Re: [rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-21 Thread declaya 

Hi Raphaël,
this also sounds like an interesting method. I'm going to check it out
today. 
I guess that mod_ntlm is alot easier than fumbling around with kerberos.
Thanks for this interesting idea!



Raphaël MOUNEYRES wrote:
 
 Hello,
 here we'vebeen able to to SSO auth via apache using mod_ntlm 
 (mod_ntlm-0.2-10mdv2010.1.x86_64 )
 
 Info was from 
 http://requesttracker.wikia.com/wiki/NtlmAuthentication
 http://modntlm.sourceforge.net/
 
 here is a sample of our apache config
 VirtualHost xx.xx.xx.xx:80
ServerName xx.xx.xx.xx
ServerAdmin x...@xxx.com
 
AddDefaultCharset UTF-8
DocumentRoot /opt/rt3/share/html
 
Directory /opt/rt3/share/html/
Order allow,deny
Allow from all 
 
 # Options d’authentifications NTLM
AuthName Request Tracker
AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain xxx.local
NTLMServer xxx.xxx.local
  NTLMBackup xxx.xxx.local
require valid-user
/Directory
  
PerlModule Apache2::compat
PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl
 
Location /
 SetHandler perl-script
 PerlHandler RT::Mason
/Location
 
 #Dossiers exclus de l’authentification
Location /NoAuth
 Satisfy any
 Allow from all
/Location
Location /REST/1.0/NoAuth/
 Satisfy any
 Allow from all
/Location
 
 /VirtualHost
 
 Raphaël MOUNEYRES
 Ingénieur Moyens Tests
 Avenue Paul Gellos 64990 Mouguerre
 Phone: +33 (0)5 59 58 41 51
 
 
 
 declaya chocoboselp...@gmx.de 
 Envoyé par : rt-users-boun...@lists.bestpractical.com
 20/09/2011 07:45
 
 A
 rt-users@lists.bestpractical.com
 cc
 
 Objet
 Re: [rt-users] RT4.0.1 ExternalAuth and SSO
 

-- 
View this message in context: 
http://old.nabble.com/RT4.0.1-ExternalAuth-and-SSO-tp32478912p32503716.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26  27, 2011
*  San Francisco, CA, USA  October 18  19, 2011
*  Washington DC, USA  October 31  November 1, 2011
*  Melbourne VIC, Australia  November 28  29, 2011
*  Barcelona, Spain  November 28  29, 2011

Re: [rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-20 Thread Raphaël MOUNEYRES 
Hello,
here we'vebeen able to to SSO auth via apache using mod_ntlm 
(mod_ntlm-0.2-10mdv2010.1.x86_64 )

Info was from 
http://requesttracker.wikia.com/wiki/NtlmAuthentication
http://modntlm.sourceforge.net/

here is a sample of our apache config
VirtualHost xx.xx.xx.xx:80
   ServerName xx.xx.xx.xx
   ServerAdmin x...@xxx.com

   AddDefaultCharset UTF-8
   DocumentRoot /opt/rt3/share/html

   Directory /opt/rt3/share/html/
   Order allow,deny
   Allow from all 

# Options d’authentifications NTLM
   AuthName Request Tracker
   AuthType NTLM
   NTLMAuth on
   NTLMAuthoritative on
   NTLMDomain xxx.local
   NTLMServer xxx.xxx.local
 NTLMBackup xxx.xxx.local
   require valid-user
   /Directory
 
   PerlModule Apache2::compat
   PerlModule Apache::DBI
   PerlRequire /opt/rt3/bin/webmux.pl

   Location /
SetHandler perl-script
PerlHandler RT::Mason
   /Location

#Dossiers exclus de l’authentification
   Location /NoAuth
Satisfy any
Allow from all
   /Location
   Location /REST/1.0/NoAuth/
Satisfy any
Allow from all
   /Location

/VirtualHost

Raphaël MOUNEYRES
Ingénieur Moyens Tests
Avenue Paul Gellos 64990 Mouguerre
Phone: +33 (0)5 59 58 41 51



declaya chocoboselp...@gmx.de 
Envoyé par : rt-users-boun...@lists.bestpractical.com
20/09/2011 07:45

A
rt-users@lists.bestpractical.com
cc

Objet
Re: [rt-users] RT4.0.1 ExternalAuth and SSO







Thank you for the quick response!

