=== Example: Apache Basic Authentication for Trac and mod_wsgi

Creating password files and configuring authentication works similarly to the examples given in the generic instructions for [wiki:TracInstall#ConfiguringAuthentication configuring authentication]:
{{{
#!xml
<Location /projects/myproject/login>
  AuthType Basic
  AuthName "myproject"
  AuthUserFile /var/trac/myproject/.htpasswd
  Require valid-user
</Location>
}}}

=== Using LDAP Authentication

Configuring [http://httpd.apache.org/docs/2.2/mod/mod_ldap.html mod_ldap] authentication in Apache is a bit tricky. The instructions below apply to httpd 2.2.x and OpenLDAP (slapd 2.3.19).

1. You need to load the following modules in Apache's httpd.conf:
{{{
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
}}}
2. Your httpd.conf also needs to look something like:

{{{
<Location /trac/>
  # (if you're using it, mod_python specific settings go here)
  Order deny,allow
  Deny from all
  Allow from 192.168.11.0/24
  AuthType Basic
  AuthName "Trac"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=co,dc=ke?uid?sub?(objectClass=inetOrgPerson)"
  AuthzLDAPAuthoritative Off
  Require valid-user
</Location>
}}}

Or the LDAP interface to a Microsoft Active Directory:

{{{
<Location /trac/>
  # (if you're using it, mod_python specific settings go here)
  Order deny,allow
  Deny from all
  Allow from 192.168.11.0/24
  AuthType Basic
  AuthName "Trac"
  AuthBasicProvider "ldap"
  AuthLDAPURL "ldap://adserver.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPBindDN ldap-auth-user@company.com
  AuthLDAPBindPassword "the_password"
  AuthzLDAPAuthoritative Off
  # Require valid-user
  Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
</Location>
}}}

Note 1: This configuration connects to the Global Catalog portion of Active Directory (note that the port is 3268, not the standard LDAP port 389), so the LDAP search is not confined to a single OU. The Global Catalog is essentially a "flattened" tree that allows searching for a user without knowing which OU they belong to.

Note 2: Active Directory requires a bind user and password to read records (AuthLDAPBindDN and AuthLDAPBindPassword).

Note 3: The directive `Require ldap-group ...` restricts access to members of the named AD group.
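As an added example (not part of this page or of the Trac project), the following Python script parses the `AuthLDAPURL` format used in both blocks above and reports the settings a reviewer would check before deploying them: cleartext LDAP to a remote host, a bind password in httpd.conf, `AuthzLDAPAuthoritative Off`, a bare `Require valid-user`, and use of a Global Catalog port. The directive defaults (`uid`, `sub`, `(objectClass=*)`) follow the mod_authnz_ldap documentation; the `LOCAL_HOSTS` set and the wording of the notes are my own assumptions, and the sample input is the Active Directory block from this page trimmed to its LDAP directives.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}   # LDAP traffic never leaves the box (assumption)
GC_PORTS = {3268, 3269}                           # AD Global Catalog ports (see Note 1)

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL, scheme://host[:port]/basedn?attr?scope?filter."""
    parts = urlsplit(url)
    # urlsplit cuts at the first '?', so the later '?' separators survive in .query
    attr, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base_dn": parts.path.lstrip("/"), "attribute": attr or "uid",
            "scope": scope or "sub", "filter": filt or "(objectClass=*)"}  # module defaults

def parse_location(block):
    """Map lower-cased directive names to their values; comments and tags are skipped."""
    conf = {}
    for line in block.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            conf.setdefault(name.lower(), []).append(value.strip().strip('"'))
    return conf

def lint_location(block):
    """Review notes for one <Location> protected by mod_authnz_ldap."""
    conf = parse_location(block)
    url = parse_auth_ldap_url(conf["authldapurl"][0])
    notes = []
    if url["scheme"] == "ldap" and url["host"] not in LOCAL_HOSTS:
        notes.append("cleartext LDAP to a remote host exposes user and bind passwords; use ldaps://")
    if "authldapbindpassword" in conf:
        notes.append("bind password is stored in httpd.conf; restrict who can read that file")
    if conf.get("authzldapauthoritative", ["on"])[0].lower() == "off":
        notes.append("AuthzLDAPAuthoritative Off: a later authz module may still grant access")
    if conf.get("require") == ["valid-user"]:
        notes.append("Require valid-user: any account matching the search filter can log in")
    if url["port"] in GC_PORTS:
        notes.append("Global Catalog port: the search spans every OU in the forest")
    return notes

# The Active Directory <Location> from this page, trimmed to its LDAP directives.
AD_EXAMPLE = """<Location /trac/>
AuthLDAPURL "ldap://adserver.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN ldap-auth-user@company.com
AuthLDAPBindPassword "the_password"
AuthzLDAPAuthoritative Off
Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
</Location>"""
```

Run `lint_location(AD_EXAMPLE)` to get the four notes for the Active Directory block; the OpenLDAP block on localhost yields only the `AuthzLDAPAuthoritative` and `Require valid-user` notes.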

=== Example: Apache/mod_wsgi with Basic Authentication, Trac being at the root of a virtual host