Project

General

Profile

Redmine 203 with Subversion and LDAP Authentication (for Redmine and Subversion through Redmine) on Centos 6 i386 - detailed » History » Revision 22

Revision 21 (Hung Nguyen Vu, 2012-08-31 06:15) → Revision 22/24 (Hung Nguyen Vu, 2012-08-31 06:17)

h1. Redmine 2.0.3 on Centos 6.3 

 {{>toc}}  


 h2. The Goals 

 * Setup Redmine 2.0.3 running on CentOS 6.3; 
 * with MySQL backend, FastCGI to connect Redmine and Apache; 
 * integrate Redmine with Subversion; 
 * Single sign-on between Apache, Subversion and Redmine using LDAP 

 h2. Backgrounds 

 Our company was using the BITNAMI stack with Redmine and Subversion for our production environment. So the goal was about changing the server and migrating the data from Redmine 1.4 to Redmine 2.0.3 including getting all repositories and permissions preserved.  

 I've tried to avoid webrick but rather use the fastCGI Module for Apache2.  

 Second was converting the built-in accounts from the database to LDAP (ActiveDirectory). This is the result of 2 days of work and googling is this little tutorial for setting up a mentioned box doing exactly this stuff. We are using CentOS 6 for that task.  

 "vi/vim" is the editor used this in this tutorial but you can you any editor you want. If my instruction tells you to edit a file, you can find the sequence "..." which means, there is something above or below that line of text, that needs to be edited. Do not include those dots... 

 h2. Assumptions 

 * You have a CentOS 6.3 installation (minimum install) working and SSH access to your Redmine box; 
 * You can access the Internet; 
 * You are logged in as root. 

 h2. Redmine Installation Instruction 

 My personal flavour is to use as less self compiled packages as necessary to get the package up and runnning. So I try to use as many repository packages as possible. 

 h3. Turn off SELinux 

 I spent a lot of time to find out, that selinux can be a real party pooper. So I strongly recommend to disable that first before installing anything else. You can find a tutorial inside the howto section describing how to enable SELinux for your installation. 
 <pre> 
 vi /etc/selinux/config 
 </pre> 

 find the line with SELINUX and set it to 
 <pre> 
 ... 
 SELINUX=disabled 
 ... 
 </pre> 
 Do a reboot *NOW* 

 h3. Install basic services (Apache, mySQL, and several tools...) 

 Now we are good to go to install some tools that might be useful during our installation...  

 First of all, update your system, make sure it is up to date, 
 <pre> 
 yum update 
 </pre> 

 and then install some prerequisite packages to the setup, 
 <pre> 
 yum -y install wget vim \\ 
        system-config-network system-config-firewall vim openssh-clients 
 </pre> 

 anhd some packages needed for Redmine 
 <pre> 
 yum -y install httpd mysql mysql-server  
 </pre> 
 After that continue and install all packages that might be necessary during the ruby and redmine installation. 
 <pre> 
 yum -y install ruby rubygems  
 yum -y install zlib-devel curl-devel openssl-devel httpd-devel apr-devel apr-util-devel mysql-devel gcc ruby-devel \\ 
       gcc-c++ make postgresql-devel ImageMagick-devel sqlite-devel perl-LDAP mod_perl perl-Digest-SHA 
 </pre> 

 h3. Configure basic services 

 Let's configure the basic services, first of all, make mySQL and Apache to start at boot 
 <pre> 
 chkconfig httpd on --level 35 
 chkconfig mysqld on --level 35 
 </pre> 
 After configuring these, start them up 
 <pre> 
 service httpd start 
 service mysqld start 
 </pre> 
 Now configure your new mySQL Installation and follow the instructions. Please note/write down administrator password to MySQL you've just installed. 
 <pre> 
 /usr/bin/mysql_secure_installation 
 </pre> 

 h3. Configure passenger for Apache 

 You need to install Passenger for Apache using gem. Do the following on the command line 
 <pre> 
 gem install passenger 
 passenger-install-apache2-module 
 </pre> 
 Please notice the installation messages! The next .conf file might use another path or version!  
 After this you need to generate a conf file with the displayed content 
 <pre> 
 vi /etc/httpd/conf.d/ruby.conf 
 </pre> 
 During my installation the following content was displayed and needs to be entered in that file: 
 <pre> 
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.15/ext/apache2/mod_passenger.so 
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.15 
    PassengerRuby /usr/bin/ruby 
 </pre> 
 Restart your apache with 
 <pre> 
 service httpd restart 
 </pre> 

 h3. Get Redmine and install it 

 change to your home directory and download the latest version, expand it and copy it to the right place. 
 <pre> 
 cd 
 wget http://rubyforge.org/frs/download.php/76259/redmine-2.0.3.tar.gz 
 tar xvfz redmine-2.0.3.tar.gz 
 mkdir -p /var/www/redmine 
 cp redmine-2.0.3/* /var/www/redmine 
 </pre> 

 or you can do 

 <pre> 
 cd /var/www 
 wget http://rubyforge.org/frs/download.php/76259/redmine-2.0.3.tar.gz 
 tar xvfz redmine-2.0.3.tar.gz 
 ln -s redmine-2.0 redmine 
 </pre> 

