Modify

Opened 4 years ago

Closed 2 years ago

#8659 closed defect (worksforme)

WinXP HtDigestStore disables AccountModule because the password store does not support writing

Reported by: baloan Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: major Keywords: htdigest file AccountModule disabled
Cc: Trac Release: 0.12

Description (last modified by hasienda)

When switching to htdigest authentication mode webui disables AccountModule and RegistrationModule. Login does no longer work.

Windows XP SP3
Apache/2.2.17 (Win32)
Python 2.7.1
trac 0.12.2
tracaccountmanager 0.2.1dev-r4679 0.3dev-r9929
trachttpauth 1.1
tracloginrequiredplugin 0.1.0
tracmercurial 0.12.0.26

Attachments (1)

trac.ini.zip (2.5 KB) - added by baloan 4 years ago.

Download all attachments as: .zip

Change History (16)

comment:1 Changed 4 years ago by baloan

  • Windows XP SP3
  • Apache/2.2.17 (Win32)
  • Python 2.7.1
  • trac 0.12.2
  • tracaccountmanager 0.2.1dev-r4679
  • trachttpauth 1.1
  • tracloginrequiredplugin 0.1.0
  • tracmercurial 0.12.0.26

Changed 4 years ago by baloan

comment:2 Changed 4 years ago by hasienda

  • Keywords htdigest file AccountModule disabled added

What actions do you expect? If I understand correctly from the trac.log snippet in #8660, you've got a read-only htdigest password file, right? At least this is just a local installation and configuration problem.

You still want to use it that way? Do you feel the action taken by AcctMgr is just too harsh, or anything else? And last but not least, as you're using Trac 0.12: Why don't you try a more recent revision of this plugin? :-)

comment:3 Changed 4 years ago by baloan

I have upgraded to "tracaccountmanager 0.3dev-r9929".

What actions do I expect?

  1. login fails with a "Invalid username or password". I have created the password file with
    htdigest -c htdigest trac baloan
    

Login works fine with htpasswd.

  1. htdigest is read-write so I was wondering whether updating the password is not supported by tracaccountmanager with htdigest?
    D:\Home\web\trac>attrib htdigest
    A          D:\Home\web\trac\htdigest
    

comment:4 Changed 4 years ago by hasienda

I don't use AcctMgr with htdigest right now, but still don't know, why it shouldn't work.

Currently you can't use two or more files on parallel, whether it might might be htpasswd, htdigest or a mix of them. This might lead to confusion, even unintended misconfiguration, so please double-check, what is you effective configuration.

LoginRequiredPlugin is another candidate for disturbance, as it states clearly on the wiki page. Redirection issues have been fixed for AcctMgr lately, dunno, how that suites to LoginRequiredPlugin.

You mentioned "webui disables AccountModule and RegistrationModule" initially. Can you proof such behavior, i.e. by DEBUG log of a Trac environment reload?

comment:5 Changed 3 years ago by hasienda

Ping. :-)

Any more comments? Issue resolved?

comment:6 Changed 3 years ago by hasienda

  • Keywords needinfo added

comment:7 Changed 3 years ago by hasienda

This could even be related to #4677 in your case. Please make sure you don't have conflicting configuration - there can be only one of HtDigestStore and HtPasswdStore working.

Unless you use the latest code from trunk. If you do, please read the commit message of changeset [10396] really careful. Would be great to get test feedback for this new code here.

comment:8 Changed 2 years ago by hasienda

After such a long time without feedback it might be reasonable to assume, that the issue has been resolved meanwhile, right? If so, tell us as well, please.

However I'll let the next release happen before I finally close this ticket.

comment:9 Changed 2 years ago by anonymous

Not fixed. Using tracd on Debian, so perhaps that's a conflict between the trac.ini parameters and the command-line --auth option and its parameters.
As for the proof, well the name of the report is pretty much the line of the log (found this report by googling the corresponding log line).

2012-09-27 21:57:56,102 Trac[web_ui] WARNING: AccountModule is disabled because the password store does not support writing.
2012-09-27 21:57:56,103 Trac[web_ui] WARNING: RegistrationModule is disabled because the password store does not support writing.