Ah, this explains a lot. No wonder why SSO was not working. I'm going to 
use
mod_auth_kerb for apache, since this does exactly what I want to achieve.
Again, thank you for giving me hints and have a nice day!
-- 
View this message in context: 
http://old.nabble.com/RT4.0.1-ExternalAuth-and-SSO-tp32478912p32500288.html

Sent from the Request Tracker - User mailing list archive at Nabble.com.


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26  27, 2011
*  San Francisco, CA, USA  October 18  19, 2011
*  Washington DC, USA  October 31  November 1, 2011
*  Melbourne VIC, Australia  November 28  29, 2011
*  Barcelona, Spain  November 28  29, 2011



#
 Ce courriel et les documents qui lui sont joints peuvent contenir des
informations confidentielles ou ayant un caract�re priv�. S'ils ne vous sont
pas destin�s, nous vous signalons qu'il est strictement interdit de les
divulguer, de les reproduire ou d'en utiliser de quelque mani�re que ce
soit le contenu. Si ce message vous a �t� transmis par erreur, merci d'en
informer l'exp�diteur et de supprimer imm�diatement de votre syst�me
informatique ce courriel ainsi que tous les documents qui y sont attach�s.


   **

 This e-mail and any attached documents may contain confidential or
proprietary information. If you are not the intended recipient, you are
notified that any dissemination, copying of this e-mail and any attachments
thereto or use of their contents by any means whatsoever is strictly
prohibited. If you have received this e-mail in error, please advise the
sender immediately and delete this e-mail and all attached documents
from your computer system.
#


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA — September 26  27, 2011
*  San Francisco, CA, USA — October 18  19, 2011
*  Washington DC, USA — October 31  November 1, 2011
*  Melbourne VIC, Australia — November 28  29, 2011
*  Barcelona, Spain — November 28  29, 2011

[rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-19 Thread declaya 

Hi all,

my RT installation is just a little step away from being absolutely perfect.

I'm currently trying to get a single sign-on behavior for all users in our
network. 
Until now, ExternalAuth is working fine, all users can log in with their
credentials, they are recognized in our AD. My problem now is the SSO
config. I have no idea what I have to set in the RT_SiteConfig.pm.
As far as now my config looks like this:

# An example SSO cookie service
'My_SSO_Cookie'  = {   # # The type of
service (db/ldap/cookie)
'type'  
   
=  'cookie',
'name'  
   
=  '', (commented out)
'u_table'   
   
=  'Users',
# The username field
in the users table
'u_field'   
   
=  'Name',
'u_match_key'   
   
=  'id',

This is the part where I don't know what to write in:

# The cookies table
'c_table'   
   
=  'login_cookie',
# The field that
stores cookie values
'c_field'   
   
=  'loginCookieValue',
# The field in the
cookies table that uniquely identifies a user
# and also exists in
the users table
'c_match_key'   
   
=  'loginCookieUserID',
# The DB service in
this configuration to use to lookup the cookie information
'db_service_name'   
   
=  'My_MySQL'
}
}

So now my question is: Where can I find out how the table, field and the
match key of the cookie is called? Or is this a misunderstanding from my
side?
Do I have to make a cookie by myself? I think I can use the cookie I get
when visiting the RT interface, don't I?

The log file says that ExternalAuth is able to find the cookie, but then it
fails to authenticate (No user was authenticated by browser cookie. SSO
failed and no user to test with.). I think this comes from the wrong config
so that ExternalAuth tries to read but fails because of the wrong table name
and/or field and match key. 

If I look at the cookie, it only contains a hash value. Maybe there is also
something wrong with the cookie itself. 


