This redmine plugin enables authentication using SSL client certificates
Original code by Jorge Bernal: github.com/koke/redmine_ssl_auth
-
Install the plugin
-
Configure apache for SSL authentication (see Configuration)
-
Visit YOURSITE/login/ssl and it will login automatically
-
This plugin expects the (common name) CN of the certificate to be your username, & CN must be unique
-
A user with that username should exist in the database or can register
-
This doesn’t check any password, so implement certificate verification in Apache
-
Tested with Redmine 2.6.4, 3.3.0
-
© 2016 Steve Simpson, Licensed under GLPv2
These are for my installation. Your mileage may vary, but should be adaptable.
cd redmine/plugins/ git clone https://github.com/SteveSimpson/redmine_ssl_auth_cn.git chgrp -R apache redmine_ssl_auth_cn find redmine_ssl_auth_cn -type f -print0 | xargs -0 chmod 640 find redmine_ssl_auth_cn -type d -print0 | xargs -0 chmod 750 export RAILS_ENV=production /path/to/rake redmine:plugins:migrate service httpd restart
Redmine’s comments: www.redmine.org/projects/redmine/wiki/Plugins
Tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html (I haven’t reviewed it myself. But there is a lot of good information on the web about this.)
Here are some example settings, but I suggest that you dig in a little:
SSLEngine on SSLProtocol all SSLCipherSuite HIGH:MEDIUM SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key SSLCACertificateFile /etc/apache2/ssl/ca.crt RequestHeader set X-Proxy-Forwarded-CN "%{SSL_CLIENT_S_DN_CN}s" SSLOptions +StdEnvVars SSLVerifyDepth 3 SSLVerifyClient required # SSLVerifyClient optional #<Location /login/ssl> # SSLVerifyClient require #</Location>
-
By making
SSLVerifyClient optional
, it’s possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see theLocation /login/ssl
section in the apache configuration. -
If you want to force your users to use certificates, change SSLVerifyClient to require.
-
The
RequestHeader
line is absolutely required. That is what passes the cert to Redmine. Passenger was doing some sort of caching of ENV passed by Apache, but it did not cache the headers.