Seems that using https solves the issue. A Rewrite to https should
solve the issue completely.
Thank you very much for your help : )
Eberhardt
Zitat von "Cooke, Mark" <[email protected]>:
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Cooke, Mark
Sent: 29 October 2014 08:55
To: [email protected]
Subject: RE: [Trac] Trac issue with permission for ldap users
[Replying in-line below...]
> Zitat von "Cooke, Mark" <[email protected]>:
>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
On
> >> Behalf Of Jan Eberhardt
> >>
> >>
> >> Hello trac-team and/or mailinglist users,
> >>
> >> I am using LDAP for authentication and I want to define permissions
> >> for every single user that logged in via LDAP.
> >> When I login (LDAP is working), the permissions of the 'authenticated'
> >> group are matched to the login user (seems right so far), but I also
> >> did 'trac-admin <env> permission add <username>'. I gave this user
> >> (matching the LDAP login) higher permissions, but they dont apply.
> >>
> >> An example:
> >> LDAP Login for the user is 'bob', I also create 'trac-admin <env>
> >> permission add bob TRAC_ADMIN', but when I login as 'bob' I dont see
> >> the admin-panel.
> >>
> >> The 'admin' user works right (authenticated via local htpasswd file),
> >> but when I want to grant the LDAP users higher rights, it fails.
> >>
> >> What goes wrong, where do I fail ?
> >
> > What messages (if any) do you get in your apache log files?
> >
> > Can you show us the relevant bits of your apache `conf` file and
> > your wsgi files?
> >
> > As a quick suggestion, is this a case issue? I have the following
> > line in my WSGI file:
> >
> > # Make sure usernames are lower case...
> > environ['REMOTE_USER'] = environ['REMOTE_USER'].lower()
> >
> > ...or a domain issue...
> >
> > # Strip any domain if present
> > while "\\" in environ['REMOTE_USER']:
> > environ['REMOTE_USER'] =
environ['REMOTE_USER'].split("\\", 1)[1]
> >
> > Hope that helps,
> >
> > ~ Mark C
> >
> >> Kind regards
> >> Eberhardt
> >>
> >> --
> >> Trac-System:
> >> - Red Hat Linux
> >> - apache (with mod_wsgi, mod_ldap, mod_authnz_ldap)
> >> - MySQL
> >
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jan Eberhardt
>
> Hi,
> editing my trac.wsgi (with the proposed snippet), gave me an "500
> Internal error" and following message in my apache error log:
>
> [Thu Oct 23 22:55:39 2014] [error] [client *] mod_wsgi (pid=27135):
> Exception occurred processing WSGI script
> '/var/www/trac/cgi-bin/trac.wsgi'.
> [Thu Oct 23 22:55:39 2014] [error] [client *] Traceback (most recent
> call last):
> [Thu Oct 23 22:55:39 2014] [error] [client *] File
> "/var/www/trac/cgi-bin/trac.wsgi", line 33, in application
> [Thu Oct 23 22:55:39 2014] [error] [client *]
> environ['REMOTE_USER'] = environ['REMOTE_USER'].lower()
> [Thu Oct 23 22:55:39 2014] [error] [client *] KeyError: 'REMOTE_USER'
This is the important bit. mod_wsgi can only pass on data set by the apache
modules that handle your authentication. That is not setting the
remote user
variable and therefore there is no "REMOTE_USER" to pass on to Trac...
Update: I remembered I had a script to display the WSGI environment
back to the browser so I could check what was and was not available.
Searching for it I re-found Graham Dumpleton's excellent mod_wsgi
docs and a section specifically for this:-
https://code.google.com/p/modwsgi/wiki/DebuggingTechniques#Displaying_Request_Environment
Try that out and let us know what you get... You need to make sure
that the "REMOTE_USER" is being set before Trac can see who "you" are.
~ Mark C
> My trac.wsgi (without your proposal):
>
> import os
>
> def application(environ, start_request):
> if not 'trac.env_parent_dir' in environ:
> environ.setdefault('trac.env_path', '/var/www/trac')
> if 'PYTHON_EGG_CACHE' in environ:
> os.environ['PYTHON_EGG_CACHE'] = environ['PYTHON_EGG_CACHE']
> elif 'trac.env_path' in environ:
> os.environ['PYTHON_EGG_CACHE'] = \
> os.path.join(environ['trac.env_path'], '.egg-cache')
> elif 'trac.env_parent_dir' in environ:
> os.environ['PYTHON_EGG_CACHE'] = \
> os.path.join(environ['trac.env_parent_dir'], '.egg-cache')
> os.environ['PYTHON_EGG_CACHE'] = '/tmp/python-eggs'
> from trac.web.main import dispatch_request
> return dispatch_request(environ, start_request)
>
> My trac-apache.conf:
>
> LDAPVerifyServerCert Off
> <LocationMatch "/trac/login">
> AuthName "Trac LDAP Authentication"
> AuthType Basic
> AuthBasicProvider ldap file
> AuthzLDAPAuthoritative Off
> AuthUserFile /opt/trac-password/trac.htpasswd
> AuthLDAPURL "ldaps://DOMAIN:PORT/ou=OU,o=O,dc=DC,dc=DC?uid?"
> Require ldap-user USER USER USER
> Require user admin
> </LocationMatch>
Hmm, my apache-fu may be letting me down here but I think the problem is you
are only protecting the login page?
I have configured my server to redirect (almost *) everything to https using
a RewriteRule. After that, the whole server requires
authentication (using a
<Location /> block in the SSL conf file).
(*) I have set up some exceptions to serve the static trac resources:
{{{
RewriteCond %{REQUEST_URI} !/trac/common/"
RewriteRule ^/(.*) https://server/$1 [R=permanent,L]
}}}
Another possible issue is with your LDAP query. If you are using Active
Directory then you may want to use "sAMAccountName" instead of "uid"?
I hope one or both of those ideas help...
~ Mark C
> WSGIScriptAlias /trac /var/www/trac/cgi-bin/trac.wsgi
> <Directory "/var/www/trac/cgi-bin">
> WSGIApplicationGroup %{GLOBAL}
> Order deny,allow
> Allow from all
> </Directory>
>
> Alias /trac/chrome/common /var/www/trac/htdocs/common
> Alias /trac/chrome/site /var/www/trac/htdocs/site
> <Directory "/var/www/trac/htdocs">
> Order allow,deny
> Allow from all
> </Directory>
>
> That is my config.
>
> Kind regards
> Eberhardt
>
--
You received this message because you are subscribed to the Google Groups
"Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google
Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
