Using Apache / Kerberos / Keytab to Authenticate Redmine Users Against Active Directory

We have a Debian (squeeze) server to which I have root access. It is running Apache, and Redmine is deployed to the server (currently using a local MySQL database for authentication).

Apache is configured to use Kerberos and a keytab file to authenticate users against Active Directory. With the current configuration, as soon as a user attempts to access anything over https, the user is prompted for a username / password, which is successfully authenticated against Active Directory.

I understand (somewhat) that Redmine has its own LDAP configuration that can be used to authenticate users against an existing Active Directory, but this would require the user to enter their credentials one time for Apache and then a second time for Redmine.

Can I somehow configure Redmine to share the Apache authentication method as opposed to requiring the user to enter their credentials a second time? (Using Apache to authenticate against Active Directory is a requirement for a separate application on the server)


Solution 1:

I'm not sure if there's built-in support in Redmine for this feature, as all the links I can find are pretty old. However, it seems like it shouldn't be too hard to add.

Basically, most Apache authentication modules will set an environment variable in the request called REMOTE_USER, which they fill with the username that the requester has proven themselves to be. If you modified Redmine to accept REMOTE_USER in lieu of an internal authentication provider as in this bug report, then you would be able to use only Apache and Kerberos to authenticate users.

It seems like somebody's already implemented a plugin that does a similar thing. This forum post also details such a solution.

Note: This method just provides authentication, not authorization; you'll be able to trust that a user is who they say they are, but you may still need to use a direct LDAP connection to Active Directory if you care about what groups a user is in or any other kind of graduated access control.
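As an added illustration of the REMOTE_USER approach described in this answer (example code, not Redmine's own or the linked plugin's), the following Ruby sketches what the Redmine side has to do once Apache has authenticated the request: take the principal from the server-set `REMOTE_USER`, check it belongs to a trusted realm, map it to a local login, and then still consult the local user record (status, group membership) because Kerberos only establishes identity. The realm list, user table and the assumption that Redmine runs in-process with Apache (so `REMOTE_USER` arrives in the Rack env rather than as a client-supplied HTTP header) are constructed for the example.

```ruby
# Added example, not Redmine code: resolving an Apache-authenticated
# REMOTE_USER to a local Redmine-style user record.
#
# Assumptions (hypothetical for this example):
#  - Redmine runs inside Apache (e.g. mod_passenger), so REMOTE_USER is set
#    by the Kerberos auth module and cannot be supplied by the client.
#  - If Apache forwarded the value as an HTTP header instead (reverse proxy
#    setup), that header would have to be stripped from incoming requests
#    first; this code deliberately never reads HTTP_X_REMOTE_USER.

TRUSTED_REALMS = %w[EXAMPLE.COM].freeze   # constructed: AD realm(s) we accept

# Constructed stand-in for Redmine's users table: login => record
USERS = {
  "jdoe"   => { id: 1, status: :active },
  "asmith" => { id: 2, status: :locked },
}.freeze

# Turn a Kerberos principal into a local login.
#   "jdoe@EXAMPLE.COM" -> "jdoe"
#   "jdoe"             -> "jdoe"   (Apache already stripped the realm,
#                                   e.g. with KrbLocalUserMapping On)
# Returns nil when the principal is empty, carries an untrusted realm
# (a cross-realm trust must not be able to impersonate a local login), or
# is a service principal such as host/web.example.com.
def login_from_principal(principal)
  return nil if principal.nil? || principal.empty?
  name, realm = principal.split("@", 2)
  return nil if name.nil? || name.empty?
  return nil if name.include?("/")
  return nil if realm && !TRUSTED_REALMS.include?(realm.upcase)
  name.downcase
end

# Resolve a Rack env to a user record, or nil if the request must be rejected.
# Only the server-set REMOTE_USER is consulted. Authentication is Apache's
# job; the local status check is the first piece of authorization that
# Redmine still has to do itself.
def user_from_env(env)
  login = login_from_principal(env["REMOTE_USER"])
  return nil unless login
  user = USERS[login]
  return nil unless user && user[:status] == :active
  user.merge(login: login)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests
  [
    { "REMOTE_USER" => "jdoe@EXAMPLE.COM" },
    { "REMOTE_USER" => "asmith@EXAMPLE.COM" },        # locked locally
    { "REMOTE_USER" => "jdoe@OTHER.COM" },            # untrusted realm
    { "HTTP_X_REMOTE_USER" => "jdoe@EXAMPLE.COM" },   # client header, ignored
  ].each { |env| p user_from_env(env) }
end
```

The `status` check stands in for the rest of the answer's note: group membership and project roles are not available from the Kerberos ticket, so anything beyond "this is user X" still has to come from Redmine's own records or an LDAP lookup.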