Open mallorn opened 12 years ago
In your httpd.conf file you need to protect that location with whatever you are using to authenticate. I am using a sso module but what ever you are using should work fine.
<Location ~ "/httpauth-*">
AuthType basic
Require valid-user
</Location>
Other Apache directives might have to be included with your particular Authn/z choice.
Hi Kevin,
I wonder if I'm SOL. I'm using mod_auth_kerb which sets the AuthType to KerberosV5.
So although it's using HTTP BASIC AUTH as described in RFC 1945, is http_auth not recognizing it properly because of the AuthType? Here's the Apache section:
Redirect /redmine https://secure.example.com/redmine/
ProxyPass /redmine/ http://localhost:3000/
ProxyPassReverse /redmine/ http://localhost:3000/
<Location /redmine/>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
AuthType KerberosV5
AuthName "Secure (SSL) Kerberos Login"
KrbAuthRealm EXAMPLE.COM
require valid-user
</Location>
I was hoping that it would essentially see that $REMOTE_USER_LHS was set and would just login with that user, but I'm a Perl guy (not Ruby), so it's going to take me a while to figure out what's going on in the code. :)
My main goal is to make webrick unavailable to the outside world via iptables and force all access through Apache to minimize security risks. Right now you can log in through Apache and then log in again to Redmine, but we'd like to remove locally-stored passwords entirely from the Web server to tighten up security further. Using the Apache authentication only would allow us to do that.
Thanks for the reply!
Chris, sorry my formatting example was messed up before.
No, you should be good. Substitute your auth mechanics for the AuthType line; I was just giving an example.
Mine is not Basic; I use my local auth type, which is a separate SSO product.
I could envision yours looking like:
<Location ~ "/httpauth-*">
AuthType KerberosV5
Require valid-user
</Location>
Hi Kevin,
Mine has a path of /redmine/httpauth-login, so it's covered under that AuthType section above.
Unfortunately, it doesn't seem to make a difference. For giggles' sake I added your configuration file changes too, but I get the same results. Does the path have to be /httpauth* (and not proxied)?
Do something like this; honestly, I don't know the kerb module though.
<Location /redmine/>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
AuthType KerberosV5
AuthName "Secure (SSL) Kerberos Login"
KrbAuthRealm EXAMPLE.COM
## require valid-user
</Location>
<Location ~ "/redmine/httpauth-*">
AuthType KerberosV5
Require valid-user
</Location>
Hi Kevin,
Still no difference with those changes.
I'll try messing around with the code over the weekend to see if I can add some kind of logging to http_auth to track what's going on.
I appreciate the input (and any new ideas you come up with)!
Hi,
I didn't have the time to check the plugin against redmine-1.3. The plugin itself does not care which actual authentication method you are using, it just looks up the configured variable from the CGI/HTTP environment, and logs the user in if this information is there. The white page would suggest that something crashed. Are there any suspicious entries in apache or webrick logs?
Also, the plugin has not yet been checked against the latest Redmine releases, so I would expect some major API changes there :(
regards, Adam
Hi Adam,
Thanks for your reply!
Unfortunately, no, there are no errors in any of the logs for Apache or webrick.
I haven't had time to play with the source and try tracking this down yet, but I plan to. Since I'm the only one using Redmine at this point, having me log in twice isn't a big deal, so it's been low priority. :)
I appreciate that you confirmed what the plugin does for me; it will help with my debugging. Who knows; I could be losing all of the environment variables in my proxy or webrick could fail to pick them up for all I know.
Thanks,
Chris
Adding to my comment... It looks like the loss of environment variables is the problem. REMOTE_USER isn't set when it gets to webrick.
I turned on debugging and added this to http_auth_patch.rb:
remote_username = remote_user
# Log every request header so we can see whether REMOTE_USER survives the proxy
if logger && logger.info?
  logger.info request.headers.inspect
end
It logs some things, but REMOTE_USER is empty.
I'll keep messing around. Experienced perl programmer here, but I've only been using ruby for all of one hour. :D But as far as I can tell, this is an Apache failing.
EDIT: changed it to display all headers.
Success! This appears to be a known issue; one has to explicitly set the header, such as:
Redirect /redmine https://secure.example.com/redmine/
ProxyPass /redmine/ http://localhost:3000/
ProxyPassReverse /redmine/ http://localhost:3000/
<Location /redmine/>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@EXAMPLE.COM
RewriteRule ^ - [E=REMOTE_USER_LHS:%1]
RequestHeader add REMOTE_USER %{REMOTE_USER_LHS}e
AuthType KerberosV5
AuthName "Secure (SSL) Kerberos Login"
KrbAuthRealm EXAMPLE.COM
require valid-user
</Location>
Note the RequestHeader add line; that creates an environment variable named HTTP_REMOTE_USER which you can then configure http_auth to use as the server environment variable for authentication.
Sorry to have taken everyone's time! Hopefully this process will help someone else.
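To show what the backend actually receives after that RequestHeader line, here is an added Ruby example (not from the thread and not the http_auth plugin's own code) that resolves the login the way the plugin is described as working: it reads the configured variable from the Rack/CGI environment and declines to log anyone in when it is missing. The function names and the HTTP_REMOTE_USER variable name are assumptions taken from the post above.

```ruby
# Added example, not the http_auth plugin's code. Assumes http_auth is
# configured to read HTTP_REMOTE_USER, which is what a REMOTE_USER request
# header becomes in the CGI/Rack environment.
REALM = "EXAMPLE.COM"

# Map a request header name to the key Rack exposes it under:
# "REMOTE_USER" header -> env["HTTP_REMOTE_USER"].
def env_key_for_header(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Look up the configured variable in the Rack env and return the bare login,
# or nil when nothing usable is there (the symptom in the thread: REMOTE_USER
# was not set once the request reached webrick, so no login could happen).
def remote_login(env, var = "HTTP_REMOTE_USER", realm = REALM)
  value = env[var]
  return nil if value.nil? || value.strip.empty?
  # "RequestHeader add" appends rather than replaces, so if the inbound
  # request already carried a header of that name the backend sees the two
  # values merged as "a, b". Treat an ambiguous value as no login at all;
  # "RequestHeader set" on the Apache side avoids the ambiguity entirely.
  return nil if value.include?(",")
  login = value.strip
  # Strip a Kerberos realm suffix in case the RewriteCond did not already.
  login = login.sub(/@#{Regexp.escape(realm)}\z/i, "")
  login.empty? ? nil : login
end
```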
Hi,
I'm running Redmine 1.3.1 with the latest http_auth (0.3.0-dev). I am also running Apache 2.2.15 with mod_ssl and mod_proxy; you need to authenticate to Apache using BASIC AUTH, then your connection is proxied through to the webrick server using /redmine as the URI. The user's login is set in the environment variable REMOTE_USER_LHS.
http_auth is configured to use REMOTE_USER_LHS as the variable, and the login name is used for local user lookup.
When I configure http_auth in Redmine I get a link to a blank page with a URI of
/redmine/httpauth-login
Am I misunderstanding how this is supposed to work or missing any key information?
Thanks for any advice,
Chris