mod_auth_mellon authentication with AccountManagerPlugin and HttpAuthStore

Adrian Bradd

Jan 13, 2025, 3:10:15 PM
to Trac Users
Hi all,

I've got an Apache reverse proxy that I'm trying to use with mod_auth_mellon to authenticate users on our Trac instance using HttpAuthStore. AccountManager is v0.6 (installed using "pip install TracAccountManager"). Trac is version 1.6. I'm able to get HtDigestStore to work fine, but every time I try to use HttpAuthStore the page returns an error: "No handler matched request to /authFile"

I have the LogLevel set to DEBUG. But I see nothing in the logs.

I have MellonDiagnostics enabled. It seems to be working as expected.

tracd is running inside a container using the "--single-env" with the project url at root.

My trac config for AccountManager with HttpAuthStore:

[components]
trac.web.auth.loginmodule = disabled
acct_mgr.admin.* = enabled
acct_mgr.api.* = enabled
acct_mgr.http.* = enabled
acct_mgr.web_ui.* = enabled
acct_mgr.web_ui.resetpwstore = disabled
acct_mgr.db.sessionstore = disabled
acct_mgr.htfile.htdigeststore = disabled
acct_mgr.htfile.htpasswdstore = disabled
acct_mgr.notification.* = disabled
acct_mgr.pwhash.* = disabled
acct_mgr.register.* = disabled
acct_mgr.svnserve.svnservepasswordstore = disabled

[account-manager]
password_store = HttpAuthStore
authentication_url = /authFile

I've tried with both acct_mgr.web_ui.* enabled and disabled as I'm not sure if it is required. It made no difference in my testing.

My config for Apache uses a virtual host:

  <Location /authFile>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
  </Location>

I've left out the configuration for <Location /> where I set the other Mellon config such as metadata. I can add if anyone thinks it could be relevant.

When I navigate to https://trac_site.com/authFile the browser goes through the SAML login process and returns to https://trac_site.com/authFile only to have the above-mentioned error reported: "No handler matched request to /authFile"

Any idea what I am missing?

Cheers,

Adrian

Jun Omae

Jan 18, 2025, 4:25:02 PM
to trac-...@googlegroups.com
Hi,

I am not familiar with SAML and mod_auth_mellon, but I think the
configuration is incorrect.

HttpAuthStore cannot be used with SAML. It delegates to the
configured URL with HTTP Basic or Digest authentication. Also, I think
AccountManagerPlugin is not needed for Trac with mod_auth_mellon.


> <Location /authFile>
> AuthType Mellon
> MellonEnable auth
> Require valid-user
> </Location>

Change to:

<Location /login>
AuthType Mellon
MellonEnable auth
# Trac uses REMOTE_USER variable to authenticate the user
MellonSetEnvNoPrefix REMOTE_USER NAME_ID
Require valid-user
</Location>


> [components]
> trac.web.auth.loginmodule = disabled
> acct_mgr.admin.* = enabled
> ...

Next, uninstall AccountManagerPlugin, and remove "trac.web.auth.loginmodule"
and all "acct_mgr.*" from the [components] section.


Finally, restart Apache and try to click "login" in the menu.

--
Jun Omae <jun...@gmail.com> (大前 潤)
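
The point made in the reply above, that a password store delegating to a URL depends on an HTTP Basic or Digest answer while a SAML-protected location responds with a redirect to the identity provider, shown as an added example (not part of the original posts and not AccountManagerPlugin's code). The local server, the /basic and /saml paths, the alice account and the idp.invalid URL are constructed for the demonstration, and delegate_check is a simplified model of a URL-delegated password check.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice": "s3cret"}  # constructed test account
CASES = {"basic_good": ("/basic", "alice", "s3cret"),
         "basic_bad": ("/basic", "alice", "wrong"),
         "saml_good": ("/saml", "alice", "s3cret")}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/basic":  # Basic-protected URL: answers 200 or 401
            scheme, _, token = self.headers.get("Authorization", "").partition(" ")
            try:
                user, _, pw = base64.b64decode(token).decode().partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 credentials
                user, pw = "", ""
            ok = (scheme == "Basic" and user in USERS
                  and hmac.compare_digest(USERS[user].encode(), pw.encode()))
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        else:  # SAML-protected URL (modeled): redirect to the IdP, never a 401
            self.send_response(302)
            self.send_header("Location", "https://idp.invalid/sso")  # placeholder
        self.send_header("Content-Length", "0")
        self.end_headers()

def delegate_check(port, path, user, password):
    """Delegate the check: send Basic credentials, accept only a 200."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Authorization": "Basic " + token})
    status = conn.getresponse().status
    conn.close()
    return status == 200, status

def run_demo():
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        port = server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return {k: delegate_check(port, *v) for k, v in CASES.items()}
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

The correct password is accepted only by the Basic-protected URL; the SAML-style URL returns the redirect whatever credentials are sent, so the delegated check can never succeed there.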