Authenticating Trac users against MS Windows domain controller


Doyal, Charles T CIV NSWCDD, K94

Feb 6, 2012, 1:09:12 PM2/6/12
to trac-...@googlegroups.com
I am a brand-new Trac user and had a sys-admin install Trac 0.12 about two weeks ago using Easy-Install for a MS Windows environment. The install was uneventful and I have been creating users and tickets to get a feel for Trac and using htpasswd. I have set up two projects with 1 Trac install. Users will run Trac via a local internet.

I am unsuccessfully trying to authenticate Trac users via the information at http://trac.edgewall.org/wili/TracOnWindows/Advanced about 'Authenticating Trac users against MS Windows domain controller'. I suspect either I did not place the plug-in in the right location or improperly, or I did not modify the files sufficiently for my install.

The error I am getting is ...
"The Apache service named reported the following error: >>> Invalid command 'SSPIAuth', perhaps misspelled or defined by a module not included in the server configuration ."

I downloaded the module indicated by the 'here' link. I then unzipped the file mod_auth_sspi-1.0.4 and copied the entire directory structure to c:\Program Files\BitNami Trac Stack\apache2\modules\mod_auth_sspi-1.0.4.

I also modified the information for httpd.conf first by what was in the downloaded file, then by what is included in the wiki information indicated above.

The new httpd.conf information, which I placed at the end of the file is...
<LocationMatch /http://vms5/trac/[^/]+/login>
AuthName "A Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain SOI.DAHLGREN.LOCAL
Require valid-user
</LocationMatch>

Could you please provide additional information regarding this issue? I would also like this 'password pass-through' to work for subversion also.

Respectfully,

Charles

Joseph P Villa

Feb 6, 2012, 1:41:14 PM2/6/12
to trac-...@googlegroups.com
Hi Charles,

I've found it works when I don't use the Trac plugin and instead use Apache for LDAP authentication against AD. I've been authenticating against Microsoft AD for the last month or so. You also want to make sure you have a dummy account to initiate the connection between your LDAP server and the Apache server where users log in and need LDAP authentication.

This is something like what I have for LDAP Authentication.

                <LocationMatch "^(/TracInstance)?/TracInstance/login">
                        AuthType Basic
                        AuthName "Secret login area"
                        AuthBasicProvider ldap
                        AuthzLDAPAuthoritative off
                        AuthLDAPURL "ldaps://someADServer.ad.net/DC=,DC=,DC=?sAMAccountName"
                        AuthLDAPBindDN SomeAccountSomewhereToTalkToLDAP
                        AuthLDAPBindPassword ************
                        Require valid-user
                </LocationMatch>

Make sure you fill out the DC= portions respectively. I think you can just have this be your domain somewhere.

Does this help?

Thanks,
Joe

Doyal, Charles T CIV NSWCDD, K94

Feb 6, 2012, 4:48:31 PM2/6/12
to trac-...@googlegroups.com
Thank you for your reply Joseph. I am getting an error on the line
<LocationMatch "^(/TracInstance)?/TracInstance/login">.

The Apache service named reported the following error: >>> Unknown Authn provider: ldap

Should that line be altered to something else? If so, could you provide an example?

Thank you,

Charles


victoria

Feb 7, 2012, 3:58:08 AM2/7/12
to trac-...@googlegroups.com
Hi,

Sorry if this is too basic or if you already checked it. Did you load
the modules in the httpd.conf file?

LoadModule sspi_auth_module "c:\Program Files\BitNami Trac Stack\apache2\modules\mod_auth_sspi-1.0.4\bin\mod_auth_sspi.so"

Also the line "#LoadModule ldap_module modules/mod_ldap.so" should be
uncommented:

LoadModule ldap_module modules/mod_ldap.so

You can check if the modules have been loaded correctly executing in a
command prompt:

"c:\Program Files\BitNami Trac Stack\apache2\bin\httpd.exe" -M -f "c:\Program Files\BitNami Trac Stack\apache2\conf\httpd.conf"

Best regards,

Victoria.

Cooke, Mark

Feb 7, 2012, 4:50:37 AM2/7/12
to trac-...@googlegroups.com
Please note: generally this list prefers not to top-post (unless the answer is trivial) as it makes it difficult to read in chronological order... I have re-ordered the posts below:

> Hi,
>
> Sorry if this is too basic or if you already checked it. Did you load
> the modules in the httpd.conf file?
>
> LoadModule sspi_auth_module "c:\Program Files\BitNami Trac Stack\apache2\modules\mod_auth_sspi-1.0.4\bin\mod_auth_sspi.so"
>
> Also the line "#LoadModule ldap_module modules/mod_ldap.so" should be
> uncommented:
>
> LoadModule ldap_module modules/mod_ldap.so
>
> You can check if the modules have been loaded correctly executing in a
> command prompt:
>
> "c:\Program Files\BitNami Trac Stack\apache2\bin\httpd.exe" -M -f "c:\Program Files\BitNami Trac Stack\apache2\conf\httpd.conf"
>
> Best regards,
>
> Victoria.

As Victoria mentions, you need to look into your apache configuration settings. It takes a little while but it is well worth reading up on authentication and authorisation on the apache httpd pages:

http://httpd.apache.org/docs/2.2/howto/auth.html

You are currently trying to use the SSPI module for windows which, although the simplest option, has AFAIK no active maintainer and is increasingly out of date.

Joe is suggesting the official LDAP module which is more complicated but probably better in the long run for Active Directory. However it can be a bit of a bugger to get going. I found the hardest part was figuring out what the credentials should be for the "AuthLDAPURL" and "AuthLDAPBindDN" (Active Directory requires an authenticated user to allow a search). I had to search for a tool to tell me what my credentials were and in the end used the free version of PowerGUI from http://powergui.org/ and that was a big help.

Also, if you want to cover both subversion and trac, make sure that the AuthName directive in both configurations uses exactly the same text (check out the docs: http://httpd.apache.org/docs/2.2/mod/core.html#authname)

Finally, as Victoria mentioned, you need several modules enabled, read the docs for each directive to make sure you have the right modules enabled.

Alternatively, use a distribution such as the BitNami stack that has most of this pre-integrated for you (at the expense of the learning you get from sorting it all out yourself).

Hope that helps,

~ mark c

P.S. here is a sanitised version of my settings to protect the whole of my trac/svn server virtual host:

<Location />
Order allow,deny
Allow from all

# The name of the protected area or "realm"
AuthName "My Trac/svn server"
# Do basic password authentication in the clear NB: !! use https !!
AuthType Basic
# Make LDAP the authentication mechanism
AuthBasicProvider ldap
# Make LDAP authentication final
AuthzLDAPAuthoritative on

# The LDAP query URL ~ upgrading to a secure connection once connected...
# using port 3268 searches the global catalogue, not just the local domain
AuthLDAPURL "ldap://<servername>:3268/DC=<sub>,DC=<domain>,DC=<com>?sAMAccountName,mail?sub?(objectClass=*)" TLS

# Active Directory requires an authenticating DN to access records
# for our server we can use an email address to login so...
AuthLDAPBindDN "us...@company.org"

# This is the password for the AuthLDAPBindDN user in Active Directory
# NB: stored in plain text so create a special account and protect this file!
AuthLDAPBindPassword <password>

# Require a valid user (uses: mod_authz_user.so)
#Require valid-user

# Require specific LDAP membership (uses: mod_authnz_ldap.so)
Require ldap-group <complicated LDAP stuff with lots of CN=,OU=,OU=,DC=<sub>,DC=<domain>,DC=<com>>

# Require specific LDAP user(s) (uses: mod_authnz_ldap.so)
Require ldap-user <username>

</Location>

If you do not have an SSL certificate for your server (are you using https:// ?) be aware that your user's passwords are (probably) being transmitted across your network in plain text...

Doyal, Charles T CIV NSWCDD, K94

Feb 10, 2012, 3:01:33 PM2/10/12
to trac-...@googlegroups.com
I am a new Trac user, so please be very specific in your replies. Sanitized examples are always welcomed. Thanks.

The executive summary of my problem is that I have a single Trac install and I need a separate password file (htpasswd) for each of two projects, and Trac is using a single password file.

In a VM windows environment, I installed Trac 12.2-5. I thought everything was going well until I added another project and wanted different Trac permissions for different users. After considerable reading, I have discovered I do not understand how the password file htpasswd is referenced.

In my initial misguided efforts, I noticed that whenever I ran htpasswd.exe, the output htpasswd file was being created at
c:/Users/charles/AppData/Local/VirtualStore/Program Files/BitNami Trac Stack/apps/trac/conf/, and that this htpasswd file had to be copied to
c:/Program Files/BitNami Trac Stack/apps/trac/conf/. I just figured that since the paths were identical starting at 'Program Files', that I had a path set incorrectly someplace and this was just a trivial problem I would fix later. I realized my problem and learned how to place the htpasswd file where I wanted.

My projects are located at ...
c:/Users/charles/BitNami Trac Stack Projects/XXX and
c:/Users/charles/BitNami Trac Stack Projects/YYY.

Somewhere I was led to believe that I should create a htpasswd file in each of the two directories noted above, which I did. I supposed that inclusion of the password files in those project directories would override the file located at c:/Program Files/BitNami Trac Stack/apps/trac/conf. That is not the case.

How do I get my Trac XXX project to use one password file, and my YYY project to use another password file? These projects are only accessible from our internal LAN/intranet, so real world protection is not necessary. I am just trying to keep honest programmers from accidentally making a mistake.

Thanks,

Charles

victoria

Feb 13, 2012, 5:12:44 AM2/13/12
to trac-...@googlegroups.com

In the trac.conf file in
c:/Users/charles/AppData/Local/VirtualStore/Program Files/BitNami Trac
Stack/apps/trac/conf/ you can see the following:

<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile "c:/Users/charles/AppData/Local/VirtualStore/Program Files/BitNami Trac Stack/apps/trac/conf/htpasswd"
Require valid-user
</LocationMatch>

The regular expression "/trac/[^/]+/login" will match all the projects.
What you need to do is add Location entries for each project, each one using a
different htpasswd file:


<Location "/trac/Project1/login">
AuthType Basic
AuthName "Trac"
AuthUserFile "c:/Users/charles/AppData/Local/VirtualStore/Program Files/BitNami Trac Stack/apps/trac/conf/htpasswd1"
Require valid-user
</Location>


<Location "/trac/Project2/login">
AuthType Basic
AuthName "Trac"
AuthUserFile "c:/Users/charles/AppData/Local/VirtualStore/Program Files/BitNami Trac Stack/apps/trac/conf/htpasswd2"
Require valid-user
</Location>

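Three of the problems in this thread are static properties of httpd.conf and can be caught before Apache is restarted: a directive whose module was never loaded (the "Invalid command 'SSPIAuth'" and "Unknown Authn provider: ldap" errors), a <Location> block closed with </LocationMatch>, and an ldap:// AuthLDAPURL with no TLS, which sends the bind password over the network in clear text. The Python script below is an added example, not code from this thread or from the Apache project. The module identifiers it knows are the Apache 2.2 ones plus sspi_auth_module from mod_auth_sspi, and the two sample fragments, their host name, domain and bind password, are constructed placeholders.

```python
"""Lint an Apache httpd 2.2 auth configuration for the mistakes seen in this thread.
Added example: not code from the thread or the Apache project."""
import re

# Directives that only exist once a particular module is loaded (2.2 identifiers).
DIRECTIVE_MODULES = {
    **dict.fromkeys(("SSPIAuth", "SSPIAuthoritative", "SSPIDomain"), "sspi_auth_module"),
    **dict.fromkeys(("AuthLDAPURL", "AuthLDAPBindDN", "AuthLDAPBindPassword"), "authnz_ldap_module"),
    "AuthUserFile": "authn_file_module",
}
# Directives whose first argument selects the module that must be loaded.
ARGUMENT_MODULES = {
    ("AuthType", "Basic"): "auth_basic_module",
    ("Require", "valid-user"): "authz_user_module",
    ("Require", "ldap-group"): "authnz_ldap_module",
}
# AuthBasicProvider may list several providers, each from its own module.
PROVIDER_MODULES = {"ldap": "authnz_ldap_module", "file": "authn_file_module"}
# mod_authnz_ldap uses mod_ldap's connection pool, so both must be loaded.
MODULE_DEPENDENCIES = {"authnz_ldap_module": ("ldap_module",)}
CONTAINER_RE = re.compile(r"<(/?)(\w+)")

def required_modules(directive, args):
    """Module identifiers one directive line needs, dependencies included."""
    needed = []
    if directive in DIRECTIVE_MODULES:
        needed.append(DIRECTIVE_MODULES[directive])
    elif directive == "AuthBasicProvider":
        needed.extend(PROVIDER_MODULES[p] for p in args if p in PROVIDER_MODULES)
    elif args and (directive, args[0]) in ARGUMENT_MODULES:
        needed.append(ARGUMENT_MODULES[(directive, args[0])])
    for mod in list(needed):
        needed.extend(MODULE_DEPENDENCIES.get(mod, ()))
    return list(dict.fromkeys(needed))

def lint_httpd_conf(text):
    """Return human-readable findings for a httpd.conf fragment; [] means clean."""
    lines = [line.strip() for line in text.splitlines()]
    # Every module loaded anywhere in the file, collected before checking directives.
    loaded = {p[1] for p in map(str.split, lines) if len(p) > 1 and p[0] == "LoadModule"}
    findings, stack = [], []
    for n, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        m = CONTAINER_RE.match(line)
        if m:  # <Location ...>, <LocationMatch ...>, </Location> and friends
            closing, tag = m.group(1) == "/", m.group(2)
            if not closing:
                stack.append((tag, n))
            elif not stack or stack[-1][0] != tag:
                opened = stack.pop() if stack else ("?", "?")
                findings.append(f"line {n}: </{tag}> closes <{opened[0]}> from line {opened[1]}")
            else:
                stack.pop()
            continue
        parts = [p.strip('"') for p in line.split()]
        directive, args = parts[0], parts[1:]
        for mod in required_modules(directive, args):
            if mod not in loaded:
                findings.append(f"line {n}: {directive} needs LoadModule {mod}")
        if directive == "AuthLDAPURL" and args:
            # Second argument is the connection mode: NONE, SSL, TLS or STARTTLS.
            mode = args[1].upper() if len(args) > 1 else "NONE"
            if args[0].lower().startswith("ldap://") and mode not in ("TLS", "STARTTLS"):
                findings.append(f"line {n}: AuthLDAPURL sends the bind password in clear text "
                                "(use ldaps:// or append TLS)")
    return findings

# Constructed sample 1: the SSPI block from the thread with no LoadModule at all.
SSPI_CONF = """\
<LocationMatch "/trac/[^/]+/login">
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain EXAMPLE.LOCAL
Require valid-user
</LocationMatch>
"""

# Constructed sample 2: mod_ldap loaded but mod_authnz_ldap forgotten, a clear-text
# ldap:// URL, and a <Location> closed with </LocationMatch>; names are placeholders.
LDAP_CONF = """\
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
<Location "/trac/Project1/login">
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc.example.local:3268/DC=example,DC=local?sAMAccountName"
AuthLDAPBindPassword PLACEHOLDER
Require valid-user
</LocationMatch>
"""

# The same fragment with all three problems fixed.
CLEAN_CONF = "LoadModule authnz_ldap_module modules/mod_authnz_ldap.so\n" + LDAP_CONF.replace(
    "ldap://", "ldaps://").replace("</LocationMatch>", "</Location>")

if __name__ == "__main__":
    for conf in (SSPI_CONF, LDAP_CONF, CLEAN_CONF):
        print(lint_httpd_conf(conf) or "OK")
```

Run it directly to see the findings for the two broken samples and "OK" for the corrected one, or call lint_httpd_conf() on the text of a real httpd.conf. It complements the httpd.exe -M check from earlier in the thread: -M reports what Apache actually loaded, while this script reports which directives in the file would need a module that is not loaded anywhere.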
