With reverse proxy it can be used to use SSL certificate to login. Plugin checks HTTP header Remote-User-Email. If user with such email exists he/she will be logged in.
Redmine 2.x
Before installing make sure to stop redmine.
cd [redmine-install-dir]/plugins export RAILS_ENV=production git clone git://XXXX cd .. rake redmine:plugins:migrate bundle install --without development test
After this steps you can switch back on redmine. Existing users will gain Remote User auth method (Look at Administration > Users).
Reverse proxy must:
-
check certificate
-
unset Remote-User_email
-
header an set it to DN_Email from certificate
Apache example:
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
RequestHeader unset Remote-User-Email RequestHeader set Remote-User-Email “%{SSL_CLIENT_S_DN_Email}e”
SSLVerifyClient require
Nginx example:
server {
#....
proxy_pass http://127.0.0.1:3000/$1...;
proxy_set_header Remote-User-Email $ssl_client_s_dn;
}
With valid certificate you can still log-in as users with normal Auth Method.
Before installing make sure to stop redmine and before that to disable Remote User auth method for all users (Look at Administration > Users)
cd [redmine-install-dir] export RAILS_ENV=production rake redmine:plugins:migrate NAME=redmine_remote_user_auth VERSION=0 rm -Rf plugins/redmine_cert_auth
After this steps you can switch back on redmine.