This sounds like more of an SVN question. I'm not familiar with the
settings and permissions for looking at multiple repositories through a
single Trac site. This page
(http://trac.edgewall.org/wiki/TracFineGrainedPermissions) looks like it
might be able to help you, but it's also something that I haven't looked at.
I'll try to help with why authentication isn't working, and share how I
implemented Trac with LDAP at work.
I think the logging for LDAP authentication should be enabled by default. I
have a server running Ubuntu 12.04 with an SVN repository, which places its
logs in /var/log/apache2/. RHEL-flavored distributions place the files in
/var/log/httpd/.
I get the following error when I try to log in with a user who doesn't
exist:
[Tue Dec 03 08:13:41 2013] [error] [client 10.10.11.6] user bob not found: /
I get the following for an intentional bad password:
[Tue Dec 03 08:16:49 2013] [error] [client 10.10.11.6] user myuser: authentication failure for "/": Password Mismatch
If a user authenticates, but isn't a member of the group, I get a 403 error:
[Tue Dec 03 08:18:07 2013] [error] [client 10.10.11.6] Access denied: 'someotheruser' GET /:/
On this server, I have the following virtual host defined for this
repository (Accessing an OpenLDAP server):
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName svn.home.local
    <Location />
        AuthName "Home SVN"
        AuthType Basic
        AuthBasicProvider ldap
        # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
        AuthUserFile /dev/null
        AuthLDAPBindDN 'uid=reader,ou=users,dc=home,dc=local'
        AuthLDAPBindPassword 'redacted'
        AuthLDAPURL ldap://1.2.3.4/dc=home,dc=local?uid
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        Require valid-user
        DAV svn
        SVNPath /srv/svn/repos/svn
        AuthzSVNAccessFile /srv/svn/access/svnauth.conf
    </Location>
</VirtualHost>
At work we have a repository for each Trac site, authenticating against
Active Directory. I ended up putting my group restriction in the LDAP
filter instead:
<Location "/trac/login">
    AuthName "AD Credentials"
    AuthType Basic
    AuthBasicProvider ldap
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
    # Using these credentials to bind
    AuthLDAPBindDN "CN=reader,OU=Service Accounts,DC=work,DC=local"
    AuthLDAPBindPassword 'redacted'
    AuthLDAPURL "ldap://4.3.2.1:3268/DC=work,DC=local?sAMAccountName,displayName,mail?sub?(memberOf%3A1.2.840.113556.1.4.1941%3A=CN=work-trac-access,OU=Groups,DC=work,DC=local)"
    Require valid-user
</Location>
Users who are not a member of the group, whether directly or nested, are
immediately looped back to the login prompt. Once a user is authenticated,
the next thing to do is access control. Our Trac is set not to give any
permissions within Trac to users just on account of being authenticated. To
grant users access within Trac, I have an external script that goes off the
output of `trac-admin /trac-env permission list`. It flushes all instances
of a permission or permission group (e.g. 'developer', 'tester', and
TRAC_ADMIN), and then makes sure that it has an updated version of the
groups gathered via LDAP. It bases these permissions off of various groups
who are members of the master "trac-access" group. I also used the same
method to generate the file used by the AuthzSVNAccessFile directive. For
Trac, a cleaner way (I can't vouch for easier) to manage permissions would
probably be to use the LDAP plugin to automatically draw permissions
instead of having a script go in manually.
The only change I made to trac.ini was to add the following so that new
users had their e-mail pulled out of AD:
[apacheuserinfo]
email_override = true
email_var = AUTHENTICATE_MAIL
name_override = true
name_var = AUTHENTICATE_DISPLAYNAME
On Monday, 2 December 2013 23:52:24 UTC-8, Stuart Cracraft wrote:
>
> This is a very good question.
>
> Can we enable any logging to provide the necessary data?
>
> On Dec 2, 2013, at 2:37 PM, Alan Deutscher <[email protected]> wrote:
>
> I'd like to confirm where you're having trouble.
>
> Are you able to successfully authenticate against LDAP with Trac, or are
> you having difficulty with access control after a user has authenticated?
>
> On Monday, 2 December 2013 13:16:45 UTC-8, Stuart Cracraft wrote:
>>
>>
>> Trouble with implementing LDAP groups with TRAC.
>>
>> Just doesn’t work for me so far.
>>
>> Here is my /etc/httpd/conf.d/trac.conf:
>>
>> ##LogLevel debug
>>
>>
>> Alias /trac/chrome/common /u01/trac/apache/htdocs/common
>> Alias /trac/chrome/site /u01/trac/apache/htdocs/site
>> <Directory "/u01/trac/apache/htdocs">
>> Order allow,deny
>> Allow from all
>> </Directory>
>> WSGIScriptAlias /trac /u01/trac/apache/cgi-bin/trac.wsgi
>> <Directory /u01/trac/apache/cgi-bin>
>> WSGIApplicationGroup %{GLOBAL}
>> Order deny,allow
>> Allow from all
>> </Directory>
>> <Location "/trac/login">
>> Order allow,deny
>> Allow from all
>> AuthType Basic
>> AuthName "trac"
>> AuthBasicProvider "ldap"
>> AuthLDAPURL "ldap://EXAMPLEIP/ou=SOMEOU,dc=examplecompany,dc=com?sAMAccountName?sub?(objectClass=user)"
>> AuthLDAPBindDN "EXAMPLEUSER"
>> AuthLDAPBindPassword "EXAMPLEPASSWORD"
>> AuthzLDAPAuthoritative off
>> Require valid-user
>> require ldap-group CN=SOMEOU,CN=Users,DC=examplecompany,DC=com
>> Require ldap-attribute memberOf="CN=SOMECN,CN=Users,DC=examplecompany,DC=com"
>> </Location>
>>
>>
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Trac Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/trac-users/MdFWRzxzVkQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/trac-users.
> For more options, visit https://groups.google.com/groups/opt_out.
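The reply above explains what the Apache error log shows for each LDAP login failure. The following is an added example (not code from the post) that classifies those three line formats so a reader can tell an authentication failure from an authorization failure; the sample lines are the three the reply quotes plus constructed repeats from a second client address.

```python
"""Classify mod_authnz_ldap errors from the Apache error log (added example,
not from the post). Recognises the three line formats the reply shows so an
authentication failure can be told from an authorization failure."""
import re
from collections import Counter

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
REASONS = [  # first match wins
    ("unknown_user", re.compile(r"^user (?P<user>\S+) not found: ")),
    ("bad_password", re.compile(r"^user (?P<user>[^:]+): authentication failure for .*: Password Mismatch$")),
    ("not_authorized", re.compile(r"^Access denied: '(?P<user>[^']+)' ")),
]

def classify(line):
    """Return {'ts','ip','user','reason'} for a recognised line, else None."""
    m = ENTRY.match(line.rstrip("\n"))
    if not m:
        return None
    for reason, pat in REASONS:
        hit = pat.match(m.group("msg"))
        if hit:
            return {"ts": m.group("ts"), "ip": m.group("ip"),
                    "user": hit.group("user"), "reason": reason}
    return None

def summarize(lines, bad_password_threshold=3):
    """Count events per (ip, reason) and list clients at or above the
    bad-password threshold. unknown_user / bad_password: LDAP rejected the
    login; not_authorized: the credentials were accepted and the
    authorization step (Require / AuthzSVNAccessFile) refused the request."""
    counts = Counter()
    for line in lines:
        ev = classify(line)
        if ev:
            counts[(ev["ip"], ev["reason"])] += 1
    noisy = sorted(ip for (ip, r), n in counts.items()
                   if r == "bad_password" and n >= bad_password_threshold)
    return counts, noisy

# The three lines the reply quotes, plus constructed repeats from a second client.
SAMPLE_LOG = [
    "[Tue Dec 03 08:13:41 2013] [error] [client 10.10.11.6] user bob not found: /",
    '[Tue Dec 03 08:16:49 2013] [error] [client 10.10.11.6] user myuser: authentication failure for "/": Password Mismatch',
    "[Tue Dec 03 08:18:07 2013] [error] [client 10.10.11.6] Access denied: 'someotheruser' GET /:/",
] + ['[Tue Dec 03 08:20:0%d 2013] [error] [client 10.10.11.9] user myuser: '
     'authentication failure for "/": Password Mismatch' % i for i in (1, 5, 9)]
```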
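The reply also describes an external script that rebuilds Trac permission groups from the output of `trac-admin /trac-env permission list` and LDAP group membership. The following is an added example of that approach, not the poster's script: the MANAGED map of LDAP groups to Trac groups is an assumption, the LDAP lookup result is passed in as a plain dict, and instead of flushing and re-adding every grant it computes the difference and only touches the managed groups.

```python
"""Sync Trac permission groups from LDAP membership (added example, not
the post's script). MANAGED is an assumed LDAP-group -> Trac-group map."""
import subprocess

TRAC_ENV = "/trac-env"  # environment path as written in the post
MANAGED = {"work-trac-dev": "developer", "work-trac-qa": "tester",
           "work-trac-admins": "TRAC_ADMIN"}  # assumed nested under trac-access
def parse_permission_list(output):
    """Parse `trac-admin ENV permission list` into {user: {actions}}, reading
    only the table between the dashed rule and the first blank line."""
    grants, in_table = {}, False
    for line in output.splitlines():
        if not in_table:
            in_table = line.startswith("---")
            continue
        if not line.strip():
            break  # 'Available actions:' block follows; those are not grants
        parts = line.split()
        if len(parts) == 2:
            grants.setdefault(parts[0], set()).add(parts[1])
    return grants

def plan_changes(current, ldap_members):
    """Return (removes, adds) as sorted (user, action) pairs. Only actions in
    MANAGED are touched, so hand-granted permissions survive the sync."""
    desired = {(u, act) for grp, act in MANAGED.items()
               for u in ldap_members.get(grp, ())}
    have = {(u, a) for u, acts in current.items() for a in acts
            if a in MANAGED.values()}
    return sorted(have - desired), sorted(desired - have)

def apply_changes(removes, adds, env=TRAC_ENV):
    """Drive trac-admin, removals first so a user moved between groups never
    briefly holds both grants."""
    for verb, pairs in (("remove", removes), ("add", adds)):
        for user, action in pairs:
            subprocess.run(["trac-admin", env, "permission", verb, user, action],
                           check=True)
# Constructed sample: trac-admin output plus an LDAP membership lookup result.
SAMPLE_PERMISSION_LIST = """User           Action
---------------------------
alice          developer
bob            tester
bob            TICKET_ADMIN
carol          TRAC_ADMIN

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, TRAC_ADMIN
"""
SAMPLE_LDAP_MEMBERS = {"work-trac-dev": ["alice", "dave"], "work-trac-admins": ["carol"]}
```

Run `apply_changes(*plan_changes(parse_permission_list(out), members))` with `out` captured from `trac-admin` and `members` from your LDAP query to perform the sync.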