WebExternalAuth

From Request Tracker Wiki
Revision as of 16:39, 6 April 2016 by Admin (talk | contribs) (3 revisions imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search



This page 'WebExternalAuth' is tagged as OUTDATED
This page contains out of date and possibly misleading information or instructions such as installation methods or configuration examples that no longer apply. Please consider this warning when reading the page below.
If you have checked or updated this page and found the content to be suitable, please remove this notice by editing the page and remove the Outdated template tag.


From the RT_Config.pm file:

If $WebExternalAuth is defined, RT will defer to the environment's REMOTE_USER variable.

---

Just add the following lines to your RT_SiteConfig.pm file: 

# tells RT to use the REMOTE_USER provided by the web server
 Set($WebExternalAuth , 1);
 
 # tells RT to display its normal login screen if REMOTE_USER fails
 Set($WebFallbackToInternalAuth , 1);
 
 # tells RT to create users automatically if no user matching REMOTE_USER is found
 Set($WebExternalAuto , 1);

and then configure Apache to not authenticate the /NoAuth directory, so the rt-mailgate program can submit tickets.

For example (using pwauth and mod_perl): 

AddExternalAuth pwauth /usr/local/sbin/pwauth
SetExternalAuthMethod pwauth pipe

<Location />
  SetHandler perl-script
  PerlHandler RT::Mason

  AuthType Basic
  AuthName rtauth
  AuthExternal pwauth
  require valid-user
</Location>

<LocationMatch "/NoAuth">
    Satisfy Any
    Allow from all
</LocationMatch>

Adjust for your particular authentication method and webserver configuration.

Notes that has been added to the [FAQ] where they don't belong

TODO: refactor me into good looking combined text

Q: I use WebExternalAuth to authenticate my users. When I turn it on E-Mail to queues stop working with a "401 Authorization Required" error. How can I make the mail gateway authenticate to the web server?

A: Turn off the authentication requirement for all "NoAuth" directories. For Apache edit the server-wide httpd.conf file and add the following in RT's VirtualHost section (change the "/opt/rt3" to point to your installation): 

<Directory /opt/rt3/share/html/REST/1.0/NoAuth>
    SetHandler perl-script
    PerlHandler RT::Mason
    satisfy any
    allow from all
</Directory>
<Directory /opt/rt3/share/html/NoAuth>
    SetHandler perl-script
    PerlHandler RT::Mason
    satisfy any
    allow from all
</Directory>

A2: You may find that you need to use Location directives within the virtual host instead. This worked for me whereas Directory did not. (using fastcgi, obviously, on apache 2.0.x, under mod_auth_kerberos.) 

<Location /REST/1.0/NoAuth>
    SetHandler fastcgi-script
    allow from all
    satisfy any
</Location>
<Location /NoAuth>
    SetHandler fastcgi-script
    allow from all
    satisfy any
</Location>
Retrieved from "https://rt-wiki.bestpractical.com/index.php?title=WebExternalAuth&oldid=4190"