Re: [rt-users] RT4.0.1 ExternalAuth and SSO
Hi Raphaël,

this also sounds like an interesting method. I'm going to check it out today. I guess that mod_ntlm is a lot easier than fumbling around with kerberos.

Thanks for this interesting idea!

Raphaël MOUNEYRES wrote:
>
> Hello,
> here we've been able to do SSO auth via apache using mod_ntlm
> (mod_ntlm-0.2-10mdv2010.1.x86_64)
>
> Info was from
> http://requesttracker.wikia.com/wiki/NtlmAuthentication
> http://modntlm.sourceforge.net/
>
> here is a sample of our apache config
>
> ServerName xx.xx.xx.xx
> ServerAdmin x...@xxx.com
>
> AddDefaultCharset UTF-8
> DocumentRoot /opt/rt3/share/html
>
> Order allow,deny
> Allow from all
>
> # NTLM authentication options
> AuthName "Request Tracker"
> AuthType NTLM
> NTLMAuth on
> NTLMAuthoritative on
> NTLMDomain xxx.local
> NTLMServer xxx.xxx.local
> NTLMBackup xxx.xxx.local
> require valid-user
>
> PerlModule Apache2::compat
> PerlModule Apache::DBI
> PerlRequire /opt/rt3/bin/webmux.pl
>
> SetHandler perl-script
> PerlHandler RT::Mason
>
> # Directories excluded from authentication
>
> Satisfy any
> Allow from all
>
> Satisfy any
> Allow from all
>
> Raphaël MOUNEYRES

--
View this message in context: http://old.nabble.com/RT4.0.1-ExternalAuth-and-SSO-tp32478912p32503716.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.

RT Training Sessions (http://bestpractical.com/services/training.html)
* Chicago, IL, USA September 26 & 27, 2011
* San Francisco, CA, USA October 18 & 19, 2011
* Washington DC, USA October 31 & November 1, 2011
* Melbourne VIC, Australia November 28 & 29, 2011
* Barcelona, Spain November 28 & 29, 2011
Re: [rt-users] RT4.0.1 ExternalAuth and SSO
Hello,
here we've been able to do SSO auth via apache using mod_ntlm (mod_ntlm-0.2-10mdv2010.1.x86_64)

Info was from
http://requesttracker.wikia.com/wiki/NtlmAuthentication
http://modntlm.sourceforge.net/

here is a sample of our apache config

    ServerName xx.xx.xx.xx
    ServerAdmin x...@xxx.com

    AddDefaultCharset UTF-8
    DocumentRoot /opt/rt3/share/html

    Order allow,deny
    Allow from all

    # NTLM authentication options
    AuthName "Request Tracker"
    AuthType NTLM
    NTLMAuth on
    NTLMAuthoritative on
    NTLMDomain xxx.local
    NTLMServer xxx.xxx.local
    NTLMBackup xxx.xxx.local
    require valid-user

    PerlModule Apache2::compat
    PerlModule Apache::DBI
    PerlRequire /opt/rt3/bin/webmux.pl

    SetHandler perl-script
    PerlHandler RT::Mason

    # Directories excluded from authentication

    Satisfy any
    Allow from all

    Satisfy any
    Allow from all

Raphaël MOUNEYRES
Test Equipment Engineer
Avenue Paul Gellos 64990 Mouguerre
Phone: +33 (0)5 59 58 41 51

declaya
Sent by: rt-users-boun...@lists.bestpractical.com
20/09/2011 07:45
To: rt-users@lists.bestpractical.com
cc:
Subject: Re: [rt-users] RT4.0.1 ExternalAuth and SSO

Thank you for the quick response!

Ah, this explains a lot. No wonder why SSO was not working.
I'm going to use mod_auth_kerb for apache, since this does exactly what I want to achieve.

Again, thank you for giving me hints and have a nice day!
Re: [rt-users] RT4.0.1 ExternalAuth and SSO
Thank you for the quick response!

Ah, this explains a lot. No wonder why SSO was not working.
I'm going to use mod_auth_kerb for apache, since this does exactly what I want to achieve.

Again, thank you for giving me hints and have a nice day!
Re: [rt-users] RT4.0.1 ExternalAuth and SSO
On Mon, Sep 19, 2011 at 01:51:45AM -0700, declaya wrote:
> Until now, ExternalAuth is working fine, all users can log in with their
> credentials, they are recognized in our AD. My problem now is the SSO
> config. I have no idea what I have to set in the RT_SiteConfig.pm.
> As far as now my config looks like this:

I think you've misunderstood what SSO RT-Authen-ExternalAuth supports.

> So now my question is: Where can I find out how the table, field and the
> match key of the cookie is called? Or is this a misunderstanding from my
> side?
> Do I have to make a cookie by myself? I think I can use the cookie I get
> when visiting the RT interface, don't I?

This module supports doing SSO using cookies that you're setting from another application. It is telling RT how to reach into the remote database to confirm the cookie it receives.

If you want AD SPNEGO SSO, you want mod_auth_kerb or one of the related web server extensions.

-kevin
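The lookup described in the reply above, sketched as an added example that is not part of the thread and is not RT-Authen-ExternalAuth's own code. The key names are the ones in the original poster's configuration; the helper names `build_db` and `user_for_cookie`, the SQLite database standing in for the other application's MySQL service, and all rows are constructed for illustration.

```python
import sqlite3

# Key names are the ones from the 'cookie' service in the original post.
CFG = {"u_table": "Users", "u_field": "Name", "u_match_key": "id",
       "c_table": "login_cookie", "c_field": "loginCookieValue",
       "c_match_key": "loginCookieUserID"}

def build_db():
    """Constructed stand-in for the other application's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (id INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE login_cookie (loginCookieValue TEXT, loginCookieUserID INTEGER);
        INSERT INTO Users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO login_cookie VALUES ('3f9c0a-constructed-token', 1);
    """)
    return db

def user_for_cookie(db, cookie_value, cfg=CFG):
    """Return the username a cookie value maps to, or None if nothing confirms it."""
    if not cookie_value:
        return None
    # Table and column names come from the config file; refuse anything that
    # is not a plain identifier before putting it into the SQL text.
    for ident in cfg.values():
        if not ident.replace("_", "").isalnum():
            raise ValueError(f"bad identifier in config: {ident!r}")
    sql = (f"SELECT u.{cfg['u_field']} FROM {cfg['u_table']} AS u "
           f"JOIN {cfg['c_table']} AS c "
           f"ON u.{cfg['u_match_key']} = c.{cfg['c_match_key']} "
           f"WHERE c.{cfg['c_field']} = ?")
    # The cookie value is client-controlled, so it is bound as a parameter.
    rows = db.execute(sql, (cookie_value,)).fetchall()
    # Exactly one matching row is required; zero or several means no login.
    return rows[0][0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = build_db()
    for value in ("3f9c0a-constructed-token",   # set by the other application
                  "a1b2c3-rt-session-hash",     # RT's own session cookie: no row
                  "' OR '1'='1"):               # injection attempt: no row
        print(repr(value), "->", user_for_cookie(db, value))
```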
Re: [rt-users] RT4.0.1 ExternalAuth and SSO
On 09/19/2011 04:51 AM, declaya wrote:
>
> Hi all,
>
> my RT installation is just a little step away from being absolutely perfect.
>
> I'm currently trying to get a single sign-on behavior for all users in our
> network.
> Until now, ExternalAuth is working fine, all users can log in with their
> credentials, they are recognized in our AD. My problem now is the SSO
> config. I have no idea what I have to set in the RT_SiteConfig.pm.
> As far as now my config looks like this:

For AD SSO, you very likely want to use mod_auth_kerb or similar commercial products to do the authentication at the Apache level. RT can then trust Apache's auth with the right configuration, and you won't really need ExternalAuth anymore since RT has the WebExternalAuth settings.

Thomas
[rt-users] RT4.0.1 ExternalAuth and SSO
Hi all,

my RT installation is just a little step away from being absolutely perfect.

I'm currently trying to get a single sign-on behavior for all users in our network.
Until now, ExternalAuth is working fine, all users can log in with their credentials, they are recognized in our AD. My problem now is the SSO config. I have no idea what I have to set in the RT_SiteConfig.pm.
As far as now my config looks like this:

    # An example SSO cookie service
    'My_SSO_Cookie' => {
        #
        # The type of service (db/ldap/cookie)
        'type' => 'cookie',
        'name' => '', (commented out)
        'u_table' => 'Users',
        # The username field in the users table
        'u_field' => 'Name',
        'u_match_key' => 'id',

This is the part where I don't know what to write in:

        # The cookies table
        'c_table' => 'login_cookie',
        # The field that stores cookie values
        'c_field' => 'loginCookieValue',
        # The field in the cookies table that uniquely identifies a user
        # and also exists in the users table
        'c_match_key' => 'loginCookieUserID',
        # The DB service in this configuration to use to lookup the cookie information
        'db_service_name' => 'My_MySQL'
    }
    }

So now my question is: Where can I find out how the table, field and the match key of the cookie is called? Or is this a misunderstanding from my side?
Do I have to make a cookie by myself? I think I can use the cookie I get when visiting the RT interface, don't I?

The log file says that ExternalAuth is able to find the cookie, but then it fails to authenticate ("No user was authenticated by browser cookie. SSO failed and no user to test with."). I think this comes from the wrong config so that ExternalAuth tries to read but fails because of the wrong table name and/or field and match key. If I look at the cookie, it only contains a hash value. Maybe there is also something wrong with the cookie itself.

Thanks in advance for your help!

PS: Another (small, compared to the problem above) problem: Is the value for 'd_field' that has to be specified for ExternalAuth to connect to the MySQL database of RT4.0.1 still there? I had trouble to find it and thus I commented it out. It still works, but it would be nice to know how it is called now.

Thank you. :)