Mailing List Archive

RT 4.4.1 login form and 2FA
RT Community,
I'm trying to set up 2FA, specifically Duo, with the RT login process.
I'm having a difficult time figuring out where to place the Duo Perl
code in the login process. I'm using external LDAP authentication.
Once the successful login returns from LDAP, where does RT forward to
the home page? I need to put in the Duo Perl code before RT sends the
authenticated user to the home page. Any help would be greatly
appreciated. Thank you.
Re: RT 4.4.1 login form and 2FA
Hi,

I'm not familiar with the DUO 2FA solution, but I think you may be
looking for callbacks in the login page.
The following should help:

https://rt-wiki.bestpractical.com/wiki/CustomizingWithCallbacks

I believe the ones you are interested in are those below:
/Elements/Login CallbackName => 'AfterForm'
/Elements/Login CallbackName => 'BeforeForm'

Hope that helps

Best Regards

Martin

On 2016-10-17 12:45, Kem Hartley wrote:
> RT Community,
> I'm trying to setup 2FA, specifically Duo, with the RT login process.
> I'm having a difficult time figuring out where to place the duo perl
> code in the login process. I'm using external LDAP authentication.
> Once the successful login returns from LDAP, where does RT forward to
> the home page. I need to put in the duo perl code before RT sends the
> authenticated user to the home page. Any help would be greatly
> appreciated. Thank you.
>
> ---------
> RT 4.4 and RTIR training sessions, and a new workshop day!
> https://bestpractical.com/training
> * Boston - October 24-26
> * Los Angeles - Q1 2017
Re: RT 4.4.1 login form and 2FA
On Mon, Oct 17, 2016 at 7:45 AM, Kem Hartley <kdh162@cse.psu.edu> wrote:
> RT Community,
> I'm trying to setup 2FA, specifically Duo, with the RT login process. I'm
> having a difficult time figuring out where to place the duo perl code in the
> login process. I'm using external LDAP authentication. Once the successful
> login returns from LDAP, where does RT forward to the home page. I need to
> put in the duo perl code before RT sends the authenticated user to the home
> page. Any help would be greatly appreciated. Thank you.

Are you looking to use LDAP for AUTHN or hack RT to use DUO?

I'm not sure if LDAP can use PAM for AUTHN, but if it can, you can use
a PAM RADIUS module and configure DUO on your RADIUS server.

-m
Re: RT 4.4.1 login form and 2FA
Hi,

Using the Duo LDAP proxy looks like a viable option too.

https://duo.com/docs/ldap

Best Regards

Martin

On 2016-10-17 13:37, Matt Zagrabelny wrote:
> On Mon, Oct 17, 2016 at 7:45 AM, Kem Hartley <kdh162@cse.psu.edu>
> wrote:
>> RT Community,
>> I'm trying to setup 2FA, specifically Duo, with the RT login process.
>> I'm
>> having a difficult time figuring out where to place the duo perl code
>> in the
>> login process. I'm using external LDAP authentication. Once the
>> successful
>> login returns from LDAP, where does RT forward to the home page. I
>> need to
>> put in the duo perl code before RT sends the authenticated user to the
>> home
>> page. Any help would be greatly appreciated. Thank you.
>
> Are you looking to use LDAP for AUTHN or hack RT to use DUO?
>
> I'm not sure if LDAP can use PAM for AUTHN, but if it can, you can use
> a PAM RADIUS module and configure DUO on your RADIUS server.
>
> -m
Re: RT 4.4.1 login form and 2FA
Hi Martin,
That might be a viable option as well. I might try that or switching to
Apache authentication via RADIUS as well. Thanks all for the responses!


On 10/17/16 9:58 AM, Martin Wheldon wrote:
> Hi,
>
> Using the Duo ldap proxy looks like a viable option too.
>
> https://duo.com/docs/ldap
>
> Best Regards
>
> Martin
>
> On 2016-10-17 13:37, Matt Zagrabelny wrote:
>> On Mon, Oct 17, 2016 at 7:45 AM, Kem Hartley <kdh162@cse.psu.edu> wrote:
>>> RT Community,
>>> I'm trying to setup 2FA, specifically Duo, with the RT login
>>> process. I'm
>>> having a difficult time figuring out where to place the duo perl
>>> code in the
>>> login process. I'm using external LDAP authentication. Once the
>>> successful
>>> login returns from LDAP, where does RT forward to the home page. I
>>> need to
>>> put in the duo perl code before RT sends the authenticated user to
>>> the home
>>> page. Any help would be greatly appreciated. Thank you.
>>
>> Are you looking to use LDAP for AUTHN or hack RT to use DUO?
>>
>> I'm not sure if LDAP can use PAM for AUTHN, but if it can, you can use
>> a PAM RADIUS module and configure DUO on your RADIUS server.
>>
>> -m

--
Kem Hartley
Network Systems Specialist
School of EECS
The Pennsylvania State University