
> If DBD::Pg or DBD::Oracle can do it, then RT should be able to
> leverage that.  You'll need to review the driver documentation for how
> the configuration needs to be set up.
DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
me if I am wrong).

I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
postgresql login role in the postgresql server with the same name, no

After that I retrieved the keytab for the service principal and saved it in
a file rt.keytab.

Then I wrote this snippet:

use strict;
use warnings;

use Authen::Krb5::Easy qw( kinit kdestroy kerror );

my $keytab = '/home/admin/rt.keytab';
my $ccache = '/tmp/rt.ccache';
my $principal = 'rt/webserver01.ipa.asenjo.nx';

print $principal, "\n";

$ENV{KRB5CCNAME} = $ccache;

kinit( $keytab, $principal ) || die kerror();

use DBI;

my $dbhost = "postgres.ipa.asenjo.nx";

my $dbh = DBI->connect(

my $sth = $dbh->prepare("select usename from pg_catalog.pg_user") ;


# save the postgres roles in value of hash, key not important
my %postgres_roles;
while ( my @data = $sth->fetchrow_array() ) {
        $postgres_roles{$data[0]} = $data[0];

print %postgres_roles;

And I see the list of roles in the postgresql server, so it works using the
kerberos principal.

So how can I tell rt to look in the kerberos cache file for its kerberos

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20120625/58e76a07/attachment.htm>

More information about the rt-users mailing list