Thanks in advance for your help!




PS: Another (small, compared to the problem above) problem: Is the value for
'd_field' that has to be specified for ExternalAuth to connect to the MySQL
database of RT4.0.1 still there? I had trouble to find it and thus I
commented it out. It still works, but it would be nice to know how it is
called now. Thank you. :)  


-- 
View this message in context: 
http://old.nabble.com/RT4.0.1-ExternalAuth-and-SSO-tp32478912p32478912.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26  27, 2011
*  San Francisco, CA, USA  October 18  19, 2011
*  Washington DC, USA  October 31  November 1, 2011
*  Melbourne VIC, Australia  November 28  29, 2011
*  Barcelona, Spain  November 28  29, 2011

Re: [rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-19 Thread Thomas Sibley 
On 09/19/2011 04:51 AM, declaya wrote:
 
 Hi all,
 
 my RT installation is just a little step away from being absolutely perfect.
 
 I'm currently trying to get a single sign-on behavior for all users in our
 network. 
 Until now, ExternalAuth is working fine, all users can log in with their
 credentials, they are recognized in our AD. My problem now is the SSO
 config. I have no idea what I have to set in the RT_SiteConfig.pm.
 As far as now my config looks like this:

For AD SSO, you very likely want to use mod_auth_krb or similar
commercial products to do the authentication at the Apache level.  RT
can then trust Apache's auth with the right configuration, and you won't
really need ExternalAuth anymore since RT has the WebExternalAuth settings.

Thomas

RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26  27, 2011
*  San Francisco, CA, USA  October 18  19, 2011
*  Washington DC, USA  October 31  November 1, 2011
*  Melbourne VIC, Australia  November 28  29, 2011
*  Barcelona, Spain  November 28  29, 2011

Re: [rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-19 Thread Kevin Falcone 
On Mon, Sep 19, 2011 at 01:51:45AM -0700, declaya wrote:
 Until now, ExternalAuth is working fine, all users can log in with their
 credentials, they are recognized in our AD. My problem now is the SSO
 config. I have no idea what I have to set in the RT_SiteConfig.pm.
 As far as now my config looks like this:

I think you've misunderstood what SSO RT-Authen-ExternalAuth supports.

 So now my question is: Where can I find out how the table, field and the
 match key of the cookie is called? Or is this a misunderstanding from my
 side?
 Do I have to make a cookie by myself? I think I can use the cookie I get
 when visiting the RT interface, don't I?

This module supports doing SSO using cookies that you're setting from
another application.  It is telling RT how to reach into the remote
database to confirm the cookie it receives.

If you want AD SPNEGO SSO, you want mod_auth_kerb or one of the
related web server extensions.

-kevin


pgpD3BZMt6jAi.pgp
Description: PGP signature

RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA — September 26  27, 2011
*  San Francisco, CA, USA — October 18  19, 2011
*  Washington DC, USA — October 31  November 1, 2011
*  Melbourne VIC, Australia — November 28  29, 2011
*  Barcelona, Spain — November 28  29, 2011

Re: [rt-users] RT4.0.1 ExternalAuth and SSO

2011-09-19 Thread declaya 

Thank you for the quick response!

Ah, this explains a lot. No wonder why SSO was not working. I'm going to use
mod_auth_kerb for apache, since this does exactly what I want to achieve.
Again, thank you for giving me hints and have a nice day!
-- 
View this message in context: 
http://old.nabble.com/RT4.0.1-ExternalAuth-and-SSO-tp32478912p32500288.html
Sent from the Request Tracker - User mailing list archive at Nabble.com.


RT Training Sessions (http://bestpractical.com/services/training.html)
*  Chicago, IL, USA  September 26  27, 2011
*  San Francisco, CA, USA  October 18  19, 2011
*  Washington DC, USA  October 31  November 1, 2011
*  Melbourne VIC, Australia  November 28  29, 2011
*  Barcelona, Spain  November 28  29, 2011