> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Cooke, Mark
> Sent: 29 October 2014 08:55
> To: [email protected]
> Subject: RE: [Trac] Trac issue with permission for ldap users
>
> [Replying in-line below...]
>
> > Quoting "Cooke, Mark" <[email protected]>:
> >
> > >> -----Original Message-----
> > >> From: [email protected] [mailto:[email protected]] On Behalf Of Jan Eberhardt
> > >>
> > >> Hello trac-team and/or mailinglist users,
> > >>
> > >> I am using LDAP for authentication and I want to define permissions for every single user that logged in via LDAP.
> > >> When I login (LDAP is working), the permissions of the 'authenticated' group are matched to the login user (seems right so far), but I also did 'trac-admin <env> permission add <username>'. I gave this user (matching the LDAP login) higher permissions, but they don't apply.
> > >>
> > >> An example:
> > >> LDAP Login for the user is 'bob', I also create 'trac-admin <env> permission add bob TRAC_ADMIN', but when I login as 'bob' I don't see the admin-panel.
> > >>
> > >> The 'admin' user works right (authenticated via local htpasswd file), but when I want to grant the LDAP users higher rights, it fails.
> > >>
> > >> What goes wrong, where do I fail?
> > >
> > > What messages (if any) do you get in your apache log files?
> > >
> > > Can you show us the relevant bits of your apache `conf` file and your wsgi files?
> > >
> > > As a quick suggestion, is this a case issue? I have the following line in my WSGI file:
> > >
> > > # Make sure usernames are lower case...
> > > environ['REMOTE_USER'] = environ['REMOTE_USER'].lower()
> > >
> > > ...or a domain issue...
> > >
> > > # Strip any domain if present
> > > while "\\" in environ['REMOTE_USER']:
> > >     environ['REMOTE_USER'] = environ['REMOTE_USER'].split("\\", 1)[1]
> > >
> > > Hope that helps,
> > >
> > > ~ Mark C
> > >
> > >> Kind regards
> > >> Eberhardt
> > >>
> > >> --
> > >> Trac-System:
> > >> - Red Hat Linux
> > >> - apache (with mod_wsgi, mod_ldap, mod_authnz_ldap)
> > >> - MySQL
> > >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Jan Eberhardt
> >
> > Hi,
> > editing my trac.wsgi (with the proposed snippet) gave me a "500 Internal error" and the following message in my apache error log:
> >
> > [Thu Oct 23 22:55:39 2014] [error] [client *] mod_wsgi (pid=27135): Exception occurred processing WSGI script '/var/www/trac/cgi-bin/trac.wsgi'.
> > [Thu Oct 23 22:55:39 2014] [error] [client *] Traceback (most recent call last):
> > [Thu Oct 23 22:55:39 2014] [error] [client *]   File "/var/www/trac/cgi-bin/trac.wsgi", line 33, in application
> > [Thu Oct 23 22:55:39 2014] [error] [client *]     environ['REMOTE_USER'] = environ['REMOTE_USER'].lower()
> > [Thu Oct 23 22:55:39 2014] [error] [client *] KeyError: 'REMOTE_USER'
>
> This is the important bit. mod_wsgi can only pass on data set by the apache modules that handle your authentication. That is not setting the remote user variable and therefore there is no "REMOTE_USER" to pass on to Trac...
Update: I remembered I had a script to display the WSGI environment back to the browser so I could check what was and was not available. Searching for it I re-found Graham Dumpleton's excellent mod_wsgi docs and a section specifically for this:

https://code.google.com/p/modwsgi/wiki/DebuggingTechniques#Displaying_Request_Environment

Try that out and let us know what you get... You need to make sure that the "REMOTE_USER" is being set before Trac can see who "you" are.

~ Mark C

> > My trac.wsgi (without your proposal):
> >
> > import os
> >
> > def application(environ, start_request):
> >     if not 'trac.env_parent_dir' in environ:
> >         environ.setdefault('trac.env_path', '/var/www/trac')
> >     if 'PYTHON_EGG_CACHE' in environ:
> >         os.environ['PYTHON_EGG_CACHE'] = environ['PYTHON_EGG_CACHE']
> >     elif 'trac.env_path' in environ:
> >         os.environ['PYTHON_EGG_CACHE'] = \
> >             os.path.join(environ['trac.env_path'], '.egg-cache')
> >     elif 'trac.env_parent_dir' in environ:
> >         os.environ['PYTHON_EGG_CACHE'] = \
> >             os.path.join(environ['trac.env_parent_dir'], '.egg-cache')
> >     os.environ['PYTHON_EGG_CACHE'] = '/tmp/python-eggs'
> >     from trac.web.main import dispatch_request
> >     return dispatch_request(environ, start_request)
> >
> > My trac-apache.conf:
> >
> > LDAPVerifyServerCert Off
> > <LocationMatch "/trac/login">
> >     AuthName "Trac LDAP Authentication"
> >     AuthType Basic
> >     AuthBasicProvider ldap file
> >     AuthzLDAPAuthoritative Off
> >     AuthUserFile /opt/trac-password/trac.htpasswd
> >     AuthLDAPURL "ldaps://DOMAIN:PORT/ou=OU,o=O,dc=DC,dc=DC?uid?"
> >     Require ldap-user USER USER USER
> >     Require user admin
> > </LocationMatch>
>
> Hmm, my apache-fu may be letting me down here but I think the problem is you are only protecting the login page?
>
> I have configured my server to redirect (almost *) everything to https using a RewriteRule. After that, the whole server requires authentication (using a <Location /> block in the SSL conf file).
>
> (*) I have set up some exceptions to serve the static trac resources:
> {{{
> RewriteCond %{REQUEST_URI} !/trac/common/
> RewriteRule ^/(.*) https://server/$1 [R=permanent,L]
> }}}
>
> Another possible issue is with your LDAP query. If you are using Active Directory then you may want to use "sAMAccountName" instead of "uid"?
>
> I hope one or both of those ideas help...
>
> ~ Mark C
>
> > WSGIScriptAlias /trac /var/www/trac/cgi-bin/trac.wsgi
> > <Directory "/var/www/trac/cgi-bin">
> >     WSGIApplicationGroup %{GLOBAL}
> >     Order deny,allow
> >     Allow from all
> > </Directory>
> >
> > Alias /trac/chrome/common /var/www/trac/htdocs/common
> > Alias /trac/chrome/site /var/www/trac/htdocs/site
> > <Directory "/var/www/trac/htdocs">
> >     Order allow,deny
> >     Allow from all
> > </Directory>
> >
> > That is my config.
> >
> > Kind regards
> > Eberhardt
> >
> --
> You received this message because you are subscribed to the Google Groups "Trac Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/trac-users.
> For more options, visit https://groups.google.com/d/optout.
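An added example, not code from this thread or from Trac: the lower-case and domain-stripping normalisation Mark suggested, wrapped so it only runs when Apache actually set REMOTE_USER. Requests to paths outside the protected <LocationMatch> then pass through as anonymous instead of raising the KeyError in the log above. The downstream app (`_echo_user`) is a constructed stand-in for `trac.web.main.dispatch_request`, and the sample environs are constructed, not captured from a server.

```python
def normalize_remote_user(environ):
    """Return the normalised login name, or None if Apache set no REMOTE_USER.

    Mutates environ in place so the downstream Trac application sees the
    cleaned value.
    """
    user = environ.get('REMOTE_USER')
    if not user:
        # The path was not behind Basic auth (e.g. only /trac/login is
        # protected): leave the request anonymous rather than crashing.
        return None
    # Strip any "DOMAIN\" prefix (repeated in case of nested prefixes) ...
    while '\\' in user:
        user = user.split('\\', 1)[1]
    # ... then lower-case the name so it matches the name that was given to
    # `trac-admin <env> permission add <username>`, which is compared exactly.
    user = user.lower()
    environ['REMOTE_USER'] = user
    return user


def make_application(trac_app):
    """Wrap a Trac-style WSGI callable so REMOTE_USER is normalised first."""
    def application(environ, start_response):
        normalize_remote_user(environ)
        return trac_app(environ, start_response)
    return application


def _echo_user(environ, start_response):
    # Constructed stand-in for dispatch_request: reports the user it would
    # authorise the request as.
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [environ.get('REMOTE_USER', '<anonymous>').encode()]


def run(environ):
    """Drive the wrapped app on a constructed environ; return the body text."""
    body = make_application(_echo_user)(environ, lambda status, headers: None)
    return b''.join(body).decode()


if __name__ == '__main__':
    # Constructed sample environments.
    print(run({'PATH_INFO': '/trac/login', 'REMOTE_USER': 'CORP\\Bob'}))  # bob
    print(run({'PATH_INFO': '/trac/wiki'}))  # <anonymous>
```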
