Changes between Version 12 and Version 13 of CookBook/AccountManagerPluginConfiguration


Timestamp:
Dec 15, 2012 12:20:48 PM (21 months ago)
Author:
hasienda
Comment:

split and re-ordered sections as appearing in real trac.ini, typo and more small fixes

  • CookBook/AccountManagerPluginConfiguration

    v12 v13  
    22 
    33= Cookbook: AccountManagerPlugin configuration = 
    4 commented sample configurations for common and special use cases 
    5  
    6 We'll collect some useful configuration examples here to give hints on proper use of available options. 
    7  
    8  '''Hint:''' Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. Anyway, case doesn't really matter here. 
     4commented sample configurations for most common and some special use cases 
     5 
     6We collect some useful configuration examples here giving hints on proper use of available options. 
     7 
     8 '''General hints:''' 
     9 * Content for different section grouped in one example must be used together. 
     10 * Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here. 
    911 
    1012== Basic configuration/Kickstart == 
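
Review bot: The first general hint (new line 9), "Content for different section grouped in one example must be used together", is ungrammatical and does not say what "grouped" means now that an example is split into separate code blocks. Suggest wording such as "The blocks for different sections (for example `[account-manager]` and `[components]`) shown under one heading belong together and must all be applied". On line 10, "As you see" has nothing visible to point at; dropping the phrase reads better.
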
     
    1719 
    1820=== !HtPasswdStore === 
     21{{{ 
     22#!cfg 
     23[account-manager] 
     24password_store = HtPasswdStore 
     25htpasswd_hash_type = md5 
     26;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4) 
     27htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4) 
     28}}} 
    1929{{{ 
    2030#!cfg 
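
Review bot: `htpasswd_hash_type = md5` on new line 25 is shown without any comment, so readers will copy MD5 as the recommended setting for the password file. Suggest a short remark next to the block stating which other hash types the installed acct_mgr version accepts and that the strongest supported one should be chosen, keeping md5 only where compatibility with existing entries requires it.
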
     
    3343acct_mgr.svnserve.svnservepasswordstore = disabled 
    3444acct_mgr.web_ui.* = enabled 
    35  
    36 [account-manager] 
    37 password_store = HtPasswdStore 
    38 htpasswd_hash_type = md5 
    39 ;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4) 
    40 htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4) 
    4145}}} 
    4246will: 
     
    5054 
    5155=== !HtDigestStore === 
     56{{{ 
     57#!cfg 
     58[account-manager] 
     59password_store = HtDigestStore 
     60htdigest_realm = Trac 
     61;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4) 
     62htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4) 
     63}}} 
    5264{{{ 
    5365#!cfg 
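
Review bot: Lines 61 and 62 put explanatory text after the value on the same line (`htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)`), which only works if the parser strips inline `;` comments; otherwise the remark becomes part of the file path. Moving the "old style" and "new style" remarks onto their own comment lines above each option keeps the example safe to paste. The same applies to lines 26 and 27 of the HtPasswdStore block.
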
     
    6678acct_mgr.svnserve.svnservepasswordstore = disabled 
    6779acct_mgr.web_ui.* = enabled 
    68  
    69 [account-manager] 
    70 password_store = HtDigestStore 
    71 htdigest_realm = Trac 
    72 ;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4) 
    73 htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4) 
    7480}}} 
    7581will: 
     
    8389 
    8490=== !SessionStore === 
     91{{{ 
     92#!cfg 
     93[account-manager] 
     94hash_method = HtDigestHashMethod 
     95db_htdigest_realm = TracDB 
     96password_store = SessionStore 
     97}}} 
    8598{{{ 
    8699#!cfg 
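
Review bot: In the new SessionStore block (lines 93 to 96) `password_store` is the last option, while the HtPasswdStore and HtDigestStore blocks list it first; using the same order in all three makes the examples easier to compare. The block also gives no hint what `db_htdigest_realm` is for, and since it is `TracDB` here but `htdigest_realm = Trac` in the previous example, readers may wonder whether the two have to match. One sentence on that would help.
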
     
    99112acct_mgr.svnserve.svnservepasswordstore = disabled 
    100113acct_mgr.web_ui.* = enabled 
    101  
    102 [account-manager] 
    103 hash_method = HtDigestHashMethod 
    104 db_htdigest_realm = TracDB 
    105 password_store = SessionStore 
    106114}}} 
    107115will: 
     
    153161persistent_sessions = true 
    154162}}} 
    155  
    156 will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he'll be remembered. 
     163will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he/she will be remembered. 
    157164 
    158165=== Single Sign On === 
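
Review bot: Line 163 changes only the second pronoun, so the sentence now reads "next time he visits the site, he/she will be remembered". Make both consistent, for example "the next time they visit the site, they will be remembered", and consider "That is," in place of "This is,". Since `persistent_sessions = true` keeps a browser authenticated across sessions, one sentence on when not to tick "Remember Me" (shared or public computers) would fit here.
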
     
    167174Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above. 
    168175 
    169 An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid an working well. 
     176An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well. 
    170177 
    171178=== Account Locking === 
    172  * new feature for acct_mgr-0.3 
     179 * new feature since acct_mgr-0.3 
    173180 * available options (displayed with default values here): 
    174  
    175 {{{ 
    176 #!cfg 
    177 [components] 
    178 acct_mgr.guard.accountguard = enabled 
    179 }}} 
    180181 
    181182{{{ 
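
Review bot: Line 176 fixes "valid an working well" but leaves "Additionally delete existing `trac_auth` browser cookies" as an instruction without a subject. Say who does this and when, for example that each user deletes the cookie in their browser once after the cookie path change. In the last sentence, "containing both, authentication sharing and non-sharing environments" still has a stray comma after "both".
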
     
    187188user_lock_time_progression = 1 
    188189}}} 
     190{{{ 
     191#!cfg 
     192[components] 
     193acct_mgr.guard.accountguard = enabled 
     194}}} 
     195but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders 
     196 
     197As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options. 
    189198 
    190199==== Hard Lock-up ==== 
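
Review bot: Line 195, "but this does '''nothing''' for backwards-compatibility", can be read as "this does not help backwards compatibility", the opposite of what is meant, and it starts mid-sentence directly after a code block. Suggest a full sentence such as "Enabling the component alone changes nothing: for backwards compatibility, login failure tracking stays off until `login_attempt_max_count` is set above 0." That merges it with line 197, where `login_attempt_max_count == 0` should be in backticks, and makes explicit that enabling `acct_mgr.guard.accountguard` without that option gives no lockout protection.
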
     
    197206will have following effect: 
    198207 * lock account after 5 successive failed login attempts 
    199  * no lock expiration, so release strictly requires administrator interaction 
    200  
    201 ==== Fixed login delay ==== 
     208 * no lock expiration, so release strictly '''requires administrator interaction''' 
     209 
     210==== Fixed login retry delay ==== 
     211fixed delay time regardless of number of successive failed login attempts 
     212 
    202213{{{ 
    203214#!cfg 
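
Review bot: The bold on line 208 stresses that release needs an administrator, but the bullet does not spell out the consequence: with no lock expiration, 5 successive failed logins for an account, including ones not made by the account owner, keep that user out until an admin steps in. A sentence stating this trade-off against the timed variants below would help readers choose. Line 211 is a lowercase fragment placed under the heading; make it a sentence or keep it as a bullet in the "will have following effect" list.
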
     
    208219will have following effect: 
    209220 * lock account after 3 successive failed login attempts 
    210  * timed account locked release 30 seconds after last failed login attempt 
    211  * fixed delay time regardless of number of successive failed login attempts 
    212  
    213 ==== Modestly progressing login delay ==== 
     221 * release account lock 30 seconds after last failed login attempt 
     222 
     223==== Modestly progressing login retry delay ==== 
    214224{{{ 
    215225#!cfg 
     
    224234 * timed account locked release after a time, that depends on failed login attempt history like so: 
    225235 
    226 Tab.: lock time progression (factor 2) 
     236Tab. 1: lock time progression (factor 2) 
    227237||attempt count ||delay time in seconds ^![1]^|| 
    228238||0 ||0 
     
    244254^![1]^ time after previous failed login attempt 
    245255 
    246 ==== Aggressively progressing, but limited login delay ==== 
     256==== Aggressively progressing, but limited login retry delay ==== 
    247257{{{ 
    248258#!cfg 
     
    257267 * timed account locked release after a time, that depends on failed login attempt history and is limited to max. 24 hours like so: 
    258268 
    259 Tab.: lock time progression (factor 5) 
     269Tab. 2: lock time progression (factor 5) 
    260270||attempt count ||delay time in seconds || 
    261271||0 ||0 ||
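
Review bot: The Tab. 2 header on line 270 lacks the `^![1]^` footnote marker that the Tab. 1 header on line 237 carries, so "delay time in seconds" is left undefined for the second table. Add the marker or a second footnote. The bullet above it, "timed account locked release after a time, that depends on ...", would also read better as "the account lock is released after a time that depends on ...", matching the rewording already done on line 221.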