 Next is to install bundler and let it install the production environment (with automatic resolve) 
 Now change to this directory - *this is your new Redmine application directory!* 
 <pre> 
 cd /var/www/redmine 
 gem install bundler 
 bundle install --without development test 
 </pre> 
 fetch some coffee... this might take some time... 

 h3. Create Redmine database 

 Next to generate a new database for redmine 
 Log on to your database with the following command. If prompted for a password, enter it. 
 <pre> 
 mysql -u root -p 
 </pre> 
 I tend to create a local only user for that database, change the password 'very_secret' to a better one :) 
 <pre> 
 create database redmine character set utf8; 
 create user 'redmine'@'localhost' identified by 'very_secret'; 
 grant all privileges on redmine.* to 'redmine'@'localhost';  
 quit; 
 </pre> 

 Note: If you are going to store Redmine's database to a machine that is not the server you are going to install Redmine - whose IP address is 192.168.10.100, the settings should be:  
 <pre> 
 create database redmine character set utf8; 
 create user 'redmine'@'192.168.10.100' identified by 'very_secret'; 
 grant all privileges on redmine.* to 'redmine'@'192.168.10.100';  
 quit; 
 </pre> 


 h3. Configure Redmine 

 First of all, copy the example config to a productive one and edit the config for your needs 
 <pre> 
 cd /var/www/redmine/config 
 cp database.yml.example database.yml 
 vi /var/www/redmine/config/database.yml 
 </pre> 
 Now find the production section inside this file and edit it like that 
 <pre> 
 ... 
 production: 
 # adapter = mysql2 is newer and proven to be more better than mysql 
 # adapter: mysql2 
   adapter: mysql 
   database: redmine 
   host: localhost 
   username: redmine 
   password: very_secret 
   encoding: utf8 
 ... 
 </pre> 
 Head back to your application directory and generate a secret token 
 <pre> 
 cd /var/www/redmine/ 
 rake generate_secret_token 
 </pre> 
 Now it is about time to generate the database structure (application directory!) 
 <pre> 
 cd /var/www/redmine/ 
 RAILS_ENV=production rake db:migrate 
 </pre> 
 fill the database with default values... 
 <pre> 
 cd /var/www/redmine/ 
 RAILS_ENV=production rake redmine:load_default_data 
 </pre> 
 follow the instructions to select your language. 

 h3. Mind the firewall! 

 Be aware that the firewall is enabled by default (which is good!). So if you know which ports to open, do it now or disable the firewall (just for testing purposes). I'd really recommend disabling the firewall during installation and enable it (opening ports) after you are sure that everything works. 
 <pre> 
 system-config-firewall 
 </pre> 
 use the onscreen menu to disable it or adjust the values. 

 or simply disable iptables during Redmine's setup 
 <pre> 
 service iptables stop 
 </pre> 

 h3. Do a testdrive! 

 I mentioned that I wanted not to use webrick, but for a testdrive, it'll work. This helps finding bugs and errors that might have occured before. 
 <pre> 
 cd /var/www/redmine/ 
 ruby script/rails server webrick -e production 
 </pre> 
 Open up a browser and point it to: http://yoursystemname.yourdomain.com:3000 - the default username and password is 'admin'. 
 If everything is working, you are good to go! Kill webrick by hitting Ctrl+C. 

 h3. Activate FCGI and generate plugin directory 

 To activate the fcgi module you need to copy the example file and edit the very first line. During this step it is recommended to generate the default .htaccess config as well. 
 <pre> 
 cd /var/www/redmine/public 
 mkdir plugin_assets 
 cp dispatch.fcgi.example dispatch.fcgi 
 cp htaccess.fcgi.example .htaccess 
 vi /var/www/redmine/public/dispatch.fcgi 
 </pre> 
 now edit dispatch.fcgi and change it like this... 
 <pre> 
 #!/usr/bin/ruby 
 ... 
 </pre> 

 h3. Apache permissions! 

 this one is important, so don't miss that one...  
 <pre> 
 chown -R apache:apache /var/www/redmine/ 
 </pre> 

