[[PageOutline(2-5,Contents,pullout)]]

= Authentication modules for AccountManagerPlugin =

see !AccountManagerPlugin's [wiki:AccountManagerPlugin main page]

== !HtDigestStore ==
 '''Package''':: acct_mgr.htfile

Used to store passwords in the htdigest file format.

'''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a bug using Python’s md5 module under mod_python (''"it has been reported that mod_python has trouble returning good MD5 strings. It has been speculated that this is because many apache mods are using the same md5 source (php and so forth), but this is not confirmed"''). If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386).

To use this component to manage your password file you need to enable it as described above and add some additional configuration to [t:wiki:TracIni trac.ini]:
{{{
[components]
; be sure to enable the component
acct_mgr.htfile.HtDigestStore = enabled

[account-manager]
; configure the plugin to store passwords in the htdigest format:
password_store = HtDigestStore
; with Trac < 0.10 use this instead:
password_format = htdigest
; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
; old style (acct_mgr < 0.4):
;password_file = /var/trac/trac.htdigest
; new style (acct_mgr >= 0.4):
htdigest_file = /var/trac/trac.htdigest
; the name of the authentication “realm”
; it can be any text to identify your site or project
htdigest_realm = TracRealm
}}}

'''Note:''' The `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.

Recent changes:
 * new 'htdigest_password_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`

== !HtPasswdStore ==
 '''Package''':: acct_mgr.htfile

Used to store passwords in the htpasswd file format.

'''Warning:''' This password method may not work with [t:TracModPython mod_python] due to a bug using Python’s md5 module under mod_python. If you experience problems try [t:TracFastCgi FastCGI], [t:wiki:TracModWSGI mod_wsgi], [t:TracStandalone tracd], or use md5crypt patch (#8386).

To use this component to manage your password file you need to enable it as described above and add some additional configuration to [trac:TracIni trac.ini]:
{{{
[components]
; be sure to enable the component
acct_mgr.htfile.HtPasswdStore = enabled

[account-manager]
; configure the plugin to store passwords in the htpasswd format:
password_store = HtPasswdStore
; with Trac < 0.10 use this instead:
password_format = htpasswd
; optional hash type selection
htpasswd_hash_type =
; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
; old style (acct_mgr < 0.4):
;password_file = /var/trac/trac.htpasswd
; new style (acct_mgr >= 0.4):
htpasswd_file = /var/trac/trac.htpasswd
}}}

'''Note:''' The `password_format` option is ''strongly deprecated'' now and will be withdrawn soon, since versions prior to Trac 0.10 are no longer relevant.

Recent changes:
 * 'htpasswd_hash_type' for hash type selection available since [9274]
 * integration of popular sha512 hash type pending (see #8791, patch available)
 * new 'htpasswd_file' option replaced 'password_file' in [10396] for `acct_mgr-0.4`

== !HttpAuthStore ==
 '''Package''':: acct_mgr.http

'''Note:''' This component requires Trac 0.10 or later.

Used to delegate authentication to the web server. This allows access to be restricted based on LDAP, a password file, etc., or some combination of them.

Note: This password store does not support listing/adding/removing users or changing passwords.
{{{
[components]
; be sure to enable the component
acct_mgr.http.HttpAuthStore = enabled

[account-manager]
; configure the plugin to use a page that is secured with http authentication
authentication_url = http://hostname/trac/path/authFile
password_store = HttpAuthStore
}}}

This will generally be matched with an Apache config like:
{{{
…HTTP authentication configuration…
Require valid-user
}}}

Note that '''authFile''' must exist, and be a file (not a directory) that can be accessed via the authentication_url value.

== !SessionStore ==
 '''Package''':: acct_mgr.db

Stores password information in the trac database. This may give better behavior if you have large numbers of users and are finding errors due to write contention on the password file.

You must enable one or other of the hash method components. !HtDigestHashMethod is the default.
{{{
[components]
; be sure to enable the component
acct_mgr.db.SessionStore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
; this is important, otherwise login does not work.
; ref: http://www.gossamer-threads.com/lists/trac/users/41969
trac.web.auth.loginmodule = disabled

[account-manager]
password_store = SessionStore
; choose one of the hash methods with corresponding supplemental option
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDbRealm
;hash_method = HtPasswdHashMethod
;db_htpasswd_hash_type = sha
}}}

Recent changes:
 * fix for undesired option inheritance, available since [10494] for `acct_mgr-0.4`
 * 'db_htdigest_realm': realm to select relevant htdigest db entries
 * 'db_htpasswd_hash_type' for hash type selection

For sample configuration settings see [wiki:CookBook/AccountManagerPluginConfiguration#SessionStore our cookbook] page.

For historic background of this `IPasswordStore` implementation see: http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html

== !SvnServePasswordStore ==
 '''Package''':: acct_mgr.svnserve

Allows Trac to use SVN users (may be in addition to Trac users). SVN server configuration option should be "svnserve". For more information, read chapter 6 of [http://svnbook.red-bean.com/ SVN book].
{{{
[components]
; be sure to enable the component
acct_mgr.svnserve.* = enabled
acct_mgr.svnserve.svnservepasswordstore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled

[account-manager]
password_store = SvnServePasswordStore
password_file = /path/to/svn/repos/conf/passwd
; choose one of the hash methods
hash_method = HtDigestHashMethod
;hash_method = HtPasswdHashMethod
}}}

NB: `password_file` points to a file which defines users/passwords this way: `user = password`

== LDAP ==
'''Not yet available'''

Meanwhile please check the following options:

stand-alone
 * AccountLdapPlugin

permission store extension to Trac
 * LdapPlugin, utilizes Trac HTTP Auth, so it's an ACL, not the authentication itself

!AuthStore for AccountManagerPlugin packaged as separate plugin
 * LdapAuthnzPlugin
 * LdapAuthStorePlugin that spun off of #1147 - a 'wontfix'ed enhancement request for AccountManagerPlugin
 * http://pypi.python.org/pypi/TracLDAPAuth/ and
 * TracLdapAuthPlugin as an enhanced fork of it

suggested native !AuthStore for AccountManagerPlugin (see [wiki:AccountManagerPlugin/AuthStores currently supported ones here])
 * #1600, a spin-off of LdapPlugin, that we may add some day (needed preparation done, see #1602)

== Other sources ==
There are a number of other implementations of `IPasswordStore` like the LDAP authentication plugins mentioned above, here at t-h.o and elsewhere on the web. Where to start? Here is a small and certainly incomplete collection:

||'''Package/Plugin and store name'''||'''Description'''||'''Author'''||'''Resource link'''||
||ADAuthStore in ActiveDirectoryAuthPlugin ||Provides authentication against Active Directory. ||John Hampton (pacopablo)||ActiveDirectoryAuthPlugin ||
||!CrowdAuthStore in TracCrowdAuthPlugin ||Use a [http://www.atlassian.com/software/crowd/ crowd] service for authentication. ||Richard Liao (richard)||TracCrowdAuthPlugin ||
||!DjangoPasswordStore in !TracDjangoAuthPlugin||Trac Authentication against Django's userdb. ||Ville Korhonen ||https://github.com/ypcs/TracDjangoAuth ||
||!GoogleAppsPasswordStore in !TracGoogleAppsAuthPlugin ||Trac authentication plugin for integration with hosted Google Apps domain. ||David A. Riggs ||http://pypi.python.org/pypi/TracGoogleAppsAuthPlugin/ ||
||!HtBlowfishStore in HtBlowfishStorePlugin|| !HtPasswdStore with Blowfish support. ||Mitar (mitar) ||https://bitbucket.org/mitar/trac-htblowfishstore ||
||PhpBBAuthStore in PhpBbAuthPlugin ||Use a phpBB3 database as the authentication store. ||John Hampton (pacopablo) ||PhpBbAuthPlugin ||
||!PwAuthStore in !TracPwAuth ||!AccountManager password store that uses pwauth to check against the system password database. ||Noah Kantrowitz (coderanger)||http://pypi.python.org/pypi/TracPwAuth/ ||
||SQLAuthStore in SQLAuthStorePlugin ||Defines authentication store over SQL database. ||Mitar (mitar) ||https://bitbucket.org/mitar/trac-sqlauthstore ||

Please add a valid reference here, if you know/find more.
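
The store settings documented on this page can be checked mechanically before a restart. The following is an added example, not code from AccountManagerPlugin or from this wiki: `audit_trac_ini` and the sample text are constructed here. It assumes the file is read with Python 3's `configparser`, which keeps a trailing `#` comment as part of the option value and rejects duplicate options.

```python
import configparser

HASH_COMPONENTS = ("acct_mgr.pwhash.htdigesthashmethod",
                   "acct_mgr.pwhash.htpasswdhashmethod")

def audit_trac_ini(text):
    """Return findings for the AccountManagerPlugin settings in a trac.ini string."""
    cp = configparser.RawConfigParser()
    try:
        cp.read_string(text)
    except configparser.DuplicateOptionError as exc:
        # e.g. two active hash_method lines where only one may be chosen
        return ["duplicate option '%s' in [%s]" % (exc.option, exc.section)]
    am = dict(cp.items("account-manager")) if cp.has_section("account-manager") else {}
    comps = dict(cp.items("components")) if cp.has_section("components") else {}
    store = am.get("password_store", "")
    findings = []
    for section, opts in (("components", comps), ("account-manager", am)):
        for key, value in opts.items():
            if " #" in value:  # configparser keeps trailing '# ...' in the value
                findings.append("[%s] %s: inline '#' comment is part of the value" % (section, key))
    if "password_format" in am:
        findings.append("password_format is deprecated, use password_store")
    if store in ("HtDigestStore", "HtPasswdStore") and "password_file" in am:
        findings.append("password_file is the old style (acct_mgr < 0.4)")
    if store == "SessionStore":
        if not any(comps.get(c) == "enabled" for c in HASH_COMPONENTS):
            findings.append("SessionStore needs a hash method component enabled")
        if comps.get("trac.web.auth.loginmodule") != "disabled":
            findings.append("SessionStore: trac.web.auth.loginmodule must be disabled")
    if store == "HttpAuthStore" and not am.get("authentication_url"):
        findings.append("HttpAuthStore needs authentication_url")
    return findings

# Constructed sample: the SessionStore settings with an inline '#' comment.
SAMPLE = """\
[components]
acct_mgr.db.SessionStore = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
trac.web.auth.loginmodule = disabled #this is important

[account-manager]
password_store = SessionStore
hash_method = HtDigestHashMethod
db_htdigest_realm = TracDbRealm
"""

if __name__ == "__main__":
    print("\n".join(audit_trac_ini(SAMPLE)))
```

On the sample it reports the inline comment and, as a consequence, that `trac.web.auth.loginmodule` is not actually set to `disabled`.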