Vote #62385

Open

Support for Linux passwords

Added by Admin Redmine almost 2 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication_7
Target version:
-
Start date:
2022/05/09
Due date:
% Done:

0%

Estimated time:
category_id:
7
version_id:
0
issue_org_id:
387
author_id:
46
assigned_to_id:
0
comments:
6
status_id:
1
tracker_id:
2
plus1:
0
affected_version:
closed_on:
affected_version_id:
Status-->[New]

Description

In our environment, all of the people that use redMine have Linux accounts on the machine that runs redMine. It
would be nice to be able to configure redMine to use passwords from these users' Linux accounts, rather than having
them maintain separate passwords.


journals

LDAP auth is commonly used, that's why it's natively supported
in Redmine.
But Jérôme is right, Redmine should also provide a way to rely
on the web server to authenticate users and thus allow any auth
means to be used.

A simple hook (based on HTTP headers) in Redmine's authentication
mechanism should do the trick.
--------------------------------------------------------------------------------
In general, this shouldn't be done by redMine, but done by the
web server, with mod_auth_pam, mod_auth_ldap, etc. and redMine
using the credentials passed to it by the web server.
This way, authentication code can stay clear, without specifics
to one or another auth means.
--------------------------------------------------------------------------------
Has anyone hacked this together? How hard would it be? I imagine by the time someone told me how to do it, they could do it.

Trac had buggy support for mod_auth_pam. (had you restrict that area of the site in your apache.conf) So I suspect it's not dead simple. I'd rather it not be buggy. I'm looking into bringing up an LDAP server and populating it nightly with ypcat... A hack, but I would know where to start.

Anyone?

--------------------------------------------------------------------------------
After reading what I posted, that sounded whiny.

I would be happy to research this and code it up. I need some direction... possibly an example of this hook in another project (ruby or otherwise).

The whining sound came from thinking that people willing to help would rather just code it themselves.

Here is what I think Jean-Philippe was thinking with the simple hook based on HTTP headers. In Apache, you would make some dummy restricted area location that would use PAM. This would not be directly accessed by the user web browser. But the Login page's backend would go "hit" the server in this location with the user/pass that was entered in the login page. If it gets a ??? error in the HTTP headers, then don't authenticate.

Is this how it should be done? Thanks!
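
The check described in the comment above, sketched as an added example that is not part of the thread or of Redmine's code: the login backend replays the submitted credentials as HTTP Basic auth against a PAM-protected location and accepts only a 200, failing closed on 401, redirects, timeouts and connection errors. The function names, the `/pam-check` path and the stub server standing in for the Apache location are assumptions made for illustration.

```ruby
require "net/http"
require "socket"

# Hypothetical helper: true only when the protected location answers 200.
# Any other status, a redirect, a timeout or a connection error fails closed.
def web_server_accepts?(host, port, path, user, password)
  return false if user.to_s.empty? || password.to_s.empty?
  http = Net::HTTP.new(host, port, nil) # nil: never route credentials via an env proxy
  http.open_timeout = 2
  http.read_timeout = 2
  req = Net::HTTP::Get.new(path)
  req.basic_auth(user, password)
  http.request(req).code == "200"
rescue StandardError
  false
end

# Constructed stand-in for the Apache location guarded by mod_auth_pam:
# accepts exactly one user/password pair and answers 401 otherwise.
def start_stub_auth_server(valid_user, valid_password)
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      client = server.accept
      auth = nil
      while (line = client.gets) && line != "\r\n"
        auth = line.split(" ", 3)[2].to_s.strip if line =~ /\Aauthorization: basic /i
      end
      ok = auth && auth.unpack1("m") == "#{valid_user}:#{valid_password}"
      status = ok ? "200 OK" : "401 Unauthorized"
      client.write("HTTP/1.1 #{status}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
      client.close
    end
  end
  server.addr[1] # port chosen by the OS
end

if __FILE__ == $PROGRAM_NAME
  port = start_stub_auth_server("alice", "constructed-pass") # constructed sample account
  puts web_server_accepts?("127.0.0.1", port, "/pam-check", "alice", "constructed-pass")
  puts web_server_accepts?("127.0.0.1", port, "/pam-check", "alice", "wrong")
end
```

Because the password travels in the probe request, the protected location belongs on loopback or behind TLS.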

--------------------------------------------------------------------------------
There is a ruby PAM module, but it's not even included in Debian.

* http://ruby-pam.sourceforge.net/ruby-pam.html
* http://ruby-pam.sourceforge.net/pam-ruby.html
--------------------------------------------------------------------------------


Updated by Admin Redmine almost 2 years ago

  • Category set to Accounts / authentication_7
