> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Alan Deutscher
> Sent: 03 December 2013 17:09
>
> This sounds like more of an SVN question. I'm not familiar
> with the settings and permissions for looking at multiple
> repositories through a single Trac site. This page
> (http://trac.edgewall.org/wiki/TracFineGrainedPermissions)
> looks like it might be able to help you, but it's also
> something that I haven't looked at. I'll try to help with why
> authentication isn't working, and share how I implemented
> Trac with LDAP at work.
>
> I think the logging for LDAP authentication should be enabled
> by default. I have a server running Ubuntu 12.04 with an SVN
> repository, which places its logs in /var/log/apache2/.
> RHEL-flavored distributions place the files in /var/log/httpd/.
>
> I get the following error when I try to log in with a user
> who doesn't exist:
>
>   [Tue Dec 03 08:13:41 2013] [error] [client 10.10.11.6] user bob not found: /
>
> I get the following for an intentional bad password:
>
>   [Tue Dec 03 08:16:49 2013] [error] [client 10.10.11.6] user myuser: authentication failure for "/": Password Mismatch
>
> If a user authenticates, but isn't a member of the group, I
> get a 403 error:
>
>   [Tue Dec 03 08:18:07 2013] [error] [client 10.10.11.6] Access denied: 'someotheruser' GET /:/
>
> On this server, I have the following virtual host defined for
> this repository (accessing an OpenLDAP server):
>
>   <VirtualHost *:80>
>     ServerAdmin webmaster@localhost
>
>     ServerName svn.home.local
>
>     <Location />
>       AuthName "Home SVN"
>       AuthType Basic
>       AuthBasicProvider ldap
>       # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
>       AuthUserFile /dev/null
>
>       AuthLDAPBindDN 'uid=reader,ou=users,dc=home,dc=local'
>       AuthLDAPBindPassword 'redacted'
>       AuthLDAPURL ldap://1.2.3.4/dc=home,dc=local?uid
>
>       AuthLDAPGroupAttribute memberUid
>       AuthLDAPGroupAttributeIsDN off
>       Require valid-user
>
>       DAV svn
>       SVNPath /srv/svn/repos/svn
>       AuthzSVNAccessFile /srv/svn/access/svnauth.conf
>     </Location>
>   </VirtualHost>
>
> At work we have a repository for each Trac site,
> authenticating against Active Directory. I ended up putting
> my group restriction in the LDAP filter instead:
>
>   <Location "/trac/login">
>     AuthName "AD Credentials"
>     AuthType Basic
>     AuthBasicProvider ldap
>     # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
>     AuthUserFile /dev/null
>
>     # Using these credentials to bind
>     AuthLDAPBindDN "CN=reader,OU=Service Accounts,DC=work,DC=local"
>     AuthLDAPBindPassword 'redacted'
>
>     AuthLDAPURL "ldap://4.3.2.1:3268/DC=work,DC=local?sAMAccountName,displayName,mail?sub?(memberOf%3A1.2.840.113556.1.4.1941%3A=CN=work-trac-access,OU=Groups,DC=work,DC=local)"
>     Require valid-user
>   </Location>
>
> Users who are not a member of the group, whether directly or
> nested, are immediately looped back to the login prompt. Once
> a user is authenticated, the next thing to do is access
> control. Our Trac is set not to give any permissions within
> Trac to users just on account of being authenticated. To
> grant users access within Trac, I have an external script
> that goes off the output of `trac-admin /trac-env permission
> list`. It flushes all instances of a permission or permission
> group (e.g. 'developer', 'tester', and TRAC_ADMIN), and then
> makes sure that it has an updated version of the groups
> gathered via LDAP. It bases these permissions off of various
> groups who are members of the master "trac-access" group. I
> also used the same method to generate the file used by the
> AuthzSVNAccessFile directive. For Trac, a cleaner way (I
> can't vouch for easier) to manage permissions would probably
> be to use the LDAP plugin to automatically draw permissions
> instead of having a script go in manually.
>
> The only change I made to trac.ini was to add the following
> so that new users had their e-mail pulled out of AD:
>
>   [apacheuserinfo]
>   email_override = true
>   email_var = AUTHENTICATE_MAIL
>   name_override = true
>   name_var = AUTHENTICATE_DISPLAYNAME
...just a note that [apacheuserinfo] is not standard Trac but from the ApacheUserInfo hack:
http://trac-hacks.org/wiki/ApacheUserInfoPlugin

Thanks for including this, I had not found it before!

~ mark c

> On Monday, 2 December 2013 23:52:24 UTC-8, Stuart Cracraft wrote:
>
> This is a very good question.
>
> Can we enable any logging to provide the necessary data?
>
> On Dec 2, 2013, at 2:37 PM, Alan Deutscher <[email protected]> wrote:
>
> I'd like to confirm where you're having trouble.
> Are you able to successfully authenticate against LDAP with Trac, or
> are you having difficulty with access control after a user has
> authenticated?
>
> On Monday, 2 December 2013 13:16:45 UTC-8, Stuart Cracraft wrote:
>
> Trouble with implementing LDAP groups with TRAC.
> Just doesn't work for me so far.
> Here is my /etc/httpd/conf.d/trac.conf:
>
>   ##LogLevel debug
>
>   Alias /trac/chrome/common /u01/trac/apache/htdocs/common
>   Alias /trac/chrome/site /u01/trac/apache/htdocs/site
>   <Directory "/u01/trac/apache/htdocs">
>     Order allow,deny
>     Allow from all
>   </Directory>
>   WSGIScriptAlias /trac /u01/trac/apache/cgi-bin/trac.wsgi
>   <Directory /u01/trac/apache/cgi-bin>
>     WSGIApplicationGroup %{GLOBAL}
>     Order deny,allow
>     Allow from all
>   </Directory>
>   <Location "/trac/login">
>     Order allow,deny
>     Allow from all
>     AuthType Basic
>     AuthName "trac"
>     AuthBasicProvider "ldap"
>     AuthLDAPURL "ldap://EXAMPLEIP/ou=SOMEOU,dc=examplecompany,dc=com?sAMAccountName?sub?(objectClass=user)"
>     AuthLDAPBindDN "EXAMPLEUSER"
>     AuthLDAPBindPassword "EXAMPLEPASSWORD"
>     AuthzLDAPAuthoritative off
>     Require valid-user
>     require ldap-group CN=SOMEOU,CN=Users,DC=examplecompany,DC=com
>     Require ldap-attribute memberOf="CN=SOMECN,CN=Users,DC=examplecompany,DC=com"
>   </Location>
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Trac Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/trac-users/MdFWRzxzVkQ/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/trac-users.
> For more options, visit https://groups.google.com/groups/opt_out.
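The three error-log shapes Alan quotes (user not found, Password Mismatch, Access denied) are the fastest way to tell which stage of the Apache 2.2 / mod_authnz_ldap flow is rejecting a login: the search with the AuthLDAPURL filter found no entry, the bind as the found DN failed, or the user authenticated but satisfied no Require line. The script below is an added example, not code from the thread or from Trac or Apache; it classifies lines of that shape and counts failures per client so repeated failures from one address stand out. The sample log is constructed here from the three quoted lines plus a few invented ones in the same format; the "noisy client" threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the thread plus invented lines
# of the same shape (mod_authnz_ldap under Apache 2.2) and one unrelated notice.
SAMPLE_LOG = """\
[Tue Dec 03 08:13:41 2013] [error] [client 10.10.11.6] user bob not found: /
[Tue Dec 03 08:16:49 2013] [error] [client 10.10.11.6] user myuser: authentication failure for "/": Password Mismatch
[Tue Dec 03 08:18:07 2013] [error] [client 10.10.11.6] Access denied: 'someotheruser' GET /:/
[Tue Dec 03 08:19:02 2013] [error] [client 10.10.11.7] user myuser: authentication failure for "/trac/login": Password Mismatch
[Tue Dec 03 08:19:03 2013] [error] [client 10.10.11.7] user myuser: authentication failure for "/trac/login": Password Mismatch
[Tue Dec 03 08:19:05 2013] [error] [client 10.10.11.7] user admin not found: /trac/login
[Tue Dec 03 08:19:06 2013] [error] [client 10.10.11.7] user root not found: /trac/login
[Tue Dec 03 08:20:00 2013] [notice] caught SIGTERM, shutting down
"""

PREFIX = r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '

PATTERNS = [
    # The search under AuthLDAPURL returned no entry. With a group restriction
    # inside the filter (the AD example above), non-members also end up here.
    ("not_found", re.compile(PREFIX + r'user (?P<user>\S+) not found: (?P<uri>\S+)$')),
    # An entry was found, but binding as that DN with the supplied password failed.
    ("bad_password", re.compile(PREFIX + r'user (?P<user>[^:]+): authentication failure for "(?P<uri>[^"]*)": Password Mismatch$')),
    # Authenticated, but no Require line was satisfied: the 403 case.
    ("access_denied", re.compile(PREFIX + r"Access denied: '(?P<user>[^']+)' (?P<method>\S+) (?P<uri>\S+)$")),
]


def classify_line(line):
    """Return a dict describing one LDAP auth failure, or None for any other line."""
    for kind, rx in PATTERNS:
        m = rx.match(line.rstrip("\n"))
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def summarize(log_text):
    """Return (events, per_client) where per_client maps client IP -> Counter of kinds."""
    events = [e for e in map(classify_line, log_text.splitlines()) if e]
    per_client = {}
    for e in events:
        per_client.setdefault(e["client"], Counter())[e["kind"]] += 1
    return events, per_client


def noisy_clients(per_client, threshold=3):
    """Clients whose total failure count reaches the (assumed) threshold."""
    return sorted(c for c, counts in per_client.items() if sum(counts.values()) >= threshold)


if __name__ == "__main__":
    events, per_client = summarize(SAMPLE_LOG)
    for e in events:
        print(f'{e["client"]:12} {e["kind"]:14} {e["user"]:16} {e["uri"]}')
    print("noisy clients:", noisy_clients(per_client))
```

Run against /var/log/apache2/error.log or /var/log/httpd/error_log as the message says; lines that match none of the three shapes are ignored rather than mis-filed, so a new message format shows up as a drop in classified events rather than as a wrong category.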
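The two `<Location "/trac/login">` blocks in this thread take different routes to the same goal, and the difference is security-relevant. Under Apache 2.2, which the `Order`/`Allow` and `AuthzLDAPAuthoritative` directives in the last config indicate, several `Require` lines in one section are alternatives: the request is authorized as soon as any one of them is satisfied, and mod_authnz_ldap satisfies `Require valid-user` for every user it has just bound. Putting the group test into the search filter, as the AD example above does, avoids that because a non-member is never found in the first place. The checker below is an added example, not code from the thread or from Apache; it parses `<Location>` sections and reports that pattern, `AuthzLDAPAuthoritative off`, and a plain `ldap://` URL with no TLS (the bind password and every user's password then cross the network in clear). Both config strings are constructed here: the first mirrors the shape of the posted config with its placeholders, the second is an assumed hardened variant that folds the nested-group match from the AD example into the filter and uses `ldaps://` (which additionally needs the CA certificate trusted via mod_ldap's `LDAPTrustedGlobalCert`, not shown).

```python
import re

# Constructed: same shape as the <Location> posted at the bottom of the thread.
WEAK_CONF = """\
<Location "/trac/login">
  AuthType Basic
  AuthName "trac"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://EXAMPLEIP/ou=SOMEOU,dc=examplecompany,dc=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPBindDN "EXAMPLEUSER"
  AuthLDAPBindPassword "EXAMPLEPASSWORD"
  AuthzLDAPAuthoritative off
  Require valid-user
  require ldap-group CN=SOMEOU,CN=Users,DC=examplecompany,DC=com
  Require ldap-attribute memberOf="CN=SOMECN,CN=Users,DC=examplecompany,DC=com"
</Location>
"""

# Constructed (assumed hardened form): group membership, nested included, moves
# into the filter using the LDAP_MATCHING_RULE_IN_CHAIN OID as in the AD example,
# leaving a single Require; ldaps:// replaces the cleartext ldap:// URL.
STRICT_CONF = """\
<Location "/trac/login">
  AuthType Basic
  AuthName "trac"
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://EXAMPLEIP/ou=SOMEOU,dc=examplecompany,dc=com?sAMAccountName?sub?(&(objectClass=user)(memberOf%3A1.2.840.113556.1.4.1941%3A=CN=SOMECN,CN=Users,DC=examplecompany,DC=com))"
  AuthLDAPBindDN "EXAMPLEUSER"
  AuthLDAPBindPassword "EXAMPLEPASSWORD"
  Require valid-user
</Location>
"""

LOCATION_RX = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)
LDAP_REQUIRE_TYPES = {"ldap-group", "ldap-attribute", "ldap-filter", "ldap-dn", "ldap-user"}


def parse_locations(conf):
    """Map each <Location> path to a list of (directive-name-lowercased, argument) pairs."""
    sections = {}
    for m in LOCATION_RX.finditer(conf):
        directives = []
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, _, arg = line.partition(" ")
            directives.append((name.lower(), arg.strip()))
        sections[m.group(1)] = directives
    return sections


def check_location(directives):
    """Return finding strings for one section's authentication/authorization directives."""
    findings = []
    require_types = {arg.split()[0].lower() for name, arg in directives if name == "require" and arg}
    # Apache 2.2: any satisfied Require authorizes, and valid-user is satisfied by
    # every user who bound successfully, so the group lines beside it are dead.
    if "valid-user" in require_types and require_types & LDAP_REQUIRE_TYPES:
        findings.append("Require valid-user next to ldap-group/ldap-attribute: "
                        "any bound user is authorized, the group lines never restrict")
    if any(name == "authzldapauthoritative" and arg.lower() == "off" for name, arg in directives):
        findings.append("AuthzLDAPAuthoritative off: a later authz module may grant "
                        "access when the LDAP group check fails")
    for name, arg in directives:
        if name != "authldapurl":
            continue
        url = arg.strip("\"'").lower()
        has_tls_suffix = re.search(r"\s(TLS|STARTTLS|SSL)\s*$", arg, re.I) is not None
        if url.startswith("ldap://") and not has_tls_suffix:
            findings.append("AuthLDAPURL uses ldap:// without TLS/STARTTLS: bind and "
                            "user passwords cross the network in clear")
    return findings


def audit(conf):
    """Findings per <Location> path for a whole config string."""
    return {path: check_location(d) for path, d in parse_locations(conf).items()}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        for path, findings in audit(conf).items():
            print(label, path, findings or ["no findings"])
```

On Apache 2.4 the same three lines would sit inside an implicit `RequireAny`, so the `valid-user` short-circuit is identical there; `RequireAll` is the 2.4 way to make the group line mandatory, while the single-filter approach works unchanged on both versions.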
