Noah Kantrowitz wrote on 14 Sep. 2010 19:51:
>> -----Original Message-----
>> From: trac-users@googlegroups.com [mailto:trac-us...@googlegroups.com]
>> On Behalf Of Jon Hadley
>> Sent: Tuesday, September 14, 2010 12:41 AM
>> To: trac-users@googlegroups.com
>> Subject: [Trac] Trac + Ldap - Restricted mode error
>>
>> I'm trying to setup Trac, using mod_wsgi, LDAP and a xml theming proxy
>> called collective.xdv.
>>
(...)
>>
>>      2) LDAP on Trac only works via port 8202, not via 8022. Fairly
>> obviously because that's where the rule is set-up. But the rest of the
>> site on 8022 doesn't need to be LDAP protected. How do I apply the
>> LDAP authentication behind the proxy? Can the proxy somehow inherit
>> the authentication rule when Trac is requested? (More detail regarding
>> this problem is also here: http://serverfault.com/questions/180845 )
>
> To answer #2, HTTP authentication is a local system only, it does not
> work with proxies like that.
>

I first thought you wanted the following:

                             ,-------- ldap auth -- < trac
 user <- (xml theme proxy ) <
                             '-------- cms website

In addition, you want to map /trac into the url-space under your other
site, so that:

1: All requests arrive at www.example.com
2: All requests are transformed/formatted by the xml proxy
3: A URL starting with /trac:
   1: should be served from the trac instance
   2: should be authenticated via ldap

However, as far as I can tell collective.xdv is just a post-hook for
plone? So "all" you want is to have separate mapping of /trac, and
everything else, going through an apache server, with the /trac part
authenticated by ldap?

Should be as easy as:


  <VirtualHost www.example.com>
    ServerName www.example.com

    ProxyRequests Off

    # Do not proxy /trac using mod_http_proxy, use wsgi (which is a kind
    # of reverse proxy)
    ProxyPass /trac !
    <Location /trac>
      AuthBasicProvider ldap
      AuthType Basic
      AuthzLDAPAuthoritative off
      AuthName "Login"
      AuthLDAPURL "ldap://127.0.0.1:389/dc=foo-bar,dc=org?uid"
      AuthLDAPBindDN "cn=admin, dc=foo-bar, dc=org"
      AuthLDAPBindPassword secretword
      require valid-user
    </Location>

    <Location />
      #Assuming you’ve got plone running on port 8001
      ProxyPass http://127.0.0.1:8001/
      ProxyPassReverse http://127.0.0.1:8001/
    </Location>
  </VirtualHost>

  #WSGIDaemonProcess causes prob if this not outside
  WSGIDaemonProcess trac stack-size=524288 python-path=/usr/lib/python2.5/site-packages
  WSGIScriptAlias /trac /home/web/foo/parts/trac/tracwsgi/cgi-bin/trac.wsgi
  #changed from global
  WSGIProcessGroup trac
  WSGIApplicationGroup %{GLOBAL}

I’m not entirely sure I’ve really grasped your problem though. In
general, if you want a more complicated setup, I would suggest not
cramming everything into one apache config instance, but rather set
everything up as if you were setting up separate servers.

Then you’d have one apache in front, as reverse proxy, and
possibly doing url rewrite and/or ssl-proxy “acceleration” – and other
instances mounting up wsgi etc.

It might be more overhead, but a lot easier to manage (and scale out to
new servers).


Best regards,

-- 
 .---.  Eirik Schwenke <eirik.schwe...@nsd.uib.no>
( NSD ) Harald Hårfagresgate 29            Rom 150
 '---'  N-5007 Bergen            tlf: (555) 889 13

  GPG-key at pgp.mit.edu  Id 0x8AA3392C
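
The two-instance layout suggested in the message above, written out as an added example (not code from the original message or from the Trac project). It reuses the ports 8202 and 8001, the paths and the LDAP settings from the thread; the file names front.conf and trac.conf are assumptions, and module loading and filesystem access to the script directory are assumed to be configured elsewhere.

```apache
# ---- front.conf (assumed name): front instance, reverse proxy only ----
# No wsgi and no auth here. Basic credentials are only base64-encoded,
# so this vhost is also where TLS termination would be added.
<VirtualHost *:80>
  ServerName www.example.com

  ProxyRequests Off
  # Hand the original Host header to the backends so the URLs they
  # generate stay on www.example.com
  ProxyPreserveHost On

  # Longest prefix first: /trac goes to the Trac instance, the rest to plone
  ProxyPass        /trac http://127.0.0.1:8202/trac
  ProxyPassReverse /trac http://127.0.0.1:8202/trac
  ProxyPass        /     http://127.0.0.1:8001/
  ProxyPassReverse /     http://127.0.0.1:8001/
</VirtualHost>

# ---- trac.conf (assumed name): separate instance, wsgi + ldap ----
# Bound to loopback so Trac is only reachable through the front proxy.
Listen 127.0.0.1:8202
WSGIDaemonProcess trac stack-size=524288 python-path=/usr/lib/python2.5/site-packages

<VirtualHost 127.0.0.1:8202>
  WSGIScriptAlias /trac /home/web/foo/parts/trac/tracwsgi/cgi-bin/trac.wsgi
  WSGIProcessGroup trac
  WSGIApplicationGroup %{GLOBAL}

  # Authentication is enforced by the instance that serves Trac. The 401
  # challenge and the browser's Authorization header pass through the
  # front proxy unchanged.
  <Location /trac>
    AuthType Basic
    AuthName "Login"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://127.0.0.1:389/dc=foo-bar,dc=org?uid"
    AuthLDAPBindDN "cn=admin, dc=foo-bar, dc=org"
    AuthLDAPBindPassword secretword
    Require valid-user
  </Location>
</VirtualHost>
```

Because the bind password sits in trac.conf in cleartext, that file should be readable only by the account that starts the Trac instance.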
