Running redmine on Apache2 on Windows; using SSPI authentication; is it possible?

Added by Roger Lipscombe over 9 years ago

I'm currently using Trac to manage a small number of projects. I've got Trac running under Apache, using mod_python, on Windows 2003. I'm using mod_sspi to manage transparent authentication.

I've got a couple of questions:

1. Can someone point me at some documentation for running Redmine under Apache, rather than under WEBrick? Can I use mod_ruby, or should I use FCGI instead? I found a page on the Rails Wiki (http://wiki.rubyonrails.org/rails/pages/mod_ruby), that suggests that mod_ruby is a bad idea.
2. Can I get Redmine to use Apache's authn information, meaning that I can continue to use SSPI?

I'll continue to poke around, but if anyone's already done this, I'd appreciate some pointers.

Thanks in advance,
Roger.

Replies (33)

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by John Goerzen over 9 years ago

I am a strong believer in FastCGI because it does not require me to bloat the Apache process space with code for every different language in use. There is a dispatch.fcgi example out there in the code tree, and I run it with mod_fcgid.

I had to hack the .htaccess file to eliminate a situation that caused it to addhandler for the dispatch script too many times. In general, though, all you have to do is arrange to reach public/ by some means or other, and as long as .htaccess has enough permissions, it'll set up fcgi for you more or less automatically.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber over 9 years ago

Did you consider running Redmine using Apache's mod_proxy_balancer and Mongrel?

http://mongrel.rubyforge.org/wiki/Apache

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Roger Lipscombe over 9 years ago

Maybe I wasn't clear enough. The big thing keeping me on Trac is the transparent authentication when using IE, and the big thing driving me towards Redmine is the multiple project support.

I thought that if I ran Redmine under Apache2, it might be possible to leverage mod_sspi to achieve this.

I don't particularly mind running mongrel as a service on its own port (I'm already running Apache on a non-standard port, so as not to interfere with IIS), so that's not the problem. The tip about getting Apache to serve the static content and forward the rest to mongrel is well-received, though, thanks.

So, the question: can I get Redmine to transparently and automatically authenticate against my domain controller? I know that I can configure the LDAP authentication to work against AD, but it still requires that the user enter their details -- it's not transparent.

RE: RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Steen Ole Andersen over 9 years ago

I am having the same considerations as Roger. I am thinking about moving from Trac to Redmine, but I would very much like the silent login, provided by SSPI. Otherwise my users will think it is a step backwards.

So anyone... Can it be done?

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber over 9 years ago

I managed to add single sign-on to Redmine by using Apache 2.2 and mod_auth_sspi on Windows to do the authentication - and forwarding the request to Redmine running on a Linux box.

I can post a short how-to if you are interested.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Jason Trahan over 9 years ago

I'm interested, I would like to retain this when I convert over from Trac to Redmine.

RE: RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by gabriel scolan over 9 years ago

Would it be possible to publish on this site (wiki?) the solution you found, to share it widely? What are the "mod"s you selected? Did you use the Mongrel solution? How did you set up your "location" and "directory" tags? I'm not at all a pro on Apache but it is the server currently installed in the office.

thanks a lot

gabriel

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber over 9 years ago

As already said we have Redmine running on a Linux server using a Mongrel cluster with instances on port 3000-3002 and prefix /hd.

For enabling single sign-on and to do the load balancing we use Apache 2.2 on a Windows server.

You will need mod_auth_sspi.so from http://sourceforge.net/projects/mod-auth-sspi. Version 1.0.4 didn't work for me but version 1.0.3 does.

In httpd.conf add:

LoadModule sspi_auth_module modules/mod_auth_sspi.so
and load the proxy_balancer_module and rewrite_module by uncommenting the appropriate lines.

Also add these lines to your apache configuration:

<Location /hd>
    Options           +FollowSymLinks +SymLinksIfOwnerMatch
    Order             allow,deny
    Allow             from all

    ProxyPass         balancer://redmine_cluster/hd
    ProxyPassReverse  balancer://redmine_cluster/hd

    RewriteEngine     On
    RewriteCond       %{IS_SUBREQ} ^false$
    RewriteCond       %{LA-U:REMOTE_USER} (.+)
    RewriteRule       . - [E=RU:%1]
    RequestHeader     add X_REMOTE_USER_6E3RZQKX %{RU}e

    AuthName          "Redmine Authentication" 
    AuthType          SSPI
    SSPIAuth          On
    SSPIAuthoritative On
    SSPIOmitDomain    On
    SSPIUsernameCase  lower
    require           valid-user
</Location>

<Proxy balancer://redmine_cluster>
    BalancerMember http://redmine-server:3000
    BalancerMember http://redmine-server:3001
    BalancerMember http://redmine-server:3002
</Proxy>

This will add an HTTP header HTTP_X_REMOTE_USER_6E3RZQKX containing the Windows user name (without domain and in lower case due to the SSPI* options) when the request is forwarded to the Mongrel server.

The content of the header can then be used to authenticate the already existing user in Redmine. You have to change the method find_current_user in ApplicationController (app/controllers/application.rb).

    if session[:user_id]
      # existing session
      (User.find_active(session[:user_id]) rescue nil)
+   elsif (forwarded_user = request.env["HTTP_X_REMOTE_USER_6E3RZQKX"])
+     # web server authentication
+     (User.find_by_login(forwarded_user) rescue nil)
    elsif cookies[:autologin] && Setting.autologin?
      # auto-login feature
      User.find_by_autologin_key(cookies[:autologin])
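
Review bot: the added elsif branch resolves the header with User.find_by_login(forwarded_user), while the session branch directly above it goes through User.find_active, so the new path returns an account whatever its status; restrict this lookup to active users as well. The branch also accepts HTTP_X_REMOTE_USER_6E3RZQKX from whatever client reaches the application, so the unguessable header name is the only thing separating a direct request from an authenticated one; a short comment stating that the application port must be reachable only from the proxy would document that dependency.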

The header's suffix 6E3RZQKX adds some security in case the mongrel instances can be accessed directly. This is a secret that someone has to know if he wants to fake the REMOTE_USER header.

RE: RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Anonymous over 9 years ago

Is there a way to achieve something similar using AuthType Basic? I've tried your example on Apache 2.2 using basic auth from a password file, but still get redirected to the login page after authenticating in Apache.

Cheers

Russell

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Anonymous over 8 years ago

Thomas Löber wrote:

As already said we have Redmine running on a Linux server using a Mongrel cluster with instances on port 3000-3002 and prefix /hd.

For enabling single sign-on and to do the load balancing we use Apache 2.2 on a Windows server.

You will need mod_auth_sspi.so from http://sourceforge.net/projects/mod-auth-sspi. Version 1.0.4 didn't work for me but version 1.0.3 does.

Hi Thomas, I've just put this on our test WinXP/Apache installation of Redmine-0.8.2 to authenticate against our domain. The only issue we have is 'sign out' no longer works (because the web-browser current user still stands).

Is there any way to make sign-out still work? Any pointers on where I could start to get this working would be much appreciated.

Thanks

Russell

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber over 8 years ago

AccountController#logout redirects the user to home_url, so the user will be immediately logged in again due to single sign-on.

(See http://www.redmine.org/projects/redmine/repository/entry/trunk/app/controllers/account_controller.rb#L62)

If you change the line from

    redirect_to home_url

to

    redirect_to signin_url

the login page will be displayed and the user will be able to log in as another user.

However, a user cannot log out permanently because on almost all Redmine pages he will be logged in again automatically.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Anonymous over 8 years ago

Thanks Thomas, I've found in Firefox I can clear authenticated sessions which will log us out for now. I don't want to re-direct back to the sign-in page as we're not using that any more as we're using SSPI for auth.

Maybe at some point I'll have a look at getting Redmine to authenticate from the sign-in page against the domain controller but not sure how easy that will be.

Cheers

Russell

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Marcel Nadje about 8 years ago

With current trunk the SSPI configuration of Thomas Löber is not working. Is there any change to make, to get it working?

RE: RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Akiko Takano about 8 years ago

Hello!
Thanks to this thread, I managed to get Redmine working under SSO.
(Though I'm not using an Apache environment but a cookie-generated SSO system.)

But I found that a locked-out user can pass authentication and perform actions such as creating tickets, updating tickets and so on...
I think we'd better add code to check whether the user is locked or not.
Like this:

    # Look up the forwarded login; a missing or locked account is not authenticated
    u = User.find_by_login(forwarded_user) rescue nil
    return nil if u.nil? || u.locked?
    return u

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber about 8 years ago

You're right! I didn't consider the status of the user.

This should work:

     (User.active.find_by_login(forwarded_user) rescue nil)
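
The lookup this thread arrives at (forwarded header, active accounts only), as a stand-alone added example that is not part of any post and is not Redmine's code. Only the header name comes from the thread; `TRUSTED_PROXIES`, `LOGIN_FORMAT`, the `User` struct and the sample accounts are assumptions constructed for illustration.

```ruby
# Added example: stand-alone model of the forwarded-user lookup from this thread.
# FORWARDED_HEADER is the header name used in the thread; everything else
# (TRUSTED_PROXIES, LOGIN_FORMAT, the User struct, the accounts) is constructed.
FORWARDED_HEADER = "HTTP_X_REMOTE_USER_6E3RZQKX"
TRUSTED_PROXIES  = ["10.0.0.5"].freeze        # assumed address of the Apache front end
LOGIN_FORMAT     = /\A[a-z0-9._-]{1,64}\z/    # assumed: lower case, no domain part

STATUS_ACTIVE = 1
STATUS_LOCKED = 3
User = Struct.new(:login, :status)

SAMPLE_USERS = [
  User.new("alice", STATUS_ACTIVE),
  User.new("bob",   STATUS_LOCKED)
].freeze

# Returns the User asserted by the proxy, or nil so that the caller falls
# through to its other authentication branches.
def forwarded_user(env, users = SAMPLE_USERS)
  # Only the front end may assert an identity. A client that reaches the
  # application port directly is ignored even if it knows the header name.
  return nil unless TRUSTED_PROXIES.include?(env["REMOTE_ADDR"])

  # mod_headers "add" does not replace an existing header of the same name,
  # so accept nothing but one plain login value.
  login = env[FORWARDED_HEADER].to_s
  return nil unless login.match?(LOGIN_FORMAT)

  # Locked or otherwise non-active accounts never authenticate this way.
  users.find { |u| u.login == login && u.status == STATUS_ACTIVE }
end

if __FILE__ == $PROGRAM_NAME
  requests = [
    { "REMOTE_ADDR" => "10.0.0.5",  FORWARDED_HEADER => "alice" },
    { "REMOTE_ADDR" => "10.0.0.5",  FORWARDED_HEADER => "bob" },
    { "REMOTE_ADDR" => "192.0.2.9", FORWARDED_HEADER => "alice" },
    { "REMOTE_ADDR" => "10.0.0.5",  FORWARDED_HEADER => "admin, alice" }
  ]
  requests.each do |env|
    user = forwarded_user(env)
    puts "#{env.inspect} -> #{user ? user.login : 'not authenticated'}"
  end
end
```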

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Matías Halles over 7 years ago

I managed to get SSPI auth running on Apache/Windows proxying towards Mongrel (Redmine), but I haven't been able to make the autologin on Redmine work. The only difference from the configuration shown here (besides having Redmine on Mongrel, which somebody pointed out works) is that I'm using Basic auth for non-IE clients. When authenticating against SSPI I just land on Redmine's home page.

Any tips?

Matías.

RE: RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Matías Halles over 7 years ago

I was assuming SSPIOmitDomain was for disabling the SSPIDomain directive, hence I never used them together, so I never got authentication working correctly.

SSPIOmitDomain is for removing the domain from the credentials passed to Redmine, and SSPIDomain... no idea, but on Windows + Apache -> Mongrel it seems to do the job. I suppose it'll be useful for someone.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Joe Bram over 7 years ago

Hey Guys!

I'm just trying to implement autologin on the newest Redmine version and Apache 2, but I've got some problems.

I think that my request is not passed on to the right Mongrel cluster.

What is the best way to find out?

Since I'm not so familiar with Ruby I would be very glad if someone could tell me a simple way to "print" the HTTP_X_REMOTE_USER environment variable in the Redmine application controller.

thx

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Thomas Löber over 7 years ago

You could try something like this in the method find_current_user:

logger.info request.inspect

Then your log file will contain the whole request hash.

In "production" environment you will have to use "logger.warn" or "logger.error" to get the output.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by sam sam over 7 years ago

This thread is very interesting.

But is there a way to autocreate the user account at first login, based on some HTTP headers ? I saw the CAS SSO plugin can do that, but it's a very complicated plugin (as CAS is) and I do not know ruby to work on this.

Does someone know a simple way to achieve autoprovisioning based on HTTP headers ?

Regards,
Sam.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by Akiko Takano over 7 years ago

How about HTTP Authentication plugin?

After Redmine1.0 and with above plugin, I don't have to modify redmine's application.rb itself.
I think this plugin has an option for Automatic registration and this will be helpful.

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by rine Joseph about 7 years ago

I tried your configuration with the latest version of Redmine, 1.03, but it's not working now. Could you please help me configure SSO on the latest version of Redmine?

RE: Running redmine on Apache2 on Windows; using SSPI authentication; is it possible? - Added by haroonie haroonie almost 7 years ago

I followed Thomas's guide using mod_auth_sspi.so v1.0.3 and Adam's HTTP Authentication plugin v.0.3.0 and it worked for me. By using the plugin, I did not need to modify the application.rb and this worked on Redmine v.1.0.4.
