Edgewall Software

Changes between Version 89 and Version 90 of TracStandalone


Timestamp: Aug 8, 2011, 3:21:52 PM (13 years ago)
Author: lkraav <leho@…>
Comment: instructions how to provide external authentication to tracd instances with REMOTE_USER, apache mod_proxy example

  • TracStandalone

    v89 v90  
    262262See also [trac:TracOnWindowsIisAjp], [trac:TracNginxRecipe].
    263263
     264=== Authentication for tracd behind a proxy
     265It is convenient to provide central external authentication to your tracd instances, instead of using {{{--basic-auth}}}. There is some discussion about this in #9206.
     266
     267Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap.
     268
     269First we bring tracd into Apache's location namespace.
     270
     271{{{
     272<Location /project/proxified>
     273        Require ldap-group cn=somegroup, ou=Groups,dc=domain.com
     274        Require ldap-user somespecificusertoo
     275        ProxyPass http://localhost:8101/project/proxified/
     276        # Turns out we don't really need complicated RewriteRules here at all
     277        RequestHeader set REMOTE_USER %{REMOTE_USER}s
     278</Location>
     279}}}
     280
     281Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory:
     282{{{
     283#!python
     284from trac.core import *
     285from trac.config import BoolOption
     286from trac.web.api import IAuthenticator
     287
     288class MyRemoteUserAuthenticator(Component):
     289
     290    implements(IAuthenticator)
     291
     292    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
     293               """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
     294                (''since ??.??').""")
     295
     296    def authenticate(self, req):
     297        if self.obey_remote_user_header and req.get_header('Remote-User'):
     298            return req.get_header('Remote-User')
     299        return None
     300
     301}}}
     302
     303Add this new parameter to your TracIni:
     304{{{
     305...
     306[trac]
     307...
     308obey_remote_user_header = true
     309...
     310}}}
     311
     312Run tracd:
     313{{{
     314tracd -p 8101 -r -s proxified --base-path=/project/proxified
     315}}}
     316
    264317=== Serving a different base path than / ===
    265318Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is
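
Review bot: The "Run tracd" command at new line 314 does not restrict which interface tracd listens on, while the plugin at lines 296-299 returns whatever `Remote-User` header the request carries once `obey_remote_user_header = true` is set. With that combination, any client that can reach port 8101 directly, without going through Apache, is treated as the user name it sends. Suggest adding tracd's `--hostname=localhost` (`-b`) option to the command and stating in the text that the tracd port must be reachable only from the proxy. The `<Location>` block at 272-278 also shows only the `Require` lines; the `AuthType` and LDAP provider directives that make `Require ldap-group` take effect are not shown, so the text should say where they are expected to be configured. Minor: the docstring quoting at line 294, `(''since ??.??')`, is unbalanced, and the new heading at 264 lacks the trailing `===` that the existing heading at 317 uses.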