Cool Solution - Install Redmine and setup ldap authentication

From Univention Wiki

Revision as of 16:40, 28 October 2013 by Orrego (talk | contribs)
Jump to: navigation, search
Produktlogo UCS Version 3.1

This article will explain, how to setup redmine with ldap authentication in UCS 3.1


Activate unmaintained packages

First activate the unmaintained repository with

ucr set repository/online/unmaintained='yes'

Hint: Unmaintained packages are not covered by security updates.

Install packages

A lot of packages are required:

univention-install univention-postgresql apache2 rake rubygems \
libopenssl-ruby libpgsql-ruby libmagickcore-dev libmagickwand-dev \
libpq-dev libapache2-mod-passenger libapache-dbi-perl

Download current version

Go to and download the current version.

Unpack it and move it to /var/lib/redmine

tar xzf redmine-2.3.3.tar.gz 
mv redmine-2.3.3 /var/lib/redmine
cd /var/lib/redmine/

gem install

The next step we have to install blundler packages (to manage dependencies for ruby applications) with gem.

gem install bundler

Prepare database connection

In this setup we use postgresql. You have to create a username and a database.

Switch to the postgres database superuser.

su postgres

and execute


to connect you to postgres. Execute the following command to create a user redmine. Please set <password> to your favorit.


Create the database redmine and set the owner to redmine with the following command:


close the postgres connection with


and exit the postgres session with


Now you should have a user named redmine which own a database named also redmine. The next step is to edit the database settings in redmine config file. Copy the example file to config/database.yml

cp config/database.yml.example config/database.yml
vim config/database.yml

Only the following settings are required:

# PostgreSQL configuration
  adapter: postgresql
  database: redmine
  host: localhost
  username: redmine
  password: "<password>"

Replace <password> with your password and beware the two spaces in front of the lines after production. Save the file and reexecute the following commands: bundle will install all dependencies with:

/var/lib/gems/1.8/bin/bundle install --without development test mysql sqlite
/var/lib/gems/1.8/bin/rake generate_secret_token RAILS_ENV=production
/var/lib/gems/1.8/bin/rake config/initializers/secret_token.rb RAILS_ENV=production
/var/lib/gems/1.8/bin/rake db:migrate RAILS_ENV=production

Load the default data:

/var/lib/gems/1.8/bin/rake redmine:load_default_data RAILS_ENV=production

(Press enter to confirm the default language [en])

Apache-passenger module

We have to install the last version of the apache 2 module for passenger application server (aware of Rails 3). See dispatcher load error For more details

apt-get install build-essential libcurl4-openssl-dev apache2-threaded-dev libapr1-dev libaprutil1-dev
gem install passenger

after successful installation execute following command and follow the onscreen instructions:

Welcome to the Phusion Passenger Apache 2 module installer, v4.X
Press Enter to continue, or Ctrl-C to abort
Are you sure you want to install against Apache 2.Y (/usr/bin/apxs2)? [y/n]: y
The Apache 2 module was successfully installed.
Press ENTER to continue.

Once the module is installed, add the path to the module in apache.

Edit the file /etc/apache2/mods-available/passenger.load (insert the correct version number of passenger - e.g. passenger-4.0.20):

LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-4.X/buildout/apache2/

also edit the file /etc/apache2/mods-available/passenger.conf to:

<IfModule mod_passenger.c>
  PassengerRoot /var/lib/gems/1.8/gems/passenger-4.X
  PassengerDefaultRuby /usr/bin/ruby1.8
  PassengerDefaultUser www-data

and enable passenger module with:

a2enmod passenger

Configure apache

Set a symlink to redmine and change the owner:

ln -s /var/lib/redmine/public /var/www/redmine
chown -R www-data:www-data /var/www/redmine

also create folder, change owner and file permissions

mkdir -p public/plugin_assets
chown -R www-data:www-data files log tmp public/plugin_assets
chmod -R 755 files log tmp public/plugin_assets

create a new file in sites-available and activate it:

echo "RailsBaseURI /redmine" > /etc/apache2/sites-available/redmine
a2ensite redmine

the last command, restart apache:

/etc/init.d/apache2 restart

That's it. You will find redmine at either: localhost/redmine your-ip/redmine or your-domain/redmine

Login with username=admin and password=admin

Go to Administration -> Users -> admin and create a new password for the admin users in the Authentication (Internal) box. Click Save to set.

