How to Password Protect Redmine with Apache, mod_perl, and Redmine.pm

Today I needed to password-protect a Redmine installation. I’ve typically used mod_auth_mysql for similar projects, but Redmine uses a salted password format that’s incompatible with mod_auth_mysql. So, I turned to Apache/Perl authentication, a first for me (I rarely touch Perl) and was able to make it work.

1. Install mod_perl, and the DBI, MySQL, and Digest (SHA1) Perl modules.

   1	$ apt-get install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl

2. Copy Redmine.pm to the appropriate Perl location.

   1 2 3

   $ cd /path/to/redmine $ mkdir -p /usr/lib/perl5/Apache/Authn $ cp extra/svn/Redmine.pm /usr/lib/perl5/Apache/Authn/

3. Perhaps I’m not using Redmine’s projects/members/permissions correctly, but I had to patch Redmine.pm to get it to work for me. I greatly simplified the SQL statement used to authenticate a user. There’s no sense of permissions; it’s simply a yes/no for authenticated users.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

   --- Redmine.pm  2011-11-12 17:33:10.000000000 -0700 +++ Redmine.richardkmiller.pm   2011-11-12 17:37:26.000000000 -0700 @@ -148,16 +148,11 @@    my ($self, $parms, $arg) = @_;    $self->{RedmineDSN} = $arg;    my $query = "SELECT -                 hashed_password, salt, auth_source_id, permissions -              FROM members, projects, users, roles, member_roles +                 hashed_password, salt +              FROM users                WHERE -                projects.id=members.project_id -                AND member_roles.member_id=members.id -                AND users.id=members.user_id -                AND roles.id=member_roles.role_id -                AND users.status=1 -                AND login=? -                AND identifier=? "; +                    users.status=1 +                AND login=?";    $self->{RedmineQuery} = trim($query);  }    @@ -336,11 +331,12 @@    }    my $query = $cfg->{RedmineQuery};    my $sth = $dbh->prepare($query); -  $sth->execute($redmine_user, $project_id); +  $sth->execute($redmine_user);       my $ret; -  while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) { - +  while (my ($hashed_password, $salt) = $sth->fetchrow_array) { +      my $permissions = ":commit_access"; +      my $auth_source_id = 0;        unless ($auth_source_id) {                 my $method = $r->method;            my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);

4. Configure and restart Apache.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

   <virtualhost *:80>     ServerName example.com     DocumentRoot "/var/www/sites/example.com/public"     RailsEnv production       PerlLoadModule Apache::Authn::Redmine       <directory "/var/www/sites/example.com/public">         AuthType basic         AuthName "Private Area"         Require valid-user         PerlAccessHandler Apache::Authn::Redmine::access_handler         PerlAuthenHandler Apache::Authn::Redmine::authen_handler         RedmineDSN "DBI:mysql:database=my_database;host=localhost"         RedmineDbUser my_db_user         RedmineDbPass my_db_password     </directory> </virtualhost>

By the way, I’m running Ubuntu 11.10 (oneiric), Apache 2.2, MySQL 5.1, and Redmine 1.2.2.