Re: [Trac] Apache, Trac and LDAP - how to glue them all together?

[Noah Kantrowitz]

On Sep 1, 2010, at 7:24 AM, Jon Hadley wrote:
I'm trying to set-up Trac to authorise users via the LDAP plugin on  
a Debian (Lenny) server.

LDAP appears to be working correctly, I can query successfully via:

        ldapsearch -vLx -h 127.0.0.1 -b "dc=example, dc=com" "(sn=mysurname)"
        
And if i purposely break my Apache LDAP address settings I can see  
errors in /var/log/apache2/error.log

	2010-08-27 17:19:38,909 Trac[api] WARNING: LDAP error: No such  
object (dc=examplefoo,dc=com)

When I visit http://example.com:8022/trac and click the login button  
the authentication window pops up, __however__, when I enter a  
correct username/password I just get a Trac web page with:


        Trac Error
	Authentication information not available. Please refer to the  
installation documentation.

        TracGuide — The Trac User and Administration Guide


The logs are equally unhelpful (ignore the svn error, I'm aware of  
that):

	2010-09-01 14:25:30,553 Trac[api] DEBUG: NEEDS UP?: sys:False,  
rep:False, stats:False, fields:False, man:False
	2010-09-01 14:25:30,577 Trac[env] WARNING: base_url option not set  
in configuration, generated links may be incorrect
	2010-09-01 14:25:30,577 Trac[main] DEBUG: Dispatching <Request "GET  
u'/login'">
	2010-09-01 14:25:30,583 Trac[svn_fs] INFO: Failed to load  
Subversion bindings
        Traceback (most recent call last):
	  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/ 
trac/versioncontrol/svn_fs.py", line 251, in __init__
            _import_svn()
	  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/ 
trac/versioncontrol/svn_fs.py", line 69, in _import_svn
            from svn import fs, repos, core, delta
        ImportError: No module named svn
	2010-09-01 14:25:30,584 Trac[chrome] DEBUG: Prepare chrome data for  
request
	2010-09-01 14:25:30,586 Trac[api] DEBUG: action controllers for  
ticket workflow: ['ConfigurableTicketWorkflow']
	2010-09-01 14:25:30,597 Trac[perm] DEBUG: No policy allowed  
anonymous performing TICKET_CREATE on None
	2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed  
anonymous performing TRAC_ADMIN on None
	2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed  
anonymous performing PERMISSION_GRANT on None
	2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed  
anonymous performing PERMISSION_REVOKE on None
	2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed  
anonymous performing TICKET_ADMIN on None
	2010-09-01 14:25:30,601 Trac[main] WARNING: 500 Trac Error  
(Authentication information not available. Please refer to the <a  
href="/trac/wiki/TracInstall#ConfiguringAuthentication"  
title="Configuring Authentication">installation documentation</a>.)
	2010-09-01 14:25:30,621 Trac[perm] DEBUG: No policy allowed  
anonymous performing EMAIL_VIEW on None
	2010-09-01 14:25:30,621 Trac[session] DEBUG: Retrieving session for  
ID '20e2cfb643bff0f9121fe615'
	2010-09-01 14:25:30,641 Trac[tande_filters] DEBUG:  
self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
	2010-09-01 14:25:30,642 Trac[ticket_webui] DEBUG: TicketWebUiAddon  
executing
	2010-09-01 14:25:30,774 Trac[main] DEBUG: 124 unreachable objects  
found.


My apache set-up is as follows.

        <VirtualHost example.com:8022>
            ServerName example.com
            ServerAlias example.com

            ProxyRequests Off
            <Proxy *>
              Order deny,allow
              Allow from all
            </Proxy>

            ProxyPreserveHost On
            RewriteEngine On
            RewriteCond %{HTTP:Authorization} ^(.*)
            RewriteRule ^/(.*) http://127.0.0.1:8002/$1 [P]
        </VirtualHost>

        <Location /trac/login>
           AuthType Basic
           AuthName "Trac"
           AuthBasicProvider ldap
           Order Allow,Deny
           Allow from All
           AuthLDAPURL "ldap://127.0.0.1:389/dc=example,dc=com?uid";
           #should be on if using groups
           AuthzLDAPAuthoritative off
           Require valid-user
           #Require ldap-group cn=tracusers,dc=example,dc=com
        </Location>
        
The server has a number of other in-development services running,  
hence the odd port number.

For testing I just start the Trac server with:

   bin/tracd --port 8202 parts/trac

Where am I going wrong? It feels as if the Apache config is as  
fault, as LDAP does seem to be working.

Is that the correct command to be starting the server with (htpasswd  
for example has it's own options)?

In the long run what's the best way to run the server? WSGI?

You cannot proxy HTTP auth like that. It is an internal thing within  
the web server. You either need to run the Trac on Apache, or let  
tracd do the authentication (via AccountManager+LDAPAuth).

--Noah

--
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to trac-us...@googlegroups.com.
To unsubscribe from this group, send email to 
trac-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en.