2016-02-14

Redmine AD SSO setup

Hello, world!

I was looking for a place to post my journey to setup AD SSO in a Redmine instance I manage and...
After almost 10 years, I found out I still have this blog!
So, let's go!

Objective


Our goal is basically setup the single_auth plugin with the most recently available software. This plugin mentions a mod_ntlm apache module, but I simply couldn't compile it or find a version that works.


My Redmine setup


I have a Redmine 3.1-stable checkout, with a lot of custom plugins, running on CentOS 7 and Apache 2.4. It uses mod_passenger module to serve the app.

Requirements


I don't have any idea of what the requirements really are ;) Follows the list of the softwares I'm currently using (all of them currently available on CentOS repos, rubygems or redmine repo):
CentOS 7.2.1511
Samba 4.2.3
Apache 2.4.6
Ruby 2.2.1p85
Passenger 5.0.18
Redmine 3.1-stable with single_auth plugin installed and LDAP auth already configured

SSO Setup


The idea here is to follow the default setup of the single_auth plugin, but using the mod_auth_ntlm_winbind apache module, which is maintained and currently available on CentOS.

Samba domain join

The mod_auth_ntlm_winbind module requires that samba is installed and joined the domain you want to single-sign-on. It acts just as a bridge between Apache and ntlm_auth program. Thus, the first step is to install and join samba to the domain.

yum install samba-winbind-clients realmd
realm join --verbose --client-software=winbind --user=some_join_privileged_user mydomain.com

To test, execute the following on the shell to test you are able to authenticate a user:

ntlm_auth --username=some_user
Password: *********
NT_STATUS_OK: Success (0x0)

Windind configuration

Depending on your Redmine LDAP configuration, it may expect the username without the domain prefix when looking for new users. In this case (it was mine), the easiest way is to setup winbind to return the user without the domain prefix. Just check it won't affect other systems in the same machine before changing.

vim /etc/samba/smb.conf
# make sure "winbind use default domain" is set to "yes"
systemctl restart winbind

To test, execute the follwing command to check how a user is listed by samba.

wbinfo -u | head -n 1
first_user # (there should be no "DOMAIN\" prefix)

Install the single_auth plugin


This is the last step here, which is a slightly modified version of what is said in the original plugin. Make sure the redmine side is configured as said in this plugin page.

First, install the module package and add the apache user to the group allowed to use the ntlm_auth private pipe.

yum install mod_auth_ntlm_winbind
usermod apache -a -G wbpriv 


The apache site /etc/httpd/conf.d/yoursite.conf should be set up as following:

  <Location "/login">
    AuthName "MySite NTLM Authentication"
    NTLMAuth on
    NegotiateAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    NTLMBasicAuthoritative on
    AuthType NTLM
    AuthType Negotiate
    Require valid-user
  </Location>

After that, restart Apache.

service httpd restart

That's it!

All the requests to any Redmine resource should be redirected to /login, which will require a valid user on apache side before handing forward the request to Redmine. When Redmine receives the request, the single_auth plugin will read the REMOTE_USER env var filled by Apache and will auto login the user by searching it on the LDAP auth source, without any user interaction. Single Sign On!

Improvements


It's working ok so far, but I'm looking for one big improvement to this setup: As the apache side requires a valid-user, all users must be on LDAP. Otherwise, Apache keeps asking for a user and password. I would like to foward the request to Redmine even if the login on apache side fails.

My first obvious try was to remove the "valid-user" require, but it failed because Apache detects there is no requirement and doesn't even try to reach the NTLM auth mechanism, making the SSO stop working.

If you have any idea, fell free to post!

[]'s

2 comments:

Aleksandar Pavic said...

I am getting broken helper package, then after I fixed that error, it just displays "this page cannot be displayed" after users try to login...

Without any trace in Apache :(

Any ideas?

Metli said...

This solution does not work for me. The login works, I can sign to redmine with LDAP user identity without any problem. After I try to create an issue, it gives me error 422, invalid form authenticity token.

I've tried redmine 3.2.9, 3.4.4, 3.4.5 without any difference. I also cannot add a comment under the issue, the browser gives me 404 error.

There are no problems, if I use LDAP account with form login. I suppose the NTLM or Single_auth somehow breaks the redmine request routing. For sso I used uses only IE11 (the costomer use only this browser in his company for SSO), it may be a part of the problem also.

Have you ever expirenced such bahavior? Is there any solution?