CC: | bug-RT-Authen-ExternalAuth [...] rt.cpan.org, rt-bugs [...] bestpractical.com |
Subject: | RT-Authen-ExternalAuth-0.09 Patch for SSO-Auth |
Date: | Fri, 06 Jul 2012 12:10:12 +0200 |
To: | tsibley [...] cpan.org |
From: | Joerg Dorchain <joerg.dorchain [...] banqueinvik.lu> |
Hello,
I am trying to use RT with single-sign-on via kerberos
(WWW-Authenticate: Negotiate method), with user details then fetched via
ldap.
There seemed to be no perl implementation of the server side, so I am using
mod_auth_kerberos for apache2.
For this to work a small patch to RT-Authen-ExternalAuth is necessary,
taking the username from the apache environment (similar to CookieAuth).
Basic idea is described at
http://requesttracker.wikia.com/wiki/Kerberos_SSO_with_Active_Directory_Integration
This could be surrounded by a config option and then replace/extend
WebExternalAuth.
Bye,
Joerg
/usr/local/share/request-tracker4/plugins/RT-Authen-ExternalAuth/lib/RT/Authen#
diff -u ExternalAuth.pm.orig ExternalAuth.pm
--- ExternalAuth.pm.orig 2012-07-06 11:44:17.000000000 +0200
+++ ExternalAuth.pm 2012-07-06 11:52:26.000000000 +0200
@@ -76,13 +76,17 @@
$username =
RT::Authen::ExternalAuth::DBI::GetCookieAuth($config);
}
#############################################################
+
+ if(defined $ENV{'REMOTE_USER'}) {
+ $username = $ENV{'REMOTE_USER'};
+ }
# If $username is defined, we have a good SSO $username and can
# safely bypass the password checking later on; primarily because
# it's VERY unlikely we even have a password to check if an SSO
succeeded.
$pass_bypass = 0;
if(defined($username)) {
- $RT::Logger->debug("Pass not going to be checked, attempting
SSO");
+ $RT::Logger->debug("Pass not going to be checked, attempting
SSO for $username");
$pass_bypass = 1;
} el
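Review bot: the added `if(defined $ENV{'REMOTE_USER'})` block runs unconditionally and after the GetCookieAuth branch, so it overwrites any $username the configured cookie SSO produced and leads to $pass_bypass = 1 on every installation where the web server exports REMOTE_USER, whether or not the administrator intended to trust it. Gate it behind a config option, as the cover message itself suggests, and only take the value when $username is still undefined. `defined` is also true for an empty string, which would enable the password bypass with an empty user name; test for a non-empty value instead. The value is used verbatim and is now interpolated into the debug log line, so any normalization or validation of the name should happen before this point.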
--
Banque Invik IT
Parc d’Activités - CAP 2
38 rue Pafebruch
L-8308 Capellen
Telephone: + 352 27 754 497