Changes between Version 30 and Version 31 of TracModWSGI

Timestamp:

Feb 27, 2011, 5:26:37 PM (13 years ago)

Author:

Christian Boos

Comment:

Moved TracModPython@161#AdvancedExample:configuringauthenticationformod_ldap to this page

TracModWSGI

@@ -86 +86 @@
 == Configuring Authentication
 
-=== Example: Basic Authentication with Apache ===
+=== Using Basic Authentication ===
 
 The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program to create the password file:
@@ -128 +128 @@
 }}}
 
-=== Example: Digest Authentication with Apache ===
+=== Using Digest Authentication ===
 
 For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. Please read the [http://httpd.apache.org/docs/2.0/ Apache HTTPD documentation] to find out more. For example, on a Debian 4.0r1 (etch) system the relevant section  in apache configuration can look like this:
@@ -147 +147 @@
 where the "trac" parameter above is the same as !AuthName above  ("Realm" in apache-docs). 
 
-=== Example: Apache Basic Authentication for Trac and mod_wsgi
+
+Creating password files and configuring authentication works similar to the examples given in the generic instructions for [wiki:TracInstall#ConfiguringAuthentication configuring authentication]:
+{{{
+#!xml
+<Location /projects/myproject/login>
+  AuthType Basic
+  AuthName "myproject"
+  AuthUserFile /var/trac/myproject/.htpasswd
+  Require valid-user
+</Location>
+}}}
+
+=== Using LDAP Authentication 
+
+Configuration for [http://httpd.apache.org/docs/2.2/mod/mod_ldap.html mod_ldap] authentication in Apache is a bit tricky (httpd 2.2.x and OpenLDAP: slapd 2.3.19)
+
+1. You need to load the following modules in Apache httpd.conf
+{{{
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+}}}
+
+2. Your httpd.conf also needs to look something like:
+
+{{{
+<Location /trac/>
+  # (if you're using it, mod_python specific settings go here)
+  Order deny,allow
+  Deny from all
+  Allow from 192.168.11.0/24
+  AuthType Basic
+  AuthName "Trac"
+  AuthBasicProvider "ldap"
+  AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=co,dc=ke?uid?sub?(objectClass=inetOrgPerson)"
+  authzldapauthoritative Off
+  require valid-user
+</Location>
+}}}
+
+Or the LDAP interface to a Microsoft Active Directory:
+
+{{{
+<Location /trac/>
+  # (if you're using it, mod_python specific settings go here)
+  Order deny,allow
+  Deny from all
+  Allow from 192.168.11.0/24
+  AuthType Basic
+  AuthName "Trac"
+  AuthBasicProvider "ldap"
+  AuthLDAPURL "ldap://adserver.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
+  AuthLDAPBindDN       ldap-auth-user@company.com
+  AuthLDAPBindPassword "the_password"
+  authzldapauthoritative Off
+  # require valid-user
+  require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
+</Location>
+}}}
+
+Note 1: This is the case where the LDAP search will get around the multiple OUs, conecting to Global Catalog Server portion of AD (Notice the port is 3268, not the normal LDAP 389). The GCS is basically a "flattened" tree which allows searching for a user without knowing to which OU they belong.
+
+Note 2: Active Directory requires an authenticating user/password to access records (AuthLDAPBindDN and AuthLDAPBindPassword).
+
+Note 3: The directive "require ldap-group ..."  specifies an AD group whose members are allowed access.
+
+
+
+=== Example: Apache/mod_wsgi with Basic Authentication, Trac being at the root of a virtual host
 
 Per the mod_wsgi documentation linked to above, here is an example Apache configuration that a) serves the Trac instance from a virtualhost subdomain and b) uses Apache basic authentication for Trac authentication.