I am not entirely sure one even needs an LDAP plugin with Trac. But there
must be a reason... I only post because we are using LDAP without a
plugin, and I am not trying to steal a thread; this may help the OP, or some
passerby:



*Apache SSL site/enable/vhost/whatever config (different on just about
every Linux distro...):*

# WSGI mysite Trac page here:
WSGIScriptAlias /mysite /data/trac/mysite/htdocs/mysite_init.wsgi
<Directory /data/trac/mysite/htdocs>
    # Apache rejects mixed "+/-" and bare option names, so both go on one line
    Options -Indexes +FollowSymLinks
    WSGIApplicationGroup %{GLOBAL}
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
# Only the login URL needs HTTP auth: Trac reads REMOTE_USER on that request
# and keeps the session in its own auth cookie afterwards. The path must sit
# under the WSGIScriptAlias mount point (/mysite here); if it does not,
# REMOTE_USER never reaches Trac and every user stays anonymous.
<Location /mysite/login>
    AuthType Basic
    AuthName "Mysite Authentication"
    AuthBasicProvider ldap
    # plain ldap:// sends the bind credentials in clear; use ldaps:// where the server supports it
    AuthLDAPURL "ldap://ldapserveraddress/dc=somedomain,dc=somedomain,dc=com?uid"
    AuthzLDAPAuthoritative off
    Require valid-user
    Allow from all
</Location>



*Special Trac configuration changes:*
Awesome... None!
Although we do use the built-in AuthzPolicy for added permission
capabilities.
And my apologies if I am entirely wrong. I am scanning through the trac.ini
now, while tilting back a few Pendleton drinks... But I do not see anything
standing out as LDAP under [components] or elsewhere.


And just for kicks, because we host many different instances of Trac, and
this may be useful info to some:
*/data/trac/mysite/htdocs/mysite_init.wsgi contents (referenced by the
Apache config above):*

import os
# Egg cache must be writable by the Apache user; plugins shipped as eggs need it.
os.environ['PYTHON_EGG_CACHE'] = '/data/trac/mysite/eggs'

import trac.web.main

def application(environ, start_response):
    # Point Trac at this instance's environment: one .wsgi file per instance,
    # each with its own env_path and its own WSGIScriptAlias in Apache.
    environ['trac.env_path'] = '/data/trac/mysite'
    return trac.web.main.dispatch_request(environ, start_response)


Hope this helps. Again, maybe not exactly what _you're_ aiming for in your
organization. I would know. We're all different. But I post just in case it's
useful.

Jason Miller
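The reason only /login needs Apache auth is that Trac's LoginModule reads REMOTE_USER on that one request and then carries the identity in its own auth cookie. As an added example (not Jason's or malek's code, and not Trac's own), here is a small probe that can wrap dispatch_request in the .wsgi file to confirm REMOTE_USER actually reaches the app, together with a constructed stand-in for the Apache <Location> rule that shows what happens when the protected path does not sit under the Trac mount point; the mount /mysite, the user jdoe and the LDAP user set are assumptions.

```python
import io

def remote_user_probe(app):
    """Wrap a WSGI app and log the path plus the REMOTE_USER Apache passed in.
    In mysite_init.wsgi this would wrap trac.web.main.dispatch_request; the
    line goes to environ['wsgi.errors'], which mod_wsgi routes to the Apache
    error log."""
    def wrapper(environ, start_response):
        path = environ.get('SCRIPT_NAME', '') + environ.get('PATH_INFO', '')
        environ['wsgi.errors'].write('%s REMOTE_USER=%r\n'
                                     % (path, environ.get('REMOTE_USER')))
        return app(environ, start_response)
    return wrapper

def fake_apache(mount, protected_location, ldap_users):
    """Constructed stand-in for the Apache config above (not real Apache):
    WSGIScriptAlias <mount> plus an LDAP Basic-auth <Location>. Returns a
    function that builds the environ mod_wsgi would hand to the app, or
    None when Apache itself rejects the request with 401."""
    def request(path, basic_user=None):
        # assumes path starts with mount, as it does for every Trac request
        environ = {'REQUEST_METHOD': 'GET', 'SCRIPT_NAME': mount,
                   'PATH_INFO': path[len(mount):], 'wsgi.errors': io.StringIO()}
        # Apache matches <Location> against the full URL path as a prefix.
        if path == protected_location or path.startswith(protected_location + '/'):
            if basic_user not in ldap_users:
                return None
            environ['REMOTE_USER'] = basic_user  # set only after LDAP auth succeeds
        return environ
    return request

def trac_like_login(environ, start_response):
    """Minimal model of Trac's LoginModule at /login: it trusts REMOTE_USER
    on that request; a login request without it stays 'anonymous'."""
    user = environ.get('REMOTE_USER') or 'anonymous'
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [user.encode()]

def who_logs_in(protected_location, user='jdoe'):
    """Which user Trac sees when `user` (sample LDAP account) opens
    /mysite/login behind the given <Location>; None = rejected by Apache."""
    apache = fake_apache('/mysite', protected_location, {'jdoe'})
    environ = apache('/mysite/login', basic_user=user)
    if environ is None:
        return None
    app = remote_user_probe(trac_like_login)
    body = app(environ, lambda status, headers: None)
    return b''.join(body).decode()
```

With a <Location> that matches the mount point the LDAP user arrives as jdoe; with a <Location> elsewhere (the '/moose/login' leftover in the original post) Apache never authenticates the login request and Trac serves it as anonymous.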




On Mon, Apr 1, 2013 at 4:06 PM, malek <malek.mus...@gmail.com> wrote:

> Hi,
>
> I have managed to get TRAC + APACHE + LDAP configured with our company's
> internal LDAP server for authenticating users,
> but am having an issue where users authenticated via LDAP are logged in as
> 'anonymous' users, instead of as TRAC_ADMIN.
> I have the LDAPPlugin module installed and set up in my trac.ini file,
> and I even gave LDAP users TRAC_ADMIN permissions via the trac-admin /env/
> permission add ldapuser1 TRAC_ADMIN command.
>
> One hack I implemented was providing anonymous user with TRAC_ADMIN
> permissions, and setting the login prompt before the actual page is loaded
> (e.g. at '/trac' location instead of '/trac/login/'), and so it seems it
> would be a permissible solution.
>
> I am using Trac 1.0 (and most of the previous discussions I have come
> across use version < 1.0, and since 1.0 has many of the plugins as part of
> the package, this process should be simpler than having to deal with extra
> packages, right?)
>
> Note I could not get the permission_store = LdapPermissionStore to work
> (not sure if this is required).
> Here is my trac.ini file:
>
> [trac]
> # remove 'No handler matched request error'
> #default_handler = WikiHandler
> auth_cookie_lifetime = 0
> auth_cookie_path =
> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
> authz_module_name =
> auto_preview_timeout = 2.0
> auto_reload = False
> backup_dir = db
> base_url =
> check_auth_ip = false
> database = sqlite:db/trac.db
> debug_sql = False
> default_charset = utf-8
> default_dateinfo_format = relative
> genshi_cache_size = 128
> htdocs_location =
> ignore_auth_case = false
> jquery_location =
> jquery_ui_location =
> jquery_ui_theme_location =
> mainnav = wiki, timeline, roadmap, browser, tickets, newticket, search
> metanav = login, logout, prefs, help, about
> mysqldump_path = mysqldump
> never_obfuscate_mailto = false
> # Original
> #permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
> permission_store = DefaultPermissionStore
> #permission_store  = LdapPermissionStore
> pg_dump_path = pg_dump
> repository_dir =
> repository_sync_per_request = (default)
> repository_type = svn
> resizable_textareas = true
> secure_cookies = False
> show_email_addresses = false
> show_ip_addresses = false
> timeout = 20
> use_base_url_for_redirect = False
>
>
> # Malek
> [components]
> talm_importer.importer.* = enabled
> trac.web.auth.LoginModule = disabled
> # Allow users to login via a HTML form instead of using HTTP authentication
> acct_mgr.web_ui.loginmodule = disabled
> acct_mgr.web_ui.registrationmodule = disabled
> acct_mgr.web_ui.AccountModule = enabled
> # allow user to reset password
> acct_mgr.notification.accountchangelistener = enabled
>
> *.webadmin = enabled
> # allow user to delete tickets
> ticketdelete.* = enabled
> ldapplugin.* = enabled
> ldapplugin.api.ldappermissiongroupprovider = enabled
> ldapplugin.api.ldappermissionstore = enabled
> ldapauth.* = enabled
> ldapauth.store.* = enabled
> ldapplugin.api.* = enabled
> acct_mgr.db.sessionstore = disabled
> # Authz Permission Policy
> tracopt.perm.authz_policy.* = enabled
>
>
> [authz_policy]
> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>
> [account-manager]
> # configure the plugin to use a page that is secured with http authentication
> authentication_url = /authFile
> password_store = HttpAuthStore
> reset_password = true
>
> # Note that authFile need not exist. See the HttpAuthStore link above for
> # examples where multiple Trac projects are hosted on a server.
>
> [mainnav]
> importer.label = Import Tickets
>
>
> [ldap]
> basedn        = ou=People,dc=isi,dc=usc,dc=edu
> #user_rdn      = cn=ExampleUserGroup,dc=example,dc=com
> host          = ld.isi.edu
> port          = 389
> enable        = true
> #bind_user     = mmusleh
> #bind_password = 2Jup@C*6Y3
> bind_passwd   = myverysecurepassword
> bind_user     = cn=proxy,dc=isi,dc=usc,dc=edu
> group_bind    = true
> group_rdn     = ou=groups
> groupmember   = memberUid
> groupname     = posixGroup
> groupmemberisdn = false
> # LDAP connection attempts
> attempts      = 3
> # for Active Directory put sAMAccountName
> user_filter   = uid
> #user_rdn      = ou=users
> user_rdn       = ou=People
> store_bind     = true
> uidattr       = cn
>
>
> Here is my authzpolicy.conf file:
>
> [wiki:WikiStart@*]
> * = WIKI_VIEW
>
> [wiki:PrivatePage@*]
> mmusleh = TRAC_ADMIN
> * = !WIKI_VIEW
>
> mmusleh           TRAC_ADMIN
> anonymous         !WIKI_VIEW
> # anonymous has no WIKI_VIEW
>
> Any help or direction would be appreciated.
>
> Malek
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Trac Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to trac-users+unsubscr...@googlegroups.com.
> To post to this group, send email to trac-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/trac-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.