Can't get AccountManagerPlugin to work under 1.4.1

[Charles Bearden]

I'm trying to set up Trac 1.4.1 on Ubuntu 18.04.4 LTS, with AccountManager 0.5.. My short-term goal is to get it working with HtDigest, but ultimately I need to implement it with AD/LDAP authentication. I've used Trac a long time, but my experience setting it up and administering it is limited.

For the sake of simplicity, I am working with tracd until I get the configuration right, though ultimately I hope to run Trac under gunicorn behind nginx.

I have not been able to get AccountManager with the admin panel and HtDigestStore working with Trac. I'll explain my process and provide diffs of the trac.ini file at each step where it changes. Hopefully you can see where I'm going wrong.

 1.  Set up PostgreSQL database with Trac user & database
 2.  in parent of Trac environment create a Python2 virtual environment
 3.  activate venv and install required Python modules
 4.  initialize Trac environment, e.g.
     trac-admin /path/to/trac_env initenv
 5.  create Trac deployment (shares the environment)
     rm -rf /path/to/trac_env/htdocs
     trac-admin /path/to/trac_env deploy /path/to/trac_env
 6.  create .htdigest file with admin user in the realm of the Trac env
     htdigest -c /path/to/.htdigest trac_env trac_admin
 7.  make this user an admin in Trac
    trac-admin /path/to/trac_env permission add trac_admin TRAC_ADMIN

When I run this environment with tracd and authentication enabled, I can authenticate as an admin user.

  tracd -p 8080 --auth="trac_env,/path/to/.htdigest,trac_env" /path/to/trac_env

Now I try to implement AccountManager with HtDigestStore.

After killing the tracd I started above:

 1.  Download & extract TracAccountManager-0.5.0.tar.gz
 2.  build the egg for this plugin
 3.  copy the egg to /path/to/trac_env/plugins
 4.  start tracd as above (though if I haven't exited my browser, the naive htdigest authorization from before will still leave me with admin privileges)
 5.  go to Admin -> Plugins and check the 'Enabled' checkbox for TracAccountManager 0.5.0 and then click 'Apply changes'

This course of action yields the following new sections in trac_env/conf/trac.ini:

[account-manager]
login_attempt_max_count = 0
user_lock_max_time = 86400
user_lock_time = 0
user_lock_time_progression = 1

and

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled

Missing are lines for a bunch of things the Admin/Plugins web UI suggests are enabled, like HtDigestStore, HtPasswdStore, SessionStore, etc. are enabled, so I'm confused.

When I unfold HtDigestStore, I seen I need to add some lines to the [account-manager] section of trac.ini, so after that we get these changes:

[account-manager]
login_attempt_max_count = 0
user_lock_max_time = 86400
user_lock_time = 0
user_lock_time_progression = 1
password_store = HtDigestStore
htdigest_file = /path/to/.htdigest
htdigest_realm = trac_env

If I then visit the Trac instance from a browser profile that didn't logged in to the tracd naive htdigest authentication, I get an error message

  Authentication information not available

I have also tried adding in the lines from the [components] section of the HtDigestStore page on https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration, yielding this:

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled
; https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration#HtDigestStore
acct_mgr.admin.* = enabled
acct_mgr.api.* = enabled
acct_mgr.db.sessionstore = disabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.htfile.htpasswdstore = disabled
acct_mgr.http.* = disabled
acct_mgr.notification.* = enabled
acct_mgr.pwhash.* = disabled
acct_mgr.register.* = enabled
acct_mgr.svnserve.svnservepasswordstore = disabled
acct_mgr.web_ui.* = enabled
acct_mgr.web_ui.resetpwstore = disabled
trac.web.auth.loginmodule = disabled

In this case, when I visit the site from a browser that has no cached credentials, there is no Login link at all. Since the AccountManagerPlugin cookbook page was last modified in July 2017, I figure the options have changed, and possibly some conflict with the newer config lines the plugin installation process added.

I remove the lines from the cookbook I added, and I then use the pages for AccountManager, AccountManagerAdminPanel, and HtDigestStore.

My [components] looks like this

[components]
acct_mgr.guard.accountguard = enabled
acct_mgr.model.attachmentuseridchanger = enabled
acct_mgr.model.authcookieuseridchanger = enabled
acct_mgr.model.componentuseridchanger = enabled
acct_mgr.model.permissionuseridchanger = enabled
acct_mgr.model.reportuseridchanger = enabled
acct_mgr.model.revisionuseridchanger = enabled
acct_mgr.model.ticketuseridchanger = enabled
acct_mgr.model.wikiuseridchanger = enabled
; added for AdminUserPanel
; https://trac-hacks.org/wiki/AccountManagerPlugin/Modules#AccountManagerAdminPanel
acct_mgr.admin.useradminpanel = enabled
acct_mgr.api.accountmanager = enabled
; added for HtDigestStore
; https://trac-hacks.org/wiki/AccountManagerPlugin/AuthStores#HtDigestStore
acct_mgr.htfile.HtDigestStore = enabled

At this point I do get the Login link in a browser with no cached credentials, but when I click on it, I again get

  Authentication information not available

error page.

I have really tried to make use of the documentation and the help of smart friends in working this problem, but I come up short. Maybe I'm missing one config line? If I get AccountManager with HtDigestStore authentication working, I think I can get the AD/LDAP extensions to work.

Thank you for your patience in reading this.

All the best,
Chuck Bearden

[Jun Omae]

On Fri, Mar 20, 2020 at 7:32 AM Charles Bearden <cfbm...@gmail.com> wrote:
>
> I'm trying to set up Trac 1.4.1 on Ubuntu 18.04.4 LTS, with AccountManager 0.5.. My short-term goal is to get it working with HtDigest, but ultimately I need to implement it with AD/LDAP authentication. I've used Trac a long time, but my experience setting it up and administering it is limited.

Please install AccountManagerPlugin 0.6dev directly from repository,
for Trac 1.4.

See also https://trac-hacks.org/ticket/13720#comment:3

--
Jun Omae <jun...@gmail.com> (大前 潤)

[Charles Bearden]

Thank you for the suggestion. I tried installing the AccountManagerPlugin from trunk and configuring it in a completely fresh Trac environment, and I get the 404 page

No handler matched request to /login

I also tried following the process in the ticket comment more exactly, namely installing & enabling AccountManager 0.5.0 first, and then upgrading it from source, with the same result. HtDigestStore is enabled in [account-manager] and the realm & path to the htdigest file are correct.

The changes that 0.6.0dev make to trac.ini are a lot more reasonable looking than the changes made by 0.5.0, so maybe I have moved one step forward. But I'm still stuck.

Thanks & all the best,

Chuck Bearden

[Charles Bearden]

I got it now.

The plugin management web interface confusingly makes it look as if acct_mgr.web_ui.LoginModule is enabled, since the check-box next to it is checked. When I edit trac.ini, the trac.web.auth.loginmodule is indeed disabled, but there is no line actually enabling AccountManager's login module. Is that aspect of the plugin admin page intentional?

When I add the line enabling AccountManager's login module and click 'Login', I am prompted to install Genshi. When I do that & restart, I can login using htdigest.

Thank you!

Chuck