wiki:AccountManagerPlugin/AuthStores

Version 30 (modified by sandinak, 19 months ago)

Authentication modules for AccountManagerPlugin

see AccountManagerPlugin's main page

HtDigestStore

Package
acct_mgr.htfile

Used to store passwords in the htdigest file format.

Warning: This password method may not work with mod_python due to a bug using Python’s md5 module under mod_python ("it has been reported that mod_python has trouble returning good MD5 strings. It has been speculated that this is because many apache mods are using the same md5 source (php and so forth), but this is not confirmed"). If you experience problems try FastCGI, mod_wsgi, tracd, or use md5crypt patch (#8386).

To use this component to manage your password file you need to enable it as described above and add some additional configuration to trac.ini:

[components]
; be sure to enable the component
acct_mgr.htfile.HtDigestStore = enabled

[account-manager]
; configure the plugin to store passwords in the htdigest format:
password_store = HtDigestStore
; with Trac < 0.10 use this instead:
password_format = htdigest

; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)

; the name of the authentication “realm”
; it can be any text to identify your site or project
htdigest_realm = TracRealm

Note: password_format option is strongly deprecated now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.

Recent changes:

  • new 'htdigest_password_file' option replaced 'password_file' in [10396] for acct_mgr-0.4

HtPasswdStore

Package
acct_mgr.htfile

Used to store passwords in the htpasswd file format.

Warning: This password method may not work with mod_python due to a bug using Python’s md5 module under mod_python. If you experience problems try FastCGI, mod_wsgi, tracd, or use md5crypt patch (#8386).

To use this component to manage your password file you need to enable it as described above and add some additional configuration to trac.ini:

[components]
; be sure to enable the component
acct_mgr.htfile.HtPasswdStore = enabled

[account-manager]
; configure the plugin to store passwords in the htpasswd format:
password_store = HtPasswdStore
; with Trac < 0.10 use this instead:
password_format = htpasswd
; optional hash type selection
htpasswd_hash_type = 

; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)

Note: password_format option is strongly deprecated now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.

Recent changes:

  • 'htpasswd_hash_type' for hash type selection available since [9274]
  • integration of popular sha512 hash type pending (see #8791, patch available)
  • new 'htpasswd_file' option replaced 'password_file' in [10396] for acct_mgr-0.4. If upgrading from an earlier version, password file authentication will fail until the option name has been changed in the trac.ini file.
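Both HtDigestStore and HtPasswdStore verify a login by recomputing a hash and comparing it to the line stored for that user, which is why a wrong htdigest_realm fails in the same way as a wrong password. The following is an added example, not AccountManagerPlugin code: it reproduces the two on-disk formats (htdigest, and htpasswd with the {SHA} scheme selected by htpasswd_hash_type = sha) and checks a login against constructed file contents; the user names and passwords are made up here.

```python
"""Check a login against the two file formats HtDigestStore and HtPasswdStore
read. Added example, not AccountManagerPlugin code: it reproduces the on-disk
formats so the role of htdigest_realm is visible; the file contents are
constructed here, not taken from a real installation."""
import base64
import hashlib
import hmac


def _entries(file_text):
    """Yield non-empty, non-comment lines of an ht* file."""
    for raw in file_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def htdigest_ha1(user, realm, password):
    """HA1 of RFC 2617: MD5 over user:realm:password, as htdigest(1) stores it."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def htdigest_entry(user, realm, password):
    """One line in htdigest format: user:realm:HA1."""
    return f"{user}:{realm}:{htdigest_ha1(user, realm, password)}"


def check_htdigest(file_text, user, realm, password):
    """True only if a line matches both user and realm and its HA1 agrees.

    The realm is part of the hashed string, so an htdigest_realm in trac.ini
    that differs from the realm the file was created with fails exactly like a
    wrong password, with nothing in the file to hint at the real cause.
    """
    for line in _entries(file_text):
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line: skip it instead of failing the whole lookup
        if parts[0] == user and parts[1] == realm:
            # constant-time comparison of stored vs. recomputed hash
            return hmac.compare_digest(parts[2], htdigest_ha1(user, realm, password))
    return False


def htpasswd_sha_entry(user, password):
    """One line as written by `htpasswd -s`: user:{SHA}base64(SHA-1(password))."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
    return f"{user}:{{SHA}}{digest.decode('ascii')}"


def check_htpasswd(file_text, user, password):
    """Verify the {SHA} scheme only. Other schemes present in the file (crypt,
    $apr1$ md5) are refused explicitly rather than guessed at."""
    for line in _entries(file_text):
        name, sep, stored = line.partition(":")
        if not sep or name != user:
            continue
        if not stored.startswith("{SHA}"):
            raise ValueError(f"unsupported htpasswd hash scheme for user {user!r}")
        candidate = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
        return hmac.compare_digest(stored[len("{SHA}"):], candidate.decode("ascii"))
    return False


# Constructed sample files, shaped like the files trac.ini points at above.
HTDIGEST_FILE = "\n".join([
    "# the realm here must equal htdigest_realm in trac.ini",
    htdigest_entry("alice", "TracRealm", "correct horse"),
    htdigest_entry("bob", "TracRealm", "battery staple"),
])
HTPASSWD_FILE = "\n".join([
    htpasswd_sha_entry("alice", "correct horse"),
    "legacy:$apr1$placeholder$not-a-real-hash",  # scheme this checker does not implement
])

if __name__ == "__main__":
    print(check_htdigest(HTDIGEST_FILE, "alice", "TracRealm", "correct horse"))   # True
    print(check_htdigest(HTDIGEST_FILE, "alice", "OtherRealm", "correct horse"))  # False: realm mismatch
    print(check_htpasswd(HTPASSWD_FILE, "alice", "correct horse"))               # True
```

Both MD5 and SHA-1 here are unsalted and fast to compute, which is the background to the pending sha512 work tracked in #8791 above and to the note that the web server, and nobody else, needs write access to these files.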

HttpAuthStore

Package
acct_mgr.http

Note: This component requires Trac 0.10 or later

Used to delegate authentication to the web server. This allows access to be restricted based on LDAP, a password file, etc., or some combination of them.

Note: If you are using the WSGI Apache interpreter instead of mod_python (pretty much required if using RHEL6), it is difficult to get HttpAuthStore to work with versions prior to acct_mgr-0.4. Upgrading is recommended.

Note: This password store does not support listing/adding/removing users or changing passwords.

[components]
; be sure to enable the component
acct_mgr.http.HttpAuthStore = enabled

[account-manager]
; configure the plugin to use a page that is secured with http authentication
authentication_url = /authFile
password_store = HttpAuthStore

Note: Only absolute URLs are supported in acct_mgr-0.3.

This will generally be matched with an Apache config like:

<Location /authFile>
   HTTP authentication configuration…
   Require valid-user
</Location>

The above example assumes that you are hosting a single Trac project. If hosting multiple Trac projects, you might use something like this in project1's trac.ini:

[account-manager]
; configure the plugin to use a page that is secured with http authentication
authentication_url = /project1/authFile
password_store = HttpAuthStore

Note: Only absolute URLs are supported in acct_mgr-0.3.

This could then be matched with an Apache config like:

<LocationMatch ^/[^/]+/authFile$>
   HTTP authentication configuration…
   Require valid-user
</LocationMatch>

Note that, prior to acct_mgr-0.4, authFile had to actually exist in the filesystem, and be a file (not directory) that could be accessed via the authentication_url specification. This is no longer the case: authFile does not need to exist; but the Apache configuration must match the authentication_url setting.

IMPORTANT: Be sure to test your configuration by attempting a login with a valid user, and both a valid and invalid password to ensure that your Apache <Location> or <LocationMatch> section is getting executed. If it is not, you will be able to log in with an invalid password.

Note: If you are having trouble getting HttpAuthStore to work, enable DEBUG-level logging, and check for HttpAuthStore messages in your project's Trac log file.
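The IMPORTANT note above describes a three-probe test: a valid user with the right password, the same user with a wrong password, and no credentials at all. The following is an added example, not AccountManagerPlugin code, that runs those probes against an authentication_url and classifies the outcome; it assumes the protected location uses HTTP Basic authentication (adjust if your Apache block uses Digest), and the fetch function is injectable so the classification can be checked without a server, as the two stand-in servers at the bottom do.

```python
"""Probe an authentication_url the way the IMPORTANT note asks you to test it:
valid user + valid password, valid user + invalid password, and no credentials.
Added example, not AccountManagerPlugin code. The fetch is a plain Basic-auth
GET (an assumption about the Apache setup), and the verdicts encode only the
failure the page describes: a <Location>/<LocationMatch> block that does not
match authentication_url lets any password in."""
import base64
import urllib.error
import urllib.request


def basic_auth_status(url, credentials, timeout=5):
    """GET url and return the HTTP status. credentials is (user, password) or None."""
    headers = {}
    if credentials is not None:
        user, password = credentials
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401/403/404 are results for this check, not errors


def _is_success(status):
    return 200 <= status < 300


def verify_http_auth_setup(url, user, good_password, bad_password, fetch=basic_auth_status):
    """Run the three probes and classify the result.

    Returns (verdict, statuses); verdict is one of
      'OK'            valid credentials accepted, everything else gets 401
      'MISCONFIGURED' a wrong password or no credentials is accepted, so the
                      auth block is not applied to authentication_url
      'REJECTS_VALID' nothing is accepted (wrong AuthUserFile, realm, ...)
      'UNEXPECTED'    rejections with a status other than 401 (e.g. 404 or 403)
    """
    statuses = {
        "valid": fetch(url, (user, good_password)),
        "invalid": fetch(url, (user, bad_password)),
        "anonymous": fetch(url, None),
    }
    if _is_success(statuses["invalid"]) or _is_success(statuses["anonymous"]):
        return "MISCONFIGURED", statuses
    if not _is_success(statuses["valid"]):
        return "REJECTS_VALID", statuses
    if statuses["invalid"] != 401 or statuses["anonymous"] != 401:
        return "UNEXPECTED", statuses
    return "OK", statuses


def fake_server(accounts):
    """Stand-in for a correctly configured Apache: a fetch() honouring `accounts`."""
    def fetch(url, credentials):
        if credentials is None:
            return 401
        user, password = credentials
        return 200 if accounts.get(user) == password else 401
    return fetch


def unprotected_server(url, credentials):
    """Stand-in for an Apache whose <Location> block does not match the URL."""
    return 200


if __name__ == "__main__":
    # Constructed URL and accounts; against a real site pass the absolute
    # authentication_url and use fetch=basic_auth_status (the default).
    url = "http://trac.example.invalid/project1/authFile"
    print(verify_http_auth_setup(url, "alice", "pw", "bad", fetch=fake_server({"alice": "pw"})))
    print(verify_http_auth_setup(url, "alice", "pw", "bad", fetch=unprotected_server))
```

Against a live server pass the absolute URL (the only form acct_mgr-0.3 supports anyway) and leave fetch at its default; a 'MISCONFIGURED' verdict means the Apache block is not being executed for that path and HttpAuthStore would accept any password.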

SessionStore

Package
acct_mgr.db

Stores password information in the Trac database. This may give better behavior if you have large numbers of users and are finding errors due to write contention on the password file. You must enable one or the other of the hash method components; HtDigestHashMethod is the default.

[components]
; be sure to enable the component
acct_mgr.db.SessionStore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
trac.web.auth.loginmodule = disabled ;this is important, otherwise login does not work. ref: http://www.gossamer-threads.com/lists/trac/users/41969

[account-manager]
password_store = SessionStore
; choose one of the hash methods with corresponding supplemental option
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDbRealm
;hash_method = HtPasswdHashMethod
;db_htpasswd_hash_type = sha

Recent changes:

  • fix for undesired option inheritance available since [10494] for acct_mgr-0.4
    • 'db_htdigest_realm' Realm to select relevant htdigest db entries
    • 'db_htpasswd_hash_type' for hash type selection
  • ResetPwStore, a special SessionStore sharing configuration with it, see explanation of 'lost password' procedure
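Several of the failure modes in the sections above are plain trac.ini mistakes: the deprecated password_format option, the pre-0.4 password_file name that silently breaks file authentication after an upgrade, a password_store whose component is not enabled, LoginModule left enabled with SessionStore, and hash_method given twice. The following is an added example, not AccountManagerPlugin code: a small lint over the [components] and [account-manager] sections that encodes only the rules stated on this page, run here against a constructed trac.ini fragment.

```python
"""Lint the [components] / [account-manager] sections of a trac.ini for the
pitfalls described on this page. Added example, not AccountManagerPlugin code;
the rules encode only what the page states (deprecated password_format,
renamed password_file, store component not enabled, LoginModule left on for
SessionStore, hash_method set twice)."""
import configparser

# Store name -> package, as given in the "Package" lines above.
STORE_PACKAGE = {
    "htdigeststore": "acct_mgr.htfile",
    "htpasswdstore": "acct_mgr.htfile",
    "httpauthstore": "acct_mgr.http",
    "sessionstore": "acct_mgr.db",
    "svnservepasswordstore": "acct_mgr.svnserve",
}
HASH_PACKAGE = "acct_mgr.pwhash"  # HtDigestHashMethod / HtPasswdHashMethod live here
# acct_mgr-0.4 option names that replaced password_file ([10396]).
RENAMED_FILE_OPTION = {"htdigeststore": "htdigest_file", "htpasswdstore": "htpasswd_file"}


def _parse(text):
    """Parse trac.ini text. Trac files use ';' comments, including inline ones."""
    findings = []
    cp = configparser.RawConfigParser(inline_comment_prefixes=(";",), strict=True)
    try:
        cp.read_string(text)
    except configparser.DuplicateOptionError as e:
        findings.append(f"[{e.section}] {e.option} is set more than once; only the last value counts")
        cp = configparser.RawConfigParser(inline_comment_prefixes=(";",), strict=False)
        cp.read_string(text)
    return cp, findings


def _component_enabled(cp, fullname):
    """True if [components] enables fullname, directly or via a wildcard such as acct_mgr.*."""
    if not cp.has_section("components"):
        return False
    target = fullname.lower()  # option names are lower-cased by configparser anyway
    for key, value in cp.items("components"):
        if value.strip().lower() != "enabled":
            continue
        if key == target or (key.endswith(".*") and target.startswith(key[:-1])):
            return True
    return False


def lint_trac_ini(text):
    """Return a list of findings; an empty list means none of the page's pitfalls was seen."""
    cp, findings = _parse(text)
    if not cp.has_section("account-manager"):
        return findings + ["no [account-manager] section: AccountManagerPlugin is unconfigured"]
    am = dict(cp.items("account-manager"))

    if "password_format" in am:
        findings.append("password_format is deprecated; use password_store instead")

    store = am.get("password_store", "").strip()
    if not store:
        return findings + ["password_store is not set"]
    key = store.lower()
    pkg = STORE_PACKAGE.get(key)
    if pkg is None:
        findings.append(f"password_store = {store} is not one of the stores documented here")
    elif not _component_enabled(cp, f"{pkg}.{store}"):
        findings.append(f"{pkg}.{store} is not enabled in [components]")

    if key in RENAMED_FILE_OPTION and "password_file" in am:
        findings.append(f"password_file is the pre-0.4 option name; {store} reads {RENAMED_FILE_OPTION[key]}")

    if key == "sessionstore":
        comps = dict(cp.items("components")) if cp.has_section("components") else {}
        if comps.get("trac.web.auth.loginmodule", "").strip().lower() != "disabled":
            findings.append("trac.web.auth.loginmodule must be disabled for SessionStore logins to work")
        method = am.get("hash_method", "HtDigestHashMethod").strip()  # page: HtDigestHashMethod is the default
        if not _component_enabled(cp, f"{HASH_PACKAGE}.{method}"):
            findings.append(f"{HASH_PACKAGE}.{method} is not enabled in [components]")
    return findings


# Constructed trac.ini fragment: an acct_mgr-0.3 HtPasswdStore setup carried over to 0.4 unchanged.
UPGRADED_INI = """\
[components]
acct_mgr.htfile.HtPasswdStore = enabled

[account-manager]
password_store = HtPasswdStore
password_format = htpasswd
password_file = /var/trac/trac.htpasswd   ; old style name
"""

if __name__ == "__main__":
    for finding in lint_trac_ini(UPGRADED_INI):
        print("-", finding)
```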

For sample configuration settings see our cookbook page

For historic background of this IPasswordStore implementation see:

http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html

SvnServePasswordStore

Package
acct_mgr.svnserve

Allows Trac to use SVN users (possibly in addition to Trac users). The SVN server configuration option should be "svnserve". For more information, read chapter 6 of the SVN book.

[components]
; be sure to enable the component
acct_mgr.svnserve.* = enabled
acct_mgr.svnserve.svnservepasswordstore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled

[account-manager]
password_store = SvnServePasswordStore
password_file = /path/to/svn/repos/conf/passwd
; choose one of the hash methods
hash_method = HtDigestHashMethod
;hash_method = HtPasswdHashMethod

NB: password_file points to the svnserve passwd file, which defines users and passwords one per line in the form: user = password

LDAP

Package
acct_mgr.adauth

Allows authentication against most LDAP based directories including Active Directory. See DirectoryAuthPlugin for details. Meanwhile please check the following options:

stand-alone

  • AccountLdapPlugin, a permission store extension to Trac
  • LdapPlugin, utilizes Trac HTTP Auth, so it's an ACL, not the authentication itself

AuthStore for AccountManagerPlugin packaged as a separate plugin

  • the suggested native AuthStore for AccountManagerPlugin (see the currently supported ones here)

Other sources

There are a number of other implementations of IPasswordStore like the LDAP authentication plugins mentioned above, here at t-h.o and elsewhere on the web.

Where to start? Here is a small and certainly incomplete collection:

Package/Plugin and store name | Description | Author | Resource link
DirectoryAuthPlugin | Provides authentication against AD or generic LDAP. | John Hampton (pacopablo), Branson Matheson (sandinak) | DirectoryAuthPlugin
CrowdAuthStore in TracCrowdAuthPlugin | Use a Crowd service for authentication. | Richard Liao (richard) | TracCrowdAuthPlugin
DjangoPasswordStore in TracDjangoAuthPlugin | Trac authentication against Django's user database. | Ville Korhonen | https://github.com/ypcs/TracDjangoAuth
GoogleAppsPasswordStore in TracGoogleAppsAuthPlugin | Trac authentication plugin for integration with a hosted Google Apps domain. | David A. Riggs | http://pypi.python.org/pypi/TracGoogleAppsAuthPlugin/
HtBlowfishStore in HtBlowfishStorePlugin | HtPasswdStore with Blowfish support. | Mitar (mitar) | https://bitbucket.org/mitar/trac-htblowfishstore
PhpBBAuthStore in PhpBbAuthPlugin | Use a phpBB3 database as the authentication store. | John Hampton (pacopablo) | PhpBbAuthPlugin
PwAuthStore in TracPwAuth | AccountManager password store that uses pwauth to check against the system password database. | Noah Kantrowitz (coderanger) | http://pypi.python.org/pypi/TracPwAuth/
SQLAuthStore in SQLAuthStorePlugin | Defines an authentication store over an SQL database. | Mitar (mitar) | https://bitbucket.org/mitar/trac-sqlauthstore
SQLFlexibleAuthStore in SqlFlexibleAuthStorePlugin | Defines an authentication store over an SQL database, and includes a PermissionGroup provider from SQL too. | Dolf Andringa, Mitar, Chris Liechti (dolfandringa, mitar) | SqlFlexibleAuthStorePlugin

Please add a valid reference here, if you know/find more.