Transparent authentication in Redmine

    Today's post is about the convenience of using Redmine in a corporate environment, and more specifically about the transparent authentication of Redmine users against a Microsoft Active Directory domain.

    We use Redmine as a single information environment in which all employees of the company work. Entering the same password twice is always inconvenient. Therefore, we have configured transparent authentication through the domain.

    Transparent authentication


    Firstly, Redmine itself supports authentication through LDAP (Active Directory exposes an LDAP interface). By filling in a small number of fields you can quickly authenticate users against the domain, and even create them on the fly. This feature removes the need for an administrator to create each new user by hand.



    But the problem is that the average user who has just joined the company immediately asks “What password should I enter?”. As a rule, this question takes up the specialists' time. Therefore, we wrote a small plugin (an add-on to Redmine's native authentication mechanism): SSO (Single sign-on).

    The main function of the plugin is to take the user's login from a server variable and, if that login matches a user in the Redmine database, authenticate the user transparently; if the login is not found, create the user and then authenticate.

    Thus, all new users get rid of the need to enter a username and password. All they need is to open a shortcut on the desktop, and they immediately get into the corporate environment.
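    As an added illustration of that flow (this is not the plugin's own code, and the user store, the `ldap_exists` lookup and the status symbols are constructed stand-ins for Redmine's User model and its LDAP check), here is how a Redmine-side SSO hook can consume the login that the web server's NTLM module placed in `REMOTE_USER`, and why only that variable is trusted:

```ruby
# Constructed stand-in for Redmine's User model and its lookup (assumption).
User = Struct.new(:login, :active, keyword_init: true)

class UserStore
  def initialize(users)
    @users = users.dup
  end

  def find_by_login(login)
    @users.find { |u| u.login.casecmp?(login) }
  end

  def create(login)
    user = User.new(login: login, active: true)
    @users << user
    user
  end
end

# Reduce the value an NTLM module sets to a bare account name. It may arrive
# as "DOMAIN\user", "user@domain.example" or plain "user" (assumption about
# the module's output format).
def normalize_login(raw)
  return nil if raw.nil? || raw.strip.empty?
  name = raw.strip
  name = name.split("\\").last if name.include?("\\")
  name = name.split("@").first if name.include?("@")
  name.downcase
end

# Only REMOTE_USER is trusted: the server's auth module sets it after a
# successful NTLM handshake. A client-supplied header such as
# "Remote-User: admin" shows up in the environment as HTTP_REMOTE_USER and is
# attacker-controlled, so it is never consulted here.
# ldap_exists is a callable standing in for the directory lookup that must
# succeed before a user is created on the fly.
def sso_login(env, store, ldap_exists:, create_on_the_fly: true)
  login = normalize_login(env["REMOTE_USER"])
  return [:no_sso, nil] unless login

  if (user = store.find_by_login(login))
    return user.active ? [:authenticated, user] : [:locked, nil]
  end

  return [:unknown, nil] unless create_on_the_fly && ldap_exists.call(login)
  [:created, store.create(login)]
end
```

    A locked Redmine account stays locked even though the domain logon succeeded, and an account that the directory does not know is never created, so the on-the-fly path cannot be used to mint arbitrary users.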

    How to configure on the server side


    What actually has to be done so that the login of an authenticated user appears in the server variable? We use Apache as the web server. The main reason we are not switching to Nginx is the lack of a stable NTLM authentication module for the Windows domain.

    Maybe someone can suggest one?

    In Apache everything is configured quite simply. You need to download and compile the NTLM authentication module. I described how to do this in detail in my first article, which also covers some of the glitches of this module: habrahabr.ru/company/monandco/blog/198496

    How to configure on the client side


    For transparent authentication to work correctly, the client's browser must pass certain information to the server. By default, browsers do not do this, and a window pops up asking for a domain login and password (which is exactly what we want to avoid).

    Firefox
    You need to type “about:config” in the URL bar.
    Find the “network.automatic-ntlm-auth.trusted-uris” parameter and add your domain to it.



    Chrome and IE
    You need to add the domain to the trusted zone.



    And change the settings for the trusted zone.



    Chrome for Windows picks up settings from Internet Explorer.
    Of course, all this is best done using group policies.

    The SSO plugin implements a number of other useful features.

    2-factor authentication


    The plugin implements 2-factor authentication in Redmine by sending a code via SMS. However, you need your own SMS gateway to send the messages.

    You can configure various parameters for 2-factor authentication. For example, you can disable it for specific domains or IP addresses. This is convenient when you want additional verification only for users working from outside the office.

    You can disable 2-factor authentication for users from certain Redmine security groups, for example, for admins.
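    To make these settings concrete, here is an added example (not the plugin's own code) of the two pieces such a feature needs: a policy that exempts trusted networks and named Redmine groups, and the issuing and checking of the SMS code. The settings hash, the group name, the code lifetime and attempt limit are constructed values, and `send_sms` stands in for whatever gateway adapter you write yourself:

```ruby
require "ipaddr"
require "securerandom"
require "digest"

# Constructed 2FA settings: no second factor for clients inside these networks
# or for members of these Redmine groups.
TWO_FACTOR_SETTINGS = {
  trusted_networks: ["10.0.0.0/8", "192.168.10.0/24"].map { |n| IPAddr.new(n) },
  exempt_groups:    ["Administrators"],
}.freeze

def two_factor_required?(groups, client_ip, settings: TWO_FACTOR_SETTINGS)
  return false unless (groups & settings[:exempt_groups]).empty?
  ip = IPAddr.new(client_ip)
  return false if settings[:trusted_networks].any? { |net| net.include?(ip) }
  true
end

# A pending SMS challenge. Only a digest of the code is kept, so the session
# store never holds the plaintext; the attempt limit is what actually stops
# guessing a six-digit code.
Challenge = Struct.new(:login, :code_digest, :expires_at, :attempts_left, keyword_init: true)
CODE_TTL     = 300   # seconds (constructed)
MAX_ATTEMPTS = 3     # constructed

def code_digest(code)
  Digest::SHA256.hexdigest(code.to_s)
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# send_sms is the caller's own gateway adapter (the plugin needs your own SMS
# gateway); it is passed in as a callable so this runs offline.
def issue_challenge(login, send_sms, now: Time.now)
  code = format("%06d", SecureRandom.random_number(1_000_000))
  send_sms.call(login, code)
  Challenge.new(login: login, code_digest: code_digest(code),
                expires_at: now + CODE_TTL, attempts_left: MAX_ATTEMPTS)
end

def verify_challenge(challenge, submitted, now: Time.now)
  return :expired if now > challenge.expires_at
  return :locked  if challenge.attempts_left <= 0
  challenge.attempts_left -= 1
  return :ok if secure_equal?(code_digest(submitted), challenge.code_digest)
  challenge.attempts_left.zero? ? :locked : :wrong
end
```

    Note that `client_ip` must be the address the web server saw, not a value taken from a forwarded-for header unless a trusted proxy sets it; otherwise a remote client could claim an internal address and skip the second factor.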

    Screen saver inside the browser window


    This is something of a crutch for those who do not have a normal inactivity lock in the operating system. You can set an interval after which, if the user has been inactive in the browser window, a Matrix-style screen saver appears in place of the Redmine interface.



    Additionally, you can enable automatic logout by timeout.
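    The screen saver is a visual lock only, so the part that matters for security is the server-side expiry behind the automatic logout. The following is an added example, not the plugin's code, of the two-threshold inactivity policy that pairs the overlay with the timeout; both interval values are constructed:

```ruby
# Per-session record of the last authenticated request (constructed).
SessionState = Struct.new(:last_activity, keyword_init: true)

SCREENSAVER_AFTER = 10 * 60   # seconds idle before the overlay is shown
LOGOUT_AFTER      = 30 * 60   # seconds idle before the session is ended; nil disables it

# Decide what the server should do with a request arriving at `now`.
def session_status(state, now:, screensaver_after: SCREENSAVER_AFTER, logout_after: LOGOUT_AFTER)
  idle = now - state.last_activity
  return :logged_out  if logout_after && idle >= logout_after
  return :screensaver if idle >= screensaver_after
  :active
end

# Called on every authenticated request. A request means the user interacted,
# so the idle timer is reset, but never for a session that has already
# expired: that one is ended and a fresh login is required.
def touch_session(state, now:, **opts)
  status = session_status(state, now: now, **opts)
  state.last_activity = now unless status == :logged_out
  status
end
```

    Because the decision is made on the server from its own clock, clearing the overlay in the browser (for example by reloading the page) cannot revive a session that has passed the logout threshold.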

    I hope my article and our plugin will be useful to you. If you have any questions about using Redmine, then write in the comments. I will try to answer.
