[Trac] Re: user registration for SVN Trac using LDAP
On Tue, Feb 17, 2009 at 9:43 AM, Jeff Hammel jham...@openplans.org wrote:
> +1 on this. While auth is complex in trac, I'd rather have configurability and malleability than tailoring towards perceived common use cases.
>
> Jeff

Though I still argue that the AccountManager plugin, or at least parts of it (including form-based login and user registration) should come with Trac and should be the default configuration. Most users seem to want to be able to just install Trac and have it handle user registration, like they're used to with other web applications, such as bulletin board software. It always seems like 90% of the support questions on trac-users are related to setting up authentication and user management.

Now of course there are lots of users who have more advanced use cases, but there's no reason Trac wouldn't be able to maintain its existing flexibility for those cases. But I'm getting off topic so I'll stop there...

[Trac] Re: user registration for SVN Trac using LDAP
On Wed, Feb 18, 2009 at 2:07 PM, Erik Bray hyugaricd...@gmail.com wrote:
> On Tue, Feb 17, 2009 at 9:43 AM, Jeff Hammel jham...@openplans.org wrote:
>> +1 on this. While auth is complex in trac, I'd rather have configurability and malleability than tailoring towards perceived common use cases.
>>
>> Jeff
>
> Though I still argue that the AccountManager plugin,

+1 for its inclusion in Trac ... at the end everybody installs AccMngrPlgin ... AFAICS in this list ... and since there is no way (... so far ;) to log users out of the site without using AccMngrPlgin ... I think this is ok ... just like WebAdmin is ok in Trac 0.11.x ... ;)

> or at least parts of it (including form-based login and user registration) should come with Trac

+1

> and should be the default configuration.

+0.5 ... this depends on «strategic decisions» ...

- default to form based auth if you want to ease the task to specific users not familiar with HTTP auth mechanisms ...
- default to HTTP auth if you want to be consistent with standards (... are there stds for form-based auth ? ...) and RFCs ... and be backwards compatible, and allow seamless integration with other services built on top of Trac (e.g. XML-RPC ;) ...

IMO (... CMIIW ;) Trac is mainly used by developers interested in managing their own projects, build their own management infrastructure and services on the PMS (excellent :) architecture, and make it be part of a more complex environment deployed in organizations, by automating PM tasks and more ...

At least for me, now, HTTP Auth (... sometimes NTLM is requested first, but this is only 10% of the whole ...) is *EXPLICITLY* a *MUST* in every Trac instance I have installed so far ... that's what users request ... most of the time (... my experience ... ;).

> Most users seem to want to be able to just install Trac and have it handle user registration,

+0.5 ... except when using central dirs (e.g. LDAP ...) so that many apps may share data ... in these scenarios I have quite often found domain admins which don't want anybody writing data in the dir they are responsible for ...

> It always seems like 90% of the support questions on trac-users are related to setting up authentication and user management.

... it seems so ... yes ...

> Now of course there are lots of users who have more advanced use cases, but there's no reason Trac wouldn't be able to maintain its existing flexibility for those cases.

... without jeopardizing important tasks within organizations ... like LDAP admin/write ops. Sometimes LDAP stores centralized information very important to enterprises and many other apps and services depend on this info ... Modifying data in LDAP could be a source of chaos ... That's why everybody says in advance : «Are you going to write anything in MSAD?» (i.e. LDAP ;) and I have to tell them «Nop ... take a look at the code here. There is no way for Trac to modify data stored in MSAD». Believe me, such arguments are often important.

All this is IMO ... ;)

PD: ... sorry if part of this is OT ...

--
Regards,
Olemis.

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/
Featured article:

[Trac] Re: user registration for SVN Trac using LDAP
On Wed, Feb 18, 2009 at 11:48 AM, Olemis Lang ole...@gmail.com wrote:
> On Wed, Feb 18, 2009 at 2:07 PM, Erik Bray hyugaricd...@gmail.com wrote:
>> or at least parts of it (including form-based login and user registration) should come with Trac
>
> +1
>
>> and should be the default configuration.
>
> +0.5 ... this depends on «strategic decisions» ...
>
> - default to form based auth if you want to ease the task to specific users not familiar with HTTP auth mechanisms ...
> - default to HTTP auth if you want to be consistent with standards (... are there stds for form-based auth ? ...) and RFCs ... and be backwards compatible, and allow seamless integration with other services built on top of Trac (e.g. XML-RPC ;) ...

You have a point there, and this argument has been brought up before. With AccountManager-like functionality built into Trac, it would also make sense to ask authentication-related questions as part of trac-admin initenv. As for XML-RPC and the like, that's where the HttpAuth plugin is incredibly useful.

[Trac] Re: user registration for SVN Trac using LDAP
On Mon, Feb 16, 2009 at 2:30 PM, Noah Kantrowitz n...@coderanger.net wrote:
> On Feb 16, 2009, at 10:59 AM, Ed - 0x1b, Inc. wrote:
>> On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>>> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>>>> Hi, I am trying to set up trac to be able to register new users and grant rw access to an svn repo. It looks like using LDAP would be the most obvious as both trac and svn can authenticate against a local server. With my current setup trac can view the svn repo and authenticate users with LDAPStore. However, the 'register' link doesn't appear when password_store is LDAPStore but works ok when using SessionStore. As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface. Has anyone managed to get this kind of setup to work, or should I be trying a different approach?
>>>
>>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.
>>>
>>> --Noah
>>
>> -1 Noah, please consider other use cases, I'm trying to create a system that can do what the OP requested without the overhead you're assuming because, in my case, the participants span several organizations with incompatible infrastructures. The result is that I would very much like to grant SVN access based on those that create Trac ID creds. LDAP Auth is looking to be the best (only?) bridge between the two.
>
> The actual problem is that you assume the only usable option is LDAP, when it is in fact not. It is very common to use htpasswd or htdigest auth for both Trac and SVN, and if you point them at the same file then registrations work across both. This is why making assumptions is bad :-)
>
> --Noah

yes, but how does Trac populate the htpasswd/htdigest files? I've always known them to be essentially static lists and Trac registrations are kept in the database backend..right?

The features I am looking for are 1) Trac as the front door, 2) speed of user acquisition with a self-serve level of automation, 3) filtering of obvious nonsense, and 4) a degree of uniqueness across users' ID (dupe checking). Additional contact information (email) is nice but not necessary and the IDs created are only meant to be used within the Trac/SVN site with a limited TTL.

I should have said dynamic bridge between the two, or something - the impression that the list of credentials already existed was incorrect. Ideally (4me) Trac would produce creds that SVN could consume - maybe as a part of a RESTful interface. :)

Ed

[Trac] Re: user registration for SVN Trac using LDAP
On Mon, Feb 16, 2009 at 01:30:03PM -0800, Noah Kantrowitz wrote:
> On Feb 16, 2009, at 10:59 AM, Ed - 0x1b, Inc. wrote:
>> On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>>> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>>>> Hi, I am trying to set up trac to be able to register new users and grant rw access to an svn repo. It looks like using LDAP would be the most obvious as both trac and svn can authenticate against a local server. With my current setup trac can view the svn repo and authenticate users with LDAPStore. However, the 'register' link doesn't appear when password_store is LDAPStore but works ok when using SessionStore. As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface. Has anyone managed to get this kind of setup to work, or should I be trying a different approach?
>>>
>>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.
>>>
>>> --Noah
>>
>> -1 Noah, please consider other use cases, I'm trying to create a system that can do what the OP requested without the overhead you're assuming because, in my case, the participants span several organizations with incompatible infrastructures. The result is that I would very much like to grant SVN access based on those that create Trac ID creds. LDAP Auth is looking to be the best (only?) bridge between the two.
>
> The actual problem is that you assume the only usable option is LDAP, when it is in fact not. It is very common to use htpasswd or htdigest auth for both Trac and SVN, and if you point them at the same file then registrations work across both. This is why making assumptions is bad :-)
>
> --Noah

+1 on this. While auth is complex in trac, I'd rather have configurability and malleability than tailoring towards perceived common use cases.

Jeff

[Trac] Re: user registration for SVN Trac using LDAP
On Tue, Feb 17, 2009 at 9:43 AM, Jeff Hammel jham...@openplans.org wrote:
> On Mon, Feb 16, 2009 at 01:30:03PM -0800, Noah Kantrowitz wrote:
>> On Feb 16, 2009, at 10:59 AM, Ed - 0x1b, Inc. wrote:
>>> On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>>>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure.
>>>
>>> -1 Noah, please consider other use cases,
>>
>> The actual problem is that you assume the only usable option is LDAP, when it is in fact not.
>
> +1 on this. While auth is complex in trac, I'd rather have configurability and malleability than tailoring towards perceived common use cases.

The only thing I want to add to this thread is that if devs are finally convinced of supporting 'write' operations in LDAP dirs, pls, provide separate components for each scenario ... I mean «Default_LDAP_XXX» for read-only ops ... and «Full_LDAP_XXX» for read/write ops (possibly connected through inheritance or maybe not ...).

Read-only access to LDAP dirs is mandatory most of the times I have set up Trac ... so this would be very useful to avoid conflicts in organizations (and sometimes chaos ;) ... IMO ...

PD: ... users are always right ... :)

--
Regards,
Olemis.

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/
Featured article:

[Trac] Re: user registration for SVN Trac using LDAP
On Tue, Feb 17, 2009 at 10:08:28AM -0500, Olemis Lang wrote:
> On Tue, Feb 17, 2009 at 9:43 AM, Jeff Hammel jham...@openplans.org wrote:
>> On Mon, Feb 16, 2009 at 01:30:03PM -0800, Noah Kantrowitz wrote:
>>> On Feb 16, 2009, at 10:59 AM, Ed - 0x1b, Inc. wrote:
>>>> On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>>>>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure.
>>>>
>>>> -1 Noah, please consider other use cases,
>>>
>>> The actual problem is that you assume the only usable option is LDAP, when it is in fact not.
>>
>> +1 on this. While auth is complex in trac, I'd rather have configurability and malleability than tailoring towards perceived common use cases.
>
> The only thing I want to add to this thread is that if devs are finally convinced of supporting 'write' operations in LDAP dirs, pls, provide separate components for each scenario ... I mean «Default_LDAP_XXX» for read-only ops ... and «Full_LDAP_XXX» for read/write ops (possibly connected through inheritance or maybe not ...).

+1 on this too

> Read-only access to LDAP dirs is mandatory most of the times I have set up Trac ... so this would be very useful to avoid conflicts in organizations (and sometimes chaos ;) ... IMO ...
>
> PD: ... users are always right ... :)
>
> --
> Regards,
> Olemis.
>
> Blog ES: http://simelo-es.blogspot.com/
> Blog EN: http://simelo-en.blogspot.com/
> Featured article:

[Trac] Re: user registration for SVN Trac using LDAP
On Wed, Feb 11, 2009 at 3:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>> As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface.
>
> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.

+1 ... this is exactly the idea and Trac admins should not be responsible for managing users in LDAP (e.g. MSAD ...) dirs ... if there is a central LDAP server, then there should be an admin.

If you still need to do something like this you (or someone else ... ;) may write your own registration module to either:

- Modify data in the LDAP dir directly ... (not recommended IMO ... but anyway, it's up to you ;)
- Notify the MSAD admin (or another external tool ...) of the fact that a new user should be added ... and delegate this task to this «external actor» ...

You can also consider the use of specific LDAP admin tools ... or any other third party tool ... outside the Trac site ... ;)

--
Regards,
Olemis.

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/
Featured article:

[Trac] Re: user registration for SVN Trac using LDAP
On Mon, Feb 16, 2009 at 12:57:21PM -0500, Olemis Lang wrote:
> On Wed, Feb 11, 2009 at 3:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>>> As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface.
>>
>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.
>
> +1 ... this is exactly the idea and Trac admins should not be responsible for managing users in LDAP (e.g. MSAD ...) dirs ... if there is a central LDAP server, then there should be an admin.
>
> If you still need to do something like this you (or someone else ... ;) may write your own registration module to either:
>
> - Modify data in the LDAP dir directly ... (not recommended IMO ... but anyway, it's up to you ;)
> - Notify the MSAD admin (or another external tool ...) of the fact that a new user should be added ... and delegate this task to this «external actor» ...
>
> You can also consider the use of specific LDAP admin tools ... or any other third party tool ... outside the Trac site ... ;)
>
> --
> Regards,
> Olemis.

We have been thinking about this in-house as well, as we have several projects that are OSS (so anyone should be able to register) but will have SVN committers and members of other privilege that will have LDAP accounts. I was thinking of a layered scheme for this:

* allow registration TTW for anyone
* for auth, check LDAP first; if no such account, then validate against (e.g.) an .htpasswd file which will contain registered accounts
* create tools to allow easy migration from TTW registered users to LDAP users

We're still in the thinking and planning stage on this one, but I'd be happy to make such tools available when they're ready (or for that matter, use someone else's tools if they've already solved this problem).

Jeff

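The layered scheme in the message above, together with the shared htdigest file and the duplicate and nonsense filtering asked for elsewhere in the thread, as an added example that is not from the thread and is not Trac or AccountManager code. It writes the htdigest format (`user:realm:MD5(user:realm:password)`); `REALM`, the username rule, and the two directory callables (stand-ins for a read-only LDAP lookup and bind) are assumptions.

```python
import hashlib
import hmac
import os
import re
import tempfile

REALM = "trac"  # assumption: must equal the AuthName used by Trac and SVN
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{2,31}")  # no ':' or newline can reach the file


def ha1(user, realm, password):
    """htdigest field 3: hex MD5 of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def load(path):
    """Parse user:realm:hash lines into {(user, realm): hash}; skip malformed lines."""
    entries = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                if len(parts) == 3:
                    entries[(parts[0], parts[1])] = parts[2]
    return entries


def register(path, user, password, directory_has_user=lambda name: False):
    """Self-service registration. Returns (ok, reason).

    directory_has_user is a hypothetical read-only lookup against LDAP; names
    found there are reserved so a web registration cannot shadow them.
    """
    user = user.strip().lower()
    if not USERNAME_RE.fullmatch(user):
        return False, "invalid username"
    if len(password) < 8:
        return False, "password too short"
    if directory_has_user(user):
        return False, "name reserved by directory"
    entries = load(path)
    if (user, REALM) in entries:
        return False, "duplicate username"
    entries[(user, REALM)] = ha1(user, REALM, password)
    # Write a temp file (mkstemp creates it owner-only) and rename it so
    # readers never see a half-written file. Concurrent registrations still
    # need a lock around load + replace.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for (name, realm), digest in sorted(entries.items()):
            fh.write(f"{name}:{realm}:{digest}\n")
    os.replace(tmp, path)
    return True, "registered"


def authenticate(path, user, password, directory_check=None):
    """Directory first, file second.

    directory_check(user, password) is a hypothetical LDAP bind wrapper that
    returns True or False for a known account and None for an unknown one.
    """
    user = user.strip().lower()
    if directory_check is not None:
        verdict = directory_check(user, password)
        if verdict is not None:
            return verdict  # a failed directory login never falls through
    stored = load(path).get((user, REALM))
    if stored is None:
        return False
    return hmac.compare_digest(stored, ha1(user, REALM, password))
```

The stored hash is password-equivalent for digest authentication in that realm, so the file needs the same read restrictions as a plaintext password list.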
[Trac] Re: user registration for SVN Trac using LDAP
On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>> Hi, I am trying to set up trac to be able to register new users and grant rw access to an svn repo. It looks like using LDAP would be the most obvious as both trac and svn can authenticate against a local server. With my current setup trac can view the svn repo and authenticate users with LDAPStore. However, the 'register' link doesn't appear when password_store is LDAPStore but works ok when using SessionStore. As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface. Has anyone managed to get this kind of setup to work, or should I be trying a different approach?
>
> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.
>
> --Noah

-1 Noah, please consider other use cases, I'm trying to create a system that can do what the OP requested without the overhead you're assuming because, in my case, the participants span several organizations with incompatible infrastructures. The result is that I would very much like to grant SVN access based on those that create Trac ID creds. LDAP Auth is looking to be the best (only?) bridge between the two.

Alternatives - we currently are adding unneeded layers such as forcing users to register via jabber to populate the LDAP - sorta busts up the browser centricness of the experience but then it adds some too. I understand that in most cases Trac is just a consumer of credentials, but there are cases where Trac is all there is to the institutional layer.

--Ed

[Trac] Re: user registration for SVN Trac using LDAP
On Feb 16, 2009, at 10:59 AM, Ed - 0x1b, Inc. wrote:
> On Wed, Feb 11, 2009 at 1:12 AM, Noah Kantrowitz n...@coderanger.net wrote:
>> On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
>>> Hi, I am trying to set up trac to be able to register new users and grant rw access to an svn repo. It looks like using LDAP would be the most obvious as both trac and svn can authenticate against a local server. With my current setup trac can view the svn repo and authenticate users with LDAPStore. However, the 'register' link doesn't appear when password_store is LDAPStore but works ok when using SessionStore. As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface. Has anyone managed to get this kind of setup to work, or should I be trying a different approach?
>>
>> The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.
>>
>> --Noah
>
> -1 Noah, please consider other use cases, I'm trying to create a system that can do what the OP requested without the overhead you're assuming because, in my case, the participants span several organizations with incompatible infrastructures. The result is that I would very much like to grant SVN access based on those that create Trac ID creds. LDAP Auth is looking to be the best (only?) bridge between the two.

The actual problem is that you assume the only usable option is LDAP, when it is in fact not. It is very common to use htpasswd or htdigest auth for both Trac and SVN, and if you point them at the same file then registrations work across both. This is why making assumptions is bad :-)

--Noah

[Trac] Re: user registration for SVN Trac using LDAP
On Feb 5, 2009, at 4:36 AM, nik gaffney wrote:
> Hi, I am trying to set up trac to be able to register new users and grant rw access to an svn repo. It looks like using LDAP would be the most obvious as both trac and svn can authenticate against a local server. With my current setup trac can view the svn repo and authenticate users with LDAPStore. However, the 'register' link doesn't appear when password_store is LDAPStore but works ok when using SessionStore. As it appears there are several plugins to use LDAP authentication with the Account Manager plugin, I have tried 'TracLDAPAuth' and 'LdapAuthStore' and couldn't get either to work with the registration interface. Has anyone managed to get this kind of setup to work, or should I be trying a different approach?

The LDAP auth plugin doesn't support modification, nor do I plan to add that. The general use case for LDAP is hooking in to an existing, large company infrastructure. In this case you would already have a procedure and tools for adding/modifying accounts. I don't think it makes sense to try to build these tools into Trac when the whole point is to allow you to use your existing ones.

--Noah