Categories
Main Security Tech

How to Password Protect Redmine with Apache, mod_perl, and Redmine.pm

Today I needed to password-protect a Redmine installation. I’ve typically used mod_auth_mysql for similar projects, but Redmine uses a salted password format that’s incompatible with mod_auth_mysql. So, I turned to Apache/Perl authentication, a first for me (I rarely touch Perl) and was able to make it work.

  1. Install mod_perl, and the DBI, MySQL, and Digest (SHA1) Perl modules.
    $ apt-get install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl
    
  2. Copy Redmine.pm to the appropriate Perl location.
    $ cd /path/to/redmine
    $ mkdir -p /usr/lib/perl5/Apache/Authn
    $ cp extra/svn/Redmine.pm /usr/lib/perl5/Apache/Authn/
    
  3. Perhaps I’m not using Redmine’s projects/members/permissions correctly, but I had to patch Redmine.pm to get it to work for me. I greatly simplified the SQL statement used to authenticate a user. There’s no sense of permissions; it’s simply a yes/no for authenticated users.
    --- Redmine.pm	2011-11-12 17:33:10.000000000 -0700
    +++ Redmine.richardkmiller.pm	2011-11-12 17:37:26.000000000 -0700
    @@ -148,16 +148,11 @@
       my ($self, $parms, $arg) = @_;
       $self->{RedmineDSN} = $arg;
       my $query = "SELECT 
    -                 hashed_password, salt, auth_source_id, permissions
    -              FROM members, projects, users, roles, member_roles
    +                 hashed_password, salt
    +              FROM users
                   WHERE 
    -                projects.id=members.project_id
    -                AND member_roles.member_id=members.id
    -                AND users.id=members.user_id 
    -                AND roles.id=member_roles.role_id
    -                AND users.status=1 
    -                AND login=? 
    -                AND identifier=? ";
    +                    users.status=1 
    +                AND login=?";
       $self->{RedmineQuery} = trim($query);
     }
     
    @@ -336,11 +331,12 @@
       }
       my $query = $cfg->{RedmineQuery};
       my $sth = $dbh->prepare($query);
    -  $sth->execute($redmine_user, $project_id);
    +  $sth->execute($redmine_user);
     
       my $ret;
    -  while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
    -
    +  while (my ($hashed_password, $salt) = $sth->fetchrow_array) {
    +      my $permissions = ":commit_access";
    +      my $auth_source_id = 0;
           unless ($auth_source_id) {
     	  			my $method = $r->method;
               my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);
    
  4. Configure and restart Apache.
    <virtualhost *:80>
        ServerName example.com
        DocumentRoot "/var/www/sites/example.com/public"
        RailsEnv production
    
        PerlLoadModule Apache::Authn::Redmine
    
        <directory "/var/www/sites/example.com/public">
            AuthType basic
            AuthName "Private Area"
            Require valid-user
            PerlAccessHandler Apache::Authn::Redmine::access_handler
            PerlAuthenHandler Apache::Authn::Redmine::authen_handler
            RedmineDSN "DBI:mysql:database=my_database;host=localhost"
            RedmineDbUser my_db_user
            RedmineDbPass my_db_password
        </directory>
    </virtualhost>
    

By the way, I’m running Ubuntu 11.10 (oneiric), Apache 2.2, MySQL 5.1, and Redmine 1.2.2.