logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



OTRS Apache SSO troubel

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
adabud86



Joined: 19 Nov 2018
Posts: 1
Location: Poland

PostPosted: Mon 19 Nov '18 12:19    Post subject: OTRS Apache SSO troubel Reply with quote

Hello all,

This is my very first post and Iím very excited and hope I can build up my knowledge!

I have an OTRS 6 Server running on RHEL 6.

Our OTRS Server is behind a IBM Tivoli Access Manager ( Client - > TAM (IBM Tivoli Access Manager) - > OTRS). On TAM we have a junction created https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide16.htm so the client is not going via the direct link e.g. https://otrs_fqdn/otrs/index.pl but via TAM e.g. https://tam_otrs_junction/otrs/index.pl

TAM basically verifies if user A is in Active Directory group X to check whether he or she is allowed to access the junction. TAM can also be configured for SSO in such a way that it grabs the Kerberos ticket and after successful authentication it sets a custom variable iv-user in the http header and sends it to the backend application in this case OTRS. Now I would like to configure OTRS for SSO. This can be done with one line in OTRS $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth'; https://doc.otrs.com/doc/manual/admin/6.0/en/html/external-backends.html This is an example configuration for an apache ($ENV{REMOTE_USER}) auth. backend. Use it if you want to have a single login through apache http-basic-auth



I have enabled mod_log_forensic on my Apache and in fact I can see the Windows User ID being send in the iv-user variable in the header. So what I know do (and please correct my if Iím mistaken) I grab the iv-user header variable and re-write it to REMOTE_USER with the code below SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1

I put the SetEnvIf directive in httpd.conf.

The problem now is that the designated cig-bin directory contains 3 scripts (index.pl customer.pl and npg-genericinterface.pl) and as far SSO works for index.pl Iíd like to exclude nph-genericinterface.pl from SSO. I tried to set the SetEnvIf directive even per Location but still tries to SSO for the generic-interface (it is a web service backend forOTRS). How could I configure this in Apache ?
Hereís the Apache OTRS config:


Code:

# --
# added for OTRS (http://otrs.org/)
# --
ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
   <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

# Allow access to public interface for unauthenticated requests on systems with set-up authentication.
# Will work only for RegistrationUpdate, since page resources are still not be loaded.
# <Location /otrs/public.pl>
#     <IfModule mod_version.c>
#         <IfVersion < 2.4>
#             Order allow,deny
#             Allow from all
#         </IfVersion>
#         <IfVersion >= 2.4>
#             Require all granted
#         </IfVersion>
#     </IfModule>
#     <IfModule !mod_version.c>
#         Order allow,deny
#         Allow from all
#     </IfModule>
# </Location>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000





Thank you very much for all help in advance!

BR,
Adam

Mod note: added code tags
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1