Please note: generally this list prefers not to top-post (unless the answer is 
trivial) as it makes it difficult to read in chronological order... I have 
re-ordered the posts below:

> > From:   "Doyal, Charles T CIV NSWCDD, K94" <[email protected]>
> > To:     <[email protected]>
> > Date:   02/06/2012 11:13 AM
> > Subject:        [Trac] Authenticating Trac users against MS 
> Windows domain controller
> > Sent by:        [email protected]
> >
> >
> > I am a brand-new Trac user and had a sys-admin install Trac 
> 0.12 about two weeks ago using Easy-Install for a MS Windows 
> environment.  The install was uneventful and I have been 
> creating users and tickets to get a feel for Trac and using 
> htpasswd.  I have set up two projects with 1 Trac install.  
> Users will run Trac via a local internet.
> >
> > I am unsuccessfully trying to authenticate Trac users via 
> the information at 
> http://trac.edgewall.org/wili/TracOnWindows/Advanced 
> <http://trac.edgewall.org/wili/TracOnWindows/Advanced>  about 
> 'Authenticating Trac users against MS Windows domain 
> controller'.  I suspect either I did not place the plug-in in 
> the right location or improperly, or I did not modify the 
> files sufficiently for my install.
> >
> > The error I am getting is ...
> > "The Apache service named  reported the following error:  
> >>> Invalid command 'SSPIAuth', perhaps misspelled or defined 
> by a module not included in the server configuration     ."
> >
> > I downloaded the module indicated by the 'here' link.  I 
> then unzipped the file mod_auth_sspi-1.0.4 and copied the 
> entire directory structure to c:\Program Files\BitNami Trac 
> Stack\apache2\modules\mod_auth_sspi-1.0.4.
> >
> > I also modified the information for httpd.conf first by 
> what was in the downloaded file, then by what is included in 
> the wiki information indicated above.
> >
> > The new httpd.conf information, which I placed at the end 
> of the file is...
> > <LocationMatch /http://vms5/trac/[^/]+/login>
> >  AuthName "A Protected Place"
> >  AuthType SSPI
> >  SSPIAuth On
> >  SSPIAuthoritative On
> >  SSPIDomain SOI.DAHLGREN.LOCAL
> >  Require valid-user
> > </LocationMatch>
> >
> > Could you please provide additional information regarding 
> this issue?  I would also like this 'password pass-through' 
> to work for subversion also.
> >
> > Respectfully,
> >
> > Charles
> >
> > ________________________________
> >
> > From: [email protected] on behalf of Joseph P Villa
> > Sent: Mon 2/6/2012 12:41 PM
> > To: [email protected]
> > Subject: Re: [Trac] Authenticating Trac users against MS 
> Windows domain controller
> >
> >
> > Hi Charles,
> >
> > I've found it works when I don't use the Trac plugin and 
> instead use the Apache for the LDAP authentication against 
> AD. I've been authenticating against Microsoft AD for the 
> last month or so. You also want to make sure you
> > have a dummy account to initiate the connection between 
> your LDAP server and the Apache server where users log in and 
> need LDAP Authentication..
> >
> > This is something like what I have for LDAP Authentication.
> >
> > <LocationMatch "^(/TracInstance)?/TracInstance/login">
> >    AuthType Basic
> >    AuthName "Secret login area"
> >    AuthBasicProvider ldap
> >    AuthzLDAPAuthoritative off
> >    AuthLDAPURL "ldaps://someADServer.ad.net/DC=,DC=,DC=?sAMAccountName"
> >    AuthLDAPBindDN SomeAccountSomewhereToTalkToLDAP
> >    AuthLDAPBindPassword ************
> >    Require valid-user
> > </LocationMatch>
> >
> > Make sure you fill out the DC= portions respectively.. I 
> think you can just have this be your Domain somewhere.
> >
> > Does this help?
> >
> > Thanks,
> > Joe
> >
> On Mon, Feb 6, 2012 at 10:48 PM, Doyal, Charles T CIV NSWCDD, K94
> <[email protected]> wrote:
> > Thank you for your reply Joseph.  I am getting an error on the line
> > <LocationMatch "^(/TracInstance)?/TracInstance/login">.
> >
> > The Apache service named reported the following error: >>> 
> Unknown Authn provider: ldap
> >
> > Should that line be altered to something else?  If so, could 
> you provide an example?
> >
> > Thank you,
> >
> > Charles
> >
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of victoria
> Sent: 07 February 2012 08:58
> To: [email protected]
> Subject: Re: [Trac] Authenticating Trac users against MS 
> Windows domain controller
> 
> Hi,
> 
> Sorry if this is too basic or if you already checked it. Did you load
> the modules in the httpd.conf file?
> 
> LoadModule sspi_auth_module "c:\Program Files\BitNami Trac Stack\apache2\modules\mod_auth_sspi-1.0.4\bin\mod_auth_sspi.so"
> 
> Also the line "#LoadModule ldap_module modules/mod_ldap.so" should be
> uncommented:
> 
> LoadModule ldap_module modules/mod_ldap.so
> 
> You can check if the modules have been loaded correctly executing in a
> command prompt:
> 
> "c:\Program Files\BitNami Trac Stack\apache2\bin\httpd.exe" -M -f "c:\Program Files\BitNami Trac Stack\apache2\conf\httpd.conf"
> 
> Best regards,
> 
> Victoria.

As Victoria mentions, you need to look into your apache configuration settings. 
It takes a little while but it is well worth reading up on authentication and 
authorisation on the apache httpd pages:

http://httpd.apache.org/docs/2.2/howto/auth.html

You are currently trying to use the SSPI module for windows which, although the 
simplest option, has AFAIK no active maintainer and is increasingly out of date.

Joe is suggesting the official LDAP module which is more complicated but 
probably better in the long run for Active Directory.  However it can be a bit 
of a bugger to get going.  I found the hardest part was figuring out what the 
credentials should be for the "AuthLDAPURL" and "AuthLDAPBindDN" (Active 
Directory requires an authenticated user to allow a search), I had to search 
for a tool to tell me what my credentials were and in the end used the free 
version of PowerGUI from http://powergui.org/ and that was a big help.

Also, if you want to cover both subversion and trac, make sure that the 
AuthName directive in both configurations uses exactly the same text (check out 
the docs: http://httpd.apache.org/docs/2.2/mod/core.html#authname)

Finally, as Victoria mentioned, you need several modules enabled, read the docs 
for each directive to make sure you have the right modules enabled.

Alternatively, use a distribution such as the BitNami stack that has most of 
this pre-integrated for you (at the expense of the learning you get from 
sorting it all out yourself).

Hope that helps,

~ mark c

P.S. here is a sanitised version of my settings to protect the whole of my 
trac/svn server virtual host:

<Location />
    Order allow,deny
    Allow from all

    # The name of the protected area or "realm"
    AuthName "My Trac/svn server"
    # Do basic password authentication in the clear NB: !! use https !!
    AuthType Basic
    # Make LDAP the authentication mechanism
    AuthBasicProvider ldap
    # Make LDAP authentication final
    AuthzLDAPAuthoritative on

    # The LDAP query URL ~ upgrading to a secure connection once connected...
    # using port 3268 searches the global catalogue, not just the local domain
    AuthLDAPURL "ldap://<servername>:3268/DC=<sub>,DC=<domain>,DC=<com>?sAMAccountName,mail?sub?(objectClass=*)" TLS

    # Active Directory requires an authenticating DN to access records
    # for our server we can use an email address to login so...
    AuthLDAPBindDN "[email protected]"

    # This is the password for the AuthLDAPBindDN user in Active Directory
    # NB: stored in plain text so create a special account and protect this file!
    AuthLDAPBindPassword <password>

    # Require a valid user (uses: mod_authz_user.so)
    #Require valid-user

    # Require specific LDAP membership (uses: mod_authnz_ldap.so)
    Require ldap-group <complicated LDAP stuff with lots of CN=,OU=,OU=,DC=<sub>,DC=<domain>,DC=<com>>

    # Require specific LDAP user(s) (uses: mod_authnz_ldap.so)
    Require ldap-user <username>

</Location>

If you do not have an SSL certificate for your server (are you using https:// 
?)  be aware that your users' passwords are (probably) being transmitted across 
your network in plain text...

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en.
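
A small linter for the failure modes raised in this thread (an auth directive whose module is not loaded, LDAP over plain ldap:// without a TLS mode, and AuthName realms that differ between the Trac and Subversion blocks). It is an added example, not code from any poster or from the Apache or Trac projects; the sample configuration, host name and finding strings are constructed, and the module identifiers are the Apache 2.2 ones.

```python
import re

# Auth directive -> LoadModule identifiers it depends on (Apache 2.2 names).
LDAP = ["ldap_module", "authnz_ldap_module"]
NEEDS = {"sspiauth": ["sspi_auth_module"], "authldapurl": LDAP,
         "authbasicprovider ldap": LDAP}

def audit(conf):
    """Lint httpd.conf text and return a sorted list of findings."""
    loaded, needed, realms, out, block = set(), set(), {}, set(), None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadModule loads nothing
        if line.startswith("<"):  # track which container we are inside
            block = None if line.startswith("</") else line.strip("<>").split(None, 1)[-1]
            continue
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        name, args = words[0].lower(), words[1:]
        if name == "loadmodule" and args:
            loaded.add(args[0])
        elif name == "authname" and args:
            realms[block] = args[0]
        elif name == "authbasicprovider" and "ldap" in args:
            name = "authbasicprovider ldap"
        elif name == "authldapurl" and args and args[0].startswith("ldap://"):
            # ldap:// is clear text unless a TLS mode keyword follows the URL
            if not {"SSL", "TLS", "STARTTLS"} & {a.upper() for a in args[1:]}:
                out.add("clear-text LDAP in " + str(block))
        needed.update(NEEDS.get(name, []))
    out.update("module not loaded: " + m for m in needed - loaded)
    if len(set(realms.values())) > 1:
        out.add("AuthName differs: " + repr(sorted(realms.values())))
    return sorted(out)

# Constructed sample; host and DN values are placeholders.
SAMPLE = """
LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<Location /trac>
    AuthName "My Trac/svn server"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc.example.test:3268/DC=example,DC=test?sAMAccountName"
</Location>
<Location /svn>
    AuthName "My svn server"
</Location>
"""
```

Calling `audit(SAMPLE)` reports the missing `authnz_ldap_module` (the module that registers the `ldap` provider), the clear-text LDAP URL in `/trac`, and the mismatched realms.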