
Transparent authentication in Redmine

Today's post is about the convenience of using Redmine in a corporate environment, and more precisely about transparent authentication of Redmine users against a Microsoft Active Directory domain.

We use Redmine as a unified information environment in which all company employees work. Entering the same password twice is always inconvenient. Therefore, we configured transparent authentication through the domain.




Transparent authentication


Firstly, Redmine itself has excellent support for authentication through LDAP (Active Directory is built on top of LDAP). By filling in a small number of fields, you can quickly authenticate users against the domain, and even create them on the fly. This feature eliminates the need for an administrator to create each new user by hand.



But the problem is that a typical user who has just joined the company immediately asks, "What password should I enter?" As a rule, this question delays the onboarding of new specialists. Therefore, we wrote a small plugin (an add-on over the native Redmine authentication mechanism): SSO (single sign-on).

The main function of the plugin is to take the user's login from the server variable and, if this login matches a user in the Redmine user database, transparently authenticate the user; if the login is not found, the plugin creates the user and then authenticates them.

Thus, all new users get rid of the need to enter a username and password. All they need is to open a shortcut on the desktop, and they immediately get into the corporate environment.
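The lookup-or-create flow described above, as an added sketch that is not the plugin's own code. It assumes the web server's authentication module publishes the login in `REMOTE_USER`; the class name, the `CORP` domain and the in-memory user table are constructed for illustration.

```ruby
# Added example with hypothetical names; not taken from the SSO plugin.
User = Struct.new(:login, :created_on_the_fly)

class TransparentLogin
  TRUSTED_DOMAIN = 'CORP'                     # constructed sample domain name
  LOGIN_FORMAT   = /\A[a-z0-9._-]{1,64}\z/    # what we accept as a login

  def initialize(users = {})
    @users = users   # login => User, stands in for the Redmine user table
  end

  # Returns a User, or nil when the normal login form should be shown.
  def authenticate(env)
    login = login_from(env)
    return nil unless login
    # Existing account is reused; an unknown login is created on the fly.
    @users[login] ||= User.new(login, true)
  end

  private

  # Read only REMOTE_USER, which the server-side auth module sets after a
  # successful handshake. Request headers arrive as HTTP_* keys and are
  # controlled by the client, so they are never consulted.
  def login_from(env)
    raw = env['REMOTE_USER'].to_s.strip
    return nil if raw.empty?
    domain, name = split_principal(raw)
    return nil if domain && domain.upcase != TRUSTED_DOMAIN
    name = name.downcase
    LOGIN_FORMAT.match?(name) ? name : nil
  end

  # NTLM modules commonly report "DOMAIN\login"; a bare "login" is also accepted.
  def split_principal(raw)
    raw.include?('\\') ? raw.split('\\', 2) : [nil, raw]
  end
end
```

Normalizing case and stripping the domain prefix before the lookup prevents `CORP\Alice` and `alice` from becoming two separate accounts.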

How to configure server side


What needs to be done so that the login of an authenticated user appears in the server variable? We use Apache as a web server. The main reason we do not switch to Nginx is the lack of a stable NTLM authentication module for a Windows domain.

Can anyone suggest one?

In Apache, everything is quite simple. You need to download and compile the NTLM authentication module. I wrote about how to do this in detail in my first article, which also describes some glitches in how this module works: habrahabr.ru/company/monandco/blog/198496

How to configure on the client side


For transparent authentication to work correctly, the client's browser must pass certain information to the server. By default, browsers do not do this, and a window pops up asking for the domain login and password (which is not what we want).

Firefox
Type "about:config" in the URL bar.
Find the "network.automatic-ntlm-auth.trusted-uris" option and add your domain to it.



Chrome and IE
You need to add the domain to the trusted zone.



And change the settings for the trusted zone.



Chrome for Windows picks up settings from Internet Explorer.
Of course, all this is better done using group policies.

The SSO plugin implements a number of other useful features.

2-factor authentication


The plugin implements 2-factor authentication in Redmine, with the code sent via SMS. However, you need your own SMS gateway to send the SMS messages.

You can configure various parameters for 2-factor authentication. For example, you can disable it for specific domains or IP addresses. This is useful when you want the additional check to apply only to users working from outside.

You can disable 2-factor authentication for users from certain Redmine security groups, for example, for admins.

Screen saver inside browser window


This is something of a workaround for those who do not have a proper inactivity lock in the operating system. You can set an interval after which, if the user is inactive in the browser window, a Matrix-style splash screen appears instead of the Redmine interface.



Additionally, you can enable automatic logout by timeout.

I hope my article and our plugin will be useful to you. If you have any questions about the use of Redmine, then write in the comments. I will try to answer.

Source: https://habr.com/ru/post/245661/

