[rt-users] Problems with external auth and double prompting for authentication

Bart Bunting bart.bunting at ursys.com.au
Wed May 11 19:25:16 EDT 2016


Hi Jim,

Thanks for the quick reply.

I should have included my apache virtualhost config:

Here it is for reference. I did have ldap auth working at one point but
it is totally commented out in the config.

Apache is apache2 2.4.18-2ubuntu3 amd64 (Debian/Ubuntu Xenial LTS).

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName helpdesk.in.urnet.com.au

  ## Vhost docroot
  DocumentRoot "/opt/rt4/share/html"
  ## Alias declarations for resources outside the DocumentRoot
  AliasMatch /NoAuth/images/ "/opt/rt4/share/html/NoAuth/images/"

  ## Directories, there should at least be a declaration for /opt/rt4/share/html
  <Directory "/opt/rt4/share/html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/helpdesk.in.urnet.com.au_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/helpdesk.in.urnet.com.au_access.log" combined

  ## Custom fragment
  AddDefaultCharset UTF-8
  ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

  DocumentRoot "/opt/rt4/share/html"
  <Location />
    # bart: disabled for now until we move towards SSO
    #AuthType Basic
    #AuthName "Ursys LDAP"
    #AuthBasicProvider ldap
    #AuthLDAPURL ldap://ldap.xxxx:389/cn=accounts,xxxx?uid?sub
    #AuthLDAPBindDN uid=system,cn=sysaccounts,xxx
    #AuthLDAPBindPassword xxxxx
    #Require ldap-group cn=noc,cn=groups,xxxxxx

    Require all granted

    Options +ExecCGI
    AddHandler fcgid-script fcgi
  </Location>
</VirtualHost>



Is there anything wrong with that? It pretty much mirrors the config
described in the documentation.

If there is a better way of doing things other than mod_fastcgi I'm open to trying that.


Kind regards

Bart
Jim Brandt <jbrandt at bestpractical.com> writes:

> Browser authentication is typically triggered by an Apache 
> configuration, so if your goal is to have just RT authentication, you 
> might compare your Apache configuration with the example in the docs:
>
> https://docs.bestpractical.com/rt/4.4.0/web_deployment.html
>
> On 5/11/16 3:50 AM, Bart Bunting wrote:
>>
>>
>> Hi everyone,
>>
>> I have been trying to get external authentication with ldapauth and
>> ldapimport working on a brand new rt 4.4 from the latest pull of
>> 4.4-trunk.
>>
>> I have the ldap authentication and rt-ldapimport working correctly
>> against our ldap server.
>>
>> The one issue I can not appear to resolve is that I am prompted first
>> by the browsers authentication prompt and then by the RT login screen.
>> So you need to enter your authentication credentials twice.
>>
>> I am hoping to just have the RT login screen, no browser authentication
>> prompt.
>>
>> I'm sure it's something simple but I'm pulling my hair out :).
>>
>> If someone could take a look at my config and tell me where the error is
>> I'd be eternally grateful:
>>
>> Here is the section of my rt config.
>>
>> The first few options are commented out as they are part of previous
>> attempts to make it work as expected.
>>
>> #* Authentication
>> # configure external authentication
>>
>> #Set($WebRemoteUserAuth, 1);
>> # check authentication on each request rather than just once
>> #Set($WebRemoteUserContinuous, 1);
>>
>> # fall back to rt login if external auth fails.
>> #Set($WebFallbackToRTLogin, 1);
>>
>> Set($ExternalAuth, 1);
>> Set($ExternalAuthPriority, ['URSYS_LDAP']);
>> Set($ExternalInfoPriority, ['URSYS_LDAP']);
>>
>> # Make users created from LDAP Privileged
>> Set($UserAutocreateDefaultsOnLogin, { Privileged => 1 });
>>
>> # Users should still be autocreated by RT as internal users if they
>> # fail to exist in an external service; this is so requestors (who
>> # are not in LDAP) can still be created when they email in.
>> Set($AutoCreateNonExternalUsers, 1);
>>
>> # LDAP configuration; see RT::Authen::ExternalAuth::LDAP for
>> # further details and examples
>> Set($ExternalSettings, {
>>     'URSYS_LDAP' => {
>>         'type'            => 'ldap',
>>         'server'          => 'ldap.xxxxx',
>>         'base'            => 'cn=users,cn=accounts,dc=xxxxxx',
>>         'user'            => 'uid=system,cn=sysaccounts,xxxxx',
>>         'pass'            => 'xxxxxx',
>>         'filter'          => '(&(memberOf=cn=helpdesk-*))',
>>         'attr_match_list' => [
>>             'Name',
>>         ],
>>         'attr_map' => {
>>             'Name'         => 'uid',
>>             'EmailAddress' => 'mail',
>>         },
>>     },
>> });
>>
>> # * rt-ldapimport configuration
>> # enable plugin
>> Plugin(qw(RT::LDAPImport));
>>
>> Set($LDAPBase, 'cn=users,cn=accounts,xxxxx');
>> Set($LDAPHost, 'ldap.xxxxx');
>> Set($LDAPUser, 'uid=system,cn=sysaccounts,xxxxxx');
>> Set($LDAPPassword, 'xxxxxxxx');
>> Set($LDAPFilter, '(&(memberOf=cn=helpdesk-*))');
>> Set($LDAPMapping, {
>>     Name         => 'uid', # required
>>     EmailAddress => 'mail',
>>     RealName     => 'cn',
>>     WorkPhone    => 'telephoneNumber',
>>     Organization => 'departmentName',
>> });
>> # create users as privileged
>> Set($LDAPCreatePrivileged, 1);
>>
>> # sync Groups from LDAP into RT
>> Set($LDAPGroupBase, 'cn=accounts,xxxxx');
>> Set($LDAPGroupFilter, '(&(objectClass=groupofnames)(cn=helpdesk-*))');
>> Set($LDAPGroupMapping, {
>>     Name              => 'cn',
>>     Description       => 'description',
>>     Member_Attr       => 'member',
>>     Member_Attr_Value => 'dn',
>> });
>>
>> As above all the ldap stuff appears to work apart from the double
>> request for authentication.
>>
>>
>>
>> Kind regards
>> Bart
>>
> ---------
> RT 4.4 and RTIR Training Sessions https://bestpractical.com/training
> * Washington DC - May 23 & 24, 2016
Bart
-- 

Bart Bunting - URSYS
PH: 02 87452811
Mbl: 0409560005
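Added example, not part of the thread and not code from RT or Best Practical: a small Python checker that reads an Apache vhost fragment and an RT_SiteConfig fragment and predicts which login prompts a user will see, so the "double prompt" can be traced to the layer that causes it. The browser prompt comes from an active Apache AuthType plus a Require that is not "all granted" (a simplifying heuristic, assumed here); the RT login form appears unless $WebRemoteUserAuth tells RT to trust the REMOTE_USER Apache already authenticated. The config fragments below are constructed samples modelled on the thread, with placeholder DNs; the function names are this example's own.

```python
import re

# Constructed sample: Location block with LDAP auth commented out, as in the thread.
VHOST_RT_ONLY = """\
<Location />
# disabled for now until we move towards SSO
#   AuthType Basic
#   AuthName "Example LDAP"
#   AuthBasicProvider ldap
#   Require ldap-group cn=noc,cn=groups,dc=example,dc=test
    Require all granted
    Options +ExecCGI
</Location>
"""

# Constructed sample: the same block with Apache LDAP auth switched on.
VHOST_APACHE_AUTH = """\
<Location />
    AuthType Basic
    AuthName "Example LDAP"
    AuthBasicProvider ldap
    Require ldap-group cn=noc,cn=groups,dc=example,dc=test
    Options +ExecCGI
</Location>
"""

# Constructed RT_SiteConfig fragments (placeholder LDAP service name).
RT_EXTERNALAUTH_ONLY = """\
#Set($WebRemoteUserAuth, 1);
#Set($WebFallbackToRTLogin, 1);
Set ($ExternalAuth, 1);
Set( $ExternalAuthPriority, ['EXAMPLE_LDAP'] );
"""

RT_REMOTE_USER = """\
Set($WebRemoteUserAuth, 1);
Set($WebFallbackToRTLogin, 1);
Set($ExternalAuth, 1);
"""

COMMENT = re.compile(r"^\s*#")
# Matches single-line scalar settings such as  Set($ExternalAuth, 1);
SET_RE = re.compile(r"^\s*Set\s*\(\s*\$(\w+)\s*,\s*([^)]*?)\s*\)\s*;")


def active_lines(text):
    """Non-blank lines that are not '#' comments; comments are ignored by both parsers."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not COMMENT.match(ln)]


def apache_auth(vhost_text):
    """Collect active AuthType / Require directives (Apache directive names are case-insensitive)."""
    auth_types, requires = [], []
    for ln in active_lines(vhost_text):
        parts = ln.split(None, 1)
        name, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name == "authtype":
            auth_types.append(arg)
        elif name == "require":
            requires.append(arg.lower())
    # Heuristic (assumption): an active AuthType together with a Require other than
    # 'all granted' is what makes Apache answer with a 401 challenge.
    challenges = bool(auth_types) and any(r != "all granted" for r in requires)
    return {"auth_types": auth_types, "requires": requires, "browser_prompt": challenges}


def rt_scalar_settings(config_text):
    """Parse scalar Set($Name, value); lines; commented-out Set() lines are ignored, as RT does."""
    settings = {}
    for ln in active_lines(config_text):
        m = SET_RE.match(ln)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def expected_prompts(vhost_text, config_text):
    """Predict the credential prompts a user sees, in order: Apache first, then RT."""
    prompts = []
    apache = apache_auth(vhost_text)
    rt = rt_scalar_settings(config_text)
    if apache["browser_prompt"]:
        prompts.append("browser (Apache AuthType %s)" % apache["auth_types"][0])
    trusts_remote_user = rt.get("WebRemoteUserAuth") == "1"
    if trusts_remote_user and apache["browser_prompt"]:
        pass  # RT accepts REMOTE_USER set by Apache: no second prompt
    elif trusts_remote_user and rt.get("WebFallbackToRTLogin") == "1":
        prompts.append("RT login form (fallback: Apache set no REMOTE_USER)")
    elif trusts_remote_user:
        prompts.append("RT error page (REMOTE_USER required, no fallback)")
    else:
        prompts.append("RT login form")
    return prompts


if __name__ == "__main__":
    for label, vhost, cfg in [("RT-only", VHOST_RT_ONLY, RT_EXTERNALAUTH_ONLY),
                              ("double prompt", VHOST_APACHE_AUTH, RT_EXTERNALAUTH_ONLY),
                              ("Apache SSO", VHOST_APACHE_AUTH, RT_REMOTE_USER)]:
        print(label, "->", expected_prompts(vhost, cfg))
```

Run it as is to see the three combinations; to check a live install, replace the sample strings with the contents of the vhost file and RT_SiteConfig.pm. The combination that produces two entries is the one to avoid: Apache challenging the browser while RT, without $WebRemoteUserAuth, still shows its own form.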
