294 | | The process of adding, removing, and configuring user accounts for authentication depends on the specific way you run Trac. The basic procedure is described in the [wiki:TracCgi#AddingAuthentication "Adding Authentication"] section on the TracCgi page. To learn how to setup authentication for the frontend you're using, please refer to one of the following pages: |
| 294 | Trac uses HTTP authentication. You'll need to configure your webserver to request authentication when the `.../login` URL is hit (the virtual path of the "login" button). Trac will automatically pick the REMOTE_USER variable up after you provide your credentials. Therefore, all user management goes through your web server configuration. Please consult the documentation of your web server for more info. |
| 295 | |
| 296 | The process of adding, removing, and configuring user accounts for authentication depends on the specific way you run Trac. |
| 297 | |
| 298 | |
| 299 | We'll describe here the most common scenario. |
| 300 | |
| 301 | |
| 302 | === Example: Basic Authentication with Apache === |
| 303 | |
| 304 | The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program to create the password file: |
| 305 | {{{ |
| 306 | $ htpasswd -c /somewhere/trac.htpasswd admin |
| 307 | New password: <type password> |
| 308 | Re-type new password: <type password again> |
| 309 | Adding password for user admin |
| 310 | }}} |
| 311 | |
| 312 | After the first user, you dont need the "-c" option anymore: |
| 313 | {{{ |
| 314 | $ htpasswd /somewhere/trac.htpasswd john |
| 315 | New password: <type password> |
| 316 | Re-type new password: <type password again> |
| 317 | Adding password for user john |
| 318 | }}} |
| 319 | |
| 320 | ''See the man page for `htpasswd` for full documentation.'' |
| 321 | |
| 322 | After you've created the users, you can set their permissions using TracPermissions. |
| 323 | |
| 324 | Now, you'll need to enable authentication against the password file in the Apache configuration: |
| 325 | {{{ |
| 326 | <Location "/trac/login"> |
| 327 | AuthType Basic |
| 328 | AuthName "Trac" |
| 329 | AuthUserFile /somewhere/trac.htpasswd |
| 330 | Require valid-user |
| 331 | </Location> |
| 332 | }}} |
| 333 | |
| 334 | If you're hosting multiple projects you can use the same password file for all of them: |
| 335 | {{{ |
| 336 | <LocationMatch "/trac/[^/]+/login"> |
| 337 | AuthType Basic |
| 338 | AuthName "Trac" |
| 339 | AuthUserFile /somewhere/trac.htpasswd |
| 340 | Require valid-user |
| 341 | </LocationMatch> |
| 342 | }}} |
| 343 | |
| 344 | === Example: Digest Authentication with Apache === |
| 345 | |
| 346 | For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. Please read the [http://httpd.apache.org/docs/2.0/ Apache HTTPD documentation] to find out more. For example, on a Debian 4.0r1 (etch) system the relevant section in apache configuration can look like this: |
| 347 | {{{ |
| 348 | <Location "/trac/login"> |
| 349 | LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so |
| 350 | AuthType Digest |
| 351 | AuthName "trac" |
| 352 | AuthDigestDomain /trac |
| 353 | AuthUserFile /somewhere/trac.htpasswd |
| 354 | Require valid-user |
| 355 | </Location> |
| 356 | }}} |
| 357 | and you'll have to create your .htpasswd file with htdigest instead of htpasswd as follows: |
| 358 | {{{ |
| 359 | # htdigest /somewhere/trac.htpasswd trac admin |
| 360 | }}} |
| 361 | where the "trac" parameter above is the same as !AuthName above ("Realm" in apache-docs). |
| 362 | |
| 363 | |
| 364 | === More authentication scenarios |
| 365 | |
| 366 | To learn more how to setup authentication for the frontend you're using, please refer to one of the following pages: |
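Review bot: In the Digest example (new lines 348-349), `LoadModule auth_digest_module ...` is placed inside `<Location "/trac/login">`, but Apache accepts `LoadModule` only at server-config level, so the block as written will be rejected when the configuration is parsed; move that line above the `<Location>` block. The `htdigest /somewhere/trac.htpasswd trac admin` command at new line 359 omits `-c` although the surrounding text says it creates the file, and it reuses the path that the Basic example populates with `htpasswd`. The two file formats are not interchangeable, so suggest `htdigest -c` with a separate file name for the digest case. The advice to enable SSL appears only under the Digest heading; since the Basic example sends the password with every request in a trivially decodable form, that sentence would be better placed before the Basic example or repeated there. Minor: "dont" at new line 312 should be "don't", and the heading at new line 364 lacks the closing `===` that the other headings use.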