Skip to content

SteveSimpson/redmine_ssl_auth_cn

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
app
app
 
 
config
config
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.rdoc
README.rdoc
 
 
init.rb
init.rb
 
 

Repository files navigation

Redmine SSL Auth CN Plugin

This redmine plugin enables authentication using SSL client certificates

Original code by Jorge Bernal: github.com/koke/redmine_ssl_auth

Usage

  • Install the plugin

  • Configure apache for SSL authentication (see Configuration)

  • Visit YOURSITE/login/ssl and it will login automatically

Notes

  • This plugin expects the (common name) CN of the certificate to be your username, & CN must be unique

  • A user with that username should exist in the database or can register

  • This doesn’t check any password, so implement certificate verification in Apache

  • Tested with Redmine 5.0

  • © 2016 Steve Simpson, Licensed under GLPv2

Plugin Installation

These are for my installation. Your mileage may vary, but should be adaptable.

cd redmine/plugins/
git clone https://github.com/SteveSimpson/redmine_ssl_auth_cn.git
chgrp -R apache redmine_ssl_auth_cn
find redmine_ssl_auth_cn -type f -print0 | xargs -0 chmod 640
find redmine_ssl_auth_cn -type d -print0 | xargs -0 chmod 750
export RAILS_ENV=production
/path/to/rake redmine:plugins:migrate
service httpd restart

Redmine’s comments: www.redmine.org/projects/redmine/wiki/Plugins

Configuration

Tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html (I haven’t reviewed it myself. But there is a lot of good information on the web about this.)

Here are some example settings, but I suggest that you dig in a little:

SSLEngine on
SSLProtocol all 
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt

RequestHeader set X-Proxy-Forwarded-CN "%{SSL_CLIENT_S_DN_CN}s"

SSLOptions +StdEnvVars

SSLVerifyDepth 3
SSLVerifyClient required
# SSLVerifyClient optional	
#<Location /login/ssl>
#  SSLVerifyClient require
#</Location>

  • By making SSLVerifyClient optional, it’s possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl section in the apache configuration.

  • If you want to force your users to use certificates, change SSLVerifyClient to require.

  • The RequestHeader line is absolutely required. That is what passes the cert to Redmine. Passenger was doing some sort of caching of ENV passed by Apache, but it did not cache the headers.

About

Enable authentication in Redmine using SSL client certificates

Resources

Readme

License

GPL-2.0 license
Activity

Stars

3 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases 2

Redmine 3 SSL Auth CN Latest
Oct 28, 2016
+ 1 release

Packages

No packages published

Languages

  • Ruby 55.1%
  • HTML 44.9%