Account Manager Plugin

Description

The AccountManagerPlugin offers several features for managing user accounts:

• allow users to register new accounts
• login via an HTML form instead of using HTTP authentication
• allow existing users to change their passwords or delete their accounts

These features are new in the plugin for Trac 0.10.

• send a new password to users who’ve forgotten their password
• administration of user accounts

Bugs/Feature Requests

Existing bugs and feature requests for AccountManagerPlugin are here.

If you have any issues, create a ​new ticket.

Install

First make sure you’ve ​installed setuptools. Make sure you have a version >= 0.6c9, since previous versions contain a bug which makes the installation fail.

Then you can install the plugin using the easy_install application.

Note: Windows users will need to ​add easy_install to their PATH.

For Trac 0.9:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.9

For Trac 0.10:

Install the ​trac:WebAdmin plugin.

Then install this plugin:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.10

For Trac 0.11 (doesn't currently work with 0.11.4, see #4125):

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.11

For Trac 0.12:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/trunk

If you are using the tracd standalone server you will need to restart it to detect the plugin.

Source

Browse the source​

Subversion Checkout (depends on your Trac version):

svn co http://trac-hacks.org/svn/accountmanagerplugin/0.9
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.10
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.11
svn co http://trac-hacks.org/svn/accountmanagerplugin/trunk

Downloads:

• [download:accountmanagerplugin/0.9 0.9]
• [download:accountmanagerplugin/0.10 0.10]
• [download:accountmanagerplugin/0.11 0.11] (doesn't currently work with 0.11.4, see #4125)
• [download:accountmanagerplugin/trunk trunk]

Components

In order to use the features of the AccountManager you will need to enable some or all of its components.

The easiest way to enable the components is via the ​trac:WebAdmin plugin. Users logged in with the TRAC_ADMIN permission will be able to manage the enabled components:

Components can also be enabled or disabled in the ​trac.ini file under the [components] section. For example to enable the login form and disable user registration:

[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.web_ui.RegistrationModule = disabled

The available components are described below.

AccountManager

Package

acct_mgr.api

This is the core of this plugin. This component must be enabled to use any of the other components.

HtDigestStore

Package

acct_mgr.htfile

Used to store passwords in the htdigest file format.

Warning: This password method may not work with ​mod_python due to a bug using Python’s md5 module under mod_python ("it has been reported that mod_python has trouble returning good MD5 strings. It has been speculated that this is because many apache mods are using the same md5 source (php and so forth), but this is not confirmed"). If you experience problems try ​FastCGI, ​mod_wsgi, or ​tracd.

To use this component to manage your password file you need to enable it as described above and add some additional configuration to ​trac.ini:

[components]
; be sure to enable the component
acct_mgr.htfile.HtDigestStore = enabled

[account-manager]
; configure the plugin to store passwords in the htdigest format:
password_store = HtDigestStore
; with Trac < 0.10 use this instead:
password_format = htdigest

; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
password_file = /var/trac/trac.htdigest

; the name of the authentication “realm”
; it can be any text to identify your site or project
htdigest_realm = TracRealm

HtPasswdStore

Package

acct_mgr.htfile

Used to store passwords in the htpasswd file format.

Warning: This password method may not work with ​mod_python due to a ​bug using Python’s md5 module under mod_python. If you experience problems try ​FastCGI, ​mod_wsgi, or ​tracd.

To use this component to manage your password file you need to enable it as described above and add some additional configuration to ​trac.ini:

[components]
; be sure to enable the component
acct_mgr.htfile.HtPasswdStore = enabled

[account-manager]
; configure the plugin to store passwords in the htpasswd format:
password_store = HtPasswdStore
; with Trac < 0.10 use this instead:
password_format = htpasswd

; the file where user accounts are stored
; the webserver will need write permissions to this file
; and its parent folder
password_file = /var/trac/trac.htpasswd

HttpAuthStore

Package

acct_mgr.http

Note: This component requires Trac 0.10 or later

Used to delegate authentication to the web server. This allows access to be restricted based on LDAP, a password file, etc, or some combination of them.

Note: This password store does not support listing/adding/removing users or changing passwords.

[components]
; be sure to enable the component
acct_mgr.http.HttpAuthStore = enabled

[account-manager]
; configure the plugin to use a page that is secured with http authentication
authentication_url = http://hostname/path
password_store = HttpAuthStore

This will generally be matched with an Apache config like:

<Directory /var/www/html/path>
   …HTTP authentication configuration…
   Require valid-user
</Directory>

LDAP

Check ​LDAPAuthStore and LdapAuthStorePlugin regarding how to link LdapPlugin to AccountManagerPlugin.

#1600 seems related also

SessionStore

Package

acct_mgr.db

Stores password information in the trac database. This may give better behaviour if you have large numbers of users and are finding errors due to write contention on the password file. You must enable one or other of the hash method components. HtDigestHashMethod is the default.

