
Exceptions for some users #13

Open
giner opened this issue Mar 8, 2012 · 8 comments

giner commented Mar 8, 2012

Hello Adam,

First, thank you for the plugin. This is the only one I managed to find to use for Kerberos authentication.
As I use it for Kerberos, I'd also like to have some exceptions, for example, for the admin user or for people who don't have an account in LDAP/AD.

  1. On the one hand it's a security reason (if someone created an "admin" account in LDAP/AD he could log on to redmine with it).
  2. On the other hand it's a reliability reason (if the Kerberos/LDAP server was down it would be good to be able to log on using the local admin and reconfigure it).

Regards,
Stanislav

@AdamLantos (Owner)

Hi Stanislav,

the exception list is a good idea! If I can finally spend some time working on this project, I'll definitely implement it! You can always log in with local accounts / passwords, so the configuration is not needed in the second use case of yours.

cheers,
Adam

giner commented Mar 8, 2012

Hi Adam,

Thanks for the quick reply!
The second use case doesn't work for me. If I enable http auth:

  1. it authenticates me automatically with Kerberos and I can't log out (yes, the exception list won't help in that case);
  2. if "no such user", I can't log on with another one. I don't know why, but Redmine's internal authentication doesn't work until I disable http authentication in the apache configuration.

Have a nice day,
Stas

giner commented Mar 11, 2012

When I try to log in as admin I get an error 500 and this in the logs:

```
Processing WelcomeController#index (for 10.133.27.68 at 2012-03-11 09:54:36) [GET]
Parameters: {"action"=>"index", "controller"=>"welcome"}
Rendering template within layouts/base
Rendering welcome/index
Completed in 280ms (View: 175, DB: 50) | 200 OK [http://10.133.26.184/]

Processing WelcomeController#index (for 10.133.27.68 at 2012-03-11 10:00:19) [GET]
Parameters: {"action"=>"index", "controller"=>"welcome"}
Rendering template within layouts/base
Rendering welcome/index
Completed in 29ms (View: 20, DB: 2) | 200 OK [http://10.133.26.184/httpauth-login]

Processing WelcomeController#index (for 10.133.27.68 at 2012-03-11 10:04:53) [GET]
Parameters: {"action"=>"index", "controller"=>"welcome"}
Rendering template within layouts/base
Rendering welcome/index
Completed in 209ms (View: 140, DB: 46) | 200 OK [http://10.133.26.184/]

Processing AccountController#login (for 10.133.27.68 at 2012-03-11 10:04:56) [GET]
Parameters: {"action"=>"login", "controller"=>"account"}
Rendering template within layouts/base
Rendering account/login
Completed in 19ms (View: 12, DB: 1) | 200 OK [http://10.133.26.184/login]

Processing AccountController#login (for 10.133.27.68 at 2012-03-11 10:05:02) [POST]
Parameters: {"back_url"=>"http%3A%2F%2F10.133.26.184%2F", "username"=>"admin", "password"=>"[FILTERED]", "action"=>"login", "authenticity_token"=>"3UJALYfGMoWBBS9OTwcZXudLCh3A04mfPcJH64nAyCI=", "login"=>"Login »", "controller"=>"account"}

NoMethodError (undefined method `destroy' for {:_csrf_token=>"KEEBICWfNZNw0rBET3G/ncPOGjZBezxdA6Y+KGQlqKc="}:Hash):
    passenger (3.0.11) lib/phusion_passenger/rack/request_handler.rb:96:in `process_request'
    passenger (3.0.11) lib/phusion_passenger/abstract_request_handler.rb:513:in `accept_and_process_next_request'
    passenger (3.0.11) lib/phusion_passenger/abstract_request_handler.rb:274:in `main_loop'
    passenger (3.0.11) lib/phusion_passenger/classic_rails/application_spawner.rb:321:in `start_request_handler'
    passenger (3.0.11) lib/phusion_passenger/classic_rails/application_spawner.rb:275:in `send'
    passenger (3.0.11) lib/phusion_passenger/classic_rails/application_spawner.rb:275:in `handle_spawn_application'
    passenger (3.0.11) lib/phusion_passenger/utils.rb:479:in `safe_fork'
    passenger (3.0.11) lib/phusion_passenger/classic_rails/application_spawner.rb:270:in `handle_spawn_application'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:357:in `send'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:357:in `server_main_loop'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:206:in `start_synchronously'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:180:in `start'
    passenger (3.0.11) lib/phusion_passenger/classic_rails/application_spawner.rb:149:in `start'
    passenger (3.0.11) lib/phusion_passenger/spawn_manager.rb:219:in `spawn_rails_application'
    passenger (3.0.11) lib/phusion_passenger/abstract_server_collection.rb:132:in `lookup_or_add'
    passenger (3.0.11) lib/phusion_passenger/spawn_manager.rb:214:in `spawn_rails_application'
    passenger (3.0.11) lib/phusion_passenger/abstract_server_collection.rb:82:in `synchronize'
    passenger (3.0.11) lib/phusion_passenger/abstract_server_collection.rb:79:in `synchronize'
    passenger (3.0.11) lib/phusion_passenger/spawn_manager.rb:213:in `spawn_rails_application'
    passenger (3.0.11) lib/phusion_passenger/spawn_manager.rb:132:in `spawn_application'
    passenger (3.0.11) lib/phusion_passenger/spawn_manager.rb:275:in `handle_spawn_application'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:357:in `__send__'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:357:in `server_main_loop'
    passenger (3.0.11) lib/phusion_passenger/abstract_server.rb:206:in `start_synchronously'
    passenger (3.0.11) helper-scripts/passenger-spawn-server:99

Rendering /opt/redmine/redmine-1.2/public/500.html (500 Internal Server Error)
```

giner commented Mar 11, 2012

Adam,

Could you tell me what "Sign in via HTTP-Auth" means exactly? I thought it was going to work as:

  1. browser http login
  2. then choose: a) click "Sign in" for the internal authentication or b) click "Sign in via HTTP-Auth" to log in using http auth
    but actually, after I enter login/password in the browser, redmine automatically tries to log in using http authentication and the link "Sign in via HTTP-Auth" disappears.

Stas

@AdamLantos (Owner)

Hi,

unfortunately I can't help with the exception, it seems that it happens somewhere in the redmine core.

The "Sign in via HTTP-Auth" link points to a new abstract URL, and only works well if the HTTP authentication method handles lazy / location-specific authentication enforcement. That is, forcing authentication on one URL, but providing REMOTE_USER on all URLs if it's present in the request. So the user does not need to authenticate themselves until they actually reach the special URL, but then every subsequent request is authenticated, regardless of the location.

I'm not sure if the Kerberos method provides this behavior, it is intended to be used with more complex SSO solutions, like Shibboleth.

giner commented Mar 11, 2012

Adam,

Do you mean I can try to authenticate users on http://redminehost/httpauth-login instead of http://redminehost ?

Stas

giner commented Mar 11, 2012

Yes, I think I've got it. It won't help with the security question but will probably help with using internal authentication!

Thanks a lot!

giner commented Mar 11, 2012

Hello Adam,

I've tried to make it work but didn't manage. This configuration authenticates me on http://redminehost/httpauth-login, but using URLs outside http://redminehost/httpauth-login makes me unauthenticated again. Could you give me any hints on how I can fix it?

```apache
<VirtualHost *:80>

        # Passenger
        PassengerUser www-data
        LoadModule passenger_module /home/redmine/.rvm/gems/ruby-1.8.7-p358-gems162@redmine1.2/gems/passenger-3.0.11/ext/apache2/mod_passenger.so
        PassengerRoot /home/redmine/.rvm/gems/ruby-1.8.7-p358-gems162@redmine1.2/gems/passenger-3.0.11
        PassengerRuby /home/redmine/.rvm/wrappers/ruby-1.8.7-p358-gems162@redmine1.2/ruby

        # Public directory
        DocumentRoot /opt/redmine/redmine-1.2/public
        <Directory /opt/redmine/redmine-1.2/public>
                AllowOverride None
                Options -MultiViews
                # test
                AuthType Basic
                AuthName "By Invitation Only"
                AuthUserFile /etc/_morpho/redmine.users
                Require valid-user
                Satisfy Any
        </Directory>

        <Location /httpauth-login>
                Satisfy All
        </Location>

</VirtualHost>
```

Regards,
Stas

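As an added illustration of the two behaviours this thread turns on, the exception list for accounts like "admin" requested at the top and the lazy, location-specific enforcement Adam describes, here is a Rack-style decision function (example code written for this page, not code from the redmine_http_auth plugin or from either participant). The module name, `LOGIN_PATH`, the result symbols and the `user@REALM` / `DOMAIN\user` normalisation are assumptions of the example.

```ruby
require "set"

# Added example (not code from redmine_http_auth) modelling two behaviours:
#   1. An exception list: REMOTE_USER values such as "admin" are never
#      auto-logged-in, so a same-named directory account cannot take over a
#      privileged local Redmine account; those users get the password form.
#   2. Lazy enforcement: the web server is expected to *require* credentials
#      only on LOGIN_PATH but to pass REMOTE_USER on every request where the
#      browser already sent them; this filter only consumes what is present.
# Module name, LOGIN_PATH and the result symbols are assumptions.
module HttpAuthFilter
  LOGIN_PATH = "/httpauth-login"

  # Reduce "user@REALM" (a common Kerberos form) or "DOMAIN\user" to the bare
  # login and lower-case it, so "Admin@EXAMPLE.COM" still hits the "admin" exception.
  def self.normalize(remote_user)
    bare = remote_user.to_s.strip.split("@").first.to_s.split("\\").last.to_s
    bare.downcase
  end

  # env: Rack-style hash ("PATH_INFO", "REMOTE_USER"); session: hash that may
  # hold :user_id; exceptions: logins that must always use Redmine's own check.
  # Returns [status, login]. The session is only written on :login.
  def self.decide(env, session, exceptions = ["admin"])
    return [:already_logged_in, session[:user_id]] if session[:user_id]
    login = normalize(env["REMOTE_USER"])
    if login.empty?
      # Reaching the login URL without REMOTE_USER means the web server did not
      # enforce authentication there (e.g. a "Satisfy Any" that lets the request
      # through without running the auth phase), which is worth surfacing.
      return [env["PATH_INFO"] == LOGIN_PATH ? :not_enforced : :anonymous, nil]
    end
    excluded = Set.new(exceptions.map { |e| normalize(e) })
    return [:exception, login] if excluded.include?(login)
    session[:user_id] = login
    [:login, login]
  end
end
```
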
@giner giner closed this as completed Mar 11, 2012
@giner giner reopened this Mar 11, 2012