Dear Ryan,
thanks for your quick and detailed reply.
I think I understand the problem and it seems that your analysis regarding
REMOTE_USER and HTTP_REMOTE_USER is right. Yet, I do not understand how
to fix this.
The TracModWSGI approach seems promising, but as I run tracd, I do not know
where to add the "environ['REMOTE_USER'] = environ['HTTP_REMOTE_USER']"
line.
I can't do it in remote-user-auth.py as far as I can see, because there
I have no access to 'environ', right?
My setup is as follows:
Tracd started with
"tracd -d -p 8080 --protocol=http -s /usr/local/trac/myproject".
Nginx conf:

    ldap_server myldapserver {
        url "ldaps://ldap.mydomain.com:636/...";
        binddn "...";
        binddn_passwd "...";
        connect_timeout 5s;
        bind_timeout 5s;
        request_timeout 5s;
        satisfy any;
    }

    server {
        listen 80;
        server_name trac.mydomain.com;

        location / {
            proxy_pass http://trac.mydomain.com:8080;
        }

        location /login {
            proxy_pass http://trac.mydomain.com:8080;
            auth_ldap "Please enter your credentials for issue tracker";
            auth_ldap_servers myldapserver;
            proxy_set_header REMOTE_USER $remote_user;
        }
    }

Any further help will be much appreciated.
Kind regards,
Alex
On 19.01.2016 at 20:50, RjOllos wrote:
On Tuesday, January 19, 2016 at 6:51:29 AM UTC-8, deadf00d wrote:
Hi all,
I'm trying to set up tracd behind nginx with LDAP authentication
handled by nginx.
My approach is setting the REMOTE_USER header from nginx and using
the
remote-user-auth.py script from
http://trac.edgewall.org/wiki/TracStandalone#Authenticationfortracdbehindaproxy
The nginx/ldap part works fine and the user gets passed to trac,
as you can see here (says 'angemeldet als alex'):
http://postimg.org/image/vtj2jpqih/
Yet, it displays "Trac Error Authentication information not
available."
I'm reading all the documentation I can find on the issue and only
get more confused.
Is my approach (letting nginx handle the authentication) correct?
I was thinking that the remote user would be sufficient and thus
no authentication data is needed at the trac side.
Or does trac require additional data besides the REMOTE_USER?
Kind regards and thanks in advance,
Alex
I'm unsure if REMOTE_USER and/or HTTP_REMOTE_USER needs to be set.
I'll attempt to trace the flow in reverse.
If the site shows //Logged in as xxx//, then req.authname returned a
valid value:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/auth.py?marks=108-109#L101
req.authname is set through a callback, which iterates over the
IAuthenticator implementations:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/main.py?marks=158,161,185#L156
When your "MyRemoteUserAuthenticator" authenticator executes, it calls
get_header, which returns a value from the _inheaders dictionary:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=436#L431
req._inheaders is a callback that calls req._parse_headers:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=341#L318
From the logic in req._parse_headers,
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=749#L749
it looks like a call to req.get_headers('Remote-User') will only
return a value if HTTP_REMOTE_USER is set.
So best I can infer, HTTP_REMOTE_USER is being set in your request,
and therefore req.authname is being set.
On the other hand, when a request is sent to /login, req.remote_user
must return the username otherwise the error is seen:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/auth.py?marks=133,148#L131
From the behavior you've described it sounds like req.remote_user is
None. Therefore I infer that REMOTE_USER hasn't been set:
http://trac.edgewall.org/browser/tags/trac-1.0.9/trac/web/api.py?marks=400#L394
So it looks to me like HTTP_REMOTE_USER is set in the environ
dictionary, but REMOTE_USER is not set.
What comes to mind is another configuration which was discussed on the
mailing list a few weeks back:
http://trac.edgewall.org/wiki/TracModWSGI#UsingCASiteMinderAuthentication
I never understood why REMOTE_USER needed to be explicitly set.
This issue might be related:
http://serverfault.com/a/392096
Could you share your script that invokes tracd, as well as your Nginx
configuration?
The following might be helpful:
http://trac.edgewall.org/wiki/TracNginxRecipe#HandlingauthenticationinNginx
- Ryan
--
You received this message because you are subscribed to the Google
Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To post to this group, send email to [email protected]
<mailto:[email protected]>.
Visit this group at https://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
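
Added example, not part of the original thread and not Trac's own code: a generic WSGI middleware that performs the environ['REMOTE_USER'] = environ['HTTP_REMOTE_USER'] mapping discussed above, but only for requests arriving from a trusted proxy address. The class name, the trusted address set and the stand-in application are assumptions made for illustration; how such a wrapper is wired into tracd is not shown.

```python
# Added example (not Trac code): promote the proxy's Remote-User header to
# REMOTE_USER only when the request comes from a trusted proxy address.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}  # assumption: nginx runs on the same host


class TrustedRemoteUser(object):
    """Wrap a WSGI app; map HTTP_REMOTE_USER -> REMOTE_USER for trusted peers."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = frozenset(trusted)

    def __call__(self, environ, start_response):
        claimed = environ.get("HTTP_REMOTE_USER")
        if environ.get("REMOTE_ADDR") in self.trusted and claimed:
            # The mapping from the thread, applied to a trusted peer only.
            environ["REMOTE_USER"] = claimed
        else:
            # Untrusted peer or no header: drop any identity claim so the
            # wrapped app cannot pick it up from a client-supplied header.
            environ.pop("HTTP_REMOTE_USER", None)
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Stand-in for the real application: reports the user it would see."""
    user = environ.get("REMOTE_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode("utf-8")]


def simulate(remote_addr, headers):
    """Run one constructed request through the middleware, return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/login",
               "REMOTE_ADDR": remote_addr}
    # A WSGI server exposes the request header "Remote-User" (or
    # "REMOTE_USER") as environ["HTTP_REMOTE_USER"]; reproduce that here.
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    body = TrustedRemoteUser(whoami_app)(environ, lambda status, hdrs: None)
    return b"".join(body).decode("utf-8")


if __name__ == "__main__":
    print(simulate("127.0.0.1", {"REMOTE_USER": "alex"}))     # via the proxy
    print(simulate("203.0.113.7", {"Remote-User": "admin"}))  # direct client
```

The address check assumes the proxy overwrites or clears this header on every location it forwards, and that the backend port is reachable only through the proxy.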