Changes between Version 22 and Version 23 of AccountManagerPlugin/Modules
Timestamp: Apr 3, 2016, 10:19:17 AM (8 years ago)
AccountManagerPlugin/Modules
v22 v23 1 1 [[PageOutline(2-5,Contents,pullout)]] 2 2 3 == !AccountManager == 3 == !AccountManager 4 4 5 '''Package''':: acct_mgr.api 5 6 6 This holds core code of this plugin. 7 This holds core code of this plugin. This component ''must'' be enabled to use any of the other components. 7 8 8 9 Additionally one or more sources for storing authentication information are required: … … 18 19 ---- 19 20 20 == !AccountManagerAdminPanel ^note1^ == 21 == !AccountManagerAdminPanel ^note1^ 22 21 23 '''Package''':: acct_mgr.admin 22 24 23 25 This component adds a whole new section with a couple of pages to the trac:WebAdmin section for managing user accounts: 24 * admin/accounts/config - basic configuration, i.e.!AuthStore activation and ordering26 * admin/accounts/config - basic configuration, such as !AuthStore activation and ordering 25 27 * admin/accounts/notification - !AccountManager change notification settings 26 * admin/accounts/users - user account listing with some management functions , i.e.28 * admin/accounts/users - user account listing with some management functions: 27 29 * add/delete accounts 28 30 * change password and other account attributes 29 31 * reset password similar to the 'lost password', but triggered by admin (since acct_mgr-0.3) 30 32 * review account details (since acct_mgr-0.3) 31 * review and erase entries of Trac d btable `session_attribute` (since acct_mgr-0.4) ^note2^33 * review and erase entries of Trac database table `session_attribute` (since acct_mgr-0.4) ^note2^ 32 34 33 35 '''^note1^''' In version acct_mgr-0.3, module name was !AccountManagerAdminPage. 
If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.[[BR]] 34 '''^note2^''' Requires `ACCTMGR_ADMIN` or `TRAC_ADMIN`, but handle with ''extreme care'' anyway - no problem to shoot yourself in the foot by i.e. deleting your own `SessionStore` admin password. So double-check and think twice, and especially have a current, working Trac dbbackup before starting cleanup here.36 '''^note2^''' Requires `ACCTMGR_ADMIN` or `TRAC_ADMIN`, but ''handle with care'' anyway - no problem to shoot yourself in the foot by deleting your own `SessionStore` admin password. So double-check, and especially have a current, working Trac database backup before starting cleanup here. 35 37 36 38 [[Image(AccountManagerPlugin:account-manager-admin_v0.4.png)]] … … 41 43 `ACCTMGR_USER_ADMIN` :: permission to see and use most other admin pages of this plugin except the cleanup (button <Review account attributes>) 42 44 43 === Configuration ===44 {{{ 45 #!cfg 45 === Configuration 46 47 {{{#!ini 46 48 [components] 47 49 acct_mgr.admin.AccountManagerAdminPanel = enabled 48 50 }}} 49 '''NOTE:''' If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.50 51 51 === Compatibility === 52 requires Trac >= 0.10 52 '''Note:''' If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`. 
53 54 === Compatibility 55 56 Requires Trac >= 0.10 53 57 54 58 ---- 55 59 56 == !AccountModule == 60 == !AccountModule 61 57 62 '''Package''':: acct_mgr.web_ui 58 63 59 Allows users to change their password, or delete their account. When logged in it will appear as a tab “Account” after clicking the “Preferences”link.64 Allows users to change their password, or delete their account. When logged in it will appear as a tab "Account" after clicking the "Preferences" link. 60 65 61 66 [[Image(AccountManagerPlugin:my-account.png)]] 62 67 63 === Configuration ===64 {{{ 65 #!cfg 68 === Configuration 69 70 {{{#!ini 66 71 [components] 67 72 acct_mgr.web_ui.AccountModule = enabled 68 73 }}} 69 74 70 You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. (From a programmers view these are all IPasswordStore implementations.) An error telling you "This password store does not support listing users" indicates, that you didn't successfully activate/configure any authentication credential provider yet. Easiest way to do that is using the web-UI. Just go toadmin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there.75 You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. From a programmers view these are all IPasswordStore implementations. An error telling you "This password store does not support listing users" indicates that you didn't successfully activate/configure any authentication credential provider yet. Easiest way to do that is using the web-UI. Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there. 
71 76 72 ==== Disabling account deletion ==== 77 ==== Disabling account deletion 78 73 79 If you want your users to be able to change their password in Trac user preferences (see 'Account' tab of 'Preferences' from the meta navigation bar), but don't want them to be able to delete their account, you should configure as follows in `trac.ini` (since acct_mgr-0.3): 74 80 75 {{{ 76 #!cfg 81 {{{#!ini 77 82 [account-manager] 78 83 allow_delete_account = false 79 84 }}} 80 85 81 '''Since Trac 0.10:''' When used in combination with the [wiki:AccountManagerPlugin#LoginModule LoginModule] it adds a link to the login page “Forgot your password?” where users can reset their password if they’ve forgotten it. You will need to have your SMTP server information configured in your {{{trac.ini}}} for the “Forgot your password?”link to show up and enable !AccountChangeListener:86 '''Since Trac 0.10:''' When used in combination with the [wiki:AccountManagerPlugin#LoginModule LoginModule] it adds a link to the login page "Forgot your password?" where users can reset their password if they've forgotten it. You will need to have your SMTP server information configured in your {{{trac.ini}}} for the "Forgot your password?" link to show up and enable !AccountChangeListener: 82 87 83 {{{ 84 #!cfg 88 {{{#!ini 85 89 [components] 86 90 acct_mgr.notification.accountchangelistener = enabled 87 91 }}} 88 92 89 === Lost password procedure === 93 === Lost password procedure 94 90 95 A user-triggered password reset is less intrusive starting with acct_mgr-0.3, ''not altering the current password before a successful login'' using it. Resetting your password you actually end up with two passwords before next valid login: 91 96 * Login with the new one from !ResetPwStore to silently and finally overwrite the old with the new. 92 97 * Login with the old will just chancel the latest lost/new password request. 
98 93 99 Or in other words: The temporary password is stored in !ResetPwStore, a special !SessionStore (sharing configuration with any other !SessionStore) and merely checked as a fallback, if the regular authentication has failed. On authentication success with the old password any temporary password is deleted to prevent abuse of the 'lost password' procedure by others. 94 100 95 101 [[Image(AccountManagerPlugin:reset-password.png)]] 96 102 97 ==== Disabling password reset ==== 103 ==== Disabling password reset 104 98 105 To disable just the password reset functionality add the following line to the {{{[account-manager]}}} section: 99 106 100 {{{ 101 #!cfg 107 {{{#!ini 102 108 [account-manager] 103 109 reset_password = false 104 110 }}} 105 111 106 When a user resets their password they will be required to change their password on the next successful login. 112 When a user resets their password they will be required to change their password on the next successful login. This can be disabled via the `trac.ini` by setting: 107 113 108 {{{ 109 #!cfg 114 {{{#!ini 110 115 [account-manager] 111 116 force_passwd_change = false … … 114 119 ---- 115 120 116 == !LoginModule == 121 == !LoginModule 122 117 123 '''Package''':: acct_mgr.web_ui 118 124 … … 123 129 The template has been modified for acct_mgr-0.3 to allow for better [attachment:login-form_v0.3_custom.png custom CSS styling]. See `style.css` in the [source:accountmanagerplugin/0.11/contrib contrib] directory for a jump-start. 124 130 125 === Configuration === 131 === Configuration 132 126 133 To use the AccountManager’s HTML form, you need to explicitly disable Trac's own HTTP authentication module. 
To do so add this your trac.ini or find and modify existing lines accordingly: 127 134 128 {{{ 129 #!cfg 135 {{{#!ini 130 136 [components] 131 137 acct_mgr.web_ui.LoginModule = enabled … … 134 140 }}} 135 141 136 When using the [trac:TracStandalone tracd] server be sure '''not''' to use the `--auth` or `--basic-auth` options. 142 When using the [trac:TracStandalone tracd] server be sure '''not''' to use the `--auth` or `--basic-auth` options. Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use AccountManagerPlugin's HTML form. 137 143 138 If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. In order to disable the authentication look for a section in the Apache configuration file like:144 If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. To disable the authentication look for a section in the Apache configuration file like: 139 145 140 {{{ 146 {{{#!apache 141 147 <Location /trac/login> 142 148 # Some options like AuthType and AuthUserFile … … 145 151 }}} 146 152 147 Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication. 153 Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication. After you’ve tested it, you can probably delete or comment out the rest of the authentication options. 
In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf) 148 154 149 === Compatibility === 155 === Compatibility 156 150 157 requires Trac >= 0.10 151 158 To use this module with [trac:TracStandalone tracd] stand-alone server you'll need Trac 0.10 or later version, or an external webserver such as Apache. … … 153 160 ---- 154 161 155 == !AccountGuard == 162 == !AccountGuard 163 156 164 '''Package''':: acct_mgr.guard 157 165 appears in `acct_mgr-0.3`: adds login failure tracking and administrative account locking to protect against brute-force attacks on user passwords 158 166 159 Enabling the guard means, that even legitimate dlogin attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account.167 Enabling the guard means, that even legitimate login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account. 160 168 161 169 See some example configurations it the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page] and look at screenshot series below to get an idea, how this looks like and is meant to work. 
162 170 163 [[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png)]][[BR]] 164 Hitting account soft (temporary) lock condition on login failure 171 '''Hitting account soft (temporary) lock condition on login failure''' 165 172 166 [[Image(acct_mgr-admin_acct-details_v0.3.png)]][[BR]] 167 Account details page showing failed login attempts and other details 173 [[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png)]] 168 174 169 [[Image(acct_mgr_with_acct-guard_login-success_v0.3.png)]][[BR]] 170 Display of total failed login attempts since last successful login 175 '''Account details page showing failed login attempts and other details''' 176 177 [[Image(acct_mgr-admin_acct-details_v0.3.png)]] 178 179 '''Display of total failed login attempts since last successful login''' 180 181 [[Image(acct_mgr_with_acct-guard_login-success_v0.3.png)]] 171 182 172 183 ----
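Review bot: In the !AccountManagerAdminPanel section the upgrade notice about `acct_mgr.admin.AccountManagerAdminPage` versus `acct_mgr.admin.AccountManagerAdminPanel` now appears twice, once inside the `'''^note1^'''` text and again as the `'''Note:'''` paragraph that this change moves below the `[components]` block; since both copies say the same thing, keep one (the one after the configuration block reads best there) and shorten note1 to the module-name history.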
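Review bot: The "Lost password procedure" bullets still carry the typo "chancel" in "Login with the old will just chancel the latest lost/new password request." (should be "cancel"), and the sentence before them reads more clearly as "After resetting your password you actually have two valid passwords until the next successful login:". The explanation that the !ResetPwStore password is only checked as a fallback and is deleted on a successful login with the old password is the key security statement of this section, so it is worth keeping it right next to the `reset_password = false` block rather than separated by the screenshot.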
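Review bot: The !LoginModule section is inconsistent with the quote cleanup done elsewhere in this change: "AccountManager’s HTML form" and "After you’ve tested it" still use curly apostrophes while the "Forgot your password?" strings were converted to straight quotes. In the same section, "requires Trac >= 0.10" under "=== Compatibility" is left lowercase although the !AccountManagerAdminPanel counterpart was capitalized to "Requires Trac >= 0.10", and the Bitnami sentence should read "In some pre-bundled packages such as Bitnami Trac you will find it inside an Apache configuration extension such as trac.conf". The new `{{{#!apache` processor on the `<Location /trac/login>` block is a good change and matches the `{{{#!ini` conversions.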
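Review bot: The !AccountGuard paragraph fixes "dlogin" but leaves "See some example configurations it the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page]" ("it" should be "in") and "to get an idea, how this looks like" (better: "to get an idea of what this looks like and how it is meant to work"); also drop the comma in "Enabling the guard means, that". Moving the bold captions above the screenshots and removing the `[[BR]]` hacks is fine, but the caption text "soft (temporary) lock" is the only place the page tells the reader that the lock is temporary, so consider stating that in the paragraph that explains why legitimate logins are rejected while lock conditions are met.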