This redmine plugin enables authentication using SSL client certificates. This fork adds support of the REMOTE_USER environment variable set by apache for all users authenticated. In combination with the FakeBasicAuth this contains the DN of a client certificate.
The original module can be found on github.com/koke/redmine_ssl_auth.git. This fork is based on the excellent port to Redmine 2.x by github.com/tranthamp/redmine_ssl_auth.git.
It’s very simple
-
Install the plugin:
cd YOURREDMINESRC/plugins git clone git://github.com/seeraven/redmine_ssl_auth.git
-
Follow the note of tranthamp:
In order for this plugin to work correctly, you must comment out the default root and login routes in the redmine app's config/routes.rb. This is due to the fact that those routes are matched before the plugin's routes.
So edit your config/routes.rb file now!
-
Just to be on the safe side, perform the plugin migration stuff:
rake redmine:plugins:migrate RAILS_ENV=production
-
Restart your webserver:
/etc/init.d/apache2 restart
-
Configure apache for SSL authentication (see Configuration)
-
Visit YOURSITE/login and it will login automatically
-
This plugin expects the CN of the certificate to be an email address
-
A user with that email address should exist in the database
-
This doesn’t check any password, so implement certificate verification in Apache
-
You can visit /login?skip_ssl=1 to skip SSL authentication and do regular login
Nice tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html
In my case, I find this to be the configuration I wanted
SSLEngine on SSLProtocol all SSLCipherSuite HIGH:MEDIUM SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key SSLCACertificateFile /etc/apache2/ssl/ca.crt SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # <= This takes much time and is not necessary with this version! SSLOptions +FakeBasicAuth <Location /login/ssl> SSLVerifyClient require </Location> <Location /> AuthName "eBox HQ" AuthType Basic AuthUserFile /etc/apache2/passwd/team #Require valid-user </Location>
By making SSLVerifyClient optional
and commenting Require valid-user
, it’s possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl
section in the apache configuration.
If you want to force your users to use certificates, change SSLVerifyClient to require and uncomment Require valid-user
To jbernal@ebox-platform.com
Please, don’t ask about apache configuration. I don’t know much more than it’s already here. Email about the plugin (bugs, patches, suggestions, …) is welcome :)