[EMAIL PROTECTED] wrote:
> On Jun 4, 11:46 am, Robert C Corsaro <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>>> On Jun 4, 10:23 am, [EMAIL PROTECTED] wrote:
>>>> Hi all.
>>>> Ok, I have played with trac a bit, and some other supporting tools and
>>>> plugins, etc. I managed to get my hands on a server to "properly"
>>>> host it on for our use internally. The upper IT folks just refuse to
>>>> give us an outward facing server. So all of our outsources, will get
>>>> vpn, or onsite access only, bummer, but a small step in the right
>>>> direction.
>>>> That said, the server we are getting is running windows. I have seen/
>>>> browsed the "on windows" wikis out there, and all seems good. here is
>>>> what I "hope" to run, and really just need to know if there are any
>>>> "gotchas" I need to know about ahead of time. I also will have admin
>>>> rights on the box, but am not an IT admin anymore, so my windows
>>>> server knowledge is, well, lame nowadays.
>>>> anyway:
>>>> * assumption: running Apache on windows.
>>>> Trac
>>>> Subversion
>>>> probably php and all that jazz, although, at this moment, I have no
>>>> need for it.
>>>> the following plugins I am hoping to go with:
>>>> TimingAndEstimation
>>>> TracIniAdmin
>>>> TracAccountManager
>>>> TracUserManagerPlugin
>>>> XMLRPC plugin
>>>> MasterTicketsPlugin
>>>> and probably the black magic one.
>>>> Will have custom workflow, and probably have a handler hook as I want
>>>> to do some stuff behind the scenes on one of the transitions of the
>>>> workflow.
>>>> Ok, I am sure there are other I might want, or "NEED" but I KNOW I
>>>> would like those. That said I also "want" to do the following:
>>>> Multi-project setup 1-4 active most likely, and eventually those
>>>> become a maintenance stage, so still around.
>>>> I also "think" I would want to use windows authentication somehow (is
>>>> that ldap?) access to the subversion and trac environments. simply
>>>> because outsources will be internal to the network, and may never
>>>> actually access trac directly. I envision a eclipse/mylan interface
>>>> very possible to the subversion/trac data. I also see direct
>>>> subversion access via subversion clients (TortiseSVN, svn command
>>>> line, etc.) which may never actually utilize the trac DB). I have no
>>>> issue with requiring a second login to trac(via the nice web interface
>>>> in one of the above plugins, I forget which one), just not sure if it
>>>> is needed. If there are other tools/plugins you think will make this
>>>> objective go more smoothly, great, I can use that too, please let me
>>>> know. Things like TracMetrix etc. I might want to use, etc.
>>>> Basically, I need to manage multiple projects, which are managed by
>>>> multiple people, who manage multiple sources/levels of access. :D All
>>>> on bleeping windows servers....with no external facing web access....
>>>> I think it's just the run of the mill TracOnWindows/Advanced path, but
>>>> was looking for insight.
>>>> oh, yes, I personally prefer python 2.5, but seems like Apache needs
>>>> 2.4, is that correct? Anyone tried the windows bitNami installer?
>>>> that would work too. etc.
>>>> I will try to really document well as I go, a future version of this
>>>> email from others is not needed in the mailing list.
>>>> Thanks.
>>> I also forgot. Some devs need access to multiple project environments
>>> (subversion and trac) and some need to be restricted/redirected to the
>>> project they know about. We don't want some sources to even know
>>> about the others. I have no issue added each individual 1 by to to
>>> each project that is appropriate, but I would like to grant access to
>>> the "project list" or top-level to individuals with multi-project
>>> access so they may navigate from a top level if they so choose.
>>> "ideally" it would only show the projects they actually have access
>>> to, but practically will not be needed for my purposes. They will
>>> either be able to see only 1 project, or them all. While they may not
>>> have rights to do anything in them all (read only, for example), that
>>> is easily managed at the per project level. See now, I just made it
>>> more complicated, and just out of my grasp for implementing without a
>>> little hand holding....
>> We have worked out a secure solution with OForge[1]. We have two layers
>> of authorization. The first is site wide and the second is per project.
>> We do not yet have a way to redirect single project users to their
>> projects, which is a problem. If they don't have the URL right, they
>> get an auth error. Our needs are close to yours, our single projects
>> clients shouldn't even know other projects exist.