Configuration of redmine

Create a simple authentication account

First, a simple authentication account should be created using the UDM.

udm users/user create --option ldap_pwd --set lastname=redmine --set username=redmine --set password=<password> --position cn=users,<ldap/base>

Change <password> with your favorit and <ldap/base> with the output from ucr get ldap/base This account can then be used for an authenticated bind. To find the DN of the account issue the following command on the command line:

udm users/user list --filter name=<NAME of the account> | grep DN

Configuration of redmine for ldap authentication

Go to redmine (http://server-ip/redmine/login) and login with admin. Go to administration -> LDAP authentication. Create a new authentication mode with the following settings.

Name     = My Directory
Host     = (get with: ''hostname -f'')
Port     = 7389
LDAPS    = no
Account  = <DN of the authentication account>
Password = <password of the authentication account>
Base DN  = CN=users,DC=host,DC=domain,DC=org (get with: ''ucs get ldap/base'')

On-the-fly user creation = yes
  Login     = uid
  Firstname = givenName
  Lastname  = sn
  Email     = mail

By checking on-the-fly user creation, any LDAP user will have his redmine account automatically created the first time he logs into redmine. For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their redmine accounts. see RedmineLDAP for further information

Note: When creating a redmine user in UCS, the email address goes in the Contact tab of the User creation form. User data will be retrieved the first time the user logs in. Changes in UCS do not get automatically updated to redmine DB.

Integration of subversion with ldap auth

Install packages

Now we have to install some packages for subversion and perl:

apt-get install subversion libapache2-svn libdbd-pg-perl libpg-perl \
libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl \

Create Folder for repositories

Next we have to create a folder for our repositories. Don't create a folder under /var/www, it will generate some errors. We choose /var/svn for this example. Also set the right permissions.

mkdir /var/svn
chown www-data:www-data /var/svn

Automating repository creation

Enable WS for repository management option in your redmine settings. Open yourdomain/redmine and login with admin account. Go to Administration -> Settings -> Repositories. Enable [X] WS for repository management. Notice the API key for the next step.

"Generate a key"

You can now add this line in your crontab (replace yourdomain and yourAPIkey):

ucr set cron/redmine/time='10 * * * *' cron/redmine/command='/usr/bin/ruby /var/lib/redmine/extra/svn/reposman.rb --redmine --svn-dir /var/svn --owner www-data --group www-data --url --verbose --key=yourAPIkey --command="/usr/bin/svnadmin create" >> /var/log/reposman.log'

Now every 10 minutes reposman.rb will look for new projects and create a repository for it.

Apache configuration for Subversion repositories

Enabling apache modules:

a2enmod dav
a2enmod dav_svn
a2enmod perl

Add the following location directives to your apache configuration in /etc/apache2/conf.d/subversion.conf(replace your.redmine.server.ip and yourDatabasePassword)

# /svn location for users
PerlLoadModule Apache::Redmine
PerlLoadModule Authen::Simple::LDAP

<Location /sys>
   Order deny,allow
   Allow from your.redmine.server.ip
   Deny from all

<Location /svn>
    DAV svn
    LimitXMLRequestBody 0
    SVNPathAuthz off
    SVNParentPath "/var/svn"
    AuthType Basic
    AuthName "Redmine Subversion Repository"
    Require valid-user
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler
    AuthUserFile /dev/null
    # postgresqlconnection
    RedmineDSN "DBI:Pg:dbname=redmine;host=localhost"
    RedmineDbUser "redmine"
    RedmineDbPass "yourDatabasePassword"
    #Cache the last 50 auth entries
    RedmineCacheCredsMax 50

Link and fix

If it's not there, you have to link to perl5/Apache folder:

ln -s /var/lib/redmine/extra/svn/ /usr/lib/perl5/Apache/

We have to fix the code in

Change line 490 to the following:

host    =>      ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : "ldap://$rowldap[0]:$rowldap[1]",

and comment line 491 like shown:

#port    =>      $rowldap[1],

This code change is required, because Authen::Simple::LDAP ignore the port number and connect always to 389 (standart ldap port).

Finish the setup

after all execute:

service apache2 restart

Now you can access your repositories under http://yourdomain/svn/myproject and your redmine under http://yourdomain/redmine

Further links

Personal tools