Re: [rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup
On Thu, Jun 09, 2011 at 09:57:49PM +0700, Ivan Shmakov wrote: I was able to successfully configure RT and Apache to use Kerberos for authentication, roughly as shown below. However, now I'm somewhat concerned about the lack of authentication in rt-mailgate(1) (Debian Bug#615890 [1].) Somehow, I feel that this issue could be resolved easily, and wonder if anyone's interested? We'd certainly consider patches Also, I wonder, is it possible to make RT refer to LDAP for certain information (like: login name, real name, e-mail, etc.) about its users? It could easily become a painful experience to either synchronize the RT user database with LDAP, or to maintain the informations in both of the places simultaneously. Sounds like you want RT-Extension-LDAPImport Additionally, I have set up an Unprivileged “guest” account. However, this configuration results in the user being presented with a somewhat “limited” Web interface (in particular, it lacks the Search facility.) Should I make this account Privileged instead, or is there another easy way of setting up a “read-only” account with the Search facility being active? If you want the advanced search, you want a Privileged user. Unprivileged users are only going to see tickets that they're the Requestor of. -kevin pgpuQPyn90IBN.pgp Description: PGP signature
Re: [rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup
Kevin Falcone falc...@bestpractical.com writes: On Thu, Jun 09, 2011 at 09:57:49PM +0700, Ivan Shmakov wrote: […] Also, I wonder, is it possible to make RT refer to LDAP for certain information (like: login name, real name, e-mail, etc.) about its users? It could easily become a painful experience to either synchronize the RT user database with LDAP, or to maintain the informations in both of the places simultaneously. Sounds like you want RT-Extension-LDAPImport I'll check it, thanks. Additionally, I have set up an Unprivileged “guest” account. However, this configuration results in the user being presented with a somewhat “limited” Web interface (in particular, it lacks the Search facility.) Should I make this account Privileged instead, or is there another easy way of setting up a “read-only” account with the Search facility being active? If you want the advanced search, you want a Privileged user. Is it merely a limitation of the implementation, or something deeper? The inconvenience of setting up a Privileged guest account is that it will be necessary to maintain a separate group, whose members (which are all the Privileged users except the guest account) are actually granted “write access” to the tickets. With guest account now being Unprivileged, the Privileged group fulfills this role. Unprivileged users are only going to see tickets that they're the Requestor of. Apparently, it's not the case: I was able to see all the tickets belonging to the queues for which Everyone is granted SeeQueue and ShowTicket permissions. (RT 3.8.8 debian 7.) -- FSF associate member #7257
[rt-users] RT 3.8: questions on Kerberos, LDAP, and guest account setup
I was able to successfully configure RT and Apache to use
Kerberos for authentication, roughly as shown below. However,
now I'm somewhat concerned about the lack of authentication in
rt-mailgate(1) (Debian Bug#615890 [1].) Somehow, I feel that
this issue could be resolved easily, and wonder if anyone's
interested?
[1] http://bugs.debian.org/615890
Also, I wonder, is it possible to make RT refer to LDAP for
certain information (like: login name, real name, e-mail, etc.)
about its users? It could easily become a painful experience to
either synchronize the RT user database with LDAP, or to
maintain the informations in both of the places simultaneously.
Additionally, I have set up an Unprivileged “guest” account.
However, this configuration results in the user being presented
with a somewhat “limited” Web interface (in particular, it lacks
the Search facility.) Should I make this account Privileged
instead, or is there another easy way of setting up a
“read-only” account with the Search facility being active?
I'm using RT as of version 3.8.8 debian 7.
TIA.
The RT and Apache configuration files for using HTTP
authentication with a Kerberos database were roughly as follows.
$ cat /etc/request-tracker3.8/RT_SiteConfig.d/99-trust-webauth
### 99-trust-webauth -*- Default-Generic -*-
## use the REMOTE_USER provided by the web server
Set ($WebExternalAuth, 1);
## display normal login screen if REMOTE_USER fails
# Set ($WebFallbackToInternalAuth, 1);
## create users automatically if no user matching REMOTE_USER is found
Set ($WebExternalAuto, 1);
### 99-trust-webauth ends here
$ cat /etc/apache2/sites-enabled/gray-ssl
…
## /rt/ (for http://rt.am-1.org/)
## We use this to prevent requests for images being sent through to
## the RT::Mason handler
Alias /rt/NoAuth/images /usr/share/request-tracker3.8/html/NoAuth/images
## Handle everything else with this
ScriptAlias /rt /usr/share/request-tracker3.8/libexec/mason_handler.scgi
Directory /usr/share/request-tracker3.8/libexec
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
/Directory
Location /rt/
DirectoryIndex index.html
Order allow,deny
Allow from all
AuthType Kerberos
## FIXME: README.gz tells that the following is insecure
# KrbVerifyKDC off
Require valid-user
/Location
## Limit mail gateway access to localhost by default
Location /rt/REST/1.0/NoAuth
Order allow,deny
Allow from ::1
Allow from 127.0.0.0/8
Satisfy any
/Location
IfModule mod_rewrite.c
RewriteCond %{HTTP_HOST} =rt.am-1.org
RewriteRule ^/$ /rt/ [R=302]
/IfModule
…
$
--
FSF associate member #7257
