Changes between Version 12 and Version 13 of CookBook/AccountManagerPluginConfiguration

Timestamp:

Dec 15, 2012, 11:20:48 AM (11 years ago)

Author:

Steffen Hoffmann

Comment:

splitted and re-ordered sections as appearing in real trac.ini, typo and more small fixes

CookBook/AccountManagerPluginConfiguration

@@ -2 +2 @@
 
 = Cookbook: AccountManagerPlugin configuration =
-commented sample configurations for common and special use cases
-
-We'll collect some useful configuration examples here to give hints on proper use of available options.
-
- '''Hint:''' Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. Anyway, case doesn't really matter here.
+commented sample configurations for most common and some special use cases
+
+We collect some useful configuration examples here giving hints on proper use of available options.
+
+ '''General hints:'''
+ * Content for different section grouped in one example must be used together.
+ * Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here.
 
 == Basic configuration/Kickstart ==
@@ -17 +19 @@
 
 === !HtPasswdStore ===
+{{{
+#!cfg
+[account-manager]
+password_store = HtPasswdStore
+htpasswd_hash_type = md5
+;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
+htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)
+}}}
 {{{
 #!cfg
@@ -33 +43 @@
 acct_mgr.svnserve.svnservepasswordstore = disabled
 acct_mgr.web_ui.* = enabled
-
-[account-manager]
-password_store = HtPasswdStore
-htpasswd_hash_type = md5
-;password_file = /var/trac/trac.htpasswd   ; old style (acct_mgr < 0.4)
-htpasswd_file = /var/trac/trac.htpasswd   ; new style (acct_mgr >= 0.4)
 }}}
 will:
@@ -50 +54 @@
 
 === !HtDigestStore ===
+{{{
+#!cfg
+[account-manager]
+password_store = HtDigestStore
+htdigest_realm = Trac
+;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
+htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)
+}}}
 {{{
 #!cfg
@@ -66 +78 @@
 acct_mgr.svnserve.svnservepasswordstore = disabled
 acct_mgr.web_ui.* = enabled
-
-[account-manager]
-password_store = HtDigestStore
-htdigest_realm = Trac
-;password_file = /var/trac/trac.htdigest   ; old style (acct_mgr < 0.4)
-htdigest_file = /var/trac/trac.htdigest   ; new style (acct_mgr >= 0.4)
 }}}
 will:
@@ -83 +89 @@
 
 === !SessionStore ===
+{{{
+#!cfg
+[account-manager]
+hash_method = HtDigestHashMethod
+db_htdigest_realm = TracDB
+password_store = SessionStore
+}}}
 {{{
 #!cfg
@@ -99 +112 @@
 acct_mgr.svnserve.svnservepasswordstore = disabled
 acct_mgr.web_ui.* = enabled
-
-[account-manager]
-hash_method = HtDigestHashMethod
-db_htdigest_realm = TracDB
-password_store = SessionStore
 }}}
 will:
@@ -153 +161 @@
 persistent_sessions = true
 }}}
-
-will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he'll be remembered.
+will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he/she will be remembered.
 
 === Single Sign On ===
@@ -167 +174 @@
 Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above.
 
-An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid an working well.
+An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well.
 
 === Account Locking ===
- * new feature for acct_mgr-0.3
+ * new feature since acct_mgr-0.3
  * available options (displayed with default values here):
-
-{{{
-#!cfg
-[components]
-acct_mgr.guard.accountguard = enabled
-}}}
 
 {{{
@@ -187 +188 @@
 user_lock_time_progression = 1
 }}}
+{{{
+#!cfg
+[components]
+acct_mgr.guard.accountguard = enabled
+}}}
+but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders
+
+As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options.
 
 ==== Hard Lock-up ====
@@ -197 +206 @@
 will have following effect:
  * lock account after 5 successive failed login attempts
- * no lock expiration, so release strictly requires administrator interaction
-
-==== Fixed login delay ====
+ * no lock expiration, so release strictly '''requires administrator interaction'''
+
+==== Fixed login retry delay ====
+fixed delay time regardless of number of successive failed login attempts
+
 {{{
 #!cfg
@@ -208 +219 @@
 will have following effect:
  * lock account after 3 successive failed login attempts
- * timed account locked release 30 seconds after last failed login attempt
- * fixed delay time regardless of number of successive failed login attempts
-
-==== Modestly progressing login delay ====
+ * release account lock 30 seconds after last failed login attempt
+
+==== Modestly progressing login retry delay ====
 {{{
 #!cfg
@@ -224 +234 @@
  * timed account locked release after a time, that depends on failed login attempt history like so:
 
-Tab.: lock time progression (factor 2)
+Tab. 1: lock time progression (factor 2)
 ||attempt count ||delay time in seconds ^![1]^||
 ||0 ||0
@@ -244 +254 @@
 ^![1]^ time after previous failed login attempt
 
-==== Aggressively progressing, but limited login delay ====
+==== Aggressively progressing, but limited login retry delay ====
 {{{
 #!cfg
@@ -257 +267 @@
  * timed account locked release after a time, that depends on failed login attempt history and is limited to max. 24 hours like so:
 
-Tab.: lock time progression (factor 5)
+Tab. 2: lock time progression (factor 5)
 ||attempt count ||delay time in seconds ||
 ||0 ||0 ||