The convention here is to post in-line or at the bottom (preferably in plain text) to make it easier to read, so I'll post below...
> On Tuesday, January 21, 2014 2:23:04 AM UTC-5, Cooke, Mark wrote:
> > > -----Original Message-----
> > > From: trac-...@googlegroups.com On Behalf Of Alan Frye
> > > Sent: 17 January 2014 23:44
> > >
> > > I am having the same issue. Were you able to get this issue resolved?
> >
> > It would probably be better to post your own configuration, your problems may well be rather different than from a 4-year-old post.
> >
> > I have AD authentication working for both trac and subversion (using apache httpd 2.2 and mod_wsgi on windoze server) so may be able to help out.
> >
> > ~ mark c
>
> -----Original Message-----
> From: Alan Frye [mailto:alf...@gmail.com]
> Sent: 21 January 2014 07:52
> To: trac-users@googlegroups.com
> Cc: sehra....@gmail.com; Cooke, Mark
> Subject: Re: [Trac] Re: Trac AD Authentication using Apache on Windows
>
> Marc thanks for the reply.
>
> Here is what I have in my http.conf file
>
> WSGIScriptAlias /trac C:\tracwsgi\cgi-bin\trac.wsgi
>
> <Directory C:\tracwsgi\cgi-bin>
>     WSGIApplicationGroup %{GLOBAL}
>     Order deny,allow
>     Allow from all
>
>     AuthType Basic
>     AuthLDAPURL "ldap://dc1.grace.local:389/DC=grace,DC=local?sAMAccountName?sub?(objectClass=user)"
>     AuthLDAPBindDN GRACE\\compadmin
>     AuthLDAPBindPassword password
>     AuthName "/trac"
>     AuthBasicProvider "ldap"
>     require valid-user
> </Directory>
>
> Also which plugins are you using in trac and what apache modules are you using

You do not give much info about how your server is configured (versions, platform, usage); is it just used for subversion / trac, for example?
Mine is (just about, I do run a few minor odds and ends but mostly as trac plugins), so I am using a stripped-down version with only 14 modules including SSL, subversion and AD stuff:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dav_module modules/mod_dav.so
LoadModule dir_module modules/mod_dir.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
# mod_wsgi module:-
LoadModule wsgi_module modules/mod_wsgi.so
# Subversion modules:-
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

I think I may even be able to remove a few more modules but I ran out of time... BTW this is httpd 2.2, mod_wsgi 3.3 on windoze server 2008.

As we use "Basic" authentication, usernames and passwords are sent in plain text, making SSL pretty much a requirement. We also use a rewrite rule to redirect non-SSL to SSL:

RewriteRule ^/(.*) https://my.server.net/$1 [R=permanent,L]

I then protect access to the whole server with a global authentication block:

#
# ALL access must be authenticated against AD...
#
<Location />
    Order allow,deny
    Allow from all

    # Require SSL for all paths (subject to minimum key strength)
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # The name of the protected area or "realm"
    AuthName "trac"

    # Do basic password authentication in the clear
    AuthType Basic

    # Make LDAP the authentication mechanism
    AuthBasicProvider ldap

    # Make LDAP authentication final
    AuthzLDAPAuthoritative on

    # The LDAP query URL ~ upgrading to a secure connection once connected...
    AuthLDAPURL "ldap://<server>:3268/DC=<>,DC=<>,DC=<>?sAMAccountName,mail?sub?(objectClass=*)" TLS

    # Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN "<user-id>@<domain>"

    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword <password>

    # Require a valid user (uses: mod_authz_user.so)
    #Require valid-user

    # Require specific LDAP membership (uses: mod_authnz_ldap.so)
    Require ldap-group CN=<>,OU=<>,OU=<>,DC=<>,DC=<>,DC=<>

    # Require specific LDAP user(s) (uses: mod_authnz_ldap.so)
    #Require ldap-user <user-id>
</Location>

Note the AuthLDAPURL specifies the user info to make available to mod_wsgi, username and email in this case (depending on your AD configuration). Also `:3268` searches the "global catalogue", useful if you have an AD forest rather than a single domain.

Then all I have for trac is:-

# =========================================================================== #
# ================================================================== Trac === #
# =========================================================================== #
#
# Trac is accessed using WSGI * per Department * ...
#
WSGIScriptAlias /dept1 D:/TRAC/apache/dept1.wsgi
WSGIScriptAlias /dept2 D:/TRAC/apache/dept2.wsgi

<Directory D:/TRAC/apache>
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>

One problem with this setup is that people cannot "log out" once connected, unless they close their browser. This is not usually a problem for us as people only use one AD user account...

There are various other configuration directives for configuring the LDAP cache and SSL etc but that is the main config. Let me know if you have any more specific questions...

~ Mark C
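As an added example (not code from the list posts or from the Trac project), a small Python parser for the AuthLDAPURL layout that both configurations in this thread use, with the checks a reviewer would run over such a URL; the host names and DNs in the sample inputs are constructed.

```python
"""Parse and sanity-check an Apache mod_authnz_ldap AuthLDAPURL.

Added example for this thread (not Trac project code or code from the posts);
host names and DNs in the sample inputs are constructed.
"""
from urllib.parse import unquote, urlsplit

GLOBAL_CATALOG_PORTS = {3268, 3269}  # AD forest-wide search ports (plain / LDAPS)


def parse_auth_ldap_url(url: str) -> dict:
    """Split the URL into the fields mod_authnz_ldap reads, applying its defaults."""
    parts = urlsplit(url.strip().strip('"'))
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # After the base DN come up to three '?'-separated fields.
    fields = parts.query.split("?", 2) if parts.query else []
    attrs, scope, filt = (fields + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        # Only the first attribute is used to find the user; any further ones
        # are exported to the application as AUTHENTICATE_<ATTR> variables.
        "attributes": [a for a in attrs.split(",") if a] or ["uid"],
        "scope": scope or "sub",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def review_auth_ldap_url(url: str, tls_keyword: bool = False) -> list:
    """Return reviewer notes for the URL; tls_keyword=True means the directive
    ends with the TLS keyword (upgrade to TLS after connecting, i.e. STARTTLS).
    """
    p = parse_auth_ldap_url(url)
    notes = []
    if p["scheme"] == "ldap" and not tls_keyword:
        notes.append("clear-text LDAP: user passwords and the bind password cross "
                     "the network unencrypted; use ldaps:// or append the TLS keyword")
    if p["port"] in GLOBAL_CATALOG_PORTS:
        notes.append(f"port {p['port']} is the global catalog: the search spans the forest")
    if p["attributes"][0] == "uid":
        notes.append("attribute 'uid' is the Apache default and is normally empty on "
                     "AD user objects; use sAMAccountName (or userPrincipalName)")
    if p["scope"] == "base":
        notes.append("scope 'base' is not supported; mod_authnz_ldap searches 'sub' instead")
    return notes
```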