[Trac] Re: Single Sign On Authentication
How do you go about setting up SSO for TRAC so that the user doesn't have to log in twice? Once they passed the initial SSO login, all web applications can use that cookie to authenticate w/o the user having to re-login unless the cookie has expired.

Thanks,
Doug

On Nov 13, 10:11 am, Jason Winnebeck [EMAIL PROTECTED] wrote:

I'm sorry to ask an Apache question here but it is on topic for this thread and it's been something I've wondered for a long time.

Currently I have a Linux Apache/SSL/SVN/Trac setup for about a 15-user group done as a SSO but through htpasswd files. Our real IT system is an NT active directory domain. I looked at how I might be able to authenticate against that and got quickly overwhelmed (I'm just a dev setting up a server, not an IT guy and certainly not an MS IT guy).

OK, getting to the point and my question. I heard that AD is compatible with LDAP (or an implementation thereof). Assuming that, if I can get LDAP to work is there a way to map LDAP (NT) names to Apache names, i.e. I don't want the users named SillyITDomainName\CrazyUserName -- in fact because there are shared accounts I can't even do this uniquely. In other words, there are 20,000 users or so, but I only want to allow about 15 of them, and I want to map them to some arbitrary signin name. The result is that all I take is the NT password (and possibly allow automatic NT auth through browser).

Jason

-----Original Message-----
From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Bruce E.
Sent: Tuesday, November 13, 2007 10:52 AM
To: trac-users@googlegroups.com
Subject: [Trac] Re: Single Sign On Authentication

Not sure what you're really asking for here, but I use LDAP integration with Apache (built in with 2.2) and have SSO working for both Trac and SVN, using a couple of different LDAP authorities here.

I have the pages set up so that there's a /projectname root, with /projectname/svn and /projectname/trac. I configure Apache to protect /projectname with LDAP authentication and a list of allowed users. It's Basic authentication in Apache, so I force everything to https, again using Apache authentication.

So, yes, it does prompt for username and password, but it's the same username and password as used everywhere else. Good enough for my purposes

Bruce E. Wilson ([EMAIL PROTECTED])
Environmental Sciences Division
Oak Ridge National Laboratory
(office) +1-865-574-6651

-----Original Message-----
From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of rupert thurner
Sent: Sunday, November 11, 2007 12:02 AM
To: Trac Users
Subject: [Trac] Re: Single Sign On Authentication

maybe kerberos/gssapi would be a possibility? see http://www.grolmsnet.de/kerbtut/ ...

On Nov 10, 1:20 pm, anhD [EMAIL PROTECTED] wrote:

Hi All,

At my work place, we are using SSO for our web applications. I am wondering if anyone is currently working on any plugin or anything that may integrate with this? Basically, apache will help do the authentication. If everything is successful, the user name is stored in a variable in the session. I want to modify TRAC to use that variable as the user login w/o having the need for the password and automatically log the user in.

Thanks,
Doug

--
You received this message because you are subscribed to the Google Groups Trac Users group.
To post to this group, send email to trac-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
[Trac] Re: Single Sign On Authentication
I'm sorry to ask an Apache question here but it is on topic for this thread and it's been something I've wondered for a long time.

Currently I have a Linux Apache/SSL/SVN/Trac setup for about a 15-user group done as a SSO but through htpasswd files. Our real IT system is an NT active directory domain. I looked at how I might be able to authenticate against that and got quickly overwhelmed (I'm just a dev setting up a server, not an IT guy and certainly not an MS IT guy).

OK, getting to the point and my question. I heard that AD is compatible with LDAP (or an implementation thereof). Assuming that, if I can get LDAP to work is there a way to map LDAP (NT) names to Apache names, i.e. I don't want the users named SillyITDomainName\CrazyUserName -- in fact because there are shared accounts I can't even do this uniquely. In other words, there are 20,000 users or so, but I only want to allow about 15 of them, and I want to map them to some arbitrary signin name. The result is that all I take is the NT password (and possibly allow automatic NT auth through browser).

Jason

-----Original Message-----
From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Bruce E.
Sent: Tuesday, November 13, 2007 10:52 AM
To: trac-users@googlegroups.com
Subject: [Trac] Re: Single Sign On Authentication

Not sure what you're really asking for here, but I use LDAP integration with Apache (built in with 2.2) and have SSO working for both Trac and SVN, using a couple of different LDAP authorities here.

I have the pages set up so that there's a /projectname root, with /projectname/svn and /projectname/trac. I configure Apache to protect /projectname with LDAP authentication and a list of allowed users. It's Basic authentication in Apache, so I force everything to https, again using Apache authentication.

So, yes, it does prompt for username and password, but it's the same username and password as used everywhere else. Good enough for my purposes

Bruce E. Wilson ([EMAIL PROTECTED])
Environmental Sciences Division
Oak Ridge National Laboratory
(office) +1-865-574-6651

-----Original Message-----
From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of rupert thurner
Sent: Sunday, November 11, 2007 12:02 AM
To: Trac Users
Subject: [Trac] Re: Single Sign On Authentication

maybe kerberos/gssapi would be a possibility? see http://www.grolmsnet.de/kerbtut/ ...

On Nov 10, 1:20 pm, anhD [EMAIL PROTECTED] wrote:

Hi All,

At my work place, we are using SSO for our web applications. I am wondering if anyone is currently working on any plugin or anything that may integrate with this? Basically, apache will help do the authentication. If everything is successful, the user name is stored in a variable in the session. I want to modify TRAC to use that variable as the user login w/o having the need for the password and automatically log the user in.

Thanks,
Doug
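
The name mapping and allow-list asked about in the message above, sketched as WSGI middleware in front of an application that takes its login name from REMOTE_USER, as Trac does when Apache handles authentication (an added example, not code from the thread or from the Trac project). The `ALLOWED` table, the `normalize`, `RemoteUserMap`, `demo_app` and `run` names and the sample accounts are assumptions, and it assumes Apache authenticates every request first, so a missing REMOTE_USER is refused.

```python
# Added example. ALLOWED is a constructed table: directory account -> sign-in name.
ALLOWED = {
    "crazyusername": "jason",
    "bwilson": "bruce",
}


def normalize(remote_user):
    """Reduce 'DOMAIN\\user', 'user@REALM' or 'user' to a lowercase account name.

    Dropping the domain or realm merges same-named accounts from different
    domains; key ALLOWED on the full name if more than one can authenticate.
    """
    name = remote_user.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


class RemoteUserMap:
    """WSGI middleware: rewrite REMOTE_USER to the mapped name or refuse."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        # Trust only REMOTE_USER, which the web server sets after it has
        # authenticated the request. HTTP_* keys are client-supplied headers.
        raw = environ.get("REMOTE_USER")
        local = self.allowed.get(normalize(raw)) if raw else None
        if local is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"account not permitted\n"]
        return self.app(dict(environ, REMOTE_USER=local), start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application; echoes the login it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]


def run(environ):
    """Call the wrapped demo_app once and return (status, body)."""
    seen = {}
    wrapped = RemoteUserMap(demo_app, ALLOWED)
    body = b"".join(wrapped(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```
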
[Trac] Re: Single Sign On Authentication
Are you using windows? If so, the mod_auth_sspi module for Apache is what you need. Works pretty well unless your machine has cached windows credentials like mine did :)

Good Luck,
Andrew
[Trac] Re: Single Sign On Authentication
is there any possibility of a mod_auth_sspi which runs on unix/linux too?

On Nov 10, 6:37 pm, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Are you using windows? If so, the mod_auth_sspi module for Apache is what you need. Works pretty well unless your machine has cached windows credentials like mine did :)

Good Luck,
Andrew
[Trac] Re: Single Sign On Authentication
maybe kerberos/gssapi would be a possibility? see http://www.grolmsnet.de/kerbtut/ ...

On Nov 10, 1:20 pm, anhD [EMAIL PROTECTED] wrote:

Hi All,

At my work place, we are using SSO for our web applications. I am wondering if anyone is currently working on any plugin or anything that may integrate with this? Basically, apache will help do the authentication. If everything is successful, the user name is stored in a variable in the session. I want to modify TRAC to use that variable as the user login w/o having the need for the password and automatically log the user in.

Thanks,
Doug