[rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Ruslan Zakirov
ruz at bestpractical.com
Wed Sep 4 07:18:48 EDT 2013
Hi,
http://www.gossamer-threads.com/lists/apache/dev/370306
On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann <
oliver.weinmann at telespazio-vega.de> wrote:
> Hi,
>
> there are these settings in RT:
>
> # tells RT to use the REMOTE_USER provided by the web server
> Set($WebExternalAuth , 1);
>
> # tells RT to display its normal login screen if REMOTE_USER fails
> Set($WebFallbackToInternalAuth , 1);
>
> # tells RT to create users automatically if no user matching REMOTE_USER is found
> Set($WebExternalAuto , 1);
>
> I have them all set except the last one as we use LDAPImport. So I would
> expect RT to not drop the REMOTE_USER. Or is this obsolete?
>
> Best Regards,
> Oliver
>
> *From:* ruslan.zakirov at gmail.com [mailto:ruslan.zakirov at gmail.com] *On
> Behalf Of *Ruslan Zakirov
> *Sent:* Tuesday, 3 September 2013 21:47
> *To:* Oliver Weinmann
> *Cc:* rt-users at lists.bestpractical.com
> *Subject:* Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with
> mod_auth_kerb
>
> Hi,
>
> Why do you expect the remote server where you host RT to respect REMOTE_USER
> and not to drop it? If a web server would pass remotely provided
> REMOTE_USER further to an app without additional configuration then we
> wouldn't use it for authentication.
>
> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann <
> oliver.weinmann at telespazio-vega.de> wrote:
>
> Hi all,
>
> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb.
> Now we need to get the setup running through our reverse proxy.
>
> What we have on our reverse proxy is this:
>
> ProxyPass /rt/ http://hostname.local/rt/ max=100
> ProxyPassReverse /rt/ http://hostname.local/rt/
>
> RedirectMatch ^/$ /rt/
>
> # Proxy all locations
> <Proxy *>
>     AddDefaultCharset off
>     Order deny,allow
>     Deny from none
> </Proxy>
>
> <Location /rt>
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     KrbAuthRealms KRB5.LOCAL
>     Krb5KeyTab /etc/apache2/host.keytab
>     KrbMethodNegotiate on
>     KrbAuthoritative on
>     KrbMethodK5Passwd off
>     KrbSaveCredentials on
>     require valid-user
>
>     # SSO
>     RewriteEngine On
>     RewriteCond %{LA-U:REMOTE_USER} (.+)$
>     RewriteRule . - [E=RU:%1]
>     RequestHeader set REMOTE_USER %{RU}e
> </Location>
>
> Running tcpdump we can see that REMOTE_USER is set and sent to the host
> hosting RT. It looks like RT is not picking it up. As far as I understood,
> my user gets authenticated at the proxy and RT should trust these
> credentials and log in the user.
>
> --
> Best regards, Ruslan.
>
--
Best regards, Ruslan.
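
Added example (not part of the original message and not RT or Apache code): a small Python model of the CGI convention that explains the behaviour discussed in this thread. A request header named REMOTE_USER reaches the application as HTTP_REMOTE_USER, while REMOTE_USER itself is only set by the backend's own authentication, so the backend needs an explicit step that trusts the header from the proxy's address only. The names TRUSTED_PROXIES, build_environ and promote_proxy_user, the IP addresses and the user name are assumptions made for illustration.

```python
import ipaddress

# Assumption: address of the reverse proxy as seen by the backend (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def build_environ(peer_ip, headers, authenticated_user=None):
    """Build a CGI-style environment the way a web server does.

    REMOTE_USER comes only from the server's own authentication step;
    every request header is exposed under an HTTP_ prefix instead.
    """
    environ = {"REMOTE_ADDR": peer_ip}
    if authenticated_user is not None:
        environ["REMOTE_USER"] = authenticated_user
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def promote_proxy_user(environ, header="HTTP_REMOTE_USER"):
    """Copy the proxy-supplied user into REMOTE_USER only for trusted peers."""
    env = dict(environ)
    forwarded = env.pop(header, None)  # never hand the raw header to the app
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    # Local authentication, if any, always wins over the forwarded value.
    if forwarded and trusted and "REMOTE_USER" not in env:
        env["REMOTE_USER"] = forwarded
    return env


if __name__ == "__main__":
    # Constructed request: the header the proxy configuration above would send.
    hdrs = {"REMOTE_USER": "oliver@KRB5.LOCAL"}
    raw = build_environ("192.0.2.10", hdrs)
    print("app sees REMOTE_USER without extra config:", "REMOTE_USER" in raw)
    print("after trusted promotion:", promote_proxy_user(raw).get("REMOTE_USER"))
    # Same header arriving from an address that is not the proxy.
    other = build_environ("198.51.100.7", hdrs)
    print("from untrusted peer:", promote_proxy_user(other).get("REMOTE_USER"))
```
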