On Tue, Oct 4, 2011 at 11:06 PM, declaya <chocoboselp...@gmx.de> wrote:
>
> Thomas Smith-12 wrote:
>>
>> Discovered another issue... This one isn't strictly RT-related, I don't
>> think.
>>
>> The email gateway is no longer working. When I configured Apache auth,
>> I had to do it at the /opt/rt4 level--otherwise, RT would display the
>> login page without the option to login and SSO wouldn't work. Now the
>> mail gateway is unable to insert new tickets into the database as the
>> area it's trying to access is password protected. Are there any
>> best-practices for lifting the security off of this one directory
>> (NoAuth only, right?) while maintaining SSO on the remainder of the
>> system? Every time I exclude this directory from authentication, SSO
>> breaks.
>>
>
> Hi Thomas,
> I was facing the same problem (and I'm still curious about how to configure
> Apache using SSO with NTLMv2, but that's another problem;) when I changed the
> login behavior for Apache.
> You have to change the Apache config: The NoAuth directories must be
> excluded from your AD authentication, so you have to set "satisfy any" and
> "Allow from all" for those directories.
>
> So my Apache config looks like this:
>
> [...]
> <Directory "/opt/rt4/share/html">
>     # ---> here goes your Auth config for the users
> </Directory>
>
> <Directory "/opt/rt4/share/html/REST/1.0/NoAuth">
>     SetHandler modperl
>     PerlResponseHandler Plack::Handler::Apache2
>     satisfy any
>     allow from all
> </Directory>
>
> <Directory "/opt/rt4/share/html/NoAuth">
>     SetHandler modperl
>     PerlResponseHandler Plack::Handler::Apache2
>     satisfy any
>     allow from all
> </Directory>
>
> <Location /REST/1.0/NoAuth>
>     satisfy any
>     allow from all
> </Location>
> [...]
>
> I'm not completely sure which of the directories is the right one, but
> until now it works for me.
> Hope this helps a bit!

Thank you! I did something similar, just used a different method.

What I found to work best, at least for my situation, was to add the
following to the Directory directive for /opt/rt4.

<Directory /opt/rt4>
    ... LDAP auth stuff omitted ...
    SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
    Order allow,deny
    Allow from env=allow
    Satisfy Any
</Directory>

So far, this seems to be working and I haven't yet found any issues in
the tests that I've done--LDAP authentication is triggered if one
accesses any directory but the ones listed in the SetEnvIf statement.

I'd welcome the input if anyone knows of a better or cleaner way to
achieve this result.
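
Added example (not part of either post, and not RT's or Apache's own code): a Python check of which request paths the SetEnvIf pattern posted above exempts from LDAP authentication, next to a tightened pattern that is this example's own assumption. The request paths are constructed, and Python's re module is assumed to match these two patterns the same way Apache's regex engine does.

```python
import re

# Pattern exactly as posted in the SetEnvIf line above.
POSTED = r"^/(NoAuth|REST/1.0/NoAuth)(.*)$"
# Tightened variant (assumption of this example, not from the thread):
# escape the dot and require the prefix to end at a path-segment boundary.
TIGHTENED = r"^/(NoAuth|REST/1\.0/NoAuth)(/|$)"

# Constructed request paths, not taken from any real log.
SAMPLE_PATHS = [
    "/REST/1.0/NoAuth/mail-gateway",   # mail gateway endpoint, must skip auth
    "/NoAuth/css/base/main.css",       # static asset under NoAuth
    "/NoAuth",
    "/NoAuthorized/index.html",        # only shares the "/NoAuth" prefix
    "/REST/1x0/NoAuth/mail-gateway",   # unescaped "." matches any character
    "/REST/1.0/ticket/1/show",
    "/Ticket/Display.html",
    "/noauth/css/base/main.css",       # SetEnvIf is case-sensitive
]


def exempt(pattern, path):
    """True if SetEnvIf would set 'allow' for this Request_URI, so that
    'Allow from env=allow' plus 'Satisfy Any' lets it through without auth."""
    return re.search(pattern, path) is not None


def audit(paths=SAMPLE_PATHS):
    """Return (path, exempt_under_posted, exempt_under_tightened) rows."""
    return [(p, exempt(POSTED, p), exempt(TIGHTENED, p)) for p in paths]


def widened(paths=SAMPLE_PATHS):
    """Paths the posted pattern exempts but the tightened one does not."""
    return [p for p, posted, tight in audit(paths) if posted and not tight]


if __name__ == "__main__":
    for path, posted, tight in audit():
        print(f"{path:32} posted={'skip-auth' if posted else 'auth':9} "
              f"tightened={'skip-auth' if tight else 'auth'}")
    print("exempt only under the posted pattern:", widened())
```

Running the same audit against paths pulled from your own access log shows whether anything outside the two NoAuth trees is being served without authentication.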