wiki:AccountManagerPlugin/Modules

Version 14 (modified by hasienda, 3 years ago) (diff)

some more words of explanation on account lock behavior

AccountManager

Package
acct_mgr.api

This holds core code of this plugin. This component must be enabled to use any of the other components.

Additionally one or more sources for storing authentication information are required:

There's even some information on how to get not-yet-implemented LDAP authentication.


AccountManagerAdminPages note1

Package
acct_mgr.admin

This component adds a whole new section with a couple of pages to the trac:WebAdmin section for managing user accounts:

  • admin/accounts/config - basic configuration, i.e. AuthStore activation and ordering
  • admin/accounts/notification - AccountManager change notification settings
  • admin/accounts/users - user account listing with some management functions, i.e.
    • add/delete accounts
    • change password and other account attributes
    • reset password similar to the 'lost password', but triggered by admin (since acct_mgr-0.3)
    • review account details (since acct_mgr-0.3)
    • review and erase entries of Trac db table session_attribute (since acct_mgr-0.4) note2

note1 Before acct_mgr-0.3 modules name has been AccountManagerAdminPage instead.
note2 Requires ACCTMGR_ADMIN or TRAC_ADMIN, but handle with extreme care anyway - no problem to shoot yourself in the foot by i.e. deleting your own SessionStore admin password. So double-check and think twice, and especially have a current, working Trac db backup before starting cleanup here.

screenshot of account administration - v 0.4

Older versions required the TRAC_ADMIN permission to access any of the admin pages, but a more granular set of permissions has been introduced since acct_mgr-0.3 (see changeset [9280]):

ACCTMGR_ADMIN
all permissions in the plugin's domain, like TRAC_ADMIN for Trac core
ACCTMGR_CONFIG_ADMIN
permission to see and use the configuration admin page
ACCTMGR_USER_ADMIN
permission to see and use most other admin pages of this plugin except the cleanup (button <Review account attributes>)

Configuration

[components]
acct_mgr.admin.AccountManagerAdminPages = enabled

Compatibility

requires Trac >= 0.10


AccountModule

Package
acct_mgr.web_ui

Allows users to change their password, or delete their account. When logged in it will appear as a tab “Account” after clicking the “Preferences” link.

Configuration

[components]
acct_mgr.web_ui.AccountModule = enabled

You'll need to activate at least one of the authentication resources bundled with AccountManagerPlugin. (From a programmers view these are all IPasswordStore implementations.) An error telling you "This password store does not support listing users" indicates, that you didn't successfully activate/configure any authenticaton credential provider yet. Easiest way to do that is using the web-UI. Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there.

Since Trac 0.10: When used in combination with the LoginModule it adds a link to the login page “Forgot your password?” where users can reset their password if they’ve forgotten it. You will need to have your SMTP server information configured in your trac.ini for the “Forgot your password?” link to show up and enable AccountChangeListener:

[components]
acct_mgr.notification.accountchangelistener = enabled

To disable just the password reset functionality add the following line to the [account-manager] section:

[account-manager]
reset_password = False

Since Trac 0.11: When a user resets their password they will be required to change their password on the next successful login. This can be disabled via the trac.ini by setting:

[account-manager]
force_passwd_change = false

LoginModule

Package
acct_mgr.web_ui

Allows users to login via a HTML form instead of using HTTP authentication.

screenshot of login form

The template has been modified for acct_mgr-0.3 to allow for better custom CSS styling. See style.css in the contrib directory for a jump-start.

Configuration

To use the AccountManager’s HTML form, you need to explicitly disable Trac's own HTTP authentication module. To do so add this your trac.ini or find and modify existing lines accordingly:

[components]
acct_mgr.web_ui.LoginModule = enabled

trac.web.auth.LoginModule = disabled

When using the tracd server be sure not to use the --auth or --basic-auth options. Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use AccountManagerPlugin's HTML form.

If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. In order to disable the authentication look for a section in the Apache configuration file like:

<Location /trac/login>
   # Some options like AuthType and AuthUserFile
   Require valid-user
</Location>

Deleting or commenting the Require valid-user line should be sufficient to disable HTTP authentication. After you’ve tested it, you can probably delete or comment out the rest of the authentication options. In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (BitnamiTrac\trac\conf\trac.conf)

Compatibility

requires Trac >= 0.10

To use this module with tracd stand-alone server you'll need Trac 0.10 or later version, or an external webserver such as Apache.


AccountGuard

Package
acct_mgr.guard

appears in acct_mgr-0.3: adds login failure tracking and administrative account locking to protect against brute-force attacks on user passwords

Enabling the guard means, that even legitimated login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account.

See some example configurations it the cookbook page and look at screenshot series below to get an idea, how this looks like and is meant to work.

account manager login page when hitting temporary account lock condition on login failure
Hitting account soft (temporary) lock condition on login failure

account details admin page with failed login attempts
Account details page showing failed login attempts and other details

failed login attemps display after successful login
Display of total failed login attempts since last successful login


RegistrationModule

Package
acct_mgr.web_ui

Enables users to register a new account. It adds a “Register” link on the same menu bar as the “Login” link.

screenshot of registration page

Configuration

[components]
acct_mgr.web_ui.RegistrationModule = enabled

Warning: You must enable one of the password storage modules for the Registration Module to work.

Note: You must not enable ignore_auth_case in trac.ini as otherwise this module won’t work. [Update: This doesn't apply to trunk branch anymore. Use a revision at changeset [9286] or later to lift this limitation.]


EmailVerificationModule

Package
acct_mgr.web_ui

If you enable this, users will be sent an email with a verification code to enter, to approve it is really their own email address:

Configuration

[components]
acct_mgr.web_ui.EmailVerificationModule = enabled
acct_mgr.notification.AccountChangeListener = enabled

Until they entered the verification code on the URL sent with the email, their permissions will be restricted (even if they have the TRAC_ADMIN privilege, they won't be able to access anything exceeding the standard privileges of authenticated users). Update: After changeset [9304] ACCTMGR_ADMIN (and TRAC_ADMIN, as it inherits it among all other privileges) won't be bothered with the verification procedure.

This has been added as a strict requirement now as suggested by ticket #5509 to trunk code with changeset [9277], but was not enforced before, so verification only happened, if an email had been specified on registration. In other words, if some user registered w/o specifying an email address, this was possible and an unrestricted account was created without requiring further actions.

Note that if you don't want to enforce entering a valid email on registration, you may want to disable this component. An option

[account-manager]
verify_email = false

for switching this off easily, to restore the old behavior of AccountManagerPlugin by default, is available since changeset [9304] as well.

As shown in the configuration above, you'll have to enable the accountchangelistener component as well. Without it, verification emails will be silently ignored (but the webui will still say they got sent!).

Attachments (4)

Download all attachments as: .zip