Redmine PAM authentication plugin

This recipe shows how to configure Redmine to use PAM authentication. It includes the code of the PAM authentication plugin.

Ingredients

  • a working Redmine installation
  • libpam0g-dev (debian package)
  • rpam (gem)

Install dependencies

$ sudo aptitude install libpam0g-dev
$ sudo gem install rpam

Testing rpam

Save the following as auth.rb:

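#!/usr/bin/ruby
# Checks a username/password pair against PAM using the rpam gem.

require 'rubygems'
require 'rpam'
include Rpam

user = ARGV[0]
abort "usage: auth.rb USER" if user.nil?

# Read the password from stdin with terminal echo disabled,
# restoring echo even if reading fails.
begin
  system "stty -echo"
  pass = STDIN.gets.to_s.strip
ensure
  system "stty echo"
end

if authpam(user, pass) == true
  puts "Authenticate Successful"
else
  puts "Authenticate Failure"
end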

And run it with:

$ ruby ./auth.rb peter
{write password here}
Authenticate Successful

The plugin

Following the instructions of the Alternative (custom) Authentication HowTo, I wrote this trivial (but working) plugin:

[auth_source_pam.rb]

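require 'rubygems'
require 'rpam'
include Rpam

# Redmine authentication source that checks credentials against PAM.
class AuthSourcePam < AuthSource

  # Returns nil when authentication fails, or the user attributes on success.
  def authenticate(login, password)
    logger.debug "replacement PAM auth called" if logger && logger.debug?

    # Blank credentials are rejected before PAM is ever called.
    return nil if login.blank? || password.blank? || !authpam(login, password)

    return [:firstname => login]
  end

  # Name shown for this authentication source.
  def auth_method_name
    "PAM"
  end

end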

Put this file in /usr/share/redmine/app/models/ (on Debian).

Register the plugin

As the Authentication HowTo says, you must insert a record into the auth_sources database table. I use sqlite3, so in my case I did:

$ sqlite3 /var/lib/dbconfig-common/sqlite3/redmine/instances/default/redmine_default
sqlite> insert into auth_sources values (NULL, 'AuthSourcePam', 'Pam', 'localhost', 1, 'user', 'pass', 'app', 'name', 'firstname', 'lastname', 'email', 1, 0);

Selecting authentication method

Now restart Redmine and go to the user administration page. In the “Authentication” section there is now a new option called “Authentication mode”, where you can choose between “internal” and “Pam”. That is all.



Comments

I’m sorry if the plugin code contains errors, but it is my very first Ruby program. Please comment if you have any suggestions or problems.


Comments


Authentication mode not available in page

I've done everything as described above but I use MySQL instead of SQLite.

Here's the proof that the information is there:
mysql> select * from auth_sources;
+----+---------------+------+-----------+------+---------+------------------+---------+------------+----------------+---------------+-----------+-------------------+-----+
| id | type | name | host | port | account | account_password | base_dn | attr_login | attr_firstname | attr_lastname | attr_mail | onthefly_register | tls |
+----+---------------+------+-----------+------+---------+------------------+---------+------------+----------------+---------------+-----------+-------------------+-----+
| 1 | AuthSourcePam | Pam | localhost | 1 | user | pass | app | name | firstname | lastname | email | 1 | 0 |
+----+---------------+------+-----------+------+---------+------------------+---------+------------+----------------+---------------+-----------+-------------------+-----+
1 row in set (0.00 sec)

I don't know why, I have no new option for setting Authentication mode. Any hints?

Tks,
PP

Authentication mode is available

I was fighting with the same problem. After an hour I gave up and decided to create users by hand and...

Go to /users/new and you will see that this setting (Auth mode) is a per-user option, not system-wide:

http://cl.ly/0y2X0k3A1K3e1k3k1k1o

Change the option from Internal to Pam and all should work OK.

Picture of david.villa

Yes, the module works this

Yes, the module works this way. This PAM module does not map system users on Redmine. This plugin supports only authentication for already existing users. Sorry if the post does not clarify that point.

I am not a spokesperson for any collective, group or faction. My opinion is personal and non-transferable.

Good, but don't know why it does not work

Hi,

I have followed your post, but it seems that it does not work.

The auth.rb test is working fine, but the plugin does not authenticate.

The plugin is registered, the user is created with "PAM" authentication, and the Redmine production log shows "Failed login...".

I even added the login/password to the log, they are fine, but the function "authpam" does not seem to work when used in Redmine through Apache.

I'm hosting using Ubuntu 11.10 x86_64, ruby 1.8, apache 2.2 with passenger, redmine 1.1.3.stable (MySQL).

Thanks :)

Picture of david.villa

Do you test it with the

Did you test it with the auth.rb program above?

I am not a spokesperson for any collective, group or faction. My opinion is personal and non-transferable.

Hi, Yes I have, it is

Hi,

Yes I have, it is working.

I have made another try: I did a "su nobody" to start a shell as the Apache user. Then I ran auth.rb. This time, it failed. It seems that the "nobody" user can't use PAM authentication in a Ruby script.

Maybe this can help you...

Thanks.
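
The last comments report that auth.rb succeeds from a login shell but fails when run as the web server's user. As an added example (not part of the original post or its comments), this Ruby check reports whether the current process can verify an account's password, assuming Linux with pam_unix and shadow passwords: pam_unix reads /etc/shadow directly when it can, and otherwise falls back to the setuid unix_chkpwd helper, which lets a non-root caller check only its own password. The function names and the SHADOW constant are hypothetical.

```ruby
# Added example, not from the original post. Assumes Linux, pam_unix in the
# PAM stack and shadow passwords; all names below are hypothetical.
require 'etc'

SHADOW = '/etc/shadow' # assumption: standard shadow file location

# Decide whether a process can verify +target+'s password through pam_unix.
# Pure function, so the cases from the thread can be replayed with
# constructed inputs. Returns [can_verify, reason].
def pam_unix_verdict(target, running_as, euid, shadow_readable)
  return [true, 'running as root'] if euid.zero?
  return [true, "#{SHADOW} is readable by #{running_as}"] if shadow_readable
  if target == running_as
    return [true, "unix_chkpwd helper verifies the caller's own password"]
  end
  [false, "#{running_as} cannot read #{SHADOW} and unix_chkpwd refuses " \
          "to check another account (#{target})"]
end

# Name of the account the current process runs as (falls back to the uid).
def current_user_name
  Etc.getpwuid(Process.euid).name
rescue StandardError
  Process.euid.to_s
end

# Evaluate the real process, e.g. when started under the web server's account.
def diagnose(target)
  pam_unix_verdict(target, current_user_name, Process.euid,
                   File.readable?(SHADOW))
end

if __FILE__ == $PROGRAM_NAME
  target = ARGV[0] || current_user_name
  ok, reason = diagnose(target)
  puts "#{ok ? 'can verify' : 'CANNOT verify'} #{target}: #{reason}"
end
```

Making /etc/shadow readable to the web server account would let Redmine authenticate other users, but it also exposes every password hash on the host to the web application.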