Topic: OTRS Apache SSO trouble
adabud86
Joined: 19 Nov 2018 Posts: 1 Location: Poland
Posted: Mon 19 Nov '18 12:19 Post subject: OTRS Apache SSO trouble
Hello all,
This is my very first post and I’m very excited and hope I can build up my knowledge!
I have an OTRS 6 Server running on RHEL 6.
Our OTRS Server is behind an IBM Tivoli Access Manager (Client -> TAM (IBM Tivoli Access Manager) -> OTRS). On TAM we have a junction created (https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide16.htm), so the client is not going via the direct link, e.g. https://otrs_fqdn/otrs/index.pl, but via TAM, e.g. https://tam_otrs_junction/otrs/index.pl.
TAM basically verifies if user A is in Active Directory group X to check whether he or she is allowed to access the junction. TAM can also be configured for SSO in such a way that it grabs the Kerberos ticket and, after successful authentication, sets a custom variable iv-user in the HTTP header and sends it to the backend application, in this case OTRS. Now I would like to configure OTRS for SSO. This can be done with one line in OTRS: $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth'; (https://doc.otrs.com/doc/manual/admin/6.0/en/html/external-backends.html). This is an example configuration for an Apache ($ENV{REMOTE_USER}) auth backend. Use it if you want to have a single login through Apache http-basic-auth.
I have enabled mod_log_forensic on my Apache and in fact I can see the Windows User ID being sent in the iv-user variable in the header. So what I now do (and please correct me if I'm mistaken) is grab the iv-user header variable and rewrite it to REMOTE_USER with the code below: SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1
I put the SetEnvIf directive in httpd.conf.
The problem now is that the designated cgi-bin directory contains 3 scripts (index.pl, customer.pl and nph-genericinterface.pl), and as far as SSO works for index.pl, I'd like to exclude nph-genericinterface.pl from SSO. I tried to set the SetEnvIf directive even per Location, but it still tries to SSO for the generic interface (it is a web service backend for OTRS). How could I configure this in Apache?
Here's the Apache OTRS config:
Code:
# --
# added for OTRS (http://otrs.org/)
# --
ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
<IfModule mod_perl.c>
# Setup environment and preload modules
Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl
# Reload Perl modules when changed on disk
PerlModule Apache2::Reload
PerlInitHandler Apache2::Reload
# general mod_perl2 options
<Location /otrs>
# ErrorDocument 403 /otrs/customer.pl
ErrorDocument 403 /otrs/index.pl
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
PerlOptions +SetupEnv
<IfModule mod_version.c>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
Order allow,deny
Allow from all
</IfModule>
</Location>
# mod_perl2 options for GenericInterface
<Location /otrs/nph-genericinterface.pl>
PerlOptions -ParseHeaders
</Location>
</IfModule>
<Directory "/opt/otrs/bin/cgi-bin/">
AllowOverride None
Options +ExecCGI -Includes
<IfModule mod_version.c>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_filter.c>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
</IfModule>
</IfModule>
</Directory>
<Directory "/opt/otrs/var/httpd/htdocs/">
AllowOverride None
<IfModule mod_version.c>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_filter.c>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
</IfModule>
</IfModule>
# Make sure CSS and JS files are read as UTF8 by the browsers.
AddCharset UTF-8 .css
AddCharset UTF-8 .js
# Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
AddType application/font-woff .woff
</Directory>
# Allow access to public interface for unauthenticated requests on systems with set-up authentication.
# Will work only for RegistrationUpdate, since page resources are still not be loaded.
# <Location /otrs/public.pl>
# <IfModule mod_version.c>
# <IfVersion < 2.4>
# Order allow,deny
# Allow from all
# </IfVersion>
# <IfVersion >= 2.4>
# Require all granted
# </IfVersion>
# </IfModule>
# <IfModule !mod_version.c>
# Order allow,deny
# Allow from all
# </IfModule>
# </Location>
<IfModule mod_headers.c>
# Cache css-cache for 30 days
<Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
<FilesMatch "\.(css|CSS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>
# Cache css thirdparty for 4 hours, including icon fonts
<Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
<FilesMatch "\.(css|CSS|woff|svg)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>
# Cache js-cache for 30 days
<Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>
# Cache js thirdparty for 4 hours
<Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>
</IfModule>
# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000
Thank you very much for all help in advance!
BR,
Adam
Mod note: added code tags
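One way to keep the SetEnvIf approach for the OTRS frontends while leaving the generic interface alone, written here as an added example (it is not from the original post and not part of the OTRS-shipped configuration). Two points drive the shape of it: a directive placed in `<Location /otrs>` is also merged into every path below it, nph-genericinterface.pl included, so the exclusion has to be expressed as an explicit unset rather than by scoping; and because REMOTE_USER is derived from a request header, the backend must only accept that header from the TAM junction, otherwise any client that can reach Apache directly could supply an iv-user value of its choosing. Assumed: Apache 2.4, and the TAM/WebSEAL junction connects from 192.0.2.10 (a placeholder address to be replaced with the real one).

```apache
# Added example, not from the original post or from OTRS itself.
# Assumes Apache 2.4 and that TAM/WebSEAL connects from 192.0.2.10
# (placeholder address; use the real junction source address).

# 1. Mark requests to the generic interface so the later rules can skip them.
#    Request_URI is matched against the path part of the request line.
SetEnvIf Request_URI "^/otrs/nph-genericinterface\.pl" OTRS_NO_SSO=1

# 2. Copy the identity forwarded by TAM into REMOTE_USER, which
#    Kernel::System::CustomerAuth::HTTPBasicAuth reads as $ENV{REMOTE_USER}
#    (PerlOptions +SetupEnv exports it for mod_perl scripts).
#    "^(.+)$" requires a non-empty value; "(.*)$" would also match an
#    empty iv-user header and set an empty REMOTE_USER.
SetEnvIf HTTP_IV_USER "^(.+)$" REMOTE_USER=$1

# 3. Undo step 2 for the generic interface. SetEnvIf may test variables
#    set by earlier SetEnvIf directives, and a leading "!" removes one.
SetEnvIf OTRS_NO_SSO "^1$" !REMOTE_USER

# 4. Only the TAM junction may reach the OTRS scripts. This replaces the
#    "Require all granted" inside the existing <Location /otrs> block;
#    static assets under /otrs-web/ can keep their own access rules.
<Location /otrs>
    Require ip 192.0.2.10
</Location>
```

The three SetEnvIf lines belong in server (or virtual host) context, next to the existing one, so that they are evaluated for every request before mod_perl hands the environment to the script. After reloading, a request to /otrs/index.pl carrying iv-user should reach OTRS with REMOTE_USER set, while the same header on /otrs/nph-genericinterface.pl leaves REMOTE_USER unset; mod_log_forensic, already enabled here, is a convenient way to confirm which headers actually arrive from TAM in each case.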