Changes between Version 33 and Version 34 of AccountManagerPlugin/AuthStores
- Timestamp: May 9, 2016, 9:49:21 PM (8 years ago)
AccountManagerPlugin/AuthStores
v33 v34 1 1 [[PageOutline(2-5,Contents,pullout)]] 2 2 3 = Authentication modules for AccountManagerPlugin = 4 see !AccountManagerPlugin's [wiki:AccountManagerPlugin main page] 5 6 == !HtDigestStore == 3 = Authentication modules for AccountManagerPlugin 4 5 {{{#!box note 6 This page documents AccountManagerPlugin 0.4 and later with Trac 0.11 and later. If you are using older versions, please upgrade. 7 }}} 8 9 == !HtDigestStore 7 10 '''Package''':: acct_mgr.htfile 8 11 9 12 Used to store passwords in the htdigest file format. 10 13 11 '''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a bug using Python’s md5 module under mod_python (''"it has been reported that mod_python has trouble returning good MD5 strings. It has been speculated that this is because many apache mods are using the same md5 source (php and so forth), but this is not confirmed"''). If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386). 12 13 To use this component to manage your password file, you need to enable it as described above and add some additional configuration to [t:wiki:TracIni trac.ini]: 14 15 {{{ 16 #!ini 14 {{{#!box warn 15 This password method may not work with [TracModPython mod_python] due to a bug using Python’s md5 module under `mod_python`. It has been reported that `mod_python` has trouble returning good MD5 strings. It has been speculated that this is because many Apache mods are using the same md5 source (PHP and so forth), but this is not confirmed. If you experience problems try [TracFastCgi FastCGI], [wiki:TracModWSGI mod_wsgi], [TracStandalone tracd], or use md5crypt patch (#8386). 
16 }}} 17 18 To use this component to manage your password file, you need to enable it as described above and add some additional configuration to [TracIni trac.ini]: 19 20 {{{#!ini 17 21 [components] 18 22 ; be sure to enable the component … … 22 26 ; configure the plugin to store passwords in the htdigest format: 23 27 password_store = HtDigestStore 24 ; with Trac < 0.10 use this instead:25 password_format = htdigest26 28 27 29 ; the file where user accounts are stored 28 30 ; the webserver will need write permissions to this file 29 31 ; and its parent folder 30 ;password_file = /var/trac/trac.htdigest ; old style (acct_mgr < 0.4) 31 htdigest_file = /var/trac/trac.htdigest ; new style (acct_mgr >= 0.4) 32 htdigest_file = /var/trac/trac.htdigest 32 33 33 34 ; the name of the authentication “realm” … … 35 36 htdigest_realm = TracRealm 36 37 }}} 37 '''Note:''' `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant. 38 39 Recent changes: 40 * new 'htdigest_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4` 41 42 == !HtPasswdStore == 38 39 == !HtPasswdStore 43 40 '''Package''':: acct_mgr.htfile 44 41 45 42 Used to store passwords in the htpasswd file format. 46 43 47 '''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a bug using Python’s md5 module under mod_python. If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386). 48 49 To use this component to manage your password file you need to enable it as described above and add some additional configuration to [trac:TracIni trac.ini]: 50 51 {{{ 52 #!ini 44 {{{#!box warn 45 This password method may not work with [TracModPython mod_python] due to a bug using Python’s md5 module under mod_python. 
If you experience problems try [TracFastCgi FastCGI], [wiki:TracModWSGI mod_wsgi], [TracStandalone tracd], or use md5crypt patch (#8386). 46 }}} 47 48 To use this component to manage your password file you need to enable it as described above and add some additional configuration to [TracIni trac.ini]: 49 50 {{{#!ini 53 51 [components] 54 52 ; be sure to enable the component … … 58 56 ; configure the plugin to store passwords in the htpasswd format: 59 57 password_store = HtPasswdStore 60 ; with Trac < 0.10 use this instead:61 password_format = htpasswd62 58 ; optional hash type selection 63 59 htpasswd_hash_type = … … 66 62 ; the webserver will need write permissions to this file 67 63 ; and its parent folder 68 ;password_file = /var/trac/trac.htpasswd ; old style (acct_mgr < 0.4) 69 htpasswd_file = /var/trac/trac.htpasswd ; new style (acct_mgr >= 0.4) 70 71 }}} 72 '''Note:''' `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant. 73 74 Recent changes: 75 * new 'htpasswd_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4` 76 * 'htpasswd_hash_type' for hash type selection available since [9274] 77 * integration of popular sha512 hash type pending (see #8791, patch available) 78 * new 'htpasswd_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`. If upgrading from an earlier version, password file authentication will fail until the option name has been changed in the trac.ini file. 79 80 == !HttpAuthStore == 64 htpasswd_file = /var/trac/trac.htpasswd 65 66 }}} 67 68 == !HttpAuthStore 81 69 '''Package''':: acct_mgr.http 82 70 83 '''Note:''' This component requires Trac 0.10 or later84 85 71 Used to delegate authentication to the web server. This allows access to be restricted based on LDAP, a password file, etc, or some combination of them. 
86 72 87 Note: If you are using the WSGI Apache interpreter instead of mod_python (pretty much required if using RHEL6), it is difficult to get !HttpAuthStore to work with versions prior to acct_mgr-0.4. Upgrading is recommended.88 89 73 Note: This password store does not support listing/adding/removing users or changing passwords. 90 74 91 {{{ 92 #!ini 75 {{{#!ini 93 76 [components] 94 77 ; be sure to enable the component … … 102 85 103 86 This will generally be matched with an Apache config like: 104 {{{ 105 #!apache 87 {{{#!apache 106 88 <Location /authFile> 107 …HTTP authentication configuration…89 # HTTP authentication configuration… 108 90 Require valid-user 109 91 </Location> … … 111 93 112 94 The above example assumes that you are hosting a single Trac project. If hosting multiple Trac projects, you might use something like this in project1's trac.ini: 113 {{{ 114 #!ini 95 {{{#!ini 115 96 [account-manager] 116 97 ; configure the plugin to use a page that is secured with http authentication … … 120 101 121 102 This could then be matched with an Apache config like: 122 {{{ 123 #!apache 103 {{{#!apache 124 104 <LocationMatch ^/[^/]+/authFile$> 125 105 …HTTP authentication configuration… … … 127 107 </Location> 128 108 }}} 129 Note that, prior to acct_mgr-0.4, '''authFile''' had to actually exist in the filesystem, and be a file (not directory) that could be accessed via the ''authentication_url'' specification. This is no longer the case: '''authFile''' does not need to exist; but the Apache configuration '''must''' match the ''authentication_url'' setting. 130 131 '''IMPORTANT:''' Be sure to test your configuration by attempting a login with a valid user, and both a valid and '''invalid''' password to ensure that your Apache <Location> or <!LocationMatch> section is getting executed. If it is not, you will be able to log in with an invalid password. 
109 {{{#!box note 110 '''authFile''' does not need to exist; but the Apache configuration '''must''' match the ''authentication_url'' setting. 111 }}} 112 113 {{{#!box important 114 Be sure to test your configuration by attempting a login with a valid user, and both a valid and '''invalid''' password to ensure that your Apache `<Location>` or `<!LocationMatch>` section is getting executed. If it is not, you will be able to log in with an invalid password. 115 }}} 132 116 133 117 Note: If you are having trouble getting !HttpAuthStore to work, enable DEBUG-level logging, and check for !HttpAuthStore messages in your project's Trac log file. 134 118 135 == !SessionStore ==119 == !SessionStore 136 120 '''Package''':: acct_mgr.db 137 121 138 122 Stores password information in the trac database. This may give better behavior if you have large numbers of users and are finding errors due to write contention on the password file. You must enable one or other of the hash method components. !HtDigestHashMethod is the default. 
139 123 140 {{{ 141 #!ini 124 {{{#!ini 142 125 [components] 143 126 ; be sure to enable the component … … 157 140 }}} 158 141 159 Recent changes:160 * fixture to undesired option inheritance implementation available since [10494] for `acct_mgr-0.4`161 * 'db_htdigest_realm' Realm to select relevant htdigest db entries162 * 'db_htpasswd_hash_type' for hash type selection163 * `ResetPwStore`, a special `SessionStore` sharing configuration with it, see explanation of [wiki:AccountManagerPlugin/Modules#Lostpasswordprocedure 'lost password' procedure]164 165 142 For sample configuration settings see [wiki:CookBook/AccountManagerPluginConfiguration#SessionStore our cookbook] page 166 143 167 For historic background of this `IPasswordStore` implementation see: 168 http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html 169 170 == !SvnServePasswordStore == 144 For historic background of this `IPasswordStore` implementation see the [http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html mailing list]. 145 146 == !SvnServePasswordStore 171 147 '''Package''':: acct_mgr.svnserve 172 148 173 149 Allows Trac to use SVN users (may be in addition to Trac users). SVN server configuration option should be "svnserve". For more information, read chapter 6 of [http://svnbook.red-bean.com/ SVN book]. 174 150 175 {{{ 176 #!ini 151 {{{#!ini 177 152 [components] 178 153 ; be sure to enable the component … … 191 166 }}} 192 167 193 NB : `password_file` points to a file which defines users/passwords this way : `user = password` 194 195 == LDAP ==168 `password_file` points to a file which defines users/passwords this way : `user = password`. 169 170 == LDAP 196 171 '''Package''':: acct_mgr.adauth 197 172 Allows authentication against most LDAP based directories including Active Directory. See DirectoryAuthPlugin for details. 
… … 210 185 * #1600, a spin-off of LdapPlugin, that we may add some day (needed preparation done, see #1602) 211 186 212 == Other sources ==187 == Other sources 213 188 There are a number of other implementations of `IPasswordStore` like the LDAP authentication plugins mentioned above, here at t-h.o and elsewhere on the web. 214 189
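Review bot: In the multi-project Apache example under HttpAuthStore (new lines 104-107), the block opens with `<LocationMatch ^/[^/]+/authFile$>` but still closes with `</Location>`, and Apache rejects a mismatched closing tag. Its placeholder `…HTTP authentication configuration…` was also left as bare text, while the single-project example now has it as a comment (`# HTTP authentication configuration…`). Since the important box directly below warns that a section which is not executed lets an invalid password log in, the sample should be copy-safe: close it with `</LocationMatch>` and comment the placeholder in both examples.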
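Review bot: In the new important box under HttpAuthStore (new line 114), `<!LocationMatch>` now sits inside backticks, where the `!` CamelCase escape is not interpreted and will be shown literally. Write `<LocationMatch>` there so the directive name a reader copies is the real one.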
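Review bot: The lines removed under HtDigestStore and HtPasswdStore (the "old style"/"new style" comments and the "Recent changes" lists) were where the page said that `htdigest_file` and `htpasswd_file` replaced `password_file`, and that password file authentication fails after an upgrade until the option is renamed in trac.ini. The new note box at the top tells users of older versions to upgrade, so those readers are the ones who need the rename hint. Suggest keeping one sentence about it, either in the note box or next to each `*_file` option.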
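Review bot: In the SvnServePasswordStore sentence about `password_file` (new line 168), the format is given as `user = password`, which means the file holds passwords in clear text. Unlike the htdigest and htpasswd sections, there is no remark on who needs access to it. Suggest adding a sentence that the file should be readable only by the accounts that run svnserve and the web server. The stray space in `this way :` can be dropped in the same edit.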
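Review bot: In the SessionStore section, the removed "Recent changes" list (old lines 159-163) is the only place in the lines shown that names `ResetPwStore` and links to the 'lost password' procedure, and the only place that describes `db_htdigest_realm` and `db_htpasswd_hash_type`. If the elided configuration block does not already cover them, keep the `ResetPwStore` cross-reference as a plain sentence after the sample configuration rather than dropping it with the changelog.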