Version 2 (modified by dbuss, 7 years ago)

Information Card Account Management Plugin

Abstract

This extension allows Information Cards to be associated with existing accounts and then used as an authentication mechanism to a Trac system.

License

The extension is distributed to you under the LGPL. Please note that it includes works copyrighted by others and released under permissive licenses such as BSD, Beerware and the Trac license.

Requirements

This plugin works with Trac 0.11.

Some form of Python XML library with DOM and XPath support; tested with PyXML.

M2Crypto as a Python wrapper for OpenSSL, which must also be installed. M2Crypto also requires SWIG.

Systems running Python older than 2.5 require the hashlib module.

If you use the LDAP user store module then the Python LDAP module is required.

To create and install an egg file you need to have a recent version of setuptools installed.
Please refer to the TracPlugins page for additional information about plugin installation.

Download

Installation

   easy_install https://forgesvn1.novell.com/svn/bandit/trunk/rp/trac/infocard_acct/0.11
  • Configure the plugin (see Configuration below)
  • Use trac-admin-acct to initialize the association store and optionally the user store.

Configuration

You need to customize the trac.ini file of your project, following the instructions below:

  1. Optionally add the path to your plugin directory.
  2. Enable account-manager and infocard_acct in the [components] section, so that the Trac engine loads and uses this extension.
  3. Configure account-manager.
  4. Create a new section [infocard_acct] in the .ini file.

Enable components

To properly enable the plugin you must disable both Trac's and the account manager's LoginModule, and enable the AccountManagerPlugin and InfoCardAccountPlugin components in the [components] section of trac.ini:

[components]
trac.web.auth.LoginModule = disabled
acct_mgr.*=enabled
acct_mgr.web_ui.LoginModule=disabled
infocard_acct.* = enabled

For complete details on configuring the AccountManagerPlugin please visit AccountManagerPlugin. The InfoCardAccountPlugin adds two new password stores, TracDBUserStore and LDAPUserStore, which are enabled as follows:

[account-manager]
#any password store supported by acct-mgr including TracDBUserStore and LDAPUserStore
password_store = LDAPUserStore   

If you use the LDAPUserStore then the following options are supported in the [ldap_user_store] section:

[ldap_user_store]
# any LDAP query URL; its usage matches AuthLDAPURL from mod_authnz_ldap in Apache:
# http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl
url = ldaps://bandit-project.org/ou=people,dc=wag,dc=bandit-project,dc=org?uid?sub?(objectClass=inetOrgPerson)

# If your ldap server requires authentication to search for users, please provide that name and password
#bind_user = 
#bind_password = 

The InfoCardAccountPlugin configuration section [infocard_acct] supports the following:

[infocard_acct]
#file path to the server's ssl key, required to properly decrypt and validate security tokens
private_key_path = /etc/ssl/private/server.key.unsecure
#if the ssl key file requires a pass phrase, please supply that here
#private_key_pass_phrase = ifItoldYouItWouldBeBad
#Currently only TracDBAssociationStore is supported
association_store = TracDBAssociationStore
#Optional setting to display a debug page after accepting a security token
debug = False
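As an added example (not part of the plugin's own code), the following Python script parses a trac.ini and checks it against the recipe above: both LoginModules disabled, acct_mgr and infocard_acct enabled, a password store chosen, the LDAP URL (split in the AuthLDAPURL layout) using ldaps, a private key path set, and debug off. The sample ini is constructed from the values on this page, with debug switched on to show a finding.

```python
# Added example, not part of InfoCardAccountPlugin. Section and option names
# come from the wiki page; the sample trac.ini below is constructed.
from configparser import ConfigParser
from urllib.parse import urlsplit

SAMPLE_TRAC_INI = """\
[components]
trac.web.auth.LoginModule = disabled
acct_mgr.* = enabled
acct_mgr.web_ui.LoginModule = disabled
infocard_acct.* = enabled
[account-manager]
password_store = LDAPUserStore
[ldap_user_store]
url = ldaps://bandit-project.org/ou=people,dc=wag,dc=bandit-project,dc=org?uid?sub?(objectClass=inetOrgPerson)
[infocard_acct]
private_key_path = /etc/ssl/private/server.key.unsecure
association_store = TracDBAssociationStore
debug = True
"""

def parse_ldap_url(url):
    """Split an AuthLDAPURL-style URL (scheme://host/basedn?attr?scope?filter)."""
    parts = urlsplit(url)  # .path holds the base DN, .query holds "attr?scope?filter"
    attr, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    return {"scheme": parts.scheme, "host": parts.hostname, "base": parts.path.lstrip("/"),
            "attribute": attr or "uid", "scope": scope or "sub", "filter": filt}

def check_config(ini_text):
    """Return a list of findings; an empty list means the ini matches the page's recipe."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option case: trac.web.auth.LoginModule is case sensitive
    cp.read_string(ini_text)
    findings = []
    comps = cp["components"] if cp.has_section("components") else {}
    for key, want in (("trac.web.auth.LoginModule", "disabled"), ("acct_mgr.web_ui.LoginModule", "disabled"),
                      ("acct_mgr.*", "enabled"), ("infocard_acct.*", "enabled")):
        if comps.get(key, "").strip().lower() != want:
            findings.append("[components] %s must be %s" % (key, want))
    store = cp.get("account-manager", "password_store", fallback="")
    if not store:
        findings.append("[account-manager] password_store is not set")
    if store == "LDAPUserStore":
        url = cp.get("ldap_user_store", "url", fallback="")
        if not url:
            findings.append("[ldap_user_store] url is required for LDAPUserStore")
        elif parse_ldap_url(url)["scheme"] != "ldaps":
            findings.append("[ldap_user_store] url is not ldaps://; bind credentials and queries would be sent unencrypted")
    if not cp.get("infocard_acct", "private_key_path", fallback=""):
        findings.append("[infocard_acct] private_key_path is required to decrypt and validate security tokens")
    if cp.getboolean("infocard_acct", "debug", fallback=False):
        findings.append("[infocard_acct] debug is on: a debug page is shown after each accepted token; disable it in production")
    return findings
```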

trac-admin-acct

This is a configuration tool similar to trac-admin. Before the InfoCardAccountPlugin is fully functional, the configuration tool must be run with at least the initenv card option.

trac-admin-acct /var/trac/rpset initenv card

usage

trac-admin-acct supports both command line and interactive modes.

interactive usage

For a list of options supported by trac-admin-acct, start the tool giving it the path to the trac environment and type help.

trac-admin-acct /var/trac/rpset
>help

command line usage

Usage: trac-admin-acct </path/to/projenv> [command [subcommand] [option ...]]

Invoking trac-admin-acct without command starts interactive mode.
help
        -- Show documentation

initenv
        -- create all the database tables for infocard account manager

initenv user
        -- create just the user / passwordhash table

initenv card
        -- create just the cardkey association table

cleanenv
        -- delete all the database tables for infocard account manager

cleanenv user
        -- delete just the user / passwordhash table

cleanenv card
        -- delete just the cardkey association table

user list
        -- Show user

user add <name> <clear text password>
        -- Add user

user rename <name> <newname>
        -- Rename user

user remove <name>
        -- Remove user (leaves permissions etc.

Gory Details

Account Associations

LDAPUserStore

Known limitations

Tickets

ToDo list

Tickets

Testing

In addition to the unit tests and developer tests that were run, this plugin also took part in an OSIS interop event; all issues identified at that event have been resolved.

Testing has been primarily on openSUSE versions of Linux.

History

  • v0.1: First crack at extending the AccountManagerPlugin to support LDAP and the Trac database as user stores, and accept Information Cards as an authentication mechanism from any user store.

Author/Contributors

Author: dbuss, bandit-dev@…
Contributors: see the setup.py file, this extension utilizes code from several sources.