 Note: "apache" is the user that runs httpd (apache) service, as defined in /etc/password and /etc/httpd/conf/httpd.conf  

 h3. Getting Apache to work with FastCGI 

 Unfortunately the default Repo from CentOS cannot deliver the fcgid module so it is important to include a replo, that can deliver this package. I use the Fedora Repo so it is time to activate this... Again - this can change so please take care which repository to use. 
 <pre> 
 rpm --import https://fedoraproject.org/static/0608B895.txt 
 wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm 
 rpm -ivh epel-release-6-7.noarch.rpm 
 yum -y install mod_fcgid 
 </pre> 

 h3. Set the file path for Redmine 

 I wanted to move the files to another location, so I decided to move them to /opt/redmine 
 <pre> 
 mkdir -p /opt/redmine/files 
 chown -R apache:apache /opt/redmine 
 </pre> 
 now edit the configuration 
 <pre> 
 cd /var/www/redmine/config 
 cp configuration.yml.example configuration.yml 
 vi /var/www/redmine/config/configuration.yml 
 </pre> 
 edit the path settings inside this file... 
 <pre> 
 ... 
   attachments_storage_path: /opt/redmine/files 
 ... 
 </pre> 

 h3. Telling Apache to serve REDMINE 

 The final step is to tell apache, where to find Redmine and what to do with it. Generate a new conf file for your virtual host to serve redmine... 
 <pre> 
 vi /etc/httpd/conf.d/redmine.conf 
 </pre> 
 and enter the following config (adjust to your needs ;) ) 
 <pre> 
 <VirtualHost *:80> 
         ServerName yoursystemname.yourdomain.com 
         ServerAdmin yourmail@yourdomain.com 
         DocumentRoot /var/www/redmine/public/ 
         ErrorLog logs/redmine_error_log 

         MaxRequestLen 20971520 

         <Directory "/var/www/redmine/public/"> 

                 Options Indexes ExecCGI FollowSymLinks 
                 Order allow,deny 
                 Allow from all 
                 AllowOverride all 
         </Directory> 
 </VirtualHost> 
 </pre> 
 Restart Apache and cross your fingers, wheter you can access http://yoursystemname.yourdomain.com - redmine should be available right now... 
 <pre> 
 service httpd restart 
 </pre> 

 h3. Additional Config: E-Mail System 

 in order to get emails sent to your clients, edit the configuration.yml and enter your server settings... 
 <pre> 
 vi /var/www/redmine/config/configuration.yml 
 </pre> 
 now find the settings for your server... the following settings describe an anonymous relay on an internal server. You need to remove the username and password line if you use anonymous sign on. 
 <pre> 
 ... 
 default: 
   # Outgoing emails configuration (see examples above) 
   email_delivery: 
     delivery_method: :smtp 
     smtp_settings: 
       address: mailserver.yourdomain.com 
       port: 25 
       domain: yourdomain.com 
 ... 
 </pre> 

 Here is the configration if you use Google's SMTP server 

 <pre> 
 production: 
   email_delivery: 
     delivery_method: :smtp 
     smtp_settings: 
 #        tls: true 
       enable_starttls_auto: true 
       address: "smtp.gmail.com" 
       port: '587' 
       domain: "smtp.gmail.com" 
       authentication: :plain 
       user_name: "google-account-name@domain-name.domain-extension" 
       password: "password" 
 </pre> 

 h2. Getting Subversion working 

 After getting Redmine working, it is time to get Subversion working... The goal is to integrate the repositories inside Redmine and host them on the same server... 

 h3. Installing Packages for Subversion 

 Install the following packages 
 <pre> 
 yum -y install mod_dav_svn subversion subversion-ruby 
 </pre> 

 h3. Linking authentication for Redmine 

 Redmine provides a perl module to handle Apache authentication on SVN DAV repositories. First step is to link that module into the search path 
 <pre> 
 mkdir /usr/lib/perl5/vendor_perl/Apache 
 ln -s /var/www/redmine/extra/svn/Redmine.pm /usr/lib/perl5/vendor_perl/Apache/Redmine.pm 
 </pre> 

 h3. Creating a path for subversion repositories 

 create a path and set permissions for your SVN repo... 
 <pre> 
 mkdir /opt/subversion 
 chown -R apache:apache /opt/subversion 
 </pre> 

 h3. Edit virtual host for apache to serve SVN with redmine 

 to get Apache working with subversion, you need to adjust (create) the virtual host file 
 <pre> 
 vi /etc/httpd/conf.d/subversion.conf 
 </pre> 
 now enter/edit the following 
 <pre> 
 PerlLoadModule Apache::Redmine 
 <Location /svn> 
         DAV svn 
         SVNParentPath "/opt/subversion" 
         SVNListParentPath on 
         Order deny,allow 
         Deny from all 
         Satisfy any 
         LimitXMLRequestBody 0 
         SVNPathAuthz off 

