Changes between Version 12 and Version 13 of CookBook/AccountManagerPluginConfiguration


Ignore:
Timestamp:
Dec 15, 2012, 12:20:48 PM (2 years ago)
Author:
hasienda
Comment:

splitted and re-ordered sections as appearing in real trac.ini, typo and more small fixes

Legend:

Unmodified
Added
Removed
Modified
  • CookBook/AccountManagerPluginConfiguration

    v12 v13  
    22
    33= Cookbook: AccountManagerPlugin configuration =
    4 commented sample configurations for common and special use cases
    5 
    6 We'll collect some useful configuration examples here to give hints on proper use of available options.
    7 
    8  '''Hint:''' Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. Anyway, case doesn't really matter here.
     4commented sample configurations for most common and some special use cases
     5
     6We collect some useful configuration examples here giving hints on proper use of available options.
     7
     8 '''General hints:'''
     9 * Content for different section grouped in one example must be used together.
     10 * Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here.
    911
    1012== Basic configuration/Kickstart ==
     
    1719
    1820=== !HtPasswdStore ===
     21{{{
     22#!cfg
     23[account-manager]
     24password_store = HtPasswdStore
     25htpasswd_hash_type = md5
     26;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
     27htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)
     28}}}
    1929{{{
    2030#!cfg
     
    3343acct_mgr.svnserve.svnservepasswordstore = disabled
    3444acct_mgr.web_ui.* = enabled
    35 
    36 [account-manager]
    37 password_store = HtPasswdStore
    38 htpasswd_hash_type = md5
    39 ;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
    40 htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)
    4145}}}
    4246will:
     
    5054
    5155=== !HtDigestStore ===
     56{{{
     57#!cfg
     58[account-manager]
     59password_store = HtDigestStore
     60htdigest_realm = Trac
     61;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
     62htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)
     63}}}
    5264{{{
    5365#!cfg
     
    6678acct_mgr.svnserve.svnservepasswordstore = disabled
    6779acct_mgr.web_ui.* = enabled
    68 
    69 [account-manager]
    70 password_store = HtDigestStore
    71 htdigest_realm = Trac
    72 ;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
    73 htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)
    7480}}}
    7581will:
     
    8389
    8490=== !SessionStore ===
     91{{{
     92#!cfg
     93[account-manager]
     94hash_method = HtDigestHashMethod
     95db_htdigest_realm = TracDB
     96password_store = SessionStore
     97}}}
    8598{{{
    8699#!cfg
     
    99112acct_mgr.svnserve.svnservepasswordstore = disabled
    100113acct_mgr.web_ui.* = enabled
    101 
    102 [account-manager]
    103 hash_method = HtDigestHashMethod
    104 db_htdigest_realm = TracDB
    105 password_store = SessionStore
    106114}}}
    107115will:
     
    153161persistent_sessions = true
    154162}}}
    155 
    156 will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he'll be remembered.
     163will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he/she will be remembered.
    157164
    158165=== Single Sign On ===
     
    167174Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above.
    168175
    169 An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid an working well.
     176An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well.
    170177
    171178=== Account Locking ===
    172  * new feature for acct_mgr-0.3
     179 * new feature since acct_mgr-0.3
    173180 * available options (displayed with default values here):
    174 
    175 {{{
    176 #!cfg
    177 [components]
    178 acct_mgr.guard.accountguard = enabled
    179 }}}
    180181
    181182{{{
     
    187188user_lock_time_progression = 1
    188189}}}
     190{{{
     191#!cfg
     192[components]
     193acct_mgr.guard.accountguard = enabled
     194}}}
     195but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders
     196
     197As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options.
    189198
    190199==== Hard Lock-up ====
     
    197206will have following effect:
    198207 * lock account after 5 successive failed login attempts
    199  * no lock expiration, so release strictly requires administrator interaction
    200 
    201 ==== Fixed login delay ====
     208 * no lock expiration, so release strictly '''requires administrator interaction'''
     209
     210==== Fixed login retry delay ====
     211fixed delay time regardless of number of successive failed login attempts
     212
    202213{{{
    203214#!cfg
     
    208219will have following effect:
    209220 * lock account after 3 successive failed login attempts
    210  * timed account locked release 30 seconds after last failed login attempt
    211  * fixed delay time regardless of number of successive failed login attempts
    212 
    213 ==== Modestly progressing login delay ====
     221 * release account lock 30 seconds after last failed login attempt
     222
     223==== Modestly progressing login retry delay ====
    214224{{{
    215225#!cfg
     
    224234 * timed account locked release after a time, that depends on failed login attempt history like so:
    225235
    226 Tab.: lock time progression (factor 2)
     236Tab. 1: lock time progression (factor 2)
    227237||attempt count ||delay time in seconds ^![1]^||
    228238||0 ||0
     
    244254^![1]^ time after previous failed login attempt
    245255
    246 ==== Aggressively progressing, but limited login delay ====
     256==== Aggressively progressing, but limited login retry delay ====
    247257{{{
    248258#!cfg
     
    257267 * timed account locked release after a time, that depends on failed login attempt history and is limited to max. 24 hours like so:
    258268
    259 Tab.: lock time progression (factor 5)
     269Tab. 2: lock time progression (factor 5)
    260270||attempt count ||delay time in seconds ||
    261271||0 ||0 ||