This debug output might be a little clearer in illustrating authentication
success/failure:

(Successful login -- correct username/password)

[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28660] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi)), referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28660] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28660] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi))
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28660] auth_ldap authenticate: accepting mmusleh
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation successful

Failure (incorrect password)

[Mon Apr 08 12:16:46 2013] [debug] mod_deflate.c(615): [client 65.114.169.4] Zlib: Compressed 7471 to 2683 : URL /
[Mon Apr 08 12:16:58 2013] [debug] mod_deflate.c(615): [client 65.114.169.4] Zlib: Compressed 482 to 328 : URL /trac/
[Mon Apr 08 12:17:07 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28658] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi))
[Mon Apr 08 12:17:07 2013] [info] [client 65.114.169.4] [28658] auth_ldap authenticate: user mmusleh authentication failed; URI /trac/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Apr 08 12:17:07 2013] [error] [client 65.114.169.4] user mmusleh: authentication failure for "/trac/": Password Mismatch
[Mon Apr 08 12:17:07 2013] [debug] mod_deflate.c(615): [client 65.114.169.4] Zlib: Compressed 482 to 328 : URL /trac/
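As an added example that is not part of this thread, the Python script below turns error_log records like the ones above into events and summarises them the way a defender reading this log would: per client and user it counts accepted logins and failed binds, it reports the final authorise verdict per trace (in the successful trace above the "authorisation failed [Comparison false (cached)]" line inside [28660] is followed by "authorisation successful", so only the last authorise line of a trace decides), and it flags a burst of failed binds from one client against one account, which is the signal to alert on if someone is guessing at a password. The sample lines are constructed from the output above (one record per line, as the real error_log writes them), the bracketed number after the client is assumed to identify the handling process, and the burst threshold and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the mod_authnz_ldap / mod_deflate lines in the
# thread (one record per line; the mail client wrapped them, error_log does not).
SAMPLE_LOG = """\
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28660] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False]
[Mon Apr 08 12:16:00 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28660] auth_ldap authorise: require user: authorisation successful
[Mon Apr 08 12:16:46 2013] [debug] mod_deflate.c(615): [client 65.114.169.4] Zlib: Compressed 7471 to 2683 : URL /
[Mon Apr 08 12:17:07 2013] [info] [client 65.114.169.4] [28658] auth_ldap authenticate: user mmusleh authentication failed; URI /trac/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Apr 08 12:17:07 2013] [error] [client 65.114.169.4] user mmusleh: authentication failure for "/trac/": Password Mismatch
[Mon Apr 08 12:17:09 2013] [info] [client 65.114.169.4] [28658] auth_ldap authenticate: user mmusleh authentication failed; URI /trac/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Apr 08 12:17:12 2013] [info] [client 65.114.169.4] [28658] auth_ldap authenticate: user mmusleh authentication failed; URI /trac/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Mon Apr 08 12:17:30 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28661] auth_ldap authenticate: accepting mmusleh
"""

# Common prefix: timestamp, level, optional "file.c(line): " (debug lines only), client.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:[\w.]+\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*)$"
)
RID_RE = re.compile(r"^\[(?P<rid>\d+)\] ")  # assumed: id of the handling process
ACCEPT_RE = re.compile(r"auth_ldap authenticate: accepting (?P<user>[^,\s]+)")
BIND_FAIL_RE = re.compile(
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<what>[^\]]*)\]\[(?P<reason>[^\]]*)\]"
)
CORE_FAIL_RE = re.compile(
    r'^user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": (?P<reason>.*)$'
)
AUTHZ_RE = re.compile(r"authorise: require user: authorisation (?P<verdict>successful|failed)")


def parse_line(line):
    """Turn one error_log record into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    rid = RID_RE.match(msg)
    event = {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "client": m.group("client"),
        "rid": rid.group("rid") if rid else None,
    }
    if a := ACCEPT_RE.search(msg):
        return {**event, "kind": "accept", "user": a.group("user")}
    if b := BIND_FAIL_RE.search(msg):
        return {**event, "kind": "bind_failed", "user": b.group("user"),
                "uri": b.group("uri"), "reason": b.group("reason")}
    if c := CORE_FAIL_RE.match(msg):
        # Apache's core reports the same attempt once more at [error] level; it is
        # kept as its own kind so the attempt is not counted as two failed binds.
        return {**event, "kind": "core_failure", "user": c.group("user"),
                "uri": c.group("uri"), "reason": c.group("reason")}
    if z := AUTHZ_RE.search(msg):
        return {**event, "kind": "authz", "verdict": z.group("verdict")}
    return None  # mod_deflate and other noise


def parse_events(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def last_authz_verdict(events):
    """Final authorise verdict per (client, process id): the last line of a trace decides."""
    verdict = {}
    for e in events:
        if e["kind"] == "authz":
            verdict[(e["client"], e["rid"])] = e["verdict"]
    return verdict


def outcome_counts(events):
    """Accepted logins and failed binds per (client, user, kind)."""
    counts = Counter()
    for e in events:
        if e["kind"] in ("accept", "bind_failed"):
            counts[(e["client"], e["user"], e["kind"])] += 1
    return counts


def failed_bind_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(client, user) pairs with at least `threshold` failed binds inside one `window`."""
    stamps = defaultdict(list)
    for e in events:
        if e["kind"] == "bind_failed":
            stamps[(e["client"], e["user"])].append(e["ts"])
    bursts = {}
    for key, ts in stamps.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in sorted(outcome_counts(evs).items()):
        print(key, n)
    print("bursts:", failed_bind_bursts(evs))
    print("verdicts:", last_authz_verdict(evs))
```

Run it against a real error_log by replacing SAMPLE_LOG with the file contents; LogLevel debug is needed for the accept and authorise lines, while the failed-bind lines are logged at info and error and so survive at the default level.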



On Mon, Apr 8, 2013 at 3:13 PM, Malek Musleh <[email protected]> wrote:

> Responding a bit late here....
>
> I believe it is in fact authenticating correctly, because if an incorrect
> username/password is entered, then the wiki / TRAC project screen does not
> show up. Otherwise I would have deduced the same reasoning that it was not
> authenticating.
>
> The apache2 error logs confirm this as well:
>
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28658] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi)), referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28658] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28658] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/wiki/WikiStart?action=edit
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(403): [client 65.114.169.4] [28659] auth_ldap authenticate: using URL ldap://ld.isi.edu:389/dc=isi,dc=usc,dc=edu??sub?(|(uid=mmusleh)(uid=mkkang)(uid=crago)(uid=cperi)), referer: http://128.9.144.231/trac/chrome/common/css/trac.css
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(518): [client 65.114.169.4] [28659] auth_ldap authenticate: accepting mmusleh, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(699): [client 65.114.169.4] [28659] auth_ldap authorise: require user: authorisation failed [Comparison false (cached)][Compare False], referer: http://128.9.144.231/trac/chrome/common/css/trac.css
> [Mon Apr 08 11:45:49 2013] [debug] mod_authnz_ldap.c(713): [client 65.114.169.4] [28659] auth_ldap authorise: require user: authorisation successful, referer: http://128.9.144.231/trac/chrome/common/css/trac.css
>
> In any case, I will debug this further to get it resolved. Authentication
> wise my solution is fine, but for history tracking, if the user does not
> change the username/email box, then it would be impossible to track
> revision changes by users.
>
> Malek
>
>
>
> On Wed, Apr 3, 2013 at 7:27 PM, Jason Miller <[email protected]> wrote:
>
>> I am not entirely sure one even needs an LDAP plugin with Trac. But,
>> there must be a reason... I only post because we are using LDAP without a
>> plugin, and not trying to steal a thread; this may help the OP, or some
>> passerby:
>>
>>
>>
>> *Apache SSL site/enable/vhost/whatever config (different on just about
>> every linux distro...):*
>>
>> # WSGI mysite Trac page here:
>> WSGIScriptAlias /mysite /data/trac/mysite/htdocs/mysite_init.wsgi
>> <Directory /data/trac/mysite/htdocs>
>>     Options -Indexes
>>     WSGIApplicationGroup %{GLOBAL}
>>     Options FollowSymLinks
>>     AllowOverride None
>>     Order deny,allow
>>     Allow from all
>> </Directory>
>> <Location '/moose/login'>
>>     AuthType Basic
>>     AuthName "Mysite Authentication"
>>     AuthBasicProvider ldap
>>     AuthLDAPURL "ldap://ldapserveraddress/dc=somedomain,dc=somedomain,dc=com?uid"
>>     AuthzLDAPAuthoritative off
>>     require valid-user
>>     Allow from all
>> </Location>
>>
>>
>>
>> *Special Trac configuration changes:*
>> Awesome... None!
>> Although, we do use the built-in AuthzPolicy for added permission
>> capabilities.
>> And my apologies if I am entirely wrong. I am scanning through the
>> trac.ini now, while tilting back a few Peldelton drinks... But I do not see
>> anything standing out as LDAP under [components] or elsewhere.
>>
>>
>> And just for kicks, because we host many different instances of Trac, and
>> this may be useful info to some:
>> */data/trac/mysite/htdocs/mysite_init.wsgi contents (referenced by the
>> Apache config above):*
>>
>> import os
>> os.environ['PYTHON_EGG_CACHE'] = '/data/trac/mysite/eggs'
>>
>> import trac.web.main
>> def application(environ, start_response):
>>   environ['trac.env_path'] = '/data/trac/mysite'
>>   return trac.web.main.dispatch_request(environ, start_response)
>>
>>
>> Hope this helps. Again, maybe not exactly what _you're_ aiming for in your
>> organization. I would know. We're all different. But I post just in case it's
>> useful.
>>
>> Jason Miller
>>
>>
>>
>>
>> On Mon, Apr 1, 2013 at 4:06 PM, malek <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have managed to get TRAC + APACHE + LDAP configured with our company's
>>> internal ldap server for authenticating users,
>>> but am having an issue where users authenticated via LDAP are logged in
>>> as 'anonymous' users, instead of as TRAC_ADMIN.
>>> I have the LDAPPlugin module installed, and set up in my trac.ini file,
>>> and I even gave ldap users TRAC_ADMIN permissions via the trac-admin /env/
>>> permission add ldapuser1 TRAC_ADMIN command.
>>>
>>> One hack I implemented was providing anonymous user with TRAC_ADMIN
>>> permissions, and setting the login prompt before the actual page is loaded
>>> (e.g. at '/trac' location instead of '/trac/login/'), and so it seems it
>>> would be a permissible solution.
>>>
>>> I am using trac 1.0 (and most of the previous discussions I have come
>>> across use version < 1.0), and since 1.0 has many of the plugins as part of
>>> the package, this process should be simpler than having to deal with extra
>>> packages, right?
>>>
>>> Note I could not get the permission_store  = LdapPermissionStore to work
>>> (not sure if this is required)
>>> Here is my trac.ini file:
>>>
>>> [trac]
>>> # remove 'No handler matched request error'
>>> #default_handler = WikiHandler
>>> auth_cookie_lifetime = 0
>>> auth_cookie_path =
>>> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>>> authz_module_name =
>>> auto_preview_timeout = 2.0
>>> auto_reload = False
>>> backup_dir = db
>>> base_url =
>>> check_auth_ip = false
>>> database = sqlite:db/trac.db
>>> debug_sql = False
>>> default_charset = utf-8
>>> default_dateinfo_format = relative
>>> genshi_cache_size = 128
>>> htdocs_location =
>>> ignore_auth_case = false
>>> jquery_location =
>>> jquery_ui_location =
>>> jquery_ui_theme_location =
>>> mainnav = wiki, timeline, roadmap, browser, tickets, newticket, search
>>> metanav = login, logout, prefs, help, about
>>> mysqldump_path = mysqldump
>>> never_obfuscate_mailto = false
>>> # Original
>>> #permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy
>>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
>>> permission_store = DefaultPermissionStore
>>> #permission_store  = LdapPermissionStore
>>> pg_dump_path = pg_dump
>>> repository_dir =
>>> repository_sync_per_request = (default)
>>> repository_type = svn
>>> resizable_textareas = true
>>> secure_cookies = False
>>> show_email_addresses = false
>>> show_ip_addresses = false
>>> timeout = 20
>>> use_base_url_for_redirect = False
>>>
>>>
>>> # Malek
>>> [components]
>>> talm_importer.importer.* = enabled
>>> trac.web.auth.LoginModule = disabled
>>> # Allow users to login via a HTML form instead of using HTTP authentication
>>> acct_mgr.web_ui.loginmodule = disabled
>>> acct_mgr.web_ui.registrationmodule = disabled
>>> acct_mgr.web_ui.AccountModule = enabled
>>> # allow user to reset password
>>> acct_mgr.notification.accountchangelistener = enabled
>>>
>>> *.webadmin = enabled
>>> # allow user to delete tickets
>>> ticketdelete.* = enabled
>>> ldapplugin.* = enabled
>>> ldapplugin.api.ldappermissiongroupprovider = enabled
>>> ldapplugin.api.ldappermissionstore = enabled
>>> ldapauth.* = enabled
>>> ldapauth.store.* = enabled
>>> ldapplugin.api.* = enabled
>>> acct_mgr.db.sessionstore = disabled
>>> # Authz Permission Policy
>>> tracopt.perm.authz_policy.* = enabled
>>>
>>>
>>> [authz_policy]
>>> authz_file = /home/crago/trac/testproj/conf/authzpolicy.conf
>>>
>>> [account-manager]
>>> # configure the plugin to use a page that is secured with http authentication
>>> authentication_url = /authFile
>>> password_store = HttpAuthStore
>>> reset_password = true
>>>
>>> # Note that authFile need not exist. See the HttpAuthStore link above
>>> # for examples where multiple Trac projects are hosted on a server.
>>>
>>> [mainnav]
>>> importer.label = Import Tickets
>>>
>>>
>>> [ldap]
>>> basedn        = ou=People,dc=isi,dc=usc,dc=edu
>>> #user_rdn      = cn=ExampleUserGroup,dc=example,dc=com
>>> host          = ld.isi.edu
>>> port          = 389
>>> enable        = true
>>> #bind_user     = mmusleh
>>> #bind_password = 2Jup@C*6Y3
>>> bind_passwd   = myverysecurepassword
>>> bind_user     = cn=proxy,dc=isi,dc=usc,dc=edu
>>> group_bind    = true
>>> group_rdn     = ou=groups
>>> groupmember   = memberUid
>>> groupname     = posixGroup
>>> groupmemberisdn = false
>>> # LDAP connection attempts
>>> attempts      = 3
>>> # for Active Directory put sAMAccountName
>>> user_filter   = uid
>>> #user_rdn      = ou=users
>>> user_rdn       = ou=People
>>> store_bind     = true
>>> uidattr       = cn
>>>
>>>
>>> Here is my authzpolicy.conf file:
>>>
>>> [wiki:WikiStart@*]
>>> * = WIKI_VIEW
>>>
>>> [wiki:PrivatePage@*]
>>> mmusleh = TRAC_ADMIN
>>> * = !WIKI_VIEW
>>>
>>> mmusleh           TRAC_ADMIN
>>> anonymous         !WIKI_VIEW
>>> # anonymous has no WIKI_VIEW
>>>
>>> Any help or direction would be appreciated.
>>>
>>> Malek
>>>
>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "Trac Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at http://groups.google.com/group/trac-users?hl=en.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>>
>>>
>>
>>
>>
>>
>
>
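Jason's setup above relies on Apache performing the LDAP bind and Trac taking the resulting identity from REMOTE_USER, which the web server sets on the request. As an added example that is neither Jason's nor Trac's own code, the WSGI wrapper below sits in front of a Trac-style application, mirrors the trac.env_path hand-off from the .wsgi file, and fails closed with 401 when the login path is reached without a REMOTE_USER, i.e. when the web server's auth layer did not run for that URL (for instance because the protected <Location> does not match the path under the WSGIScriptAlias), instead of handing the application a login request that carries no identity. The login path, the environment path and the small echo application standing in for Trac are assumptions.

```python
LOGIN_PATH = "/login"  # assumption: the path the web server protects with LDAP Basic auth


class RequireServerAuthOnLogin:
    """Fail closed on the login path when the web server did not authenticate.

    The application learns who the user is only from REMOTE_USER, which the
    web server sets after a successful LDAP bind.  A login request that
    arrives without it means the auth layer never ran for this URL, so the
    wrapper answers 401 itself rather than passing the request through.
    """

    def __init__(self, app, login_path=LOGIN_PATH, env_path=None):
        self.app = app
        self.login_path = login_path
        self.env_path = env_path  # same hand-off as environ['trac.env_path'] in the .wsgi

    def __call__(self, environ, start_response):
        if self.env_path:
            environ["trac.env_path"] = self.env_path
        # PATH_INFO is the part after the WSGIScriptAlias mount point.
        if environ.get("PATH_INFO", "") == self.login_path and not environ.get("REMOTE_USER"):
            start_response("401 Unauthorized", [
                ("Content-Type", "text/plain"),
                ("WWW-Authenticate", 'Basic realm="Trac"'),
            ])
            return [b"login URL reached without web-server authentication\n"]
        return self.app(environ, start_response)


def echo_user_app(environ, start_response):
    """Constructed stand-in for Trac: reports the identity and env path it was handed."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    user = environ.get("REMOTE_USER") or "anonymous"
    return [f"{user} @ {environ.get('trac.env_path')}\n".encode()]


def call(app, path, remote_user=None):
    """Drive a WSGI app with a minimal environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user  # what Apache sets after the LDAP bind
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


# Assumed env path; in the .wsgi above this is /data/trac/mysite.
application = RequireServerAuthOnLogin(echo_user_app, env_path="/data/trac/mysite")

if __name__ == "__main__":
    print(call(application, "/login", "mmusleh"))
    print(call(application, "/login"))
    print(call(application, "/wiki/WikiStart"))
```

Pages other than the login path still pass through without an identity, because Trac itself decides what anonymous may see there; the wrapper only refuses to let a login happen without the web server having vouched for the user.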


