I'm trying to set up Trac 1.4.1 on Ubuntu 18.04.4 LTS, with AccountManager
0.5. My short-term goal is to get it working with HtDigest, but ultimately
I need to implement it with AD/LDAP authentication. I've used Trac a long
time, but my experience setting it up and administering it is limited.
For the sake of simplicity, I am working with tracd until I get the
configuration right, though ultimately I hope to run Trac under gunicorn
behind nginx.
I have not been able to get AccountManager with the admin panel and
HtDigestStore working with Trac. I'll explain my process and provide diffs
of the trac.ini file at each step where it changes. Hopefully you can see
where I'm going wrong.
1. Set up PostgreSQL database with Trac user & database
2. in parent of Trac environment create a Python2 virtual environment
3. activate venv and install required Python modules
4. initialize Trac environment, e.g.
       trac-admin /path/to/trac_env initenv
5. create Trac deployment (shares the environment)
       rm -rf /path/to/trac_env/htdocs
       trac-admin /path/to/trac_env deploy /path/to/trac_env
6. create .htdigest file with admin user in the realm of the Trac env
       htdigest -c /path/to/.htdigest trac_env trac_admin
7. make this user an admin in Trac
       trac-admin /path/to/trac_env permission add trac_admin TRAC_ADMIN
When I run this environment with tracd and authentication enabled, I can
authenticate as an admin user.
    tracd -p 8080 --auth="trac_env,/path/to/.htdigest,trac_env" /path/to/trac_env
Now I try to implement AccountManager with HtDigestStore.
After killing the tracd I started above:
1. Download & extract TracAccountManager-0.5.0.tar.gz
2. build the egg for this plugin
3. copy the egg to /path/to/trac_env/plugins
4. start tracd as above (though if I haven't exited my browser, the naive
htdigest authorization from before will still leave me with admin
privileges)
5. go to Admin -> Plugins and check the 'Enabled' checkbox for
TracAccountManager 0.5.0 and then click 'Apply changes'
This course of action yields the following new sections in
trac_env/conf/trac.ini:
[account-manager]
login_attempt_max_count = 0
user_lock_max_time = 86400
user_lock_time = 0
user_lock_time_progression = 1
and
[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled
Missing are lines for a bunch of things the Admin/Plugins web UI suggests
are enabled, like HtDigestStore, HtPasswdStore, SessionStore, etc., so I'm
confused.
When I unfold HtDigestStore, I see I need to add some lines to the
[account-manager] section of trac.ini, so after that we get these changes:
[account-manager]
login_attempt_max_count = 0
user_lock_max_time = 86400
user_lock_time = 0
user_lock_time_progression = 1
password_store = HtDigestStore
htdigest_file = /path/to/.htdigest
htdigest_realm = trac_env
If I then visit the Trac instance from a browser profile that didn't log
in to the tracd naive htdigest authentication, I get an error message
*Authentication information not available*
I have also tried adding in the lines from the [components] section of the
HtDigestStore page on
https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration,
yielding this:
[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled
; https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration#HtDigestStore
acct_mgr.admin.* = enabled
acct_mgr.api.* = enabled
acct_mgr.db.sessionstore = disabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.htfile.htpasswdstore = disabled
acct_mgr.http.* = disabled
acct_mgr.notification.* = enabled
acct_mgr.pwhash.* = disabled
acct_mgr.register.* = enabled
acct_mgr.svnserve.svnservepasswordstore = disabled
acct_mgr.web_ui.* = enabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled
In this case, when I visit the site from a browser that has no cached
credentials, there is no Login link at all. Since the AccountManagerPlugin
cookbook page was last modified in July 2017, I figure the options have
changed, and possibly some conflict with the newer config lines the plugin
installation process added.
I remove the lines from the cookbook I added, and I then use the pages for
AccountManager, AccountManagerAdminPanel, and HtDigestStore.
My [components] looks like this
[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled
; added for AdminUserPanel
; https://trac-hacks.org/wiki/AccountManagerPlugin/Modules#AccountManagerAdminPanel
acct_mgr.admin.useradminpanel = enabled
acct_mgr.api.accountmanager = enabled
; added for HtDigestStore
; https://trac-hacks.org/wiki/AccountManagerPlugin/AuthStores#HtDigestStore
acct_mgr.htfile.HtDigestStore = enabled
At this point I do get the Login link in a browser with no cached
credentials, but when I click on it, I again get the
*Authentication information not available*
error page.
I have really tried to make use of the documentation and the help of smart
friends in working this problem, but I come up short. Maybe I'm missing one
config line? If I get AccountManager with HtDigestStore authentication
working, I think I can get the AD/LDAP extensions to work.
Thank you for your patience in reading this.
All the best,
Chuck Bearden
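
Added example (not part of the original post and not AccountManager code): a stand-alone Python 3 check that a user's line in the .htdigest file is filed under the realm named by htdigest_realm in trac.ini, and that a password matches the stored MD5 of "user:realm:password". The function names, the sample file contents and the password "example-pass" are constructed for illustration.

```python
import configparser
import hashlib
import hmac

# Constructed sample mirroring the [account-manager] keys shown in the post.
SAMPLE_TRAC_INI = """\
[account-manager]
password_store = HtDigestStore
htdigest_file = /path/to/.htdigest
htdigest_realm = trac_env
"""

def ha1(user, realm, password):
    """Value htdigest stores per user: hex MD5 of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

# Constructed .htdigest content: one 'user:realm:digest' line.
SAMPLE_HTDIGEST = "trac_admin:trac_env:" + ha1("trac_admin", "trac_env", "example-pass") + "\n"

def parse_htdigest(text):
    """Return {(user, realm): hex_digest}, skipping blank or malformed lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and all(parts):
            entries[(parts[0], parts[1])] = parts[2].lower()
    return entries

def check_user(ini_text, htdigest_text, user, password):
    """Say whether `user` verifies under the realm configured in trac.ini."""
    cfg = configparser.ConfigParser(interpolation=None)  # trac.ini may contain '%'
    cfg.read_string(ini_text)
    realm = cfg.get("account-manager", "htdigest_realm", fallback=None)
    if realm is None:
        return "no htdigest_realm configured"
    entries = parse_htdigest(htdigest_text)
    stored = entries.get((user, realm))
    if stored is None:
        other = sorted(r for (u, r) in entries if u == user)
        return f"user exists only in realm(s) {other}" if other else "unknown user"
    expected = ha1(user, realm, password)
    ok = hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))
    return "ok" if ok else "password mismatch"
```

To run it against a real setup, pass the text of trac_env/conf/trac.ini and of the file named by htdigest_file in place of the two samples.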