I tried without authentication info in trac.ini, without --auth on the command line (that disabled authentication as expected), with the same info on the command line and in trac.ini, with a distinct (but similar) copy of the password file in each, and a few other even dumber things (same or different realms etc). Nothing worked. I think I'll just conclude that tracd is not compatible with the Registration or Account modules, install a minimalist web server such as boa an let it deal with the passwords. That would be consistent with the need to manually hash the passwords for tracd command-line options...

comment:10 follow-up: Changed 2 years ago by hasienda

  • Description modified (diff)

Did you try acct_mgr-0.3 or better: latest development code of acct_mgr-0.4dev aka trunk yet?

But I suspect there's no issue with AcctMgr at all. You want to use tracd with HTTP Basic Auth, but manage the htdigest file with AcctMgr, right? Make sure, that tracd process is running with a suitable UID, so you have r/w access to that file. You didn't talk about that by now. It seems that you continue to fail with that in your configuration - nothing that AcctMgr could be blamed for. If you're sure, that you'll be able to write to the file from tracd, post your [account-manager] configuration here, please.

Login is yet a different topic. For tracd with HTTP Basic Auth you need to follow t:wiki:TracStandalone#UsingAuthentication. Make sure to not enable AcctMgr's login form.

Btw, what is HttpAuthPlugin (you listed trachttpauth) meant to be fore? It's not needed for normal login as mentioned in the wiki docs, and I think you have more, than you need, or you don't know exactly what to do, so you risk interfering plugin actions. Try to build you setup step-by-step. Activating multiple plugins while having issues is a bad idea - just sort out each one on it's own, ok?

comment:11 in reply to: ↑ 10 Changed 2 years ago by anonymous

[PiLS] formerly [anonymous] Replying to hasienda:

Did you try acct_mgr-0.3 or better: latest development code of acct_mgr-0.4dev aka trunk yet?

Nope. But as you say further down, that doesn't look like a acct_mgr error to me.

But I suspect there's no issue with AcctMgr at all.

I suspect the same.

You want to use tracd with HTTP Basic Auth,

No, I want the htdigest auth if possible. I never actually tried the basic auth.

but manage the htdigest file with AcctMgr, right?

Right-ish.

Make sure, that tracd process is running with a suitable UID, so you have r/w access to that file. You didn't talk about that by now.

My bad. I have otherwise pretty good security and isolation so I run tracd as root on port 80 in that case. The password file, store, etc (and everything else in my Trac install) are owned by www-data in prevision of a move towards more sensible settings, but I think we can agree that root should have write access to them nonetheless ;-)

It seems that you continue to fail with that in your configuration

Not sure what you mean but yes I keep failing

  • nothing that AcctMgr could be blamed for.

Again, I do agree. Did my post somehow imply that? If so, that was definitely not my intention.

If you're sure, that you'll be able to write to the file from tracd, post your [account-manager] configuration here, please.

I can post one of the ten or so that did not work.

[account-manager]
account_changes_notify_addresses =
force_passwd_change = true
htdigest_realm = trac
password_file = /some/place/owned/by/www-data/trac/passwords/pass.digest
password_store = HtPasswdStore
persistent_sessions = true

"trac" is the realm I specify on the command line. I tried with nothing, and with a different realm

"pass.digest" is the password file I specify on the command line. It contains hashed passwords. I tried with nothing, with a non-existent file, with an exact copy of the same file, with the source file containing the undigested passwords, and with an ghost file (created with touch).

I tried removing "HtPasswdStore" but I never tried using basic auth instead (and I don't want to).

Login is yet a different topic.

How so?

For tracd with HTTP Basic Auth

Which I am not interested in even trying

you need to follow t:wiki:TracStandalone#UsingAuthentication. Make sure to not enable AcctMgr's login form.

Is that still valid if I really, REALLY don't want basic auth, to the point that I'd switch projects if Trac doesn't allow anything else?
Again, I am willing to install a web server if tracd can't deal with that issue. I will NOT use basic auth. EVER. I hope that is clear ;-)

Btw, what is HttpAuthPlugin (you listed trachttpauth) meant to be fore?

Ho ha OK. Well I am not Baloan, I am the anonymous guy you reply to. Sorry, I'm in a rush so I did not create an account. I will ASAP
Call me PiLS if you must, that's gonna be my ID if still available.

It's not needed for normal login as mentioned in the wiki docs,

No discussion about that

and I think you have more, than you need,

Tell me about that, I used to run GForge...

or you don't know exactly what to do,

If I knew exactly what to do we would not be having that discussion, would we? But I do believe that you are answering someone else. Someone who runs XP and not Debian... someone wo did not find this report by googling a line in the logs...

so you risk interfering plugin actions.

