Noah Kantrowitz wrote on 14 Sep. 2010 19:51:
>> -----Original Message-----
>> From: trac-users@googlegroups.com [mailto:trac-us...@googlegroups.com]
>> On Behalf Of Jon Hadley
>> Sent: Tuesday, September 14, 2010 12:41 AM
>> To: trac-users@googlegroups.com
>> Subject: [Trac] Trac + Ldap - Restricted mode error
>>
>> I'm trying to setup Trac, using mod_wsgi, LDAP and a xml theming proxy
>> called collective.xdv.
>> (...)
>>
>> 2) LDAP on Trac only works via port 8202, not via 8022. Fairly
>> obviously because that's where the rule is set-up. But the rest of the
>> site on 8022 doesn't need to be LDAP protected. How do I apply the
>> LDAP authentication behind the proxy? Can the proxy somehow inherit
>> the authentication rule when Trac is requested? (More detail regarding
>> this problem is also here: http://serverfault.com/questions/180845 )
>
> To answer #2, HTTP authentication is a local system only, it does not
> work with proxies like that.
>
I first thought you wanted the following:

                              ,-------- ldap auth -- < trac
user <- (xml theme proxy ) <
                              '-------- cms website

In addition, you want to map /trac into the url-space under your other
site, so that:

1: All requests arrive at www.example.com
2: All requests are transformed/formatted by the xml proxy
3: A URL starting with /trac:
   1: should be served from the trac instance
   2: should be authenticated via ldap

However, as far as I can tell collective.xdv is just a post-hook for
plone? So "all" you want is to have separate mapping of /trac, and
everything else, going through an apache server, with the /trac part
authenticated by ldap?

Should be as easy as:

<VirtualHost www.example.com>
  ServerName www.example.com
  ProxyRequests Off

  # Do not proxy /trac using mod_proxy_http, use wsgi
  # (which is a kind of reverse proxy)
  ProxyPass /trac !

  <Location /trac>
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Login"
    AuthLDAPURL "ldap://127.0.0.1:389/dc=foo-bar,dc=org?uid"
    AuthLDAPBindDN "cn=admin, dc=foo-bar, dc=org"
    AuthLDAPBindPassword secretword
    require valid-user
  </Location>

  <Location />
    # Assuming you've got plone running on port 8001
    # (ProxyPass takes a full URL, scheme included)
    ProxyPass http://127.0.0.1:8001/
    ProxyPassReverse http://127.0.0.1:8001/
  </Location>
</VirtualHost>

# WSGIDaemonProcess causes prob if this not outside
WSGIDaemonProcess trac stack-size=524288 python-path=/usr/lib/python2.5/site-packages
WSGIScriptAlias /trac /home/web/foo/parts/trac/tracwsgi/cgi-bin/trac.wsgi
WSGIProcessGroup trac
# changed from global
WSGIApplicationGroup %{GLOBAL}

I'm not entirely sure I've really grasped your problem though. In
general, if you want a more complicated setup, I would suggest not
cramming everything into one apache config instance, but rather set
everything up as if you were setting up separate servers. Then you'd
have one apache in front, as reverse proxy, and possibly doing url
rewrite and/or ssl-proxy "acceleration" – and other instances mounting
up wsgi etc.
It might be more overhead, but a lot easier to manage (and scale out to
new servers).

Best regards,

-- 
 .---.  Eirik Schwenke <eirik.schwe...@nsd.uib.no>
( NSD ) Harald Hårfagresgate 29            Rom 150
 '---'  N-5007 Bergen            tlf: (555) 889 13

  GPG-key at pgp.mit.edu  Id 0x8AA3392C
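
Added example, not part of the message above and not code from the Trac or Apache projects: a Python check, run from outside, that the layout described in the message holds, i.e. unauthenticated requests under /trac get a Basic challenge while / stays public. The Trac sub-paths probed and all function names are assumptions; www.example.com is the placeholder host from the message.

```python
"""Added example: probe where the front Apache enforces authentication."""
import sys
import urllib.error
import urllib.request


def probe(url):
    """Return (status, WWW-Authenticate header) for an unauthenticated GET."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return err.code, err.headers.get("WWW-Authenticate", "")


def audit(base, protected=("/trac", "/trac/login", "/trac/wiki"),
          public=("/",), fetch=probe):
    """Return a list of findings; an empty list means the boundary holds.

    The default paths are assumptions; pass the ones your site serves.
    """
    findings = []
    base = base.rstrip("/")
    if base.startswith("http://"):
        # Basic auth only base64-encodes the password, so it needs TLS in front.
        findings.append("Basic credentials would cross %s unencrypted" % base)
    for path in protected:
        status, challenge = fetch(base + path)
        if status != 401:
            findings.append("%s answered %d without credentials" % (path, status))
        elif not challenge.lower().startswith("basic"):
            findings.append("%s challenges with %r, not Basic" % (path, challenge))
    for path in public:
        status, _ = fetch(base + path)
        if status == 401:
            findings.append("%s demands a login but should be public" % path)
    return findings


if __name__ == "__main__":
    # Placeholder host taken from the message; pass the real base URL as argv[1].
    problems = audit(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com")
    print("\n".join(problems) or "auth boundary matches the intended layout")
    sys.exit(1 if problems else 0)
```

The exit status is non-zero when any finding is reported, so the check can run after each change to the Apache configuration.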