Feature #11475

closed Allow fallback to other Apache auth providers

Added by Yasin Al Farhad over 10 years ago. Updated about 10 years ago.

SCM extra
Target version:
Start date:
Due date:
% Done:


Estimated time:


The goal was to allow other auth modules to co-exist with, and thus satisfy special case requests covering global administrative/anonymous requests in addition to those allowd by Redmine based on project relationships. I tried every other possible combinations of Apache directives to achieve this goal, but it looks like by returning AUTH_REQUIRED early in the process, is becoming authoritative and preventing other modules, i.e. authn_file or authz_svn, to accept valid requests.

Replacing AUTH_REQUIRED with DECLINED seems to solve the problem:

---    2012-07-22 22:21:17.410411915 +0200
+++        2012-07-22 20:55:00.014411918 +0200
@@ -342,7 +342,8 @@
       return OK;
   } else {
-      return AUTH_REQUIRED;
+#      return AUTH_REQUIRED;
+      return DECLINED;

However, I am not very confident about whether this will satisfy all cases and not break others. Comments and/or suggestions from relevant experts are welcomed and very much appreciated.

Quoting from

Before discussing each handler in detail remember that if you use the stacked handlers feature all handlers in the chain will be run as long as they return Apache2::Const::OK or Apache2::Const::DECLINED...

Actions #1

Updated by Jean-Philippe Lang over 10 years ago

  • Category set to SCM extra
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.1.0
  • Resolution set to Fixed

Committed in r10281, thanks.

Actions #2

Updated by Raphael Kallensee over 10 years ago

I upgraded from Redmine 2.0.x to 2.1.x and I'm pretty sure this broke my (pretty much default) auth configuration (Ubuntu 10.04, Apache 2.2.14). When trying to authenticate for a Git ("dumb HTTP") repository, I got a HTTP 500 and Apache logged:

[Tue Oct 30 19:29:25 2012] [error] [client] (9)Bad file descriptor: Could not open password file: (null)
[Tue Oct 30 19:29:16 2012] [error] Internal error: pcfg_openfile() called with NULL filename

This is the relevant part of my Apache virtual host configuration:

PerlLoadModule Apache::Redmine

## GIT

Alias /git /var/www/my.domain/git

<Location /git>
    DAV on

    AuthType Basic
    AuthName "Git" 
    Require valid-user

    Options +Indexes -ExecCGI -Includes
    php_admin_flag engine off

    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler

    RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
    RedmineDbUser "redmine" 
    RedmineDbPass "password" 

I got it working by adding

AuthName "Git" 
Require valid-user
AuthUserFile /dev/null # this was added to avoid the Apache error

But I still get some warnings in the Apache log, although authentication now works:

[Tue Oct 30 22:10:52 2012] [error] [client] user xyz not found: /git/repo-name/info/refs

If it's not just me getting this behavior we should probably at least update the documentation.

Actions #3

Updated by Mike Stromer over 10 years ago

Raphael Kallensee, I had the same issue on Redmine 2.1.2

[Wed Oct 31 03:39:20 2012] [error] [client] user USER not found: /git/info/refs
Actions #4

Updated by Mike Stromer over 10 years ago

I checked MYSQL log and I guess where is an issue with mysql query projects.identifier=NULL

 SELECT users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status FROM projects, users, roles WHERE users.login='USER' AND projects.identifier=NULL AND users.status=1 AND ( IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = AND members.project_id = AND = member_roles.member_id) OR (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1')) ) AND roles.permissions IS NOT NULL

Actions #5

Updated by Woody Huang about 10 years ago

Mike Stromer wrote:

I checked MYSQL log and I guess where is an issue with mysql query projects.identifier=NULL


I got the same error under redmine2.2.2(with git 1.7.9), but projects.identifier= in MySQL log is the name of the git repos. I was wondering to modify the patch to get project identifier from the repos URL, while I realized use repos name as project identifier really make sense.

The only problem may be multi-repos under a project. Actually, the patch handlers it already, comments as following:

A projet repository must be named with the projet identifier. In case
of multiple repositories for the same project, use the project identifier
and the repository identifier separated with a dot:


Also available in: Atom PDF