Changes between Version 65 and Version 66 of TracModWSGI
- Timestamp: Mar 23, 2015, 4:58:36 AM (9 years ago)
TracModWSGI
v65 v66 75 75 After preparing your .wsgi script, add the following to your Apache configuration file, typically `httpd.conf`: 76 76 77 {{{ 77 {{{#!apache 78 78 WSGIScriptAlias /trac /usr/local/trac/mysite/apache/mysite.wsgi 79 79 … … 89 89 If you followed the directions [TracInstall#cgi-bin Generating the Trac cgi-bin directory], your Apache configuration file should look like following: 90 90 91 {{{ 91 {{{#!apache 92 92 WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi 93 93 … … 115 115 The following sections describe different methods for setting up authentication. See also [http://httpd.apache.org/docs/2.2/howto/auth.html Authentication, Authorization and Access Control] in the Apache guide. 116 116 117 === Using Basic Authentication ===117 === Using Basic Authentication 118 118 119 119 The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program as follows: 120 {{{ 120 {{{#!sh 121 121 $ htpasswd -c /somewhere/trac.htpasswd admin 122 122 New password: <type password> … … 126 126 127 127 After the first user, you don't need the "-c" option anymore: 128 {{{ 128 {{{#!sh 129 129 $ htpasswd /somewhere/trac.htpasswd john 130 130 New password: <type password> … … 138 138 139 139 Now, you need to enable authentication against the password file in the Apache configuration: 140 {{{ 140 {{{#!apache 141 141 <Location "/trac/login"> 142 142 AuthType Basic … … 148 148 149 149 If you are hosting multiple projects, you can use the same password file for all of them: 150 {{{ 150 {{{#!apache 151 151 <LocationMatch "/trac/[^/]+/login"> 152 152 AuthType Basic … … 159 159 See also the [http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html mod_auth_basic] documentation. 160 160 161 === Using Digest Authentication ===161 === Using Digest Authentication 162 162 163 163 For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. 
164 164 165 165 You have to create your `.htpasswd` file with the `htdigest` command instead of `htpasswd`, as follows: 166 {{{ 167 #htdigest -c /somewhere/trac.htpasswd trac admin166 {{{#!sh 167 $ htdigest -c /somewhere/trac.htpasswd trac admin 168 168 }}} 169 169 170 170 The "trac" parameter above is the "realm", and will have to be reused in the Apache configuration in the !AuthName directive: 171 171 172 {{{ 172 {{{#!apache 173 173 <Location "/trac/login"> 174 175 AuthType Digest 176 AuthName "trac" 177 AuthDigestDomain /trac 178 AuthUserFile /somewhere/trac.htpasswd 179 Require valid-user 174 AuthType Digest 175 AuthName "trac" 176 AuthDigestDomain /trac 177 AuthUserFile /somewhere/trac.htpasswd 178 Require valid-user 180 179 </Location> 181 180 }}} … … 186 185 187 186 Don't forget to activate the mod_auth_digest. For example, on a Debian 4.0r1 (etch) system: 188 {{{ 189 187 {{{#!apache 188 LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so 190 189 }}} 191 190 … … 197 196 198 197 1. You need to load the following modules in Apache httpd.conf: 199 {{{ 200 LoadModule ldap_module modules/mod_ldap.so 201 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 202 }}} 203 204 2. Your httpd.conf also needs to look something like: 205 206 {{{ 198 {{{#!apache 199 LoadModule ldap_module modules/mod_ldap.so 200 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 201 }}} 202 1. Your httpd.conf also needs to look something like: 203 {{{#!apache 207 204 <Location /trac/> 208 205 # (if you're using it, mod_python specific settings go here) … … 218 215 </Location> 219 216 }}} 220 221 3. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory: 222 223 Use the following as your LDAP URL: 224 {{{ 225 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 226 }}} 227 228 You will also need to provide an account for Apache to use when checking credentials. 
As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 229 {{{ 230 AuthLDAPBindDN ldap-auth-user@example.com 231 AuthLDAPBindPassword "password" 232 }}} 233 234 The whole section looks like: 235 {{{ 217 1. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory. Use the following as your LDAP URL: 218 {{{#!apache 219 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 220 }}} 221 You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 222 {{{#!apache 223 AuthLDAPBindDN ldap-auth-user@example.com 224 AuthLDAPBindPassword "password" 225 }}} 226 The whole section looks like: 227 {{{#!apache 236 228 <Location /trac/> 237 229 # (if you're using it, mod_python specific settings go here) … … 247 239 authzldapauthoritative Off 248 240 # require valid-user 249 require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com241 Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com 250 242 </Location> 251 243 }}} … … 254 246 255 247 Note 2: You can also require the user be a member of a certain LDAP group, instead of just having a valid login: 256 {{{ 257 248 {{{#!apache 249 Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com 258 250 }}} 259 251 … … 266 258 267 259 If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. 
Download the module from the !SourceForge [http://sourceforge.net/projects/mod-auth-sspi/ mod-auth-sspi project] and then add the following to your !VirtualHost: 268 {{{ 269 270 271 272 273 274 275 276 277 278 279 260 {{{#!apache 261 <Location /trac/login> 262 AuthType SSPI 263 AuthName "Trac Login" 264 SSPIAuth On 265 SSPIAuthoritative On 266 SSPIDomain MyLocalDomain 267 SSPIOfferBasic On 268 SSPIOmitDomain Off 269 SSPIBasicPreferred On 270 Require valid-user 271 </Location> 280 272 }}} 281 273 … … 293 285 294 286 Here is an example (from the !HttpAuthStore link) using acct_mgr-0.4 for hosting a single project: 295 {{{ 287 {{{#!ini 296 288 [components] 297 289 ; be sure to enable the component … … 304 296 }}} 305 297 This will generally be matched with an Apache config like: 306 {{{ 298 {{{#!apache 307 299 <Location /authFile> 308 300 …HTTP authentication configuration… … … 321 313 322 314 Create the htpasswd file: 323 {{{ 315 {{{#!sh 324 316 cd /home/trac-for-my-proj/the-env 325 317 htpasswd -c htpasswd firstuser … … 331 323 Create this file e.g. (ubuntu) `/etc/apache2/sites-enabled/trac.my-proj.my-site.org.conf` with the following content: 332 324 333 {{{ 325 {{{#!apache 334 326 <Directory /home/trac-for-my-proj/the-deploy/cgi-bin/trac.wsgi> 335 327 WSGIApplicationGroup %{GLOBAL} … … 364 356 If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 0.3.4 or greater. See [trac:#10675] for details. 365 357 366 === Getting Trac to work nicely with SSPI and 'Require Group' ===358 === Getting Trac to work nicely with SSPI and 'Require Group' 367 359 368 360 If you have set Trac up on Apache, Win32 and configured SSPI, but added a 'Require group' option to your apache configuration, then the SSPIOmitDomain option is probably not working. If it is not working, your usernames in Trac probably look like 'DOMAIN\user' rather than 'user'. 
… … 382 374 }}} 383 375 384 === Trac with PostgreSQL ===376 === Trac with PostgreSQL 385 377 386 378 When using the mod_wsgi adapter with multiple Trac instances and PostgreSQL (or MySQL?) as the database, the server ''may'' create a lot of open database connections and thus PostgreSQL processes.
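Review bot: In the digest authentication hunk, the corrected `$ htdigest -c /somewhere/trac.htpasswd trac admin` line and the `AuthUserFile` directive still use `/somewhere/trac.htpasswd`, the same path the Basic hunks create with `htpasswd -c`. The two tools write different file formats and `-c` recreates the file, so a reader following both sections ends up with one file that only one scheme can read. Suggest a distinct name for the digest file (for example `/somewhere/trac.htdigest`) in both the command and the `AuthUserFile` line.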
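Review bot: In the LDAP hunk, the "whole section" block now ends with `Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com`, while `AuthLDAPURL` and the newly filled Note 2 block use `DC=example,DC=com`. Use one base DN throughout so the example is consistent when copied. The same hunk keeps `AuthLDAPBindPassword "password"` beside a plain `ldap://` URL. The text already says the password is stored in plaintext in the config, so while this paragraph is being reflowed it is worth adding that the dedicated bind account should have read-only rights, that the config file should be readable only by the Apache user, and that an `ldaps://` URL is preferable where the directory offers it.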
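Review bot: In the mod_auth_sspi hunk, the restored block sets `SSPIOfferBasic On` and `SSPIBasicPreferred On`, so domain credentials are offered and preferred over Basic, although the page introduces the module for single-sign-on and, in the digest section, recommends SSL or digest instead of Basic. Suggest `SSPIBasicPreferred Off` in the example, or a sentence next to the block stating that it should only be used on an SSL-enabled VirtualHost.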