Trac - Active Directory


tracman

Jun 20, 2007, 3:09:01 PM
to Trac Users
hi all,

I used the instructions from http://trac.edgewall.org/wiki/TracModPython
and well I can't get Active Directory authentication to work...

in /etc/apache2/sites-available/default :

<Location /trac>
SetHandler mod_python
PythonOption TracEnvParentDir "/var/www/trac/"
PythonHandler trac.web.modpython_frontend
AuthType Basic
AuthBasicProvider ldap
Order Allow,Deny
Allow from All
AuthName "Trac"
AuthLDAPURL "ldap://192.168.0.1:389/dc=mydomain-bc,dc=local?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN te...@mydomain.local
AuthLDAPBindPassword test123
AuthzLDAPAuthoritative off
Require ldap-group OU=Users,OU=MyBusiness,DC=mydomain,DC=local
</Location>

I do get a pop-up asking for username / password.
When I enter a username like
login: test
password: test123

Then I do get this error in Apache error.log:

access to /trac failed, reason: require directives present and no Authoritative handler.

When I enter
login: test
password: notthecorrectpassword
Then Apache error.log says "Password Mismatch" - so apparently it did
communicate with the Active Directory.

When I enter
login: thisuserdoesnotexist
password: whatever
Then Apache error.log says "user thisuserdoesnotexist not found: /trac"

When I remove all authentication stuff I can see the Trac projects...
that part is set up correctly, just the authentication goes wrong...

Any help?

tracman

Jun 22, 2007, 12:03:34 PM
to Trac Users
nobody that knows anything about this...? I had the feeling I had it
*almost* working...

Jirka Vejrazka

Jun 22, 2007, 3:12:32 PM
to trac-...@googlegroups.com
Hi,

  I can't tell you what's wrong with your setup (not an LDAP expert), but this seems to work fine for me:

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/root.pem

  <Location /trac/sandbox>
    AuthType Basic
    AuthBasicProvider "ldap"
    AuthName "AD authorization"
    AuthLDAPBindDN "DOMAIN\LDAP_Search_Service_User"
    AuthLDAPBindPassword "AVeryComplexPassword"
    AuthLDAPURL ldaps://AD_Server:3269/DC=XXX,DC=XX,DC=com?userPrincipalName?sub
    require ldap-user I...@business.email.address.com
  </Location>



  I still plan to improve it to make the search more "user friendly" - on my TODO list :)


  Jirka

Sergey

Jun 22, 2007, 10:45:24 PM
to Trac Users
Have you tried without "AuthzLDAPAuthoritative off"? Also, try
"Require valid-user" first to make sure authentication works well, before
enforcing group membership with "Require ldap-group".
HTH,

Sergey.

On Jun 20, 3:09 pm, tracman <coenen....@gmail.com> wrote:
> hi all,
>
> I used the instructions from http://trac.edgewall.org/wiki/TracModPython
> and well I can't get Active Directory authentication to work...
>
> in /etc/apache2/sites-available/default :
>
> <Location /trac>
> SetHandler mod_python
> PythonOption TracEnvParentDir "/var/www/trac/"
> PythonHandler trac.web.modpython_frontend
> AuthType Basic
> AuthBasicProvider ldap
> Order Allow,Deny
> Allow from All
> AuthName "Trac"
> AuthLDAPURL "ldap://192.168.0.1:389/dc=mydomain-bc,dc=local?sAMAccountName?sub?(objectClass=user)"
> AuthLDAPBindDN t...@mydomain.local
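
The staged approach suggested in the reply above, written out as an added example for Apache 2.2 mod_authnz_ldap; it is not a configuration posted by anyone in this thread. The host name dc1.mydomain.local, the service account, the CA path and the group CN=TracUsers are assumed placeholders. "Require ldap-group" is matched against the member attribute of a group object, so the DN of an OU never satisfies it, and with "AuthzLDAPAuthoritative off" that failed check is handed on to other modules instead of being reported as a denial.

```apache
# Added example, Apache 2.2 syntax. Host name, service account, CA path
# and group DN are placeholders (assumptions), not values from the thread.

# Server-level: CA that issued the domain controller's LDAPS certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/root.pem

<Location /trac>
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir "/var/www/trac/"

    # Basic auth sends the password base64-encoded on every request:
    # refuse plain HTTP (needs mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider ldap

    # ldaps:// keeps the service-account bind and each user's password
    # encrypted on the wire; plain ldap:// on port 389 does not.
    AuthLDAPURL "ldaps://dc1.mydomain.local:636/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=user)"

    # Dedicated low-privilege search account; keep this file readable
    # by root only, since the password is stored in clear text.
    AuthLDAPBindDN "svc-trac-ldap@mydomain.local"
    AuthLDAPBindPassword "CHANGE_ME"

    # Keep mod_authnz_ldap authoritative (the default) so a failed LDAP
    # check is a clear denial rather than being passed to other modules.
    AuthzLDAPAuthoritative on

    # Step 1: prove that authentication alone works.
    #Require valid-user

    # Step 2: enforce group membership. The DN must name a group object;
    # membership is read from its "member" attribute (full user DNs).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=TracUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=local
</Location>
```

To limit access by OU rather than by group, narrow the base DN in AuthLDAPURL to that OU and keep "Require valid-user".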
