Skip to content
Enable authentication in Redmine using SSL client certificates
Branch: master
Clone or download
Pull request Compare This branch is 1 commit ahead, 1 commit behind koke:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
app/views/account
config
lib/ext
test
README.rdoc
init.rb

README.rdoc

Redmine SSL auth plugin

This redmine plugin enables authentication using SSL client certificates

Usage

It's very simple

  • Install the plugin: ruby script/plugin install git://github.com/koke/redmine_ssl_auth.git

  • Configure apache for SSL authentication (see Configuration)

  • Visit YOURSITE/login and it will login automatically

Notes

  • This plugin expects the CN of the certificate to be an email address

  • A user with that email address should exist in the database

  • This doesn't check any password, so implement certificate verification in Apache

  • You can visit /login?skip_ssl=1 to skip SSL authentication and do regular login

Configuration

Nice tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html

In my case, I find this to be the configuration I wanted

SSLEngine on
SSLProtocol all 
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt

SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLOptions +FakeBasicAuth

<Location /login/ssl>
  SSLVerifyClient require
</Location>

<Location />
   AuthName "eBox HQ"
   AuthType Basic
   AuthUserFile /etc/apache2/passwd/team
   #Require valid-user
</Location>

By making SSLVerifyClient optional and commenting Require valid-user, it's possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl section in the apache configuration.

If you want to force your users to use certificates, change SSLVerifyClient to require and uncomment Require valid-user

Questions

To jbernal@ebox-platform.com

Please, don't ask about apache configuration. I don't know much more than it's already here. Email about the plugin (bugs, patches, suggestions, …) is welcome :)

You can’t perform that action at this time.