[rt-users] database authentication (as in RT_SiteConfig.pm) using a kerberos principal
Natxo Asenjo
natxo.asenjo at gmail.com
Mon Jun 25 14:33:38 EDT 2012
On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone <falcone at bestpractical.com> wrote:
> On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:
> > Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi to log in to the database.
> >
> > If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD I can log in to the postgresql database with a keytab for this principal.
> >
> > How can I tell the request tracker application it has to use this keytab instead of setting a username/password in clear text in a config file? This would be a huge security improvement IMO.
> >
> > With other apps I can use the KRB5CCNAME variable to specify where the ticket cache file is and use that.
>
> If DBD::Pg or DBD::Oracle can do it, then RT should be able to leverage that. You'll need to review the driver documentation for how the configuration needs to be set up.
>

DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
me if I am wrong).
I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
postgresql login role in the postgresql server with the same name, no
passwords.
After that I retrieved the keytab for the service principal and saved it in
a file rt.keytab.
Then I wrote this snippet:
use strict;
use warnings;
use DBI;
use Authen::Krb5::Easy qw( kinit kdestroy kerror );

my $keytab    = '/home/admin/rt.keytab';
my $ccache    = '/tmp/rt.ccache';
my $principal = 'rt/webserver01.ipa.asenjo.nx';
print $principal, "\n";

# libpq finds the ticket cache through KRB5CCNAME, so set it before connecting
$ENV{KRB5CCNAME} = $ccache;

# get a ticket for the service principal from the keytab (no password involved)
kinit( $keytab, $principal ) || die kerror();

my $dbhost = "postgres.ipa.asenjo.nx";
# empty password: the GSSAPI ticket in the cache authenticates the connection
my $dbh = DBI->connect(
    "DBI:Pg:dbname=template1;host=$dbhost", $principal, '',
    { RaiseError => 1 }
);
my $sth = $dbh->prepare("select usename from pg_catalog.pg_user");
$sth->execute();

# save the postgres roles in value of hash, key not important
my %postgres_roles;
while ( my @data = $sth->fetchrow_array() ) {
    $postgres_roles{ $data[0] } = $data[0];
}
print join( "\n", sort keys %postgres_roles ), "\n";

$dbh->disconnect;
kdestroy();    # drop the ticket cache when done
And I see the list of roles in the postgresql server, so it works using the
kerberos principal.
So how can I tell rt to look in the kerberos cache file for its kerberos
credentials?
TIA,
--
natxo
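As an added example (not from the post above and not RT's own code): one way to carry the same keytab-based login into RT_SiteConfig.pm, which is itself Perl and is evaluated before RT opens its database handle. The keytab path, cache path, database name and the claim that RT's connection code inherits the environment set here are assumptions to verify against your RT version; the principal and database host are the ones from the post.

```perl
# RT_SiteConfig.pm fragment (added example, not from the original post).
# Assumptions: the web server user can read /etc/rt/rt.keytab, RT evaluates
# this file in the same process that later calls DBI->connect, and the
# PostgreSQL login role has exactly the same name as the principal.
use strict;
use warnings;
use Authen::Krb5::Easy qw( kinit kerror );

my $keytab    = '/etc/rt/rt.keytab';              # assumed path
my $ccache    = '/var/run/rt/krb5cc_rt';          # assumed path
my $principal = 'rt/webserver01.ipa.asenjo.nx';   # from the post

# libpq reads KRB5CCNAME at connect time; point it at a cache in a
# directory only the RT user can read rather than a shared /tmp file.
$ENV{KRB5CCNAME} = "FILE:$ccache";

# Obtain a ticket from the keytab.  Tickets expire, so something must
# refresh this cache before the ticket lifetime runs out (for example a
# k5start or cron job that re-runs kinit against the same keytab).
kinit( $keytab, $principal )
    or die "kinit for $principal failed: " . kerror();

# Log in as the principal with an empty password; libpq negotiates GSSAPI
# using the ticket cache instead of sending a password in clear text.
Set( $DatabaseType,     'Pg' );
Set( $DatabaseHost,     'postgres.ipa.asenjo.nx' );
Set( $DatabaseName,     'rt4' );                  # assumed name
Set( $DatabaseUser,     $principal );
Set( $DatabasePassword, '' );

1;
```

On the PostgreSQL side this only works if pg_hba.conf accepts the RT host with the gss authentication method (and, if the realm is kept as part of the user name, a pg_ident.conf map that strips it), which the post does not show. Check with a plain psql login using the same KRB5CCNAME before touching the RT configuration, so that a failing RT start can be blamed on RT and not on the server.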