Changes between Version 33 and Version 34 of AccountManagerPlugin/AuthStores


Timestamp:
May 9, 2016, 9:49:21 PM (8 years ago)
Author:
Ryan J Ollos
Comment:

Remove obsolete information.

  • AccountManagerPlugin/AuthStores

    v33 v34  
    11[[PageOutline(2-5,Contents,pullout)]]
    22
    3 = Authentication modules for AccountManagerPlugin =
    4  see !AccountManagerPlugin's [wiki:AccountManagerPlugin main page]
    5 
    6 == !HtDigestStore ==
     3= Authentication modules for AccountManagerPlugin
     4
     5{{{#!box note
     6This page documents AccountManagerPlugin 0.4 and later with Trac 0.11 and later. If you are using older versions, please upgrade.
     7}}}
     8
     9== !HtDigestStore
    710 '''Package''':: acct_mgr.htfile
    811
    912Used to store passwords in the htdigest file format.
    1013
    11 '''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a  bug using Python’s md5 module under mod_python (''"it has been reported that mod_python has trouble returning good MD5 strings. It has been speculated that this is because many apache mods are using the same md5 source (php and so forth), but this is not confirmed"'').  If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386).
    12 
    13 To use this component to manage your password file, you need to enable it as described above and add some additional configuration to [t:wiki:TracIni trac.ini]:
    14 
    15 {{{
    16 #!ini
     14{{{#!box warn
     15This password method may not work with [TracModPython mod_python] due to a  bug using Python’s md5 module under `mod_python`. It has been reported that `mod_python` has trouble returning good MD5 strings. It has been speculated that this is because many Apache mods are using the same md5 source (PHP and so forth), but this is not confirmed.  If you experience problems try [TracFastCgi FastCGI], [wiki:TracModWSGI mod_wsgi], [TracStandalone tracd], or use md5crypt patch (#8386).
     16}}}
     17
     18To use this component to manage your password file, you need to enable it as described above and add some additional configuration to [TracIni trac.ini]:
     19
     20{{{#!ini
    1721[components]
    1822; be sure to enable the component
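Review bot: old line 4, the link back to the AccountManagerPlugin main page, is removed at the top of this hunk although it is navigation rather than version-specific information, so it does not fit a commit described as removing obsolete information; consider keeping it under the new heading. In the rewritten warning box (new line 15) the `t:` prefix is dropped from the TracModPython, TracFastCgi and TracStandalone links while `[wiki:TracModWSGI mod_wsgi]` keeps an explicit `wiki:` prefix; confirm that all four still resolve on this wiki and use one link form.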
     
    2226; configure the plugin to store passwords in the htdigest format:
    2327password_store = HtDigestStore
    24 ; with Trac < 0.10 use this instead:
    25 password_format = htdigest
    2628
    2729; the file where user accounts are stored
    2830; the webserver will need write permissions to this file
    2931; and its parent folder
    30 ;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
    31 htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)
     32htdigest_file = /var/trac/trac.htdigest
    3233
    3334; the name of the authentication “realm”
     
    3536htdigest_realm = TracRealm
    3637}}}
    37 '''Note:''' `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.
    38 
    39 Recent changes:
    40  * new 'htdigest_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`
    41 
    42 == !HtPasswdStore ==
     38
     39== !HtPasswdStore
    4340 '''Package''':: acct_mgr.htfile
    4441
    4542Used to store passwords in the htpasswd file format.
    4643
    47 '''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a bug using Python’s md5 module under mod_python.  If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386).
    48 
    49 To use this component to manage your password file you need to enable it as described above and add some additional configuration to [trac:TracIni trac.ini]:
    50 
    51 {{{
    52 #!ini
     44{{{#!box warn
     45This password method may not work with [TracModPython mod_python] due to a bug using Python’s md5 module under mod_python.  If you experience problems try [TracFastCgi FastCGI], [wiki:TracModWSGI mod_wsgi], [TracStandalone tracd], or use md5crypt patch (#8386).
     46}}}
     47
     48To use this component to manage your password file you need to enable it as described above and add some additional configuration to [TracIni trac.ini]:
     49
     50{{{#!ini
    5351[components]
    5452; be sure to enable the component
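Review bot: the HtPasswdStore warning box at new line 45 writes mod_python as plain text, while the HtDigestStore box rewritten in the same change (new line 15) puts `mod_python` in code formatting; use the same markup in both boxes.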
     
    5856; configure the plugin to store passwords in the htpasswd format:
    5957password_store = HtPasswdStore
    60 ; with Trac < 0.10 use this instead:
    61 password_format = htpasswd
    6258; optional hash type selection
    6359htpasswd_hash_type =
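Review bot: `htpasswd_hash_type =` at new line 59 is left empty with only the comment "optional hash type selection", and the visible lines do not say which values the option accepts or what an empty value selects. Since this option decides how passwords are hashed in the htpasswd file, list the accepted values and the default next to it.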
     
    6662; the webserver will need write permissions to this file
    6763; and its parent folder
    68 ;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
    69 htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)
    70 
    71 }}}
    72 '''Note:''' `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.
    73 
    74 Recent changes:
    75  * new 'htpasswd_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`
    76  * 'htpasswd_hash_type' for hash type selection available since [9274]
    77  * integration of popular sha512 hash type pending (see #8791, patch available)
    78  * new 'htpasswd_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`. If upgrading from an earlier version, password file authentication will fail until the option name has been changed in the trac.ini file.
    79 
    80 == !HttpAuthStore ==
     64htpasswd_file = /var/trac/trac.htpasswd
     65
     66}}}
     67
     68== !HttpAuthStore
    8169 '''Package''':: acct_mgr.http
    8270
    83 '''Note:''' This component requires Trac 0.10 or later
    84 
    8571Used to delegate authentication to the web server.  This allows access to be restricted based on LDAP, a password file, etc, or some combination of them.
    8672
    87 Note: If you are using the WSGI Apache interpreter instead of mod_python (pretty much required if using RHEL6), it is difficult to get !HttpAuthStore to work with versions prior to acct_mgr-0.4. Upgrading is recommended.
    88 
    8973Note: This password store does not support listing/adding/removing users or changing passwords.
    9074
    91 {{{
    92 #!ini
     75{{{#!ini
    9376[components]
    9477; be sure to enable the component
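Review bot: old line 78 in the removed "Recent changes" list is operational guidance rather than history: it says that after upgrading, password file authentication fails until `password_file` is renamed to `htpasswd_file` in trac.ini. The new note box at the top of the page tells users of older versions to upgrade, so keep one sentence about the rename here, and the matching one for `htdigest_file` in the HtDigestStore section. New line 65 also leaves a blank line before the closing `}}}` of the ini block.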
     
    10285
    10386This will generally be matched with an Apache config like:
    104 {{{
    105 #!apache
     87{{{#!apache
    10688<Location /authFile>
    107    HTTP authentication configuration…
     89   # HTTP authentication configuration…
    10890   Require valid-user
    10991</Location>
     
    11193
    11294The above example assumes that you are hosting a single Trac project. If hosting multiple Trac projects, you might use something like this in project1's trac.ini:
    113 {{{
    114 #!ini
     95{{{#!ini
    11596[account-manager]
    11697; configure the plugin to use a page that is secured with http authentication
     
    120101
    121102This could then be matched with an Apache config like:
    122 {{{
    123 #!apache
     103{{{#!apache
    124104<LocationMatch ^/[^/]+/authFile$>
    125105   …HTTP authentication configuration…
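Review bot: new line 105 still carries the bare `…HTTP authentication configuration…` placeholder, while the same placeholder in the single-project block was turned into a `#` comment at new line 89. Comment this one as well so both Apache examples are consistent when copied.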
     
    127107</Location>
    128108}}}
    129 Note that, prior to acct_mgr-0.4, '''authFile''' had to actually exist in the filesystem, and be a file (not directory) that could be accessed via the ''authentication_url'' specification. This is no longer the case: '''authFile''' does not need to exist; but the Apache configuration '''must''' match the ''authentication_url'' setting.
    130 
    131 '''IMPORTANT:''' Be sure to test your configuration by attempting a login with a valid user, and both a valid and '''invalid''' password to ensure that your Apache <Location> or <!LocationMatch> section is getting executed. If it is not, you will be able to log in with an invalid password.
     109{{{#!box note
     110'''authFile''' does not need to exist; but the Apache configuration '''must''' match the ''authentication_url'' setting.
     111}}}
     112
     113{{{#!box important
     114Be sure to test your configuration by attempting a login with a valid user, and both a valid and '''invalid''' password to ensure that your Apache `<Location>` or `<!LocationMatch>` section is getting executed. If it is not, you will be able to log in with an invalid password.
     115}}}
    132116
    133117Note: If you are having trouble getting !HttpAuthStore to work, enable DEBUG-level logging, and check for !HttpAuthStore messages in your project's Trac log file.
    134118
    135 == !SessionStore ==
     119== !SessionStore
    136120 '''Package''':: acct_mgr.db
    137121
    138122Stores password information in the trac database. This may give better behavior if you have large numbers of users and are finding errors due to write contention on the password file. You must enable one or other of the hash method components. !HtDigestHashMethod is the default.
    139123
    140 {{{
    141 #!ini
     124{{{#!ini
    142125[components]
    143126; be sure to enable the component
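Review bot: in the new "important" box at new line 114, `<!LocationMatch>` now sits inside backticks, where the `!` that suppressed CamelCase linking in plain wiki text is rendered verbatim; write `<LocationMatch>` there. The Apache example that ends at new line 107 also still closes with `</Location>` although new line 104 opens it as `<LocationMatch ...>`; change the closing tag to `</LocationMatch>` while this section is being edited.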
     
    157140}}}
    158141
    159 Recent changes:
    160  * fixture to undesired option inheritance implementation available since [10494] for `acct_mgr-0.4`
    161   * 'db_htdigest_realm' Realm to select relevant htdigest db entries
    162   * 'db_htpasswd_hash_type' for hash type selection
    163  * `ResetPwStore`, a special `SessionStore` sharing configuration with it, see explanation of [wiki:AccountManagerPlugin/Modules#Lostpasswordprocedure 'lost password' procedure]
    164 
    165142For sample configuration settings see [wiki:CookBook/AccountManagerPluginConfiguration#SessionStore our cookbook] page
    166143
    167 For historic background of this `IPasswordStore` implementation see:
    168   http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html
    169 
    170 == !SvnServePasswordStore ==
     144For historic background of this `IPasswordStore` implementation see the [http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html mailing list].
     145
     146== !SvnServePasswordStore
    171147 '''Package''':: acct_mgr.svnserve
    172148
    173149Allows Trac to use SVN users (may be in addition to Trac users). SVN server configuration option should be "svnserve". For more information, read chapter 6 of [http://svnbook.red-bean.com/ SVN book].
    174150
    175 {{{
    176 #!ini
     151{{{#!ini
    177152[components]
    178153; be sure to enable the component
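Review bot: the removed "Recent changes" list at old lines 160-163 names `db_htdigest_realm`, `db_htpasswd_hash_type` and `ResetPwStore`, which are option and component descriptions rather than history. Check that they are still documented in the sample block above or on the cookbook page before dropping them. The new link label "mailing list" at new line 144 is also vague; name the thread or the list in the label.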
     
    191166}}}
    192167
    193 NB : `password_file` points to a file which defines users/passwords this way : `user = password`
    194 
    195 == LDAP ==
     168`password_file` points to a file which defines users/passwords this way : `user = password`.
     169
     170== LDAP
    196171 '''Package''':: acct_mgr.adauth
    197172Allows authentication against most LDAP based directories including Active Directory.  See DirectoryAuthPlugin for details.
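Review bot: new line 168 documents a `user = password` file format, which reads as passwords kept in clear text, but the sentence does not say so. State it explicitly and mention that the file should be readable only by the accounts that need it. The stray space before the colon in "this way :" can be dropped at the same time.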
     
    210185 * #1600, a spin-off of LdapPlugin, that we may add some day (needed preparation done, see #1602)
    211186
    212 == Other sources ==
     187== Other sources
    213188There are a number of other implementations of `IPasswordStore` like the LDAP authentication plugins mentioned above, here at t-h.o and elsewhere on the web.
    214189