         PerlAccessHandler Apache::Authn::Redmine::access_handler 
         PerlAuthenHandler Apache::Authn::Redmine::authen_handler 
         AuthType Basic 
         AuthName "Redmine SVN Repository" 

         Require valid-user 
         RedmineDSN "DBI:mysql:database=redmine;host=localhost:3306" 
         RedmineDbUser "redmine" 
         RedmineDbPass "very_secret" 

         # cache max. 50 passwords 
         RedmineCacheCredsMax 50 
 </Location> 
 </pre> 

 h3. Achievements 

 What we've done at this point: 
 * A running Redmine v2.0.3 installation using Apache Passenger 
 * Working authentication with Redmine's builtin database 
 * Working Subversion with Apache's WebDav 
 * Subversion authentication against redmine's builtin database 

 h2. Authentication against Active Directory 

 The last step requires some knowledge how to authenticate against your Active directory. First of all, open up Redmine in a web interface and enter the Administration dialogue. Select LDAP-Authentication adn create a new authentication entry. 

 * Name: Enter a NAME for your entry, this can be anything...  
 * Host: Enter the IP address of a domain controler unless you are really sure, that DNS is working correctly 
 * Port: 389 
 * Account: This one is kind of a pitfall. Enter the DN of the user object that can authenticate against the Active Directory. 
 ??EXAMPLE??: Assume that you have a domain that is called: mynetwork.local and an organizational unit that is named: myUsers. The DN of this organizational unit is: @OU=myUsers, DC=mynetwork, DC=local@ If you create a user, which Display name is like ??ldap authentication user?? then the Account you need to enter is: @CN=ldap authentication user, OU=myUsers, DC=mynetwork, DC=local@. I'd recommend using a tool like Sysinternals ADExplorer if you are unsure about the distinguished name of your authentication user. 
 * Base DN: This is the entry point, where Redmine tries to find users. In the example above you want to enter: @OU=myUsers, DC=mynetwork, DC=local@ 
 * LDAP Filter: You can enter any filter you like here, a valid filter for finding users is: @(&(objectClass=user)(objectCategory=person))@.  
 * On-the-fly Usercreation: I tend to check this.. This allows the initial creation of a new user when the user logs on redmine. 

 Attributes: _(I am not sure, whether the fields below are correctly tranlsated... please correct if necessary)_ 
 * member name: sAMAccountName 
 * first name: givenname 
 * surname: sn 
 * E-Mail: mail 

 Save it, try it :) 

 You should be able to log on with your windows logon name and your windows passwort. If you've never logged on a new account should have been created within the redmine built in database. 

 

 h2. Authenticate Last step - authenticate Subversion against Active Directory  

 Note: Using active directory (by using the builtin built in database provided by Redmine. from redmine!) 

 This one is tricky, you want the authentication data from Active Directory but you also want the group permissions from Redmine. redmine. So you need to tell the logon mechanism to authenticate against AD and check inside the database, whether the user is SVN editor or not. Finally most of the work is done here with the redmine.pm script (remember, we've linked that already).  

 Fortunatelly But unfortunatelly the CentOS Perl implementation includes no module for Simple::LDAP. So we need to do some compiler work...  

 First of all, fetch the packages needed for building the necessary Perl modules. perl module(s). 
 <pre> 
 yum -y install perl-CPAN perl-YAML 
 </pre> 

 There are a lot of dependencies when trying to build the module, so I recommend to turn on automatic dependency handling inside the CPAN shell.... 
 Start up the shell: 
 <pre> 
 perl -MCPAN -e shell 
 </pre> 
 and then run the following two commands: 
 <pre> 
 o conf prerequisites_policy follow 
 o conf commit 
 </pre> 
 Now it is time, to install the module, still inside the shell. Enter 
 <pre> 
 install Authen::Simple::LDAP 
 </pre> 
 This takes some time... If queried for any dependencies or defaults, just acknowledge them with their default values - this should work. 
 Close the shell after everything is done by entering 
 <pre> 
 exit 
 </pre> 

 Now we need to tell Apache where to find the authentication data, this is simple by editing the subversion.conf 
 <pre> 
 vi /etc/httpd/conf.d/subversion.conf 
 </pre> 
 just add the Simple::LDAP Perl module by editing it this way: 
 <pre> 
    ... 
    PerlLoadModule Apache::Redmine 
    PerlLoadModule    Authen::Simple::LDAP 
    <Location /svn> 
      DAV svn 
      ... 
 </pre> 

 Restart Apache and LDAP Authentication should work now 
 <pre> 
 service httpd restart 
 </pre>