| 294 | | The process of adding, removing, and configuring user accounts for authentication depends on the specific way you run Trac. The basic procedure is described in the [wiki:TracCgi#AddingAuthentication "Adding Authentication"] section on the TracCgi page. To learn how to setup authentication for the frontend you're using, please refer to one of the following pages: |
| | 294 | Trac uses HTTP authentication. You'll need to configure your webserver to request authentication when the `.../login` URL is hit (the virtual path of the "login" button). Trac will automatically pick the REMOTE_USER variable up after you provide your credentials. Therefore, all user management goes through your web server configuration. Please consult the documentation of your web server for more info. |
| | 295 | |
| | 296 | The process of adding, removing, and configuring user accounts for authentication depends on the specific way you run Trac. |
| | 297 | |
| | 298 | |
| | 299 | We'll describe here the most common scenario. |
| | 300 | |
| | 301 | |
| | 302 | === Example: Basic Authentication with Apache === |
| | 303 | |
| | 304 | The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program to create the password file: |
| | 305 | {{{ |
| | 306 | $ htpasswd -c /somewhere/trac.htpasswd admin |
| | 307 | New password: <type password> |
| | 308 | Re-type new password: <type password again> |
| | 309 | Adding password for user admin |
| | 310 | }}} |
| | 311 | |
| | 312 | After the first user, you dont need the "-c" option anymore: |
| | 313 | {{{ |
| | 314 | $ htpasswd /somewhere/trac.htpasswd john |
| | 315 | New password: <type password> |
| | 316 | Re-type new password: <type password again> |
| | 317 | Adding password for user john |
| | 318 | }}} |
| | 319 | |
| | 320 | ''See the man page for `htpasswd` for full documentation.'' |
| | 321 | |
| | 322 | After you've created the users, you can set their permissions using TracPermissions. |
| | 323 | |
| | 324 | Now, you'll need to enable authentication against the password file in the Apache configuration: |
| | 325 | {{{ |
| | 326 | <Location "/trac/login"> |
| | 327 | AuthType Basic |
| | 328 | AuthName "Trac" |
| | 329 | AuthUserFile /somewhere/trac.htpasswd |
| | 330 | Require valid-user |
| | 331 | </Location> |
| | 332 | }}} |
| | 333 | |
| | 334 | If you're hosting multiple projects you can use the same password file for all of them: |
| | 335 | {{{ |
| | 336 | <LocationMatch "/trac/[^/]+/login"> |
| | 337 | AuthType Basic |
| | 338 | AuthName "Trac" |
| | 339 | AuthUserFile /somewhere/trac.htpasswd |
| | 340 | Require valid-user |
| | 341 | </LocationMatch> |
| | 342 | }}} |
| | 343 | |
| | 344 | === Example: Digest Authentication with Apache === |
| | 345 | |
| | 346 | For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. Please read the [http://httpd.apache.org/docs/2.0/ Apache HTTPD documentation] to find out more. For example, on a Debian 4.0r1 (etch) system the relevant section in apache configuration can look like this: |
| | 347 | {{{ |
| | 348 | <Location "/trac/login"> |
| | 349 | LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so |
| | 350 | AuthType Digest |
| | 351 | AuthName "trac" |
| | 352 | AuthDigestDomain /trac |
| | 353 | AuthUserFile /somewhere/trac.htpasswd |
| | 354 | Require valid-user |
| | 355 | </Location> |
| | 356 | }}} |
| | 357 | and you'll have to create your .htpasswd file with htdigest instead of htpasswd as follows: |
| | 358 | {{{ |
| | 359 | # htdigest /somewhere/trac.htpasswd trac admin |
| | 360 | }}} |
| | 361 | where the "trac" parameter above is the same as !AuthName above ("Realm" in apache-docs). |
| | 362 | |
| | 363 | |
| | 364 | === More authentication scenarios |
| | 365 | |
| | 366 | To learn more how to setup authentication for the frontend you're using, please refer to one of the following pages: |
