Changes between Version 22 and Version 23 of AccountManagerPlugin/Modules


Timestamp:
Apr 3, 2016, 10:19:17 AM (7 years ago)
Author:
figaro
Comment:

Cosmetic changes

  • AccountManagerPlugin/Modules

    v22 v23  
    11[[PageOutline(2-5,Contents,pullout)]]
    22
    3 == !AccountManager ==
     3== !AccountManager
     4
    45 '''Package''':: acct_mgr.api
    56
    6 This holds core code of this plugin.  This component ''must'' be enabled to use any of the other components.
     7This holds core code of this plugin. This component ''must'' be enabled to use any of the other components.
    78
    89Additionally one or more sources for storing authentication information are required:
     
    1819----
    1920
    20 == !AccountManagerAdminPanel ^note1^ ==
     21== !AccountManagerAdminPanel ^note1^
     22
    2123 '''Package''':: acct_mgr.admin
    2224
    2325This component adds a whole new section with a couple of pages to the trac:WebAdmin section for managing user accounts:
    24  * admin/accounts/config - basic configuration, i.e. !AuthStore activation and ordering
     26 * admin/accounts/config - basic configuration, such as !AuthStore activation and ordering
    2527 * admin/accounts/notification - !AccountManager change notification settings
    26  * admin/accounts/users - user account listing with some management functions, i.e.
     28 * admin/accounts/users - user account listing with some management functions:
    2729  * add/delete accounts
    2830  * change password and other account attributes
    2931  * reset password similar to the 'lost password', but triggered by admin (since acct_mgr-0.3)
    3032  * review account details (since acct_mgr-0.3)
    31   * review and erase entries of Trac db table `session_attribute` (since acct_mgr-0.4) ^note2^
     33  * review and erase entries of Trac database table `session_attribute` (since acct_mgr-0.4) ^note2^
    3234
    3335'''^note1^''' In version acct_mgr-0.3, module name was !AccountManagerAdminPage. If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.[[BR]]
    34 '''^note2^''' Requires `ACCTMGR_ADMIN` or `TRAC_ADMIN`, but handle with ''extreme care'' anyway - no problem to shoot yourself in the foot by i.e. deleting your own `SessionStore` admin password. So double-check and think twice, and especially have a current, working Trac db backup before starting cleanup here.
     36'''^note2^''' Requires `ACCTMGR_ADMIN` or `TRAC_ADMIN`, but ''handle with care'' anyway - no problem to shoot yourself in the foot by deleting your own `SessionStore` admin password. So double-check, and especially have a current, working Trac database backup before starting cleanup here.
    3537
    3638[[Image(AccountManagerPlugin:account-manager-admin_v0.4.png)]]
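Review bot: line 36 weakens the warning on the `session_attribute` cleanup from ''extreme care'' to ''handle with care'' and drops "think twice", although the same sentence still says the operation can delete your own `SessionStore` admin password and names a current Trac database backup as the only safeguard; suggest keeping the stronger emphasis, e.g. `but ''handle with extreme care'' anyway`, so the wording matches the consequence it describes.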
     
    4143 `ACCTMGR_USER_ADMIN` :: permission to see and use most other admin pages of this plugin except the cleanup (button <Review account attributes>)
    4244
    43 === Configuration ===
    44 {{{
    45 #!cfg
     45=== Configuration
     46
     47{{{#!ini
    4648[components]
    4749acct_mgr.admin.AccountManagerAdminPanel = enabled
    4850}}}
    49 '''NOTE:''' If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.
    5051
    51 === Compatibility ===
    52 requires Trac >= 0.10
     52'''Note:''' If you are upgrading to acct_mgr-0.4 from an earlier version, and this feature was enabled using `acct_mgr.admin.AccountManagerAdminPage`, this feature will now be disabled until it is enabled using `acct_mgr.admin.AccountManagerAdminPanel`.
     53
     54=== Compatibility
     55
     56Requires Trac >= 0.10
    5357
    5458----
    5559
    56 == !AccountModule ==
     60== !AccountModule
     61
    5762 '''Package''':: acct_mgr.web_ui
    5863
    59 Allows users to change their password, or delete their account.  When logged in it will appear as a tab “Account” after clicking the “Preferences” link.
     64Allows users to change their password, or delete their account. When logged in it will appear as a tab "Account" after clicking the "Preferences" link.
    6065
    6166[[Image(AccountManagerPlugin:my-account.png)]]
    6267
    63 === Configuration ===
    64 {{{
    65 #!cfg
     68=== Configuration
     69
     70{{{#!ini
    6671[components]
    6772acct_mgr.web_ui.AccountModule = enabled
    6873}}}
    6974
    70 You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. (From a programmers view these are all IPasswordStore implementations.) An error telling you "This password store does not support listing users" indicates, that you didn't successfully activate/configure any authentication credential provider yet. Easiest way to do that is using the web-UI. Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there.
     75You'll need to activate at least one of the [wiki:AccountManagerPlugin/AuthStores authentication resources] bundled with !AccountManagerPlugin. From a programmers view these are all IPasswordStore implementations. An error telling you "This password store does not support listing users" indicates that you didn't successfully activate/configure any authentication credential provider yet. Easiest way to do that is using the web-UI. Just go to admin/accounts/config and select a value different from setting "--" at least for one of the authentication resources listed there.
    7176
    72 ==== Disabling account deletion ====
     77==== Disabling account deletion
     78
    7379If you want your users to be able to change their password in Trac user preferences (see 'Account' tab of 'Preferences' from the meta navigation bar), but don't want them to be able to delete their account, you should configure as follows in `trac.ini` (since acct_mgr-0.3):
    7480
    75 {{{
    76 #!cfg
     81{{{#!ini
    7782[account-manager]
    7883allow_delete_account = false
    7984}}}
    8085
    81 '''Since Trac 0.10:''' When used in combination with the [wiki:AccountManagerPlugin#LoginModule LoginModule] it adds a link to the login page “Forgot your password?” where users can reset their password if they’ve forgotten it. You will need to have your SMTP server information configured in your {{{trac.ini}}} for the “Forgot your password?” link to show up and enable !AccountChangeListener:
     86'''Since Trac 0.10:''' When used in combination with the [wiki:AccountManagerPlugin#LoginModule LoginModule] it adds a link to the login page "Forgot your password?" where users can reset their password if they've forgotten it. You will need to have your SMTP server information configured in your {{{trac.ini}}} for the "Forgot your password?" link to show up and enable !AccountChangeListener:
    8287
    83 {{{
    84 #!cfg
     88{{{#!ini
    8589[components]
    8690acct_mgr.notification.accountchangelistener = enabled
    8791}}}
    8892
    89 === Lost password procedure ===
     93=== Lost password procedure
     94
    9095A user-triggered password reset is less intrusive starting with acct_mgr-0.3, ''not altering the current password before a successful login'' using it. Resetting your password you actually end up with two passwords before next valid login:
    9196 * Login with the new one from !ResetPwStore to silently and finally overwrite the old with the new.
    9297 * Login with the old will just chancel the latest lost/new password request.
     98
    9399Or in other words: The temporary password is stored in !ResetPwStore, a special !SessionStore (sharing configuration with any other !SessionStore) and merely checked as a fallback, if the regular authentication has failed. On authentication success with the old password any temporary password is deleted to prevent abuse of the 'lost password' procedure by others.
    94100
    95101[[Image(AccountManagerPlugin:reset-password.png)]]
    96102
    97 ==== Disabling password reset ====
     103==== Disabling password reset
     104
    98105To disable just the password reset functionality add the following line to the {{{[account-manager]}}} section:
    99106
    100 {{{
    101 #!cfg
     107{{{#!ini
    102108[account-manager]
    103109reset_password = false
    104110}}}
    105111
    106 When a user resets their password they will be required to change their password on the next successful login.  This can be disabled via the `trac.ini` by setting:
     112When a user resets their password they will be required to change their password on the next successful login. This can be disabled via the `trac.ini` by setting:
    107113
    108 {{{
    109 #!cfg
     114{{{#!ini
    110115[account-manager]
    111116force_passwd_change = false
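Review bot: the `'''Note:'''` at line 52 repeats the `^note1^` footnote at line 35 word for word (the `acct_mgr.admin.AccountManagerAdminPage` to `acct_mgr.admin.AccountManagerAdminPanel` rename); keeping the upgrade hint in one place, e.g. replacing line 52 with a short pointer such as `See ^note1^ above if upgrading from acct_mgr-0.3.`, avoids the two copies drifting apart. Line 75 also reads "From a programmers view" and needs the possessive `programmer's`.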
     
    114119----
    115120
    116 == !LoginModule ==
     121== !LoginModule
     122
    117123 '''Package''':: acct_mgr.web_ui
    118124
     
    123129The template has been modified for acct_mgr-0.3 to allow for better [attachment:login-form_v0.3_custom.png custom CSS styling]. See `style.css` in the [source:accountmanagerplugin/0.11/contrib contrib] directory for a jump-start.
    124130
    125 === Configuration ===
     131=== Configuration
     132
    126133To use the AccountManager’s HTML form, you need to explicitly disable Trac's own HTTP authentication module. To do so add this your trac.ini or find and modify existing lines accordingly:
    127134
    128 {{{
    129 #!cfg
     135{{{#!ini
    130136[components]
    131137acct_mgr.web_ui.LoginModule = enabled
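Review bot: line 133 is unchanged context but still has two defects that this revision's cleanup covers elsewhere: the curly apostrophe in `AccountManager’s` (other lines in the same revision, e.g. line 64, switch to straight quotes) and the missing "to" in "add this your trac.ini"; suggest `To use the AccountManager's HTML form, ... add this to your trac.ini ...` in a follow-up edit.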
     
    134140}}}
    135141
    136 When using the [trac:TracStandalone tracd] server be sure '''not''' to use the `--auth` or `--basic-auth` options.  Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use AccountManagerPlugin's HTML form.
     142When using the [trac:TracStandalone tracd] server be sure '''not''' to use the `--auth` or `--basic-auth` options. Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use AccountManagerPlugin's HTML form.
    137143
    138 If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form.  In order to disable the authentication look for a section in the Apache configuration file like:
     144If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. To disable the authentication look for a section in the Apache configuration file like:
    139145
    140 {{{
     146{{{#!apache
    141147<Location /trac/login>
    142148   # Some options like AuthType and AuthUserFile
     
    145151}}}
    146152
    147 Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication.  After you’ve tested it, you can probably delete or comment out the rest of the authentication options. In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf)
     153Deleting or commenting the `Require valid-user` line should be sufficient to disable HTTP authentication. After you’ve tested it, you can probably delete or comment out the rest of the authentication options. In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (!BitnamiTrac\trac\conf\trac.conf)
    148154
    149 === Compatibility ===
     155=== Compatibility
     156
    150157requires Trac >= 0.10
    151158 To use this module with [trac:TracStandalone tracd] stand-alone server you'll need Trac 0.10 or later version, or an external webserver such as Apache.
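Review bot: line 153 keeps the curly apostrophe in `you’ve` while this revision normalizes quotes elsewhere, and its last sentence ("In some pre-bundled packages as Bitnami Trac ...") is missing "such as" and a closing period; suggest `In some pre-bundled packages such as Bitnami Trac you will find it inside an Apache configuration extension such as trac.conf (!BitnamiTrac\trac\conf\trac.conf).`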
     
    153160----
    154161
    155 == !AccountGuard ==
     162== !AccountGuard
     163
    156164 '''Package''':: acct_mgr.guard
    157165appears in `acct_mgr-0.3`: adds login failure tracking and administrative account locking to protect against brute-force attacks on user passwords
    158166
    159 Enabling the guard means, that even legitimated login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account.
     167Enabling the guard means, that even legitimate login attempts will get rejected as long as account lock conditions are met. So an account is not reachable for the user while under attack. An admin could still log in (to a different account), check the source(s) of the malicious login attempts and stop them by other means to help the user restore access to his/her account.
    160168
    161169See some example configurations it the [wiki:CookBook/AccountManagerPluginConfiguration#AccountLocking cookbook page] and look at screenshot series below to get an idea, how this looks like and is meant to work.
    162170
    163 [[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png)]][[BR]]
    164 Hitting account soft (temporary) lock condition on login failure
     171'''Hitting account soft (temporary) lock condition on login failure'''
    165172
    166 [[Image(acct_mgr-admin_acct-details_v0.3.png)]][[BR]]
    167 Account details page showing failed login attempts and other details
     173[[Image(acct_mgr_with_acct-guard_login-failure_v0.3.png)]]
    168174
    169 [[Image(acct_mgr_with_acct-guard_login-success_v0.3.png)]][[BR]]
    170 Display of total failed login attempts since last successful login
     175'''Account details page showing failed login attempts and other details'''
     176
     177[[Image(acct_mgr-admin_acct-details_v0.3.png)]]
     178
     179'''Display of total failed login attempts since last successful login'''
     180
     181[[Image(acct_mgr_with_acct-guard_login-success_v0.3.png)]]
    171182
    172183----
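Review bot: line 157 still reads lowercase `requires Trac >= 0.10` while line 56 in this same revision was capitalized to `Requires Trac >= 0.10`; make the two Compatibility sections match. Line 169 (unchanged context) also has the typo "configurations it the" for "configurations in the".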