[rt-users] Fwd: Login persistence

Flynn, Peter pflynn at ucc.ie
Fri May 23 10:57:14 EDT 2014


On 23/05/14 10:20, Rory wrote:
> Hi Peter,
>
> As you noted, your web environment is essentially holding the login token.
> When you click logout, Apache serves up the "you are logged out" page,
> processes the authentication configuration and, because of this line:
> # allow web auth to pass login status to RT
> Set($WebRemoteUserAuth, 1);
> RT accepts the authentication from Apache which logs the user back in.
[...]
> So in short, your login session on RT is tied to the web browser's
> session with the web server.

Right.

> To make it work as you would like (clicking logout ends Apache's login
> session) the website would need to make a change to the web server. This
> generally is not allowed to happen as it's a potential security flaw.

Indeed.

> If you want the user's login session to be controlled by the RT
> application then you'll need to configure LDAP authentication within the
> RT Configuration.

Thank you: I must have misread this. I didn't think RT could do LDAP 
auth itself. I wouldn't have bothered with the Apache route otherwise.

> To be able to do this you need at least these Perl modules (and maybe
> some others that I'm neglecting too);
> Net::LDAP
> RT::Authen::ExternalAuth

Done. CPAN complained about a dependency:
 >> No tests defined for RT::Authen::ExternalAuth extension
but I used -f :-)

> You then need to add the plugin to your RT_SiteConfig.pm;
> Set( @Plugins, qw(RT::Authen::ExternalAuth) );

OK.

> And set the LDAP configuration by following the example SiteConfig file
> in the plugin etc directory.

I'll need to get some more local LDAP help with that.

> Lastly you'll need to remove the Auth config from your Apache virtual
> host and change:
> Set($WebRemoteUserAuth, 1);
> to
> Set($WebRemoteUserAuth, 0);

Should the RT user record still contain the user's (LDAP) email address 
as the Username to log in with?

///Peter
-- 
Peter Flynn | Academic & Collaborative Technologies | University College 
Cork IT Services | ☎ +353 21 490 2609 | ✉ pflynn at ucc.ie | 🌍 www.ucc.ie
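
The switch described in the quoted steps above, gathered into one RT_SiteConfig.pm fragment. This is an added example, not configuration from either poster or from the plugin's distribution; the service label, server name, DNs, bind account and directory attribute names are placeholders, and the key names should be checked against the example SiteConfig shipped in the plugin's etc directory for the installed version.

```perl
# RT_SiteConfig.pm (constructed example; every hostname, DN and
# credential below is a placeholder, not a value from this thread)

# Stop trusting Apache's REMOTE_USER so that RT owns the login session
# and its Logout link really ends it. The Auth* directives must also be
# removed from the Apache virtual host.
Set($WebRemoteUserAuth, 0);

Set(@Plugins, qw(RT::Authen::ExternalAuth));

# Which configured service(s) to try for authentication and for
# pulling user details, in order.
Set($ExternalAuthPriority, ['My_LDAP']);
Set($ExternalInfoPriority, ['My_LDAP']);

# Load SSL/TLS support for the connection configured below.
Set($ExternalServiceUsesSSLorTLS, 1);

# Do not silently create internal accounts for users who fail
# external authentication.
Set($AutoCreateNonExternalUsers, 0);

Set($ExternalSettings, {
    'My_LDAP' => {
        'type'   => 'ldap',
        'server' => 'ldap.example.org',                       # placeholder
        # Bind account used for lookups; give it read-only access.
        'user'   => 'cn=rt-bind,ou=services,dc=example,dc=org',
        'pass'   => 'CHANGE_ME',
        'base'   => 'ou=people,dc=example,dc=org',
        'filter' => '(objectClass=person)',
        # Use StartTLS so bind and user passwords are not sent in clear.
        'tls'    => 1,
        'net_ldap_args' => [ version => 3 ],
        # RT fields used to match an RT user against a directory entry.
        'attr_match_list' => [ 'Name', 'EmailAddress' ],
        # RT field => LDAP attribute (attribute names are assumptions
        # about the directory schema).
        'attr_map' => {
            'Name'         => 'uid',
            'EmailAddress' => 'mail',
            'RealName'     => 'cn',
        },
    },
});

1;
```

Because the file holds the bind password, it should be readable only by the account RT runs as.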