[components]
; be sure to enable the component
acct_mgr.db.SessionStore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
trac.web.auth.loginmodule = disabled #this is important, otherwise login does not work. ref: http://www.gossamer-threads.com/lists/trac/users/41969

[account-manager]
password_store = SessionStore
; choose one of the hash methods
hash_method = HtDigestHashMethod
hash_method = HtPasswdHashMethod

For more information see:

​http://www.mailinglistarchive.com/trac-users@googlegroups.com/msg03696.html

SvnServePasswordStore

Package

acct_mgr.svnserve

Allows Trac to use SVN users (may be in addition to Trac users). SVN server configuration option should be "svnserve". For more information, read chapter 6 of ​SVN book.

[components]
; be sure to enable the component
acct_mgr.svnserve.* = enabled
acct_mgr.svnserve.svnservepasswordstore = enabled
; choose one of the hash methods
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled

[account-manager]
password_store = SvnServePasswordStore
password_file = /path/to/svn/repos/conf/passwd
; choose one of the hash methods
hash_method = HtDigestHashMethod
hash_method = HtPasswdHashMethod

NB : password_file points to a file which defines users/passwords this way : user = password

AccountManagerAdminPage

Package

acct_mgr.admin

Note: This component requires Trac 0.10 or later

This component adds a new page to the ​trac:WebAdmin section for managing user accounts. It requires the TRAC_ADMIN permission to access.

[components]
acct_mgr.admin.AccountManagerAdminPage = enabled

AccountModule

Package

acct_mgr.web_ui

Allows users to change their password, or delete their account. When logged in it will appear as a tab “Account” after clicking the “Preferences” link.

[components]
acct_mgr.web_ui.AccountModule = enabled

New for Trac 0.10: When used in combination with the LoginModule it adds a link to the login page “Forgot your password?” where users can reset their password if they’ve forgotten it. You will need to have your SMTP server information configured in your trac.ini for the “Forgot your password?” link to show up.

New for Trac 0.11: When a user resets their password they will be required to change their password on the next successful login. This can be disabled via the trac.ini by setting force_passwd_change = false.

LoginModule

Package

acct_mgr.web_ui

Warning: this module is not supported using the ​tracd stand-alone server on Trac 0.9. It either needs Trac 0.10 or later, or an external webserver such as Apache.

Allows users to login via a HTML form instead of using HTTP authentication.

[components]
acct_mgr.web_ui.LoginModule = enabled

Disable HTTP authentication

To use the AccountManager’s form-based login system instead, add this to the [components] section of your trac.ini:

trac.web.auth.LoginModule = disabled 

When using the ​tracd server be sure not to use the --auth or --basic-auth options. Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use the HTML form.

If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. In order to disable the authentication look for a section in the Apache configuration file like:

<Location /trac/login>
   # Some options like AuthType and AuthUserFile
   Require valid-user
</Location>

Deleting or commenting the Require valid-user line should be sufficient to disable HTTP authentication. After you’ve tested it you can probably delete or comment out the rest of the authentication options.

RegistrationModule

Package

acct_mgr.web_ui

Enables users to register a new account. It adds a “Register” link on the same menu bar as the “Login” link.

[components]
acct_mgr.web_ui.RegistrationModule = enabled

Warning: You must enable one of the above password storage modules for the Registration Module to work.

Note: You must not enable ignore_auth_case in trac.ini as otherwise this module won’t work.

EmailVerificationModule

Package

acct_mgr.web_ui

If you enable this, users will be sent an email with a verification code to enter, to approve it is really their own email address:

[components]
acct_mgr.web_ui.EmailVerificationModule = enabled

Until they entered the verification code on the URL sent with the email, their permissions will be restricted (even if they have the TRAC_ADMIN privilege, they won't be able to access anything exceeding the standard privileges of authenticated users).

Note that with the current code, this will only happen if an email was specified - but this is not enforced on registration. In other words, if some user registers w/o specifying an email address, this will be possible - no verification will be done, but the account will be created anyway. If you want to enforce entering a valid email on registration, there's a patch for this attached to ticket #5509 you could use (read more there). Be warned that it is not thoroughly tested yet - so if you use it, feel free to add your comments to that ticket :)

Post Setup/Configuration

In order to use the Account Manager plugin, while logged in as a user with TRAC_ADMIN rights, use the new “Admin” link on the menubar.

Once in, you might want to enable the permissions to allow the “authenticated” user group permissions. For instance, if you remove the anonymous group from TICKET_MODIFY, and WIKI_MODIFY, and add the “authenticated” group instead, only authenticated, logged-in (registered) users can perform ticket modifications and wiki editing.

Author/Contributors

Author: mgood
Maintainer: pacopablo
Contributors: crocea, s0undt3ch

TagIt(plugin,mgood,alpha,0.9)?