> On May 26, 2015, at 12:09 PM, RjOllos <[email protected]> wrote:
>
> > On Tuesday, May 26, 2015 at 2:26:31 AM UTC-4, Cooke, Mark wrote:
> > > On May 22, 2015 3:02 PM, "Josh Santangelo" <[email protected]> wrote:
> > > >
> > >> On May 21, 2015, at 8:53 PM, RjOllos <[email protected]> wrote:
> > >>
> > >> On Thursday, May 21, 2015 at 2:23:50 PM UTC-7, Josh Santangelo wrote:
> > >>>
> > >>> I ran the 1.0.6 MSI, but it seemed to break LDAP authentication.
> > >>> When I browse to trac I see:
> > >>>
> > >>> Traceback (most recent call last):
> > >>>   File "C:\Python27\lib\site-packages\trac\web\api.py", line 559, in send_error
> > >>>     data, 'text/html')
> > >>>   File "C:\Python27\lib\site-packages\trac\web\chrome.py", line 1063, in render_template
> > >>>     template = self.load_template(filename, method=method)
> > >>>   File "C:\Python27\lib\site-packages\trac\web\chrome.py", line 1017, in load_template
> > >>>     self.get_all_templates_dirs(), auto_reload=self.auto_reload,
> > >>>   File "C:\Python27\lib\site-packages\trac\web\chrome.py", line 725, in get_all_templates_dirs
> > >>>     for provider in self.template_providers:
> > >>>   File "C:\Python27\lib\site-packages\trac\core.py", line 78, in extensions
> > >>>     components = [component.compmgr[cls] for cls in classes]
> > >>>   File "C:\Python27\lib\site-packages\trac\core.py", line 204, in __getitem__
> > >>>     component = cls(self)
> > >>>   File "C:\Python27\lib\site-packages\trac\core.py", line 140, in __call__
> > >>>     self.__init__()
> > >>>   File "build\bdist.win32\egg\acct_mgr\web_ui.py", line 75, in __init__
> > >>>     self._write_check(log=True)
> > >>>   File "build\bdist.win32\egg\acct_mgr\web_ui.py", line 79, in _write_check
> > >>>     writable = self.acctmgr.get_all_supporting_stores('set_password')
> > >>>   File "build\bdist.win32\egg\acct_mgr\api.py", line 348, in get_all_supporting_stores
> > >>>     for store in self.password_stores:
> > >>>   File "C:\Python27\lib\site-packages\trac\config.py", line 777, in __get__
> > >>>     option=tag.tt("[%s] %s" % (self.section, self.name))))
> > >>> ConfigurationError: Cannot find implementation(s) of the <tt>IPasswordStore</tt> interface named <tt>LdapAuthStore</tt>. Please check that the Component is enabled or update the option <tt>[account-manager] password_store</tt> in trac.ini.
> > >>>
> > >>> I backed up my Python directory before the install, and restoring
> > >>> it seems to have restored things back to working.
> > >>>
> > >>
> > >> Trac 1.0.2 and later enforces that Components specified in the
> > >> trac.ini configuration file must be loaded. Often users find that
> > >> when upgrading they had errors in their configuration that passed
> > >> silently prior to the upgrade.
> > >>
> > >> Your [account-manager] password_store setting includes
> > >> LdapAuthStore, but the plugin is either not installed, not loading
> > >> correctly due to an error, or not enabled. LdapAuthStore is provided
> > >> by LdapAuthStorePlugin (1). Perhaps you aren't actually using that
> > >> store? In that case you can just remove LdapAuthStore from
> > >> password_store. But if you are using the plugin, and the plugin is
> > >> installed and enabled, then we need to determine why it's not
> > >> loading. See TracTroubleshooting (2). It would also be useful to
> > >> confirm, before trying the upgrade again, if it is loading in Trac
> > >> 1.0.2. You can do that by inspecting the debug level log, as
> > >> described in TracTroubleshooting.
> > >
> > > Thanks, it seems your suspicions about the plugin not loading are
> > > correct, according to the log, which I’ve pasted below. I’m confused
> > > though, since LDAP authentication does work, and has for some time.
> > > How’s that possible if the plugin isn’t loading? I confirmed that the
> > > .egg files in the log are indeed there.
> > >
> > > 2014-04-01 11:22:27,046 Trac[env] INFO: -------------------------------- environment startup [Trac 1.0.1] --------------------------------
> > > 2014-04-01 11:22:27,079 Trac[loader] DEBUG: Adding plugin LdapAuthStorePlugin 0.3.0 from c:\trac\stimulant\plugins\ldapauthstoreplugin-0.3.0-py2.7.egg
> > > 2014-04-01 11:22:27,079 Trac[loader] DEBUG: Adding plugin LdapPlugin 0.7.0dev from c:\trac\stimulant\plugins\ldapplugin-0.7.0dev-py2.7.egg
> > > 2014-04-01 11:22:27,174 Trac[loader] DEBUG: Loading ldapauthstore.ldap_store from c:\trac\stimulant\plugins\ldapauthstoreplugin-0.3.0-py2.7.egg
> > > 2014-04-01 11:22:27,181 Trac[loader] ERROR: Skipping "ldapauthstore.ldap_store = ldapauthstore.ldap_store":
> > >
> > > Traceback (most recent call last):
> > >   File "C:\Python27\lib\site-packages\trac\loader.py", line 68, in _load_eggs
> > >     entry.load(require=True)
> > >   File "C:\Python27\lib\site-packages\setuptools-0.6c11-py2.7.egg\pkg_resources.py", line 1954, in load
> > >     entry = __import__(self.module_name, globals(),globals(), ['__name__'])
> > >   File "build\bdist.win32\egg\ldapauthstore\ldap_store.py", line 2, in <module>
> > >   File "build\bdist.win32\egg\ldapplugin\__init__.py", line 2, in <module>
> > >   File "build\bdist.win32\egg\ldapplugin\api.py", line 25, in <module>
> > > ImportError: No module named ldap
> > > 2014-04-01 11:22:27,181 Trac[loader] DEBUG: Loading ldapplugin.api from c:\trac\stimulant\plugins\ldapplugin-0.7.0dev-py2.7.egg
> > > 2014-04-01 11:22:27,187 Trac[loader] ERROR: Skipping "ldapplugin.api = ldapplugin.api":
> > >
> > > Traceback (most recent call last):
> > >   File "C:\Python27\lib\site-packages\trac\loader.py", line 68, in _load_eggs
> > >     entry.load(require=True)
> > >   File "C:\Python27\lib\site-packages\setuptools-0.6c11-py2.7.egg\pkg_resources.py", line 1954, in load
> > >     entry = __import__(self.module_name, globals(),globals(), ['__name__'])
> > >   File "build\bdist.win32\egg\ldapplugin\__init__.py", line 2, in <module>
> > >   File "build\bdist.win32\egg\ldapplugin\api.py", line 25, in <module>
> > > ImportError: No module named ldap
> >
> > -----Original Message-----
> > From: [email protected] [mailto:trac-[email protected]] On Behalf Of Ryan Ollos
> >
> > It looks like it's not finding the Python ldap package. You might be
> > able to install that from pypi.
> >
> > https://pypi.python.org/pypi/python-ldap
> >
> > Hmm, I think we would be better to understand how LDAP auth is working
> > before fixing something that it looks like is not needed.
> >
> > Are you using apache httpd? I use Trac on Windoze and use apache to
> > authenticate against our AD forest, perhaps you do the same? In which
> > case you do not need the Trac ldap interface at all...
> >
> > ~ mark c
>
> Does the Apache configuration you use populate the session info such
> as name and email address from the LDAP data store?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Santangelo
> Sent: 31 May 2015 22:45
> To: [email protected]
> Subject: Re: [Trac] Updating Trac on Windows?
>
> Yes, I’m using Apache on Windows. I believe the original configuration
> was based on the docs here:
> https://trac-hacks.org/wiki/LdapPlugin
>
> httpd.conf looks something like:
>
> <Location />
> Order deny,allow
> Allow from all
> AuthType Basic
> AuthName "Stimulant Trac"
> AuthBasicProvider "ldap"
> AuthLDAPURL "ldap://…"
> AuthLDAPBindDN [email protected]
> AuthLDAPBindPassword "..."
> authzldapauthoritative Off
> require ldap-group CN=Stimulant Devops,CN=Users,DC=stimulant,DC=local
> </Location>

This is definitely providing _authentication_ against LDAP as well as _authorisation_ in that httpd will reject users not in the specified group. What this does is pass the user info through to Trac in the session info (based on the parameters specified in the LDAP URL which can include the user's email).

If you only need to _authorise_ users based on LDAP group membership you are done. Do all members of "Stimulant Devops" (via the built-in "authenticated" group) have the same rights or do you need finer grained permissions?

> trac.ini looks something like:
>
> [ldap]
> allusers_group = Stimulant Devops
> basedn = dc=stimulant,dc=local
> bind_passwd = ...
> bind_user = cn=trac,dc=stimulant,dc=local
> enable = true
> group_rdn = ou=groups
> host = ...
> store_bind = true
> user_rdn = ou=people

Trac is repeating work done (probably more efficiently) by httpd. As I only have a small number of users per repository I manage those special cases through the usual Trac Admin interface (no plugins required) using their network login names, forced to lower case. Personally I would remove this plugin and the section from trac.ini.

> Mark raises a good point, perhaps I should use LDAP in Apache but not at all
> in Trac?
>
> Thanks again for the thoughtful responses.

I hope I have been helpful. Good luck.

~ Mark C
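
An added example, not part of the thread and not Trac's own code: a Python check that reads a debug-level trac.log for entry points the loader skipped and flags any `[account-manager] password_store` entry that depends on one, which is the mismatch Trac 1.0.2 and later turns into a ConfigurationError. The log and ini text are constructed from the excerpts quoted above; `ExampleStore` and the name-matching heuristic are assumptions.

```python
import configparser
import re

# Constructed sample input, modelled on the log excerpt and option quoted in the thread.
SAMPLE_LOG = r'''2014-04-01 11:22:27,174 Trac[loader] DEBUG: Loading ldapauthstore.ldap_store from c:\trac\stimulant\plugins\ldapauthstoreplugin-0.3.0-py2.7.egg
2014-04-01 11:22:27,181 Trac[loader] ERROR: Skipping "ldapauthstore.ldap_store = ldapauthstore.ldap_store":
Traceback (most recent call last):
  File "build\bdist.win32\egg\ldapplugin\api.py", line 25, in <module>
ImportError: No module named ldap
2014-04-01 11:22:27,187 Trac[loader] ERROR: Skipping "ldapplugin.api = ldapplugin.api":
Traceback (most recent call last):
  File "build\bdist.win32\egg\ldapplugin\api.py", line 25, in <module>
ImportError: No module named ldap
'''
# ExampleStore is a hypothetical second store, added to show a non-matching entry.
SAMPLE_INI = """[account-manager]
password_store = ExampleStore, LdapAuthStore
"""

SKIP_RE = re.compile(r'Trac\[loader\] ERROR: Skipping "(\S+) = \S+":')
EXC_RE = re.compile(r'^(\w+(?:Error|Exception): .*)$')

def skipped_entry_points(log_text):
    """Map each entry point the loader skipped to the exception that caused it."""
    skipped, current = {}, None
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            current = m.group(1)
            skipped[current] = "unknown"
        elif current and EXC_RE.match(line):
            skipped[current] = line.strip()
            current = None
    return skipped

def broken_stores(ini_text, skipped):
    """Return configured password stores whose providing package was skipped."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    stores = cfg.get("account-manager", "password_store", fallback="")
    packages = {name.split(".")[0]: why for name, why in skipped.items()}
    # Heuristic (assumption): the store class name, lowercased, equals the package name.
    return [(s.strip(), packages[s.strip().lower()])
            for s in stores.split(",") if s.strip().lower() in packages]

if __name__ == "__main__":
    for store, why in broken_stores(SAMPLE_INI, skipped_entry_points(SAMPLE_LOG)):
        print("password_store %s cannot load: %s" % (store, why))
```

Running this against the real log before an upgrade shows whether a configured store is already failing to load, as it was here under Trac 1.0.1.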
