On Tuesday, January 19, 2016 at 6:51:29 AM UTC-8, deadf00d wrote:
>
> Hi all,
>
> I'm trying to set up tracd behind nginx with LDAP authentication handled
> by nginx.
> My approach is setting the REMOTE_USER header from nginx and using the
> remote-user-auth.py script from
> http://trac.edgewall.org/wiki/TracStandalone#Authenticationfortracdbehindaproxy
>
> The nginx/ldap part works fine and the user gets passed to trac, as you
> can see here (says 'angemeldet als alex'):
> http://postimg.org/image/vtj2jpqih/
>
> Yet, it displays "Trac Error Authentication information not available."
> I'm reading all the documentation I can find on the issue and only get more
> confused.
>
> Is my approach (letting nginx handle the authentication) correct?
> I was thinking that the remote user would be sufficient and thus no
> authentication data is needed at the trac side.
> Or does trac require additional data besides the REMOTE_USER?
>
> Kind regards and thanks in advance,
> Alex
>

I'm unsure if REMOTE_USER and/or HTTP_REMOTE_USER needs to be set. I'll attempt to trace the flow in reverse.

If the site shows //Logged in as xxx//, then req.authname returned a valid value:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/auth.py?marks=108-109#L101

req.authname is set through a callback, which iterates over the IAuthenticator implementations:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/main.py?marks=158,161,185#L156

When your "MyRemoteUserAuthenticator" authenticator executes, it calls get_header, which returns a value from the _inheaders dictionary:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=436#L431

req._inheaders is a callback that calls req._parse_headers:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=341#L318

From the logic in req._parse_headers,
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=749#L749
it looks like a call to req.get_headers('Remote-User') will only return a value if HTTP_REMOTE_USER is set.

So best I can infer, HTTP_REMOTE_USER is being set in your request, and therefore req.authname is being set.

On the other hand, when a request is sent to /login, req.remote_user must return the username otherwise the error is seen:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/auth.py?marks=133,148#L131

From the behavior you've described it sounds like req.remote_user is None. Therefore I infer that REMOTE_USER hasn't been set:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=400#L394

So it looks to me like HTTP_REMOTE_USER is set in the environ dictionary, but REMOTE_USER is not set.

What comes to mind is another configuration which was discussed on the mailing list a few weeks back:
http://trac.edgewall.org/wiki/TracModWSGI#UsingCASiteMinderAuthentication

I never understood why REMOTE_USER needed to be explicitly set.
This issue might be related:
http://serverfault.com/a/392096

Could you share your script that invokes tracd, as well as your Nginx configuration?

The following might be helpful:
http://trac.edgewall.org/wiki/TracNginxRecipe#HandlingauthenticationinNginx

- Ryan
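
The reply's distinction between HTTP_REMOTE_USER (a request header) and REMOTE_USER (a CGI variable), shown as an added example that is not code from this thread or from Trac: a WSGI wrapper that sets REMOTE_USER explicitly from the header, and only when the request arrives from the proxy. The class name, the trusted address list and the stand-in application are assumptions made for illustration.

```python
# Added example: WSGI middleware that turns the proxy's Remote-User header
# into REMOTE_USER, but only for requests that come from the proxy itself.
# Assumptions: nginx runs on the same host and sets the header itself with
# proxy_set_header, replacing any value the client sent.

class ProxyRemoteUser:
    def __init__(self, app, trusted_proxies=("127.0.0.1", "::1")):
        self.app = app
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        claimed = environ.get("HTTP_REMOTE_USER", "").strip()
        if environ.get("REMOTE_ADDR") in self.trusted and claimed:
            # WSGI exposes request headers as HTTP_*; REMOTE_USER is a
            # separate CGI variable, so it has to be set explicitly.
            environ["REMOTE_USER"] = claimed
        else:
            # Direct or unauthenticated request: drop anything that could
            # be read as an identity further down the stack.
            environ.pop("HTTP_REMOTE_USER", None)
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the wrapped application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode("utf-8")]


def run(environ):
    """Send one constructed request through the middleware; return the body."""
    app = ProxyRemoteUser(demo_app)
    return b"".join(app(dict(environ), lambda status, headers: None)).decode()


if __name__ == "__main__":
    # Constructed requests: via the proxy, direct with a forged header, anonymous.
    print(run({"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "alex"}))
    print(run({"REMOTE_ADDR": "203.0.113.5", "HTTP_REMOTE_USER": "admin"}))
    print(run({"REMOTE_ADDR": "127.0.0.1"}))
```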
