Changes between Version 23 and Version 24 of AccountManagerPlugin/Modules
Timestamp: Sep 6, 2016, 6:03:28 AM (8 years ago)
AccountManagerPlugin/Modules
v23 v24 17 17 There's even some information on how to get not-yet-implemented [wiki:AccountManagerPlugin/AuthStores#LDAP LDAP authentication]. 18 18 19 ---- 20 21 == !AccountManagerAdminPanel ^note1^ 19 == !AccountManagerAdminPanel 22 20 23 21 '''Package''':: acct_mgr.admin 24 22 25 23 This component adds a whole new section with a couple of pages to the trac:WebAdmin section for managing user accounts: 26 * admin/accounts/config -basic configuration, such as !AuthStore activation and ordering27 * admin/accounts/notification -!AccountManager change notification settings28 * admin/accounts/users -user account listing with some management functions:24 * admin/accounts/config: basic configuration, such as !AuthStore activation and ordering 25 * admin/accounts/notification: !AccountManager change notification settings 26 * admin/accounts/users: user account listing with some management functions: 29 27 * add/delete accounts 30 28 * change password and other account attributes 31 29 * reset password similar to the 'lost password', but triggered by admin (since acct_mgr-0.3) 32 30 * review account details (since acct_mgr-0.3) 33 * review and erase entries of Trac database table `session_attribute` (since acct_mgr-0.4) ^note2^31 * review and erase entries of Trac database table `session_attribute` (since acct_mgr-0.4) 34 32 35 '''^note1^''' In version acct_mgr-0.3, module name was !AccountManagerAdminPage. If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.[[BR]] 36 '''^note2^''' Requires `ACCTMGR_ADMIN` or `TRAC_ADMIN`, but ''handle with care'' anyway - no problem to shoot yourself in the foot by deleting your own `SessionStore` admin password. So double-check, and especially have a current, working Trac database backup before starting cleanup here. 
33 '''Notes''' 34 * In version acct_mgr-0.3, the module name was !AccountManagerAdminPage. If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`. 35 * Deleting entries from the `session_attribute` table requires `ACCTMGR_ADMIN` or `TRAC_ADMIN` permissions, but ''handle with care'' anyway: it is easy to delete your own `SessionStore` admin password. So double-check, and especially have a current, working Trac database backup before starting cleanup here. 37 36 38 [[Image(AccountManagerPlugin:account-manager-admin_v0.4.png )]]37 [[Image(AccountManagerPlugin:account-manager-admin_v0.4.png, border=2)]] 39 38 40 39 Older versions required the `TRAC_ADMIN` permission to access any of the admin pages, but a more granular set of permissions has been introduced since acct_mgr-0.3 (see changeset [9280]): … … 56 55 Requires Trac >= 0.10 57 56 58 ----59 60 57 == !AccountModule 61 58 … … 64 61 Allows users to change their password, or delete their account. When logged in it will appear as a tab "Account" after clicking the "Preferences" link. 65 62 66 [[Image(AccountManagerPlugin:my-account.png )]]63 [[Image(AccountManagerPlugin:my-account.png, border=2)]] 67 64 68 65 === Configuration … … 73 70 }}} 74 71 75 You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. From a programmers view these are all IPasswordStore implementations. An error telling you "This password store does not support listing users" indicates that you didn't successfully activate/configure any authentication credential provider yet. Easiest way to do that is using the web-UI. 
Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there.72 You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. From a programmers view these are all IPasswordStore implementations. An error telling you "This password store does not support listing users" indicates that you didn't successfully activate/configure any authentication credential provider yet. The easiest way to do that is using the web-UI. Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there. 76 73 77 74 ==== Disabling account deletion 78 75 79 If you want your users to be able to change their password in Trac user preferences (see 'Account' tab of 'Preferences' from the meta navigation bar), but don't want them to be able to delete their account, you should configure as follows in `trac.ini` (since acct_mgr-0.3):76 If you want your users to be able to change their password in Trac user preferences (see 'Account' tab of 'Preferences' from the meta navigation bar), but don't want them to be able to delete their account, you should configure that as follows in `trac.ini` (since acct_mgr-0.3): 80 77 81 78 {{{#!ini … … 93 90 === Lost password procedure 94 91 95 A user-triggered password reset is less intrusive starting with acct_mgr-0.3, ''not altering the current password before a successful login'' using it. Resetting your password you actually end up with two passwords before next valid login:92 A user-triggered password reset is less intrusive starting with acct_mgr-0.3, ''not altering the current password before a successful login'' using it. Resetting your password you actually end up with two passwords before the next valid login: 96 93 * Login with the new one from !ResetPwStore to silently and finally overwrite the old with the new. 
97 * Login with the old will just chancel the latest lost/new password request.94 * Login with the old one will just chancel the latest lost/new password request. 98 95 99 96 Or in other words: The temporary password is stored in !ResetPwStore, a special !SessionStore (sharing configuration with any other !SessionStore) and merely checked as a fallback, if the regular authentication has failed. On authentication success with the old password any temporary password is deleted to prevent abuse of the 'lost password' procedure by others. 100 97 101 [[Image(AccountManagerPlugin:reset-password.png )]]98 [[Image(AccountManagerPlugin:reset-password.png, border=2)]] 102 99 103 100 ==== Disabling password reset … … 117 114 }}} 118 115 119 ----120 121 116 == !LoginModule 122 117 … … 125 120 Allows users to login via a HTML form instead of using HTTP authentication. 126 121 127 [[Image(AccountManagerPlugin:login-form.png )]]122 [[Image(AccountManagerPlugin:login-form.png, border=2)]] 128 123 129 124 The template has been modified for acct_mgr-0.3 to allow for better [attachment:login-form_v0.3_custom.png custom CSS styling]. See `style.css` in the [source:accountmanagerplugin/0.11/contrib contrib] directory for a jump-start. … … 131 126 === Configuration 132 127 133 To use the AccountManager ’s HTML form, you need to explicitly disable Trac's own HTTP authentication module. To do so add this your trac.ini or find and modifyexisting lines accordingly:128 To use the AccountManager's HTML form, you need to explicitly disable Trac's own HTTP authentication module. To do so add this your `trac.ini` file or find and modify these existing lines accordingly: 134 129 135 130 {{{#!ini … … 151 146 }}} 152 147 153 Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication. After you ’ve tested it, you can probably delete or comment out the rest of the authentication options. 
In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf)148 Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication. After you've tested it, you can probably delete or comment out the rest of the authentication options. In some pre-bundled packages as Bitnami Trac you will find it inside an Apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf) 154 149 155 150 === Compatibility … … 157 152 requires Trac >= 0.10 158 153 To use this module with [trac:TracStandalone tracd] stand-alone server you'll need Trac 0.10 or later version, or an external webserver such as Apache. 159 160 ----161 154 162 155 == !AccountGuard … … 167 160 Enabling the guard means, that even legitimate login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account. 168 161 169 See some example configurations i t the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page] and look at screenshot series below to get an idea, how this looks like andis meant to work.162 See some example configurations in the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page] and look at the screenshot series below to get an idea how this is meant to work. 
170 163 171 164 '''Hitting account soft (temporary) lock condition on login failure''' 172 165 173 [[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png )]]166 [[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png, border=2)]] 174 167 175 168 '''Account details page showing failed login attempts and other details''' 176 169 177 [[Image(acct_mgr-admin_acct-details_v0.3.png )]]170 [[Image(acct_mgr-admin_acct-details_v0.3.png, border=2)]] 178 171 179 172 '''Display of total failed login attempts since last successful login''' 180 173 181 [[Image(acct_mgr_with_acct-guard_login-success_v0.3.png )]]174 [[Image(acct_mgr_with_acct-guard_login-success_v0.3.png, border=2)]] 182 175 183 176 ----
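Review bot: The spelling error "chancel" in the lost-password bullet survives the rewrite; new line 94 still reads "Login with the old one will just chancel the latest lost/new password request." and should read "cancel". Since this bullet is the one that tells users how a pending reset token gets invalidated, it is worth getting right; the dangling modifier in new line 92 ("Resetting your password you actually end up with two passwords") could also be tightened to "After resetting your password you end up with two passwords before the next valid login".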
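Review bot: New line 128 is missing a preposition: "To do so add this your `trac.ini` file or find and modify these existing lines accordingly" should read "add this to your `trac.ini` file". The same sentence introduces the step that disables Trac's built-in HTTP authentication, so the instruction should be unambiguous.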
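Review bot: New line 148 merges the Bitnami remark into the preceding paragraph but leaves it unfinished: "In some pre-bundled packages as Bitnami Trac you will find it inside an Apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf)" lacks a terminal period and should read "packages such as Bitnami Trac". It would also help to say explicitly that "it" refers to the `Require valid-user` directive from the Apache snippet, since that is what the reader is being told to remove or comment out.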
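Review bot: Consolidating the two inline footnotes into a "Notes" list (new lines 33-35) is an improvement, but the second note now says the `session_attribute` cleanup "requires `ACCTMGR_ADMIN` or `TRAC_ADMIN` permissions", while the older note1/note2 text anchored those notes to the specific bullet via `^note2^`; with the superscript markers gone, consider naming the admin/accounts/users page in the note so a reader knows which screen the backup warning applies to. The warning itself (double-check and have a current, working Trac database backup before deleting entries) is the important part and should stay. Separately, "From a programmers view" on new line 72 still needs the apostrophe ("programmer's view").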