Opened 8 years ago

Closed 5 years ago

HTML form is invalid for ldap authentication

Reported by: anonymous
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords: needinfo authentication ldap
Cc: zhijiex@…
Trac Release: 0.11

Description

I can log in to Trac via an HTML form. But after I changed to Active Directory authentication, Trac always pops up the username/password dialog to input username/password. I can log in to Trac via AD successfully. If I comment out "Require valid-user" in httpd.conf, login becomes an HTML form. But I failed to log in. Installed plugins: LdapPlugin 0.6.0, TracAccountManager 0.2.1dev

comment:1 Changed 8 years ago by anonymous

Cc: zhijiex@… added; anonymous removed

I failed to log in because the retrieved session ID is not my user name. (Got the information from the Trac log.) So it cannot verify my password. I was confused why enabling the HTML form to log in caused the login ID to be lost.

comment:2 Changed 8 years ago by John Hampton

• Owner: changed from Matt Good to John Hampton
• Status: new → assigned

I don't quite understand the problem.

Is apache LDAP now doing authentication? If so, you need to turn off the account manager LoginModule and re-enable the trac LoginModule.

If you are trying to use an LDAP password store, then this is a problem for the plugin in question.

Can you give more detail?

comment:3 follow-up:  4 Changed 8 years ago by anonymous

I used apache LDAP as authentication. Also LoginModule is enabled. But it failed to log in. Do I need to install another plugin for linking LdapPlugin to AccountManagerPlugin if I want to use an LDAP password store?

comment:4 in reply to:  3 Changed 7 years ago by Steffen Hoffmann

• Keywords: needinfo authentication ldap added
• Owner: changed from John Hampton to Steffen Hoffmann
• Priority: high → normal
• Severity: critical → major
• Status: assigned → new

(I'm stepping in after quite some months of almost no active support here as the new AccountManagerPlugin maintainer. Sorry for the delay anyway.)

Replying to anonymous:

> I used apache LDAP as authentication. Also LoginModule is enabled. But it failed to log in. Do I need to install another plugin for linking LdapPlugin to AccountManagerPlugin if I want to use an LDAP password store?

To clarify the situation a little bit, there is no such thing as (native) LDAP authentication with AccountManagerPlugin these days, while there are at least the following options:

stand-alone

• AccountLdapPlugin permission store extension to Trac
• LdapPlugin, utilizes Trac HTTP Auth, so it's an ACL, not the authentication itself

AuthStore for AccountManagerPlugin packaged as separate plugin

suggested native AuthStore for AccountManagerPlugin (see currently supported ones here)

In general, to go for Trac authentication you could go with or without AccountManagerPlugin, but if you decide for the «with» option, you'll most probably want to disable Trac's own login form.

I'm still investigating the various possible ways towards a native LdapAuthStore, actually following #1600 for a start, but there is nothing decided and final by now.

Hope this will still help you somehow. If so, I'd appreciate your feedback to help with the decision on how to proceed with this ticket. After all, it might be a local installation/configuration issue (better served by experienced admins and users at the mailing-list) or related to a different plugin or Trac itself.
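The two setups discussed in comments 2 and 4 differ in which LoginModule is left active in trac.ini. As an added example (not part of the ticket and not AccountManagerPlugin code), this check reports which of the two is enabled; the sample trac.ini fragments are constructed, and the default applied to unlisted components is a simplifying assumption.

```python
import configparser

# Names as written in trac.ini [components]; compared lowercased here.
TRAC_LOGIN = "trac.web.auth.loginmodule"
ACCTMGR_LOGIN = "acct_mgr.web_ui.loginmodule"

def is_enabled(rules, component):
    """Resolve a component against [components] rules; the longest match wins."""
    best_len, state = -1, None
    for pattern, value in rules.items():
        wildcard = pattern.endswith(".*")
        if pattern == component or (wildcard and component.startswith(pattern[:-1])):
            if len(pattern) > best_len:
                best_len, state = len(pattern), value.strip().lower()
    if state is None:
        # Assumption: unlisted Trac core components are on, plugin ones are off.
        return component.startswith("trac.")
    return state in ("enabled", "on")

def check_login_modules(ini_text):
    """Report which login module(s) a trac.ini fragment leaves active."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    rules = dict(cp["components"]) if cp.has_section("components") else {}
    trac_on = is_enabled(rules, TRAC_LOGIN)
    acct_on = is_enabled(rules, ACCTMGR_LOGIN)
    if trac_on and acct_on:
        return "conflict: both login modules enabled"
    if trac_on:
        return "web server auth: Trac LoginModule only"
    if acct_on:
        return "form login: AccountManagerPlugin LoginModule only"
    return "no login module enabled"

# Constructed samples, not taken from the reporter's installation.
BOTH = "[components]\nacct_mgr.* = enabled\n"
FORM_LOGIN = BOTH + "trac.web.auth.LoginModule = disabled\n"
WEB_SERVER_AUTH = BOTH + "acct_mgr.web_ui.LoginModule = disabled\n"

if __name__ == "__main__":
    for name, ini in [("both", BOTH), ("form", FORM_LOGIN), ("web server", WEB_SERVER_AUTH)]:
        print(f"{name}: {check_login_modules(ini)}")
```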

comment:5 follow-up:  6 Changed 6 years ago by MyName

Is there any possibility to get all passwords from this site: https://portal.bih.net.ba/amserver/UI/Login?

comment:6 in reply to:  5 Changed 5 years ago by Steffen Hoffmann

> Is there any possibility to get all passwords from this site: https://portal.bih.net.ba/amserver/UI/Login?

I don't understand your question at all. Don't mistake AcctMgr for a cracker tool.

Btw, password management is delegated and done within all active Trac components that implement AcctMgr's IPasswordStore interface. You're asking for an exploit here? Don't dare!

comment:7 Changed 5 years ago by Steffen Hoffmann

• Resolution: → invalid
• Status: new → closed

The ticket title still represents the main ticket issue. I can only repeat: Yes, that's the way it's meant to be, and no one promised different behavior. Furthermore, the LdapPlugin wiki documentation explains that

> LdapPlugin does not perform authentication

So this is not a defect, just a misunderstanding. If you want LDAP authentication, follow up on #1600, please. However, thanks for taking care and reporting here.
