Hi Kristian,

From my limited knowledge - what you're asking for just isn't possible.

The trac authentication model doesn't really permit what you're
requiring.  It suggests: all users _must_ authenticate or no users must
authenticate.

This is because the two principals in Trac that you give permissions to
are ANONYMOUS and AUTHENTICATED.  What you want is some split of
ANONYMOUS based upon the network the person is coming from.

The only solution I can provide is:

1. Ensure that Apache is performing the authentication, not Trac.
2. Alter Apache config so that it provides a default user if the source
IP range is the internal network.

That will make internal users appear as AUTHENTICATED to trac - but it
won't permit any audit trail within Trac.

An alternative solution would be to set up single-sign-on in your
network and use that for authentication.

That would require a login from users coming in over the Internet but
should automatically authenticate for internal users - permitting an
audit trail without the hassle of authenticating.

However that is complex and requires a greater understanding of your
network.

Lastly - irrespective of which method you choose you should be using
BASIC authentication over SSL for external (i.e. Internet) clients.

Best Regards,

Brett
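
An added example (not from Brett's or Kristian's mails, and not Trac project code) of what step 1 and the closing SSL remark look like in an Apache 2.2 / mod_python vhost. It assumes Trac is served under /trac, that the internal network is 10.0.0.0/8 and that the htpasswd file lives at /etc/apache2/trac.htpasswd; all three are placeholders. Rather than injecting a default user for internal addresses, it lets internal clients reach Trac as ANONYMOUS without a password, keeps the /trac/login URL behind Basic auth for everyone (the pattern the Trac mod_python docs use), and requires Basic auth over SSL for all other source addresses:

```apache
# Added example: Apache 2.2 + mod_python front-end for Trac.
# Placeholders to adjust: /trac, /var/lib/trac/project, 10.0.0.0/8,
# /etc/apache2/trac.htpasswd.
<Location /trac>
    SetHandler mod_python
    PythonInterpreter main_interpreter
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnv /var/lib/trac/project
    PythonOption TracUriRoot /trac

    # Basic credentials are sent in the clear; only accept them over SSL.
    SSLRequireSSL

    # Host-based rule: internal addresses get in as-is ...
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8

    # ... every other address must present valid Basic credentials.
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    Require valid-user

    # "Any": passing EITHER the Allow rule OR the Require rule is enough,
    # so internal clients are never challenged here.
    Satisfy Any
</Location>

# The login URL always challenges, whatever the source address, so an
# internal user can still obtain a Trac session (and thus an audit
# trail) before editing. Trac's LoginModule reads REMOTE_USER, which
# Apache sets after a successful Basic auth.
<Location /trac/login>
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    Require valid-user
    # "All": the Allow rule AND the Require rule must both pass, which
    # overrides the Satisfy Any inherited from /trac.
    Satisfy All
</Location>
```

On the Trac side this only does what Brett describes if ANONYMOUS holds nothing beyond the *_VIEW permissions and AUTHENTICATED holds the modify rights; with trac-admin that is "permission add anonymous WIKI_VIEW" and "permission add authenticated WIKI_MODIFY" (and so on for the other realms). Reads by internal users are logged as anonymous, which is exactly the audit-trail limitation Brett points out; the trail starts once the user goes through /trac/login. Note that the Order/Deny/Allow directives are Apache 2.2 syntax, and that Satisfy must be set explicitly in the /trac/login block because Location sections inherit it from their parent.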


On Fri, 2010-04-16 at 15:24 +0200, Kristian Rink wrote:
> Folks;
> 
> not sure whether this is sort of an FAQ, but at the very least I have 
> not yet found a solution to _all_ my given problems running 
> authenticated trac. Here's the scenario: We run a trac host internally 
> which needs to be accessible from "the external internet", and access 
> control should be more or less like this:
> 
> - Users accessing trac from the public internet mustn't even be able to 
> read anything inside the trac site, so at the moment we use HTTP-BASIC 
> authentication to control site access.
> 
> - Internal users should be provided with read-only access to trac wiki 
> pages, issues, ... .
> 
> - Internal users, however, should be required to login before doing any 
> changes (posting issues, editing content, ...).
> 
> We have the account-manager and web-admin plugins installed; trac itself runs 
> in mod_python / apache 2.2 on an internal host which lives behind 
> another apache 2.2 in reverse-proxy configuration. Right now, I enjoyed 
> some quality time playing with various access control configurations in 
> apache configuration ("order deny,allow", that kind of stuff), but not 
> really to my satisfaction:
> 
> - Disabling HTTP-AUTH for local network altogether lets me access the 
> site, but it doesn't provide me with some login facility anymore. 
> Moreover, by then trying to manually enter ../login in the browser just 
> ends up with an error like "No handler found for /login".
> 
> - Goin' with form-based login altogether, so far I didn't manage to find 
> a way of keeping anonymous people from having read-only access to the site.
> 
> - Doing HTTP-AUTH on the reverse-proxy machine does most of what I want, 
> but by then local users again do not have any way to log in to 
> the trac installment.
> 
> 
> Hmmmm... running out of options it seems, or maybe I just haven't yet 
> found the right place where to peek. Can any kind soul provide some 
> enlightenment about that?
> 
> TIA and all the best,
> Kristian
> 