>>
>> [1]http://code.optaros.com/trac/oforge
>
> While potentially helpful, I don't see us using Oforge as: it's not
> ready or documented, I don't want to build all the parts from source,
> and it seems like it won't be a windows server solution without a lot
> of work as some of the components seem to be Linux only, or heavily
> leaning (maybe I am wrong here). And on a personal note, seems a
> little java centric, but that could just be me.
There is not much "building" as it's a python project. It's basically
installing a bunch of eggs. You are right that we haven't tried it on
Windows. But we would love to get a Windows expert to give it a try.
We do a lot of java work, but I wouldn't consider it java-centric. We
also have python and php projects running on it. They just don't use
java features.
> It is also a little
> more than I need at this point. I currently will be the trac/
> subversion "admin" but I will ultimately get to offload all that IT
> crap (tm) to those that know what they are doing. I am just the
> guinea pig trying to drive the change, and therefor just really want
> an "out of the box" solution that is as close to what I need as
> possible. While Oforge seems, in theory out of the box, there is a
> LOT more than I need, and that is just more I need to admin. I
> wouldn't mind a link to how you accomplished this one need if you have
> it however.
>
We are using wsgi for trac. The trick is defining an AuthnProviderAlias.
Ours looks something like this:
<AuthnProviderAlias ldap ldap-trac>
AuthLDAPURL #ldap-connection-string
</AuthnProviderAlias>
Then you can use wsgi to do the htpasswd auth per project in
/usr/share/trac/cgi-bin/trac-auth.wsgi:
from trac.env import open_environment, Environment
acct_mgr = None
from os import path
import re
trac_path_match = re.compile(r'^/[^/]+/([^/]+)')
TRAC_ENV_PARENT_DIR = $YOURTRACHOME
def check_password(environ, user, password):
global acct_mgr, trac_path_match, TRAC_ENV_PARENT_DIR
m=trac_path_match.match(environ.get('REQUEST_URI'))
if m:
env_path=path.join(TRAC_ENV_PARENT_DIR,m.group(1))
if path.isfile(path.join(env_path,'VERSION')):
try:
env = open_environment(env_path, use_cache=True)
if acct_mgr is None:
from acct_mgr.api import AccountManager
acct_mgr = AccountManager
if acct_mgr(env).check_password(user, password):
return True
except Exception, e: # for example, environment needs upgrade
environ.get('wsgi.errors').write(
'Error authenticating user %s for environment
%s: %s' %
(user,env_path,e)
)
def groups_for_user(environ, user):
return ['']
Now that you have to auth methods defined, you just have to use them:
<LocationMatch "^/(trac|svn)/">
AuthType Basic
AuthName "Security"
AuthBasicProvider wsgi ldap-trac
AuthzLDAPAuthoritative off
Require valid-user
SetEnv trac.env_parent_dir $YOURTRACHOME
WSGIAuthUserScript /usr/share/trac/cgi-bin/trac-auth.wsgi
</Location>
And of course for your index page you would only use ldap-trac. You
could probably substitute ldap for something else if you wanted, as long
as it allowed non-authoritative auth.
Also, before we started using wsgi, we had a apache-perl script to do
the per-project permissions. This replaces the wsgi auth script. Here
is what it looked like:
<IfModule !mod_perl.c>
LoadModule perl_module modules/mod_perl.so
</IfModule>
<Perl>
# This is to make the results available to dumper below
$Apache2::PerlSections::Save = 1;
# trac environments location - this should be TRAC_ENV_PARENT_DIR
my $trac_path = "$YOURTRACHOME";
# trac base url
my $trac_location = "/trac";
opendir(TRAC_ROOT, $trac_path) or die "Unable to open Trac root
directory ($trac_path)";
my @contents = grep !/^\.\.?$/, readdir TRAC_ROOT;
foreach $envname ( @contents ) {
my $env_directory=("$trac_path/$envname");
my $env_passwd=("$env_directory/passwd");
if ((-d $env_directory) and (-f $env_passwd)) {
$LocationMatch{"^(/|/[[:alnum:]]+/)$envname(\$|/)"} = {
AuthBasicProvider => "file ldap-trac",
AuthUserFile => "$env_passwd",
};
}
}
closedir TRAC_ROOT;
__END__
</Perl>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---
