Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

there are these settings in RT:

# tells RT to use the REMOTE_USER provided by the web server
Set($WebExternalAuth , 1);

# tells RT to display its normal login screen if REMOTE_USER fails
Set($WebFallbackToInternalAuth , 1);

# tells RT to create users automatically if no user matching REMOTE_USER is found
Set($WebExternalAuto , 1);

I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?

Best Regards,
Oliver

From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Dienstag, 3. September 2013 21:47
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

> Hi,
>
> Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.
>
> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
>> Hi all,
>>
>> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.
>>
>> What we have on our reverse proxy is this:
>>
>> ProxyPass /rt/ http://hostname.local/rt/ max=100
>> ProxyPassReverse /rt/ http://hostname.local/rt/
>>
>> RedirectMatch ^/$ /rt/
>>
>> # Proxy all locations
>> <Proxy *>
>>     AddDefaultCharset off
>>     Order deny,allow
>>     Deny from none
>> </Proxy>
>>
>> <Location /rt>
>>     AuthType Kerberos
>>     AuthName "Kerberos Login"
>>     KrbAuthRealms KRB5.LOCAL
>>     Krb5KeyTab /etc/apache2/host.keytab
>>     KrbMethodNegotiate on
>>     KrbAuthoritative on
>>     KrbMethodK5Passwd off
>>     KrbSaveCredentials on
>>     require valid-user
>>
>>     # SSO
>>     RewriteEngine On
>>     RewriteCond %{LA-U:REMOTE_USER} (.+)$
>>     RewriteRule . - [E=RU:%1]
>>     RequestHeader set REMOTE_USER %{RU}e
>> </Location>
>>
>> Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.
>
> --
> Best regards, Ruslan.
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

http://www.gossamer-threads.com/lists/apache/dev/370306

On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
> Hi,
>
> there are these settings in RT:
>
> # tells RT to use the REMOTE_USER provided by the web server
> Set($WebExternalAuth , 1);
>
> # tells RT to display its normal login screen if REMOTE_USER fails
> Set($WebFallbackToInternalAuth , 1);
>
> # tells RT to create users automatically if no user matching REMOTE_USER is found
> Set($WebExternalAuto , 1);
>
> I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?
>
> Best Regards,
> Oliver
>
> From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
> Sent: Dienstag, 3. September 2013 21:47
> To: Oliver Weinmann
> Cc: rt-users@lists.bestpractical.com
> Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
>
>> Hi,
>>
>> Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.
>>
>> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
>>> Hi all,
>>>
>>> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.
>>>
>>> What we have on our reverse proxy is this:
>>>
>>> ProxyPass /rt/ http://hostname.local/rt/ max=100
>>> ProxyPassReverse /rt/ http://hostname.local/rt/
>>>
>>> RedirectMatch ^/$ /rt/
>>>
>>> # Proxy all locations
>>> <Proxy *>
>>>     AddDefaultCharset off
>>>     Order deny,allow
>>>     Deny from none
>>> </Proxy>
>>>
>>> <Location /rt>
>>>     AuthType Kerberos
>>>     AuthName "Kerberos Login"
>>>     KrbAuthRealms KRB5.LOCAL
>>>     Krb5KeyTab /etc/apache2/host.keytab
>>>     KrbMethodNegotiate on
>>>     KrbAuthoritative on
>>>     KrbMethodK5Passwd off
>>>     KrbSaveCredentials on
>>>     require valid-user
>>>
>>>     # SSO
>>>     RewriteEngine On
>>>     RewriteCond %{LA-U:REMOTE_USER} (.+)$
>>>     RewriteRule . - [E=RU:%1]
>>>     RequestHeader set REMOTE_USER %{RU}e
>>> </Location>
>>>
>>> Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.
>>
>> --
>> Best regards, Ruslan.

--
Best regards, Ruslan.
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

thanks for the hint, but this doesn’t solve the issue yet. I have done the following. I have tested the KRB5 setup on the host directly. This works fine. I see this in the logs on the RT host.

Accessing the RT host directly:

[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1628): [client ] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1240): [client ] Acquiring creds for HTTP@gedadvl05-clone
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1385): [client ] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1401): [client ] Client didn't delegate us their credential
[Wed Sep 04 14:00:10 2013] [debug] src/mod_auth_kerb.c(1420): [client ] GSS-API token of length 181 bytes will be sent back
[Wed Sep 04 14:00:11 2013] [debug] mod_deflate.c(615): [client ] Zlib: Compressed 43435 to 6091 : URL /rt/

Accessing via the reverse proxy:

[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1628): [client ] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1240): [client ] Acquiring creds for HTTP@gedadvl05-clone
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1385): [client ] Verifying client data using KRB5 GSS-API
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1401): [client ] Client didn't delegate us their credential
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1420): [client ] GSS-API token of length 9 bytes will be sent back
[Wed Sep 04 14:02:55 2013] [debug] src/mod_auth_kerb.c(1101): [client ] GSS-API major_status:000d, minor_status:000186a5
[Wed Sep 04 14:02:55 2013] [error] [client ] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
[Wed Sep 04 14:02:55 2013] [debug] mod_deflate.c(615): [client ] Zlib: Compressed 482 to 326 : URL /rt/

I’m also not sure about the configuration of the RT host itself. Does it have to be Kerberos enabled too? I have this in /etc/apache2/httpd.conf:

#<Directory /usr/share/request-tracker4/html>
#    AuthType Kerberos
#    AuthName "Request Tracker"
#    KrbMethodNegotiate On
#    KrbMethodK5Passwd On
#    KrbVerifyKDC On
#    Krb5Keytab /etc/apache2/rtkeytab
#    KrbAuthoritative On
#    KrbSaveCredentials On
#    Require valid-user
#    AllowOverride None
#</Directory>

If I disable this I’m not logged in but there is also no login (username/password) displayed, but the RT website is shown also when accessing via the proxy.

From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
Sent: Mittwoch, 4. September 2013 13:19
To: Oliver Weinmann
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb

> Hi,
>
> http://www.gossamer-threads.com/lists/apache/dev/370306
>
> On Wed, Sep 4, 2013 at 10:37 AM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
>> Hi,
>>
>> there are these settings in RT:
>>
>> # tells RT to use the REMOTE_USER provided by the web server
>> Set($WebExternalAuth , 1);
>>
>> # tells RT to display its normal login screen if REMOTE_USER fails
>> Set($WebFallbackToInternalAuth , 1);
>>
>> # tells RT to create users automatically if no user matching REMOTE_USER is found
>> Set($WebExternalAuto , 1);
>>
>> I have them all set except the last one as we use LDAPImport. So I would expect RT to not drop the REMOTE_USER. Or is this obsolete?
>>
>> Best Regards,
>> Oliver
>>
>> From: ruslan.zaki...@gmail.com [mailto:ruslan.zaki...@gmail.com] On Behalf Of Ruslan Zakirov
>> Sent: Dienstag, 3. September 2013 21:47
>> To: Oliver Weinmann
>> Cc: rt-users@lists.bestpractical.com
>> Subject: Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
>>
>>> Hi,
>>>
>>> Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.
>>>
>>> On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
>>>> Hi all,
>>>>
>>>> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.
>>>>
>>>> What we have on our reverse proxy is this:
>>>>
>>>> ProxyPass /rt/ http://hostname.local/rt/ max=100
>>>> ProxyPassReverse /rt/ http://hostname.local/rt/
>>>>
>>>> RedirectMatch ^/$ /rt/
>>>>
>>>> # Proxy all locations
>>>> <Proxy *>
>>>>     AddDefaultCharset off
>>>>     Order deny,allow
>>>>     Deny from none
>>>> </Proxy>
>>>>
>>>> <Location /rt>
>>>>     AuthType Kerberos
>>>>     AuthName "Kerberos Login"
>>>>     KrbAuthRealms
Re: [rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi,

Why do you expect remote server where you host RT to respect REMOTE_USER and not to drop it? If a web server would pass remotely provided REMOTE_USER further to an app without additional configuration then we wouldn't use it for authentication.

On Mon, Sep 2, 2013 at 5:14 PM, Oliver Weinmann oliver.weinm...@telespazio-vega.de wrote:
> Hi all,
>
> we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.
>
> What we have on our reverse proxy is this:
>
> ProxyPass /rt/ http://hostname.local/rt/ max=100
> ProxyPassReverse /rt/ http://hostname.local/rt/
>
> RedirectMatch ^/$ /rt/
>
> # Proxy all locations
> <Proxy *>
>     AddDefaultCharset off
>     Order deny,allow
>     Deny from none
> </Proxy>
>
> <Location /rt>
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     KrbAuthRealms KRB5.LOCAL
>     Krb5KeyTab /etc/apache2/host.keytab
>     KrbMethodNegotiate on
>     KrbAuthoritative on
>     KrbMethodK5Passwd off
>     KrbSaveCredentials on
>     require valid-user
>
>     # SSO
>     RewriteEngine On
>     RewriteCond %{LA-U:REMOTE_USER} (.+)$
>     RewriteRule . - [E=RU:%1]
>     RequestHeader set REMOTE_USER %{RU}e
> </Location>
>
> Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.

--
Best regards, Ruslan.
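
The point made in the reply above, as an added illustration (not code from RT, Apache or either poster): in a CGI-style environment a request header named REMOTE_USER reaches the application as HTTP_REMOTE_USER, while REMOTE_USER itself is set only by the backend server's own authentication. The proxy address, the user names and the function names are assumptions made for the example; the last function shows the explicit "additional configuration" a backend needs before it accepts a proxy-asserted identity.

```python
# Added illustration; addresses, principals and helper names are constructed.

TRUSTED_PROXIES = {"10.0.0.5"}      # assumed address of the reverse proxy
IDENTITY_HEADER = "REMOTE_USER"     # header the proxy sets via RequestHeader


def build_environ(peer_addr, headers, authenticated_user=None):
    """Build a CGI-style environment the way a web server does.

    REMOTE_USER comes only from the server's own auth module; request
    headers are exposed under HTTP_* names and never overwrite it.
    """
    environ = {"REMOTE_ADDR": peer_addr}
    if authenticated_user is not None:
        environ["REMOTE_USER"] = authenticated_user
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def external_auth_user(environ):
    """What an application relying on web-server auth reads: REMOTE_USER only."""
    return environ.get("REMOTE_USER")


def forwarded_user(environ, trusted=TRUSTED_PROXIES):
    """Accept the proxy-asserted identity only when the peer is a trusted proxy."""
    if environ.get("REMOTE_ADDR") not in trusted:
        return None
    user = environ.get("HTTP_" + IDENTITY_HEADER, "").strip()
    return user or None


# Constructed requests: one relayed by the proxy after Kerberos authentication,
# one arriving at the backend from another address carrying the same header.
via_proxy = build_environ("10.0.0.5", {"REMOTE_USER": "oliver@KRB5.LOCAL"})
direct = build_environ("192.0.2.77", {"REMOTE_USER": "someone@KRB5.LOCAL"})

if __name__ == "__main__":
    print(external_auth_user(via_proxy))  # header alone never sets REMOTE_USER
    print(forwarded_user(via_proxy))      # accepted: peer is the trusted proxy
    print(forwarded_user(direct))         # rejected: peer is not the proxy
```
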
[rt-users] RT 4.0.4 behind Apache Reverse Proxy with mod_auth_kerb
Hi all,

we have successfully set up RT 4.0.4 with ldap_import and mod_auth_kerb. Now we need to get the setup running through our reverse proxy.

What we have on our reverse proxy is this:

ProxyPass /rt/ http://hostname.local/rt/ max=100
ProxyPassReverse /rt/ http://hostname.local/rt/

RedirectMatch ^/$ /rt/

# Proxy all locations
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from none
</Proxy>

<Location /rt>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms KRB5.LOCAL
    Krb5KeyTab /etc/apache2/host.keytab
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbMethodK5Passwd off
    KrbSaveCredentials on
    require valid-user

    # SSO
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)$
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
</Location>

Running tcpdump we can see that REMOTE_USER is set and sent to the host hosting RT. It looks like RT is not picking it up. As far as I understood, my user gets authenticated at the proxy and RT should trust these credentials and log in the user.