Opened 5 years ago

Closed 2 years ago

#6509 closed defect (invalid)

HTML form is invalid for ldap authentication

Reported by: anonymous
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords: needinfo authentication ldap
Cc: zhijiex@…
Trac Release: 0.11

Description

I can log in to Trac via an HTML form. But after I changed to Active Directory authentication, Trac always pops up the username/password dialog to input username/password. I can log in to Trac via AD successfully. If I comment out "Require valid-user" in httpd.conf, the login becomes an HTML form, but I fail to log in.
Installed plugins: LdapPlugin 0.6.0, TracAccountManager 0.2.1dev

Change History (7)

comment:1 Changed 5 years ago by anonymous

  • Cc zhijiex@… added

I failed to log in because the retrieved session ID is not my user name. (Got the information from the Trac log.) So it cannot verify my password. I was confused why enabling the HTML form login caused the login ID to be lost.

comment:2 Changed 5 years ago by pacopablo

  • Owner changed from mgood to pacopablo
  • Status changed from new to assigned

I don't quite understand the problem.

Is Apache LDAP now doing authentication? If so, you need to turn off the account manager LoginModule and re-enable the Trac LoginModule.

If you are trying to use an LDAP password store, then this is a problem for the plugin in question.

Can you give more detail?

comment:3 follow-up: Changed 5 years ago by anonymous

I used Apache LDAP as authentication. Also LoginModule is enabled. But it failed to log in. Do I need to install another plugin for linking LdapPlugin to AccountManagerPlugin if I want to use an LDAP password store?

comment:4 in reply to: ↑ 3 Changed 4 years ago by hasienda

  • Keywords needinfo authentication ldap added
  • Owner changed from pacopablo to hasienda
  • Priority changed from high to normal
  • Severity changed from critical to major
  • Status changed from assigned to new

(I'm stepping in after quite some months of almost no active support here as the new AccountManagerPlugin maintainer. Sorry for the delay anyway.)

Replying to anonymous:

> I used Apache LDAP as authentication. Also LoginModule is enabled. But it failed to log in. Do I need to install another plugin for linking LdapPlugin to AccountManagerPlugin if I want to use an LDAP password store?

To clarify the situation a little bit, there is no such thing as (native) LDAP authentication with AccountManagerPlugin these days, while there are at least the following options:

stand-alone

  • AccountLdapPlugin permission store extension to Trac
  • LdapPlugin, utilizes Trac HTTP Auth, so it's an ACL, not the authentication itself

AuthStore for AccountManagerPlugin packaged as separate plugin

suggested native AuthStore for AccountManagerPlugin (see currently supported ones here)

In general, to go for Trac authentication you could go with or without AccountManagerPlugin, but if you decide for the «with» option, you'll most probably want to disable Trac's own login form.

I'm still investigating the various possible ways towards a native LdapAuthStore, actually following #1600 for a start, but there is nothing decided and final by now.

Hope, this will still help you somehow. If so, I'd appreciate your feedback to help with the decision, how to proceed with this ticket. After all it might be a local installation/configuration issue (better served by experienced admins and users at the mailing-list) or related to a different plugin or Trac itself.
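
Added example, not part of the ticket and not code from Trac or either plugin: a small check of the `[components]` section of trac.ini for the login-module mix-up discussed in comments 2 and 4. The component names `trac.web.auth.LoginModule` and `acct_mgr.web_ui.LoginModule` do not appear on this page, and they, the sample configuration and the simplified default rule are assumptions.

```python
import configparser

TRAC_LOGIN = "trac.web.auth.loginmodule"    # Trac's own login (relies on web-server auth)
ACCT_LOGIN = "acct_mgr.web_ui.loginmodule"  # AccountManagerPlugin's HTML form login

# Constructed sample: AccountManager's form login enabled next to Trac's default one.
SAMPLE_INI = """
[components]
acct_mgr.* = enabled
ldapplugin.* = enabled
"""

def component_enabled(rules, name):
    """Most specific rule wins: the exact name first, then each parent 'pkg.*'."""
    name = name.lower()
    if name in rules:
        return rules[name]
    parts = name.split(".")
    for i in range(len(parts) - 1, 0, -1):
        pattern = ".".join(parts[:i]) + ".*"
        if pattern in rules:
            return rules[pattern]
    # Assumption (simplified): core trac.* components default to enabled,
    # plugin components to disabled unless a rule enables them.
    return name.startswith("trac.")

def check_login_setup(ini_text, auth_by):
    """auth_by is 'webserver' (Apache/LDAP authenticates) or 'form' (AccountManager form)."""
    if auth_by not in ("webserver", "form"):
        raise ValueError("auth_by must be 'webserver' or 'form'")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    rules = {}
    if cp.has_section("components"):
        for key, value in cp.items("components"):
            rules[key.lower()] = value.strip().lower() in ("enabled", "on")
    want_trac = auth_by == "webserver"
    wanted = ((TRAC_LOGIN, want_trac), (ACCT_LOGIN, not want_trac))
    problems = []
    for name, want in wanted:
        if component_enabled(rules, name) != want:
            problems.append("%s should be %s" % (name, "enabled" if want else "disabled"))
    return problems

if __name__ == "__main__":
    for mode in ("webserver", "form"):
        print(mode, check_login_setup(SAMPLE_INI, mode))
```
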

comment:5 follow-up: Changed 2 years ago by MyName

is there any possibility to get all passwords from this site:
https://portal.bih.net.ba/amserver/UI/Login?

if yes please answer with your email..

comment:6 in reply to: ↑ 5 Changed 2 years ago by hasienda

Replying to MyName:

> is there any possibility to get all passwords from this site:
> https://portal.bih.net.ba/amserver/UI/Login?
>
> if yes please answer with your email..

I don't understand your question at all. Don't mistake AcctMgr for a cracker tool.

Btw, password management is delegated and done within all active Trac components that implement AcctMgr's IPasswordStore interface. You're asking for an exploit here? Don't dare!

comment:7 Changed 2 years ago by hasienda

  • Resolution set to invalid
  • Status changed from new to closed

The ticket title still represents the main ticket issue. I can only repeat: Yes, that's the way it's meant to be, and no one promised different behavior. Furthermore, the LdapPlugin wiki documentation explains that

LdapPlugin does not perform authentication

So this is not a defect, just a misunderstanding. If you want LDAP authentication, follow-up on #1600, please. However, thanks for taking care and reporting here.
