[rt-users] Fwd: Login persistence

Rory rclerkin at gmail.com
Fri May 23 05:20:05 EDT 2014

Hi Peter,

As you noted, your web environment is essentially holding the login token.
When you click logout, Apache serves up the "you are logged out" page,
processes the authentication configuration and, because of this line:

# allow web auth to pass login status to RT
Set($WebRemoteUserAuth, 1);

RT accepts the authentication from Apache, which logs the user back in.

Consider it from the point of view that the Apache-based authentication
controls access to the directory on the web server that contains the website
files. As far as RT is concerned, it is piggybacking on this authentication
procedure so that it can figure out who's logged in. In order for one of
your users to log out, they need to kill the session with Apache, i.e. close
the browser.
So in short, your login session on RT is tied to the web browser's session
with the web server.

To make it work as you would like (clicking logout ends Apache's login
session), the website would need to make a change to the web server. This
generally is not allowed to happen as it's a potential security flaw.

If you want the user's login session to be controlled by the RT application,
then you'll need to configure LDAP authentication within RT.
To be able to do this you need at least these Perl modules (and maybe some
others that I'm neglecting too):

You then need to add the plugin to your RT_SiteConfig.pm:

Set( @Plugins, qw(RT::Authen::ExternalAuth) );

And set the LDAP configuration by following the example SiteConfig file in
the plugin's etc directory.
Lastly, you'll need to remove the Auth config from your Apache virtual host
and change:

Set($WebRemoteUserAuth, 1);

to:

Set($WebRemoteUserAuth, 0);

Kind regards,
Rory Clerkin

On 23 May 2014 09:27, Flynn, Peter <pflynn at ucc.ie> wrote:

> I have managed to get authentication using LDAP working OK, but I seem
> to have missed or misunderstood something about persistence.
> When I click on Logout, I get logged out and immediately logged back in
> again. I think I can see why this would happen, in the sense that the
> web environment still holds the authenticated token, and presumably RT
> just looks for it and finds it again.
> Is there a way to stop this happening? Closing the tab doesn't prevent
> it; closing down the browser does, of course, but most users will not
> want to do that (being required to close a sovereign application simply
> to terminate a session in a tab is not a good practice).
> After a logout from an LDAP-authenticated session, it should display
> RT's own login screen. If the user really, really, really wants another
> session with different LDAP credentials (or even a repeat of her own),
> then indeed closing the browser is required, but that's an edge case.
> The settings I am using are:
> httpd.conf
> ----------
> <VirtualHost *:80>
>      ServerAdmin pflynn at ucc.ie
>      ServerName foobar.ucc.ie
>      ErrorLog logs/foobar.ucc.ie-error_log
>      LogLevel debug
>      CustomLog logs/foobar.ucc.ie-access_log combined
>      AddDefaultCharset UTF-8
>      FcgidMaxRequestLen 1073741824
>      ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
>      DocumentRoot "/opt/rt4/share/html"
>      <Location />
>         Order allow,deny
>         Allow from all
>         Options +ExecCGI
>         AddHandler fcgid-script fcgi
>      </Location>
>      <Directory />
>         Order deny,allow
>         Deny from All
>         AuthType Basic
>         AuthBasicProvider file ldap
>         AuthBasicAuthoritative  off
>         AuthUserFile /var/www/htaccess/foobar
>         AuthGroupFile /dev/null
>         AuthzLDAPAuthoritative off
>         AuthName "Login with your email address and password"
>         AuthLDAPURL ldap://aaa.bbb.ccc.ddd:ppp/DC=ad,DC=ucc,DC=ie?mail
>         AuthLDAPBindDN "xxxxx"
>         AuthLDAPBindPassword 'yyyyy'
>         Require valid-user
>      </Directory>
> </VirtualHost>
> RT_SiteConfig.pm (omitting values set at webconfig time)
> ----------------
> # allow web auth to pass login status to RT
> Set($WebRemoteUserAuth, 1);
> # allow RT to show login screen if web auth failed
> Set($WebFallbackToRTLogin, 1);
> # allow an hour's inactivity (10 min for testing)
> Set($AutoLogoff, 10);
> # standard password must be 10 chars min
> Set($MinimumPasswordLength, 10);
> # use ISO dates
> Set($DateTimeFormat, { Format => "ISO", Seconds => 0 });
> ///Peter
> --
> Peter Flynn | Academic & Collaborative Technologies | University College
> Cork IT Services | ☎ +353 21 490 2609 | ✉ pflynn at ucc.ie | 🌍 www.ucc.ie
> --
> RT Training - Boston, September 9-10
> http://bestpractical.com/training
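The logout loop Rory describes above, as an added example that is not part of the thread and is not code from Apache or RT: a small Python model of the three parties involved. The browser caches Basic credentials for the realm until it is closed, the Apache-like front end turns a valid Authorization header into REMOTE_USER (as the `<Directory />` block with `Require valid-user` in Peter's httpd.conf does), and the RT-like app trusts REMOTE_USER when $WebRemoteUserAuth is on and otherwise falls back to its own login form. The user name, password, cookie name and the `RTLike` logic are constructed simplifications for illustration, not RT's real session code.

```python
import base64
import itertools

USERS = {"pflynn@ucc.ie": "constructed-password"}  # constructed; stands in for AuthUserFile / LDAP
REALM = "Login with your email address and password"


class Browser:
    """A browser keeps Basic credentials for a realm until the window is closed."""

    def __init__(self, user, password):
        self.typed = f"{user}:{password}"   # what the user answers at the prompt
        self.basic = None                   # cached for REALM; only close() clears it
        self.cookies = {}

    def close(self):
        self.basic, self.cookies = None, {}

    def request(self, frontend, path, form=None):
        headers = {}
        if self.basic:
            headers["Authorization"] = "Basic " + base64.b64encode(self.basic.encode()).decode()
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        status, resp_headers, body = frontend(path, headers, form or {})
        if status == 401 and self.basic is None:
            self.basic = self.typed                    # prompt answered once ...
            return self.request(frontend, path, form)  # ... replayed on every request after
        for name, value in resp_headers:
            if name == "Set-Cookie":
                cookie, val = value.split("=", 1)
                if val:
                    self.cookies[cookie] = val
                else:
                    self.cookies.pop(cookie, None)     # "RT_SID=" deletes the cookie
        return body


def apache(app, require_valid_user):
    """Front end modelled on the thread's <Directory /> block with 'Require valid-user'."""

    def handle(path, headers, form):
        env = {"PATH_INFO": path, "HTTP_COOKIE": headers.get("Cookie", ""), "FORM": form}
        if require_valid_user:
            auth = headers.get("Authorization", "")
            creds = base64.b64decode(auth[6:]).decode() if auth.startswith("Basic ") else ""
            user, _, password = creds.partition(":")
            if not user or USERS.get(user) != password:
                return 401, [("WWW-Authenticate", f'Basic realm="{REALM}"')], "Authorization Required"
            env["REMOTE_USER"] = user   # the only thing RT sees of the Apache login
        return app(env)
    return handle


class RTLike:
    """Session logic reduced to $WebRemoteUserAuth plus RT's own login form as fallback."""

    def __init__(self, web_remote_user_auth):
        self.web_remote_user_auth = web_remote_user_auth
        self.sessions = {}                  # RT_SID -> user (constructed cookie name)
        self.next_sid = itertools.count(1)

    def __call__(self, env):
        cookies = dict(c.split("=", 1) for c in env["HTTP_COOKIE"].split("; ") if "=" in c)
        sid, path = cookies.get("RT_SID"), env["PATH_INFO"]
        if path == "/Logout":
            self.sessions.pop(sid, None)    # RT's session really is destroyed here
            return 200, [("Set-Cookie", "RT_SID=")], "You are logged out"
        user = self.sessions.get(sid)
        if user is None and self.web_remote_user_auth and env.get("REMOTE_USER"):
            user = env["REMOTE_USER"]       # ... but REMOTE_USER is back on the next hit
        elif user is None and path == "/Login":
            form = env["FORM"]              # $WebFallbackToRTLogin: RT checks the password itself
            if USERS.get(form.get("user")) == form.get("pass"):
                user = form["user"]
        if user is None:
            return 200, [], "RT login form"
        headers = []
        if sid not in self.sessions:
            sid = str(next(self.next_sid))
            self.sessions[sid] = user
            headers.append(("Set-Cookie", f"RT_SID={sid}"))
        return 200, headers, f"RT home for {user}"


def logout_survives(web_remote_user_auth, require_valid_user):
    """Log in, click Logout, reload '/'; return what the browser saw before and after."""
    front = apache(RTLike(web_remote_user_auth), require_valid_user)
    browser = Browser("pflynn@ucc.ie", "constructed-password")
    before = browser.request(front, "/")
    if before == "RT login form":           # no Apache login in front: use RT's own form
        before = browser.request(front, "/Login", {"user": "pflynn@ucc.ie", "pass": "constructed-password"})
    browser.request(front, "/Logout")
    return before, browser.request(front, "/")
```

Running `logout_survives(True, True)` (Peter's setup: Apache Basic auth in front, $WebRemoteUserAuth on) gives the RT home page both before and after Logout: RT does delete its session, but the browser replays the cached Authorization header on the very next request, Apache sets REMOTE_USER again, and RT creates a fresh session. `logout_survives(False, False)` (Rory's suggestion: no Apache auth, RT doing the LDAP login itself) gives the home page before and RT's login form after. In the model, as in a real browser, only `Browser.close()` discards the cached Basic credentials.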