Changes between Version 12 and Version 13 of CookBook/AccountManagerPluginConfiguration
Timestamp: Dec 15, 2012, 11:20:48 AM (11 years ago)
CookBook/AccountManagerPluginConfiguration
v12 v13 2 2 3 3 = Cookbook: AccountManagerPlugin configuration = 4 commented sample configurations for common and special use cases 5 6 We'll collect some useful configuration examples here to give hints on proper use of available options. 7 8 '''Hint:''' Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. Anyway, case doesn't really matter here. 4 commented sample configurations for most common and some special use cases 5 6 We collect some useful configuration examples here giving hints on proper use of available options. 7 8 '''General hints:''' 9 * Content for different section grouped in one example must be used together. 10 * Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here. 9 11 10 12 == Basic configuration/Kickstart == … … 17 19 18 20 === !HtPasswdStore === 21 {{{ 22 #!cfg 23 [account-manager] 24 password_store = HtPasswdStore 25 htpasswd_hash_type = md5 26 ;password_file = /var/trac/trac.htpasswd ; old style (acct_mgr < 0.4) 27 htpasswd_file = /var/trac/trac.htpasswd ; new style (acct_mgr >= 0.4) 28 }}} 19 29 {{{ 20 30 #!cfg … … 33 43 acct_mgr.svnserve.svnservepasswordstore = disabled 34 44 acct_mgr.web_ui.* = enabled 35 36 [account-manager]37 password_store = HtPasswdStore38 htpasswd_hash_type = md539 ;password_file = /var/trac/trac.htpasswd ; old style (acct_mgr < 0.4)40 htpasswd_file = /var/trac/trac.htpasswd ; new style (acct_mgr >= 0.4)41 45 }}} 42 46 will: … … 50 54 51 55 === !HtDigestStore === 56 {{{ 57 #!cfg 58 [account-manager] 59 password_store = HtDigestStore 60 htdigest_realm = Trac 61 ;password_file = /var/trac/trac.htdigest ; old style (acct_mgr < 0.4) 62 htdigest_file = /var/trac/trac.htdigest ; new style (acct_mgr >= 0.4) 63 }}} 52 64 {{{ 53 65 #!cfg … … 66 78 acct_mgr.svnserve.svnservepasswordstore = disabled 67 79 
acct_mgr.web_ui.* = enabled 68 69 [account-manager]70 password_store = HtDigestStore71 htdigest_realm = Trac72 ;password_file = /var/trac/trac.htdigest ; old style (acct_mgr < 0.4)73 htdigest_file = /var/trac/trac.htdigest ; new style (acct_mgr >= 0.4)74 80 }}} 75 81 will: … … 83 89 84 90 === !SessionStore === 91 {{{ 92 #!cfg 93 [account-manager] 94 hash_method = HtDigestHashMethod 95 db_htdigest_realm = TracDB 96 password_store = SessionStore 97 }}} 85 98 {{{ 86 99 #!cfg … … 99 112 acct_mgr.svnserve.svnservepasswordstore = disabled 100 113 acct_mgr.web_ui.* = enabled 101 102 [account-manager]103 hash_method = HtDigestHashMethod104 db_htdigest_realm = TracDB105 password_store = SessionStore106 114 }}} 107 115 will: … … 153 161 persistent_sessions = true 154 162 }}} 155 156 will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he'll be remembered. 163 will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he/she will be remembered. 157 164 158 165 === Single Sign On === … … 167 174 Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above. 168 175 169 An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. 
Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid an workingwell.176 An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well. 170 177 171 178 === Account Locking === 172 * new feature foracct_mgr-0.3179 * new feature since acct_mgr-0.3 173 180 * available options (displayed with default values here): 174 175 {{{176 #!cfg177 [components]178 acct_mgr.guard.accountguard = enabled179 }}}180 181 181 182 {{{ … … 187 188 user_lock_time_progression = 1 188 189 }}} 190 {{{ 191 #!cfg 192 [components] 193 acct_mgr.guard.accountguard = enabled 194 }}} 195 but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders 196 197 As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options. 
189 198 190 199 ==== Hard Lock-up ==== … … 197 206 will have following effect: 198 207 * lock account after 5 successive failed login attempts 199 * no lock expiration, so release strictly requires administrator interaction 200 201 ==== Fixed login delay ==== 208 * no lock expiration, so release strictly '''requires administrator interaction''' 209 210 ==== Fixed login retry delay ==== 211 fixed delay time regardless of number of successive failed login attempts 212 202 213 {{{ 203 214 #!cfg … … 208 219 will have following effect: 209 220 * lock account after 3 successive failed login attempts 210 * timed account locked release 30 seconds after last failed login attempt 211 * fixed delay time regardless of number of successive failed login attempts 212 213 ==== Modestly progressing login delay ==== 221 * release account lock 30 seconds after last failed login attempt 222 223 ==== Modestly progressing login retry delay ==== 214 224 {{{ 215 225 #!cfg … … 224 234 * timed account locked release after a time, that depends on failed login attempt history like so: 225 235 226 Tab. : lock time progression (factor 2)236 Tab. 1: lock time progression (factor 2) 227 237 ||attempt count ||delay time in seconds ^![1]^|| 228 238 ||0 ||0 … … 244 254 ^![1]^ time after previous failed login attempt 245 255 246 ==== Aggressively progressing, but limited login delay ====256 ==== Aggressively progressing, but limited login retry delay ==== 247 257 {{{ 248 258 #!cfg … … 257 267 * timed account locked release after a time, that depends on failed login attempt history and is limited to max. 24 hours like so: 258 268 259 Tab. : lock time progression (factor 5)269 Tab. 2: lock time progression (factor 5) 260 270 ||attempt count ||delay time in seconds || 261 271 ||0 ||0 ||
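Review bot: In the !HtPasswdStore hunk, the relocated `[account-manager]` block still carries `htpasswd_hash_type = md5` with no comment on why that hash type is used or what else the plugin accepts. Since this is the sample most readers will copy, suggest a short `;` comment on that line naming the values the installed acct_mgr version supports and telling readers to pick the strongest one available to them, in the same style as the existing "old style / new style" comments on `password_file` and `htpasswd_file`.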
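Review bot: In the "Persistent Sessions" hunk the pronoun change is applied to only one of two occurrences, so the sentence now reads "next time he visits the site, he/she will be remembered". Suggest rewriting the whole clause neutrally, for example "the next time they visit the site, they will be remembered", and changing "This is," to "That is," while the line is being touched.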
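Review bot: In the "Account Locking" hunk, the added line "but this does '''nothing''' for backwards-compatibility, ..." follows the moved `[components]` block with no subject, so the reader has to infer that enabling `acct_mgr.guard.accountguard` on its own leaves failed-login tracking switched off. Suggest saying so directly in a full sentence, and stating the consequence the next paragraph implies: as long as `login_attempt_max_count` is 0 no account is ever locked, so anyone who wants lock-out protection must set it to a non-zero value. The `==` in "login_attempt_max_count == 0" would also read better as the plain config form `login_attempt_max_count = 0` in backticks.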
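Review bot: In the "Hard Lock-up" hunk, the new bold on "requires administrator interaction" flags the cost of this setup, but the section still gives no guidance on when to choose it over the timed variants that follow. Suggest one sentence stating the trade-off that the bullets already imply: with no lock expiration, every account locked after 5 failed attempts stays unavailable until an administrator releases it, whereas the retry-delay configurations release the lock on their own. In the next hunk, the relocated line "fixed delay time regardless of number of successive failed login attempts" is now a lowercase fragment used as a lead-in and should be made a full sentence.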