Responding a bit late here....

I believe it is in fact authenticating correctly, because if an incorrect
username/password is entered, then the wiki / TRAC project screen does not
show up. Otherwise I would have deduced the same reasoning that it was not
authenticating.

The apache2 error logs confirm this as well:

[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28658] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi)), referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28658] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28659] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi)), referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28659] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28659] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28659] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/chrome/common/css/trac.css

In any case, I will debug this further to get it resolved. Authentication-wise
my solution is fine, but for history tracking, if the user does not
change the username/email box, then it would be impossible to track
revision changes by users.

Malek



On Wed, Apr 3, 2013 at 7:27 PM, Jason Miller <[email protected]> wrote:

> I am not entirely sure one even needs an LDAP plugin with Trac. But, there
> must be a reason... I only post, because we are using LDAP without a
> plugin, and not trying to steal a thread, this may help the op, or, some
> passerby:
>
>
>
> *Apache SSL site/enable/vhost/whatever config (different on just about
> every linux distro...):*
>
> # WSGI mysite Trac page here:
> WSGIScriptAlias /mysite /data/trac/mysite/htdocs/mysite_init.wsgi
> <Directory /data/trac/mysite/htdocs>
>   Options -Indexes
>   WSGIApplicationGroup %{GLOBAL}
>   Options FollowSymLinks
>   AllowOverride None
>   Order deny,allow
>   Allow from all
> </Directory>
> <Location '/moose/login'>
>   AuthType Basic
>   AuthName "Mysite Authentication"
>   AuthBasicProvider ldap
>   # The directive and its quoted URL must sit on one line, with nothing after the closing quote
>   AuthLDAPURL "ldap://ldapserveraddress/dc=somedomain,dc=somedomain,dc=com?uid"
>   AuthzLDAPAuthoritative off
>   require valid-user
>   Allow from all
> </Location>
>
>
>
> *Special Trac configuration changes:*
> Awesome... None!
> Although, we do use the built-in AuthzPolicy for added permission
> capabilities.
> And my apologies if I am entirely wrong. I am scanning through the
> trac.ini now, while tilting back a few Peldelton drinks... But I do not see
> anything standing out as LDAP under [components] or elsewhere.
>
>
> And just for kicks, because we host many different instances of Trac, and
> this may be useful info to some:
> */data/trac/mysite/htdocs/mysite_init.wsgi contents (referenced by the
> Apache config above):*
>
> import os
> os.environ['PYTHON_EGG_CACHE'] = '/data/trac/mysite/eggs'
>
> import trac.web.main
> def application(environ, start_response):
>   environ['trac.env_path'] = '/data/trac/mysite'
>   return trac.web.main.dispatch_request(environ, start_response)
>
>
> Hope this helps. Again, maybe not exactly what _you're_ aiming for in your
> organization. I would know. We're all different. But I post just in case it's
> useful.
>
> Jason Miller
>
>
>
>
> On Mon, Apr 1, 2013 at 4:06 PM, malek <[email protected]> wrote:
>
>> Hi,
>>
>> I have managed to get TRAC + APACHE + LDAP configured with our company's
>> internal ldap server for authenticating users,
>> but am having an issue where users authenticated via LDAP are logged in
>> as 'anonymous' users, instead of as TRAC_ADMIN.
>> I have the LDAPPlugin module installed, and setup in my trace.ini file,
>> and I even gave ldap users TRAC_ADMIN permissions via the trace-admin /env/
>> permission add ldapuser1 TRAC_ADMIN command.
>>
>> One hack I implemented was providing anonymous user with TRAC_ADMIN
>> permissions, and setting the login prompt before the actual page is loaded
>> (e.g. at '/trac' location instead of '/trac/login/'), and so it seems it
>> would be a permissible solution.
>>
>> I am using trac 1.0 (and most of the previous discussions I have come
>> across use version < 1.0, and since 1.0 has many of the plugins as part of
>> the package, this process should be simpler than having to deal with extra
>> packages right?
>>
>> Note I could not get the permission_store  = LdapPermissionStore to work
>> (not sure if this is required)
>> Here is my trace.ini file:
>>
>> [trac]
>> # remove 'No handler matched request error'
>> #default_handler = WikiHandler
>> auth_cookie_lifetime = 0
>> auth_cookie_path =
>> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>> authz_module_name =
>> auto_preview_timeout = 2.0
>> auto_reload = False
>> backup_dir = db
>> base_url =
>> check_auth_ip = false
>> database = sqlite:db/trac.db
>> debug_sql = False
>> default_charset = utf-8
>> default_dateinfo_format = relative
>> genshi_cache_size = 128
>> htdocs_location =
>> ignore_auth_case = false
>> jquery_location =
>> jquery_ui_location =
>> jquery_ui_theme_location =
>> mainnav = wiki, timeline, roadmap, browser, tickets, newticket, search
>> metanav = login, logout, prefs, help, about
>> mysqldump_path = mysqldump
>> never_obfuscate_mailto = false
>> # Original
>> #permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy
>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
>> permission_store = DefaultPermissionStore
>> #permission_store  = LdapPermissionStore
>> pg_dump_path = pg_dump
>> repository_dir =
>> repository_sync_per_request = (default)
>> repository_type = svn
>> resizable_textareas = true
>> secure_cookies = False
>> show_email_addresses = false
>> show_ip_addresses = false
>> timeout = 20
>> use_base_url_for_redirect = False
>>
>>
>> # Malek
>> [components]
>> talm_importer.importer.* = enabled
>> trac.web.auth.LoginModule = disabled
>> # Allow users to login via a HTML form instead of using HTTP authentication
>> acct_mgr.web_ui.loginmodule = disabled
>> acct_mgr.web_ui.registrationmodule = disabled
>> acct_mgr.web_ui.AccountModule = enabled
>> acct_mgr.notification.accountchangelistener = enabled # allow user to reset password
>>
>> *.webadmin = enabled
>> ticketdelete.* = enabled # allow user to delete tickets
>> ldapplugin.* = enabled
>> ldapplugin.api.ldappermissiongroupprovider = enabled
>> ldapplugin.api.ldappermissionstore = enabled
>> ldapauth.* = enabled
>> ldapauth.store.* = enabled
>> ldapplugin.api.* = enabled
>> acct_mgr.db.sessionstore = disabled
>> # Authz Permission Policy
>> tracopt.perm.authz_policy.* = enabled
>>
>>
>> [authz_policy]
>> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>>
>> [account-manager]
>> #; configure the plugin to use a page that is secured with http authentication
>> authentication_url = /authFile
>> password_store = HttpAuthStore
>> reset_password = true
>>
>> # Note that authFile need not exist. See the HttpAuthStore link above for examples where multiple Trac projects are hosted on a server.
>>
>> [mainnav]
>> importer.label = Import Tickets
>>
>>
>> [ldap]
>> basedn        = ou=People,dc=isi,dc=usc,dc=edu
>> #user_rdn      = cn=ExampleUserGroup,dc=example,dc=com
>> host          = ld.isi.edu
>> port          = 389
>> enable        = true
>> #bind_user     = mmusleh
>> #bind_password = 2Jup@C*6Y3
>> bind_passwd   = myverysecurepassword
>> bind_user     = cn=proxy,dc=isi,dc=usc,dc=edu
>> group_bind    = true
>> group_rdn     = ou=groups
>> groupmember   = memberUid
>> groupname     = posixGroup
>> groupmemberisdn = false
>> attempts      = 3 (LDAP connection attempts).
>> user_filter   = uid (for Active Directory put sAMAccountName)
>> #user_rdn      = ou=users
>> user_rdn       = ou=People
>> store_bind     = true
>> uidattr       = cn
>>
>>
>> Here is my authzpolicy.conf file:
>>
>> [wiki:WikiStart@*]
>> * = WIKI_VIEW
>>
>> [wiki:PrivatePage@*]
>> mmusleh = TRAC_ADMIN
>> * = !WIKI_VIEW
>>
>> mmusleh           TRAC_ADMIN
>> anonymous         !WIKI_VIEW
>> # anonymous has no WIKI_VIEW
>>
>> Any help or direction would be appreciated.
>>
>> Malek
>>
>>  --
>> You received this message because you are subscribed to the Google Groups
>> "Trac Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/trac-users?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>>
>
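
One way to read the mod_authnz_ldap debug lines quoted in the message above, as an added example that is not part of the original thread: it groups entries per request and reports the final outcome, so a "failed" compare followed by "successful" in the same request is counted as a grant. The sample is constructed from the first request in the log (unwrapped, referer dropped) plus one made-up denied request; `summarize` and the record fields are names chosen here.

```python
import re

# Constructed sample: request 28658 is taken from the log above (one entry per
# line, referer removed); request 28660 is made up in the same format to show
# a request that authenticates but is never authorised.
SAMPLE_LOG = """\
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28658] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi))
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28658] auth_ldap authenticate: accepting mmusleh
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation successful
[Mon Apr 08 11:46:02 2013] [debug] mod_authnz_ldap.c(403): [client 192.0.2.10] [28660] auth_ldap authenticate: using URL ldap://ldap.example.test/dc=example,dc=test?uid
[Mon Apr 08 11:46:02 2013] [debug] mod_authnz_ldap.c(518): [client 192.0.2.10] [28660] auth_ldap authenticate: accepting jdoe
[Mon Apr 08 11:46:02 2013] [debug] mod_authnz_ldap.c(699): [client 192.0.2.10] [28660] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
"""

# The bracketed number after the client field is the Apache child's process id.
ENTRY = re.compile(
    r"\[client (?P<client>[^\]]+)\] \[(?P<tag>\d+)\] "
    r"auth_ldap (?P<phase>authenticate|authorise): (?P<msg>.*)"
)


def summarize(log_text):
    """Return one record per request with the user and the final verdict."""
    records, current = [], {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m is None:
            continue
        tag, msg = m["tag"], m["msg"]
        # "using URL" is the first entry of a request; a child handles one at a time.
        if msg.startswith("using URL") or tag not in current:
            current[tag] = {"tag": tag, "client": m["client"], "user": None,
                            "failed_compares": 0, "verdict": "unauthenticated"}
            records.append(current[tag])
        rec = current[tag]
        if m["phase"] == "authenticate" and msg.startswith("accepting "):
            rec["user"] = msg.split()[1].rstrip(",")
            rec["verdict"] = "denied"  # authenticated, no successful authorisation yet
        elif m["phase"] == "authorise" and "authorisation failed" in msg:
            rec["failed_compares"] += 1  # one compare failed; later ones may still match
        elif m["phase"] == "authorise" and "authorisation successful" in msg:
            rec["verdict"] = "granted"
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["tag"], rec["client"], rec["user"], rec["verdict"])
```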