I am not entirely sure one even needs an LDAP plugin with Trac. But, there must be a reason... I only post because we are using LDAP without a plugin, and, not trying to steal a thread, this may help the OP, or some passerby:

*Apache SSL site/enable/vhost/whatever config (different on just about every Linux distro...):*

    # WSGI mysite Trac page here:
    WSGIScriptAlias /mysite /data/trac/mysite/htdocs/mysite_init.wsgi
    <Directory /data/trac/mysite/htdocs>
        Options -Indexes
        WSGIApplicationGroup %{GLOBAL}
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Allow from all
    </Directory>
    # The login path has to sit under the WSGIScriptAlias prefix above
    <Location '/mysite/login'>
        AuthType Basic
        AuthName "Mysite Authentication"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldapserveraddress/dc=somedomain,dc=somedomain,dc=com?uid"
        AuthzLDAPAuthoritative off
        require valid-user
        Allow from all
    </Location>

*Special Trac configuration changes:*

Awesome... None! Although, we do use the built-in AuthzPolicy for added permission capabilities.

And my apologies if I am entirely wrong. I am scanning through the trac.ini now, while tilting back a few Peldelton drinks... But I do not see anything standing out as LDAP under [components] or elsewhere.

And just for kicks, because we host many different instances of Trac, and this may be useful info to some:

*/data/trac/mysite/htdocs/mysite_init.wsgi contents (referenced by the Apache config above):*

    import os

    # Set the egg cache location before Trac is imported
    os.environ['PYTHON_EGG_CACHE'] = '/data/trac/mysite/eggs'

    import trac.web.main

    def application(environ, start_response):
        # Point this WSGI application at its Trac environment
        environ['trac.env_path'] = '/data/trac/mysite'
        return trac.web.main.dispatch_request(environ, start_response)

Hope this helps. Again, maybe not exactly what _you're_ aiming for in your organization. I would know. We're all different. But I post just in case it's useful.

Jason Miller

On Mon, Apr 1, 2013 at 4:06 PM, malek <malek.mus...@gmail.com> wrote:

> Hi,
>
> I have managed to get TRAC + APACHE + LDAP configured with our company's
> internal ldap server for authenticating users,
> but am having an issue where users authenticated via LDAP are logged in as
> 'anonymous' users, instead of as TRAC_ADMIN.
> I have the LDAPPlugin module installed, and set up in my trac.ini file,
> and I even gave ldap users TRAC_ADMIN permissions via the trac-admin /env/
> permission add ldapuser1 TRAC_ADMIN command.
>
> One hack I implemented was providing anonymous user with TRAC_ADMIN
> permissions, and setting the login prompt before the actual page is loaded
> (e.g. at '/trac' location instead of '/trac/login/'), and so it seems it
> would be a permissible solution.
>
> I am using trac 1.0 (and most of the previous discussions I have come
> across use version < 1.0), and since 1.0 has many of the plugins as part of
> the package, this process should be simpler than having to deal with extra
> packages, right?
>
> Note I could not get the permission_store = LdapPermissionStore to work
> (not sure if this is required)
> Here is my trac.ini file:
>
> [trac]
> # remove 'No handler matched request error'
> #default_handler = WikiHandler
> auth_cookie_lifetime = 0
> auth_cookie_path =
> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
> authz_module_name =
> auto_preview_timeout = 2.0
> auto_reload = False
> backup_dir = db
> base_url =
> check_auth_ip = false
> database = sqlite:db/trac.db
> debug_sql = False
> default_charset = utf-8
> default_dateinfo_format = relative
> genshi_cache_size = 128
> htdocs_location =
> ignore_auth_case = false
> jquery_location =
> jquery_ui_location =
> jquery_ui_theme_location =
> mainnav = wiki, timeline, roadmap, browser, tickets, newticket, search
> metanav = login, logout, prefs, help, about
> mysqldump_path = mysqldump
> never_obfuscate_mailto = false
> # Original
> #permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_store = DefaultPermissionStore
> #permission_store = LdapPermissionStore
> pg_dump_path = pg_dump
> repository_dir =
> repository_sync_per_request = (default)
> repository_type = svn
> resizable_textareas = true
> secure_cookies = False
> show_email_addresses = false
> show_ip_addresses = false
> timeout = 20
> use_base_url_for_redirect = False
>
>
> # Malek
> [components]
> talm_importer.importer.* = enabled
> trac.web.auth.LoginModule = disabled
> # Allow users to login via a HTML form instead of using HTTP authentication
> acct_mgr.web_ui.loginmodule = disabled
> acct_mgr.web_ui.registrationmodule = disabled
> acct_mgr.web_ui.AccountModule = enabled
> acct_mgr.notification.accountchangelistener = enabled # allow user to reset password
>
> *.webadmin = enabled
> ticketdelete.* = enabled # allow user to delete tickets
> ldapplugin.* = enabled
> ldapplugin.api.ldappermissiongroupprovider = enabled
> ldapplugin.api.ldappermissionstore = enabled
> ldapauth.* = enabled
> ldapauth.store.* = enabled
> ldapplugin.api.* = enabled
> acct_mgr.db.sessionstore = disabled
> # Authz Permission Policy
> tracopt.perm.authz_policy.* = enabled
>
>
> [authz_policy]
> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>
> [account-manager]
> #; configure the plugin to use a page that is secured with http authentication
> authentication_url = /authFile
> password_store = HttpAuthStore
> reset_password = true
>
> # Note that authFile need not exist. See the HttpAuthStore link above for
> # examples where multiple Trac projects are hosted on a server.
>
> [mainnav]
> importer.label = Import Tickets
>
>
> [ldap]
> basedn = ou=People,dc=isi,dc=usc,dc=edu
> #user_rdn = cn=ExampleUserGroup,dc=example,dc=com
> host = ld.isi.edu
> port = 389
> enable = true
> #bind_user = mmusleh
> #bind_password = 2Jup@C*6Y3
> bind_passwd = myverysecurepassword
> bind_user = cn=proxy,dc=isi,dc=usc,dc=edu
> group_bind = true
> group_rdn = ou=groups
> groupmember = memberUid
> groupname = posixGroup
> groupmemberisdn = false
> attempts = 3 (LDAP connection attempts).
> user_filter = uid (for Active Directory put sAMAccountName)
> #user_rdn = ou=users
> user_rdn = ou=People
> store_bind = true
> uidattr = cn
>
>
> Here is my authzpolicy.conf file:
>
> [wiki:WikiStart@*]
> * = WIKI_VIEW
>
> [wiki:PrivatePage@*]
> mmusleh = TRAC_ADMIN
> * = !WIKI_VIEW
>
> mmusleh TRAC_ADMIN
> anonymous !WIKI_VIEW
> # anonymous has no WIKI_VIEW
>
> Any help or direction would be appreciated.
>
> Malek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Trac Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to trac-users+unsubscr...@googlegroups.com.
> To post to this group, send email to trac-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/trac-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
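
An added example, not part of either message and not Trac's or any plugin's own code: a small trac.ini audit for the setup discussed in this thread, where Apache authenticates against LDAP and Trac is expected to pick up the resulting REMOTE_USER. The function names, finding labels and the sample host values are hypothetical, the [components] matching is a simplified longest-rule-wins model, and the check assumes no authenticator other than the two login modules named in the quoted config is installed.

```python
import configparser

# Constructed excerpt modelled on the trac.ini quoted above (placeholder values).
SAMPLE_INI = """
[trac]
secure_cookies = False
[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.loginmodule = disabled
ldapplugin.* = enabled
[ldap]
port = 389
bind_user = cn=proxy,dc=example,dc=org
bind_passwd = placeholder-secret
"""

LOGIN_MODULES = ("trac.web.auth.loginmodule", "acct_mgr.web_ui.loginmodule")

def is_enabled(rules, name, default):
    """Longest matching [components] rule wins; 'pkg.*' matches a prefix."""
    best, state = -1, default
    for pattern, value in rules.items():
        prefix = pattern[:-1] if pattern.endswith(".*") else None
        hit = name.startswith(prefix) if prefix else name == pattern
        if hit and len(pattern) > best:
            best, state = len(pattern), value.strip().lower() in ("enabled", "on")
    return state

def audit(ini_text):
    """Return finding labels for auth-related weaknesses in a trac.ini."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(ini_text)  # option names are lower-cased by configparser
    rules = dict(cfg["components"]) if cfg.has_section("components") else {}
    findings = []
    # Assumption: trac.* is on unless disabled; plugin modules need an explicit rule.
    if not any(is_enabled(rules, m, m.startswith("trac.")) for m in LOGIN_MODULES):
        findings.append("no-login-module")  # nothing reads Apache's REMOTE_USER
    if not cfg.getboolean("trac", "secure_cookies", fallback=False):
        findings.append("insecure-auth-cookie")  # auth cookie not limited to HTTPS
    if cfg.get("ldap", "bind_passwd", fallback=""):
        findings.append("plaintext-bind-password")  # restrict file perms, rotate if shared
    if cfg.get("ldap", "port", fallback="") == "389":
        findings.append("ldap-port-389")  # cleartext bind unless StartTLS is used
    return findings
```

With both login modules disabled no component turns the Apache-authenticated user into a Trac session, so granting TRAC_ADMIN to `anonymous` as a workaround hands admin rights to every unauthenticated visitor.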