Creating password files and configuring authentication works similarly to the examples given in the generic instructions for [wiki:TracInstall#ConfiguringAuthentication configuring authentication]:
{{{
#!xml
<Location /projects/myproject/login>
  AuthType Basic
  AuthName "myproject"
  AuthUserFile /var/trac/myproject/.htpasswd
  Require valid-user
</Location>
}}}

==== Advanced Example: configuring authentication for mod_ldap

As a special case, configuring [http://httpd.apache.org/docs/2.2/mod/mod_ldap.html mod_ldap] authentication in Apache is a bit tricky. The examples below were worked out against httpd 2.2.x and OpenLDAP (slapd 2.3.19).

1. You need to load the following modules in Apache's httpd.conf:
{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
}}}

2. Your httpd.conf also needs to look something like this:

{{{
#!xml
<Location /trac/>
  SetHandler mod_python
  PythonInterpreter main_interpreter
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnv /home/trac/
  PythonOption TracUriRoot /trac/
  Order deny,allow
  Deny from all
  Allow from 192.168.11.0/24
  AuthType Basic
  AuthName "Trac"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=co,dc=ke?uid?sub?(objectClass=inetOrgPerson)"
  AuthzLDAPAuthoritative Off
  Require valid-user
</Location>
}}}

Or, for the LDAP interface of a Microsoft Active Directory:

{{{
#!xml
<Location /trac/>
  SetHandler mod_python
  PythonInterpreter main_interpreter
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnv /home/trac/
  PythonOption TracUriRoot /trac/
  Order deny,allow
  Deny from all
  Allow from 192.168.11.0/24
  AuthType Basic
  AuthName "Trac"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://adserver.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPBindDN ldap-auth-user@company.com
  AuthLDAPBindPassword "the_password"
  AuthzLDAPAuthoritative Off
  # Require valid-user
  Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
</Location>
}}}

Note 1: This configuration connects to the Global Catalog of the Active Directory forest (note the port is 3268, not the normal LDAP port 389), which gets around users being spread over multiple OUs. The Global Catalog is essentially a "flattened" tree that allows searching for a user without knowing which OU they belong to.

Note 2: Active Directory requires an authenticated bind (AuthLDAPBindDN and AuthLDAPBindPassword) before it will answer searches for user records.

Note 3: The directive `Require ldap-group ...` restricts access to members of the named AD group; with it in place, the `Require valid-user` line is left commented out.
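The following Python script is an added example and is not part of this page or of Trac. It parses an `AuthLDAPURL` the way mod_authnz_ldap reads it (`scheme://host[:port]/basedn?attribute?scope?filter`) and reports the points worth checking in the two blocks above: cleartext `ldap://` to a directory that is not on the loopback interface, a bind password stored in httpd.conf, `Require valid-user` versus a group requirement, and use of the Global Catalog port. The directives in `AD_BLOCK` are copied from the Active Directory example.

```python
"""Review mod_authnz_ldap directives like those above (added example, not part of the page)."""
# AuthLDAPURL grammar per mod_authnz_ldap: scheme://host[:port]/basedn?attribute?scope?filter
LDAP_PORT, LDAPS_PORT, GC_PORT = 389, 636, 3268

# Constructed input: the authentication directives of the Active Directory block above.
AD_BLOCK = """
AuthType Basic
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://adserver.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN ldap-auth-user@company.com
AuthLDAPBindPassword "the_password"
AuthzLDAPAuthoritative Off
# Require valid-user
Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
"""

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its components, applying mod_authnz_ldap's defaults."""
    scheme, rest = url.split("://", 1)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = (tail.split("?") + [""] * 4)[:4]      # basedn, attribute, scope, filter
    default_port = LDAPS_PORT if scheme == "ldaps" else LDAP_PORT
    return {"scheme": scheme, "host": host, "port": int(port) if port else default_port,
            "basedn": fields[0], "attribute": fields[1] or "uid",
            "scope": fields[2] or "sub", "filter": fields[3]}

def lint_location(block):
    """Return review findings for the directives of one <Location> block (given as text)."""
    directives = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":             # skip blanks, comments and tags
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip().strip('"'))
    findings = []
    url = parse_auth_ldap_url(directives["authldapurl"][0])
    if url["scheme"] == "ldap" and url["host"] not in ("127.0.0.1", "localhost", "::1"):
        findings.append("cleartext ldap:// to %s: bind and user passwords cross the network unprotected" % url["host"])
    if "authldapbindpassword" in directives:
        findings.append("bind password in httpd.conf: keep the file unreadable to other users")
    if any(r.startswith("valid-user") for r in directives.get("require", [])):
        findings.append("Require valid-user: every account in the directory may log in")
    if url["port"] == GC_PORT:
        findings.append("Global Catalog (3268): forest-wide search on the partial attribute set")
    return findings

if __name__ == "__main__": print("\n".join(lint_location(AD_BLOCK)))
```

Run against the OpenLDAP block from step 2, the only finding is the `Require valid-user` one, since that directory is reached over loopback and no bind password is configured.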
See the corresponding section in the [wiki:TracModWSGI#ConfiguringAuthentication] page.