[rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

Ruslan Zakirov ruz at bestpractical.com
Wed Sep 4 07:18:48 EDT 2013


Hi,

http://www.gossamer-threads.com/lists/apache/dev/370306


On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <
oliver.weinmann at telespazio-vega.de> wrote:

> Hi,
>
> there are these settings in RT:
>
> # tells RT to use the REMOTE_USER provided by the web server
> Set($WebExternalAuth , 1);
>
> # tells RT to display its normal login screen if REMOTE_USER fails
> Set($WebFallbackToInternalAuth , 1);
>
> # tells RT to create users automatically if no user matching REMOTE_USER is found
> Set($WebExternalAuto , 1);
>
> I have them all set except the last one as we use LDAPImport. So I would
> expect RT to not drop the REMOTE_USER. Or is this obsolete?
>
> Best Regards,
> Oliver
>
> From: ruslan.zakirov at gmail.com [mailto:ruslan.zakirov at gmail.com] On
> Behalf Of Ruslan Zakirov
> Sent: Tuesday, 3 September 2013 21:47
> To: Oliver Weinmann
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with
> mod_auth_kerb
>
> Hi,
>
> Why do you expect the remote server where you host RT to respect REMOTE_USER
> and not to drop it? If a web server would pass remotely provided
> REMOTE_USER further to an app without additional configuration then we
> wouldn't use it for authentication.
>
> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <
> oliver.weinmann at telespazio-vega.de> wrote:
>
> Hi all,
>
> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb.
> Now we need to get the setup running through our reverse proxy.
>
> What we have on our reverse proxy is this:
>
>         ProxyPass        /rt/             http://hostname.local/rt/ max=100
>         ProxyPassReverse /rt/             http://hostname.local/rt/
>
>         RedirectMatch ^/$ /rt/
>
>         # Proxy all locations
>         <Proxy *>
>                 AddDefaultCharset off
>                 Order deny,allow
>                 Deny from none
>         </Proxy>
>
>         <Location /rt>
>         AuthType Kerberos
>         AuthName "Kerberos Login"
>         KrbAuthRealms KRB5.LOCAL
>         Krb5KeyTab /etc/apache2/host.keytab
>         KrbMethodNegotiate on
>         KrbAuthoritative on
>         KrbMethodK5Passwd off
>         KrbSaveCredentials on
>         require valid-user
>
>         # SSO
>         RewriteEngine On
>         RewriteCond %{LA-U:REMOTE_USER} (.+)$
>         RewriteRule . - [E=RU:%1]
>         RequestHeader set REMOTE_USER %{RU}e
>
>         </Location>
>
> Running tcpdump we can see that REMOTE_USER is set and sent to the host
> hosting RT. It looks like RT is not picking it up. As far as I understood,
> my user gets authenticated at the proxy and RT should trust these
> credentials and log in the user.
>
> --
> Best regards, Ruslan.
>



-- 
Best regards, Ruslan.
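
The distinction discussed in this thread, as an added example that is not part of any poster's message or of RT's code: under the CGI convention (RFC 3875) a request header named REMOTE_USER reaches the application as HTTP_REMOTE_USER, while REMOTE_USER itself is set only by the web server's own authentication step. The proxy address, the user name and the `promote_proxy_user` helper are assumptions made up for the illustration.

```python
import ipaddress

# Assumption: the reverse proxy's address (constructed, documentation range).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def cgi_environ(peer_ip, headers, authenticated_user=None):
    """Model CGI variables: request headers become HTTP_* entries.

    REMOTE_USER is set only when this server authenticated the request
    itself; it is never copied from a header of the same name.
    """
    env = {"REMOTE_ADDR": peer_ip}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if authenticated_user is not None:
        env["REMOTE_USER"] = authenticated_user
    return env


def external_auth_user(env):
    """What an application relying on web-server auth reads."""
    return env.get("REMOTE_USER")


def promote_proxy_user(env):
    """Hypothetical backend step: accept the header from the proxy only."""
    env = dict(env)
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    claimed = env.get("HTTP_REMOTE_USER")
    if peer in TRUSTED_PROXIES and claimed:
        env["REMOTE_USER"] = claimed
    return env


if __name__ == "__main__":
    hdrs = {"REMOTE_USER": "alice@KRB5.LOCAL"}  # constructed sample header
    via_proxy = cgi_environ("192.0.2.10", hdrs)
    direct = cgi_environ("198.51.100.7", hdrs)
    print(external_auth_user(via_proxy))                      # header alone
    print(external_auth_user(promote_proxy_user(via_proxy)))  # from proxy
    print(external_auth_user(promote_proxy_user(direct)))     # from elsewhere
```

The promotion step is only as strong as the guarantee that nothing other than the proxy can reach the backend.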