Now we're talking. I have both accountmodule and registrationmodule installed. They are both disabled at startup because of that password store issue (as shown in the log extract in my previous post, the anon one). I suspect it's not the plugins interfering with each other, but each of the plugins interfering with tracd (and losing the fight, as should damn well be).

Try to build you setup step-by-step. Activating multiple plugins while having issues is a bad idea - just sort out each one on it's own, ok?

That's a sensible idea. I tested my install without any plugin at all -everything went fine-, then with both registrationmodule and accountmodule at once (because I know for a fact that users will moan otherwise). The fact that the errors shows up that early in the logs, before any of the module is actually used, and the fact that it is exactly the same, at the very same time for both plugins, and the fact that is causes webui to disable both plugins at startup (so neither actually get a chance to cause interference, because they are just disabled before they have a chance to cause any trouble -correct me if I am wrong), all that suggests to me that this has in fact nothing to do with interference between plugins.
I may of course be completely wrong... legend has it, that it has happenned before ;-)

PiLS

comment:12 follow-up: Changed 2 years ago by PiLS

OK, so I finally created an account.
I was the guy on

09/28/12 04:11:24

and

09/29/12 04:19:42

I am definitely not the original reporter.

I do no encounter issues with login; however, the same error shows up in my logs, and that prevents validation emails from being sent.

For more info about my config please read the two anonymous messages further up.
The line I use for tracd is

#tracd -p80 --auth="*,/some/place/owned/by/www-data/passwords/pass.digest,trac" /my/trac/place/tracsite-1 /my/trac/place/tracsite-2

comment:13 in reply to: ↑ 12 ; follow-up: Changed 2 years ago by hasienda

Replying to PiLS:

OK, so I finally created an account.

Much better, thanks. So the communication link is more reliable.

I am definitely not the original reporter.

Got that wrong by your comment start 'Not fixed.', and overlooked the mismatch with OP in the following sentence, indeed. Clear now.

I do no encounter issues with login; however, the same error shows up in my logs, and that prevents validation emails from being sent.

For more info about my config please read the two anonymous messages further up.
The line I use for tracd is

#tracd -p80 --auth="*,/some/place/owned/by/www-data/passwords/pass.digest,trac" /my/trac/place/tracsite-1 /my/trac/place/tracsite-2

Here you fire tracd with authentication information, that is required only, if you intend to use Trac itself for authentication/login. But in your previous comment you made already clear, that you would want to do it with AcctMgr and it's form-based LoginModule alone, right?

  1. use simple htdigest file store configuration - see i.e. README in your AcctMgr version as a starting point
  2. make sure, that you enabled AcctMgr's LoginModule, but disabled Trac's own - this is even done for you in latest trunk automatically, so trac.ini looks similar to the htdigest example in our cookbook wiki page
  3. start tracd like so instead: #tracd -p80 /my/trac/place/tracsite-1 /my/trac/place/tracsite-2

I use tracd in a similar setup in production on a Gnu/Linux (Debian) system, so I know it works, as soon as we've sorted out your installation/configuration issues. All this would certainly better fit into our mailing-list. Tickets here are meant for development, and resolved configuration issues have much less visibility here than on the list archive.

comment:14 in reply to: ↑ 13 Changed 2 years ago by PiLS

Replying to hasienda:g to PiLS:

Thanks. I apparently missed a few lines in trac.ini, among which

acct_mgr.htfile.htdigeststore = enabled

for some reason. Pretty much everything else was set up automatically by initenv.

The line

trac.web.auth.loginmodule = disabled

is also required to use the web login form, but I went back as http auth is more efficient.

I use tracd in a similar setup in production on a Gnu/Linux (Debian) system, so I know it works, as soon as we've sorted out your installation/configuration issues. All this would certainly better fit into our mailing-list. Tickets here are meant for development, and resolved configuration issues have much less visibility here than on the list archive.

Sorry, I'll keep that in mind next time. Feel free to repost it there.

comment:15 Changed 2 years ago by hasienda

  • Keywords needinfo removed
  • Resolution set to worksforme
  • Status changed from new to closed

Pretty much information for similar cases.

Your implicit "Ok" seems to confirm, that all this is related to local installation/configuration of Trac and AcctMgr, not to a real defect of the plugin, as this ticket might suggest - so I'm closing this now.

Welcome to ask on the mailing-list next time. Thanks for taking care.

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.