Changes between Version 21 and Version 22 of CookBook/AccountManagerPluginConfiguration

Timestamp:

Jul 22, 2015, 8:47:10 AM (9 years ago)

Author:

figaro

Comment:

Cosmetic changes

CookBook/AccountManagerPluginConfiguration

@@ -1 @@
-[[PageOutline(2-5,content)]]
-
-= Cookbook: AccountManagerPlugin configuration =
-commented sample configurations for most common and some special use cases
-
-We collect some useful configuration examples here giving hints on proper use of available options.
-
- '''General hints:'''
+[[PageOutline(2-5,Contents,pullout)]]
+
+= Cookbook: AccountManagerPlugin configuration
+
+This page lists some useful configuration examples with hints on proper use of available options.
+
+'''General hints:'''
  * Content for different section grouped in one example must be used together.
  * Option names are written in !CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. As you see, case doesn't really matter here.
 
-== Basic configuration/Kickstart ==
+== Basic configuration/Kickstart
+
 !AccountManagerPlugin replaces the traditional Trac login feature with a webform, because [wiki:AccountManagerPlugin/Modules#LoginModule LoginModule] is enabled in all examples below. No additional action is required since acct_mgr-0.4, but older plugin versions required to disable the obsoleted Trac core component explicitly:
-{{{
-#!cfg
+{{{#!cfg
 [components]
 trac.web.auth.loginmodule = disabled
 }}}
 
-=== !HtPasswdStore ===
-{{{
-#!cfg
+=== !HtPasswdStore
+
+{{{#!cfg
 [account-manager]
 password_store = HtPasswdStore
@@ -28 +27 @@
 reset_password = false
 }}}
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.admin.* = enabled
@@ -50 +48 @@
  * use `md5` password hash type for changed/new passwords, hint: use the cryptographically strongest, that is available on your system (and still compatible with other applications in shared-use case)
 
-''Note:''  new configuration option 'htpasswd_file' for acct_mgr-0.4 and later
- see [wiki:AccountManagerPlugin/AuthStores#HtPasswdStore HtPasswdStore] module documentation for more details
-
-=== !HtDigestStore ===
-{{{
-#!cfg
+'''Note:''' new configuration option 'htpasswd_file' for acct_mgr-0.4 and later, see [wiki:AccountManagerPlugin/AuthStores#HtPasswdStore HtPasswdStore] module documentation for more details.
+
+=== !HtDigestStore
+
+{{{#!cfg
 [account-manager]
 password_store = HtDigestStore
@@ -63 +60 @@
 reset_password = false
 }}}
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.admin.* = enabled
@@ -85 +81 @@
  * set realm to select relevant htdigest file entries to '`Trac`'
 
-''Note:''  new configuration option 'htdigest_file' for acct_mgr-0.4 and later
- see [wiki:AccountManagerPlugin/AuthStores#HtDigestStore HtDigestStore] module documentation for more details
-
-=== !SessionStore ===
-{{{
-#!cfg
+'''Note:''' new configuration option 'htdigest_file' for acct_mgr-0.4 and later, see [wiki:AccountManagerPlugin/AuthStores#HtDigestStore HtDigestStore] module documentation for more details.
+
+=== !SessionStore
+
+{{{#!cfg
 [account-manager]
 hash_method = HtDigestHashMethod
@@ -97 +92 @@
 reset_password = false
 }}}
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.admin.* = enabled
@@ -120 +114 @@
  * set realm to select relevant htdigest entries to '`TracDB`'
 
-''Note:''  new configuration option 'db_htdigest_realm' for acct_mgr-0.4 and later
- see [wiki:AccountManagerPlugin/AuthStores#SessionStore SessionStore] module documentation for more details
-
-=== Create users ===
+'''Note:''' new configuration option 'db_htdigest_realm' for acct_mgr-0.4 and later, see [wiki:AccountManagerPlugin/AuthStores#SessionStore SessionStore] module documentation for more details.
+
+=== Create users
+
 Create the first user through browser-based registration enabled by following additional lines in `components` section of `trac.ini`:
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.register.* = enabled
@@ -132 +125 @@
 
 Don't add another `components` section, just the configuration line with 'enabled' into an existing `components` section. After user creation you may choose to disable registration by uncommenting the [AccountManagerPlugin#RegistrationModule RegistrationModule] setting above or changing it to:
-{{{
-#!cfg
+{{{#!cfg
 [components]
 ;need this for first user
 acct_mgr.register.* = disabled
 }}}
-Or just use the plugins admin page form Trac's web interface, after you've given admin priviledges to the first user you created.
-
-=== Award an existing user account for Trac admin ===
-{{{
-#!sh
+Or just use the plugins admin page form Trac's web interface, after you've given admin privileges to the first user you created.
+
+=== Award an existing user account for Trac admin
+
+{{{#!sh
 trac-admin /path/to/env permission add <username> TRAC_ADMIN permission list <username>
 }}}
 
-=== Goodies ===
-There are some misc options for `account-manager` section of `trac.ini` you may want to set/unset depending on your requirements:
+=== Goodies
+
+There are some miscellaneous options for `account-manager` section of `trac.ini` you may want to set/unset depending on your requirements:
 ||'''Option'''||'''Default Value'''||'''Recommendation'''||'''Available Since'''||
 ||reset_password || True ||Disallow password reset if needed. ||acct_mgr-0.? ||
 ||generated_password_length ||8 ||Useful only with reset enabled. Raise the bar for brute-force attacks on user passwords, if you feel this is needed. [AccountManagerPlugin#AccountGuard AccountGuard] might still be a more powerful alternative, see [#AccountLocking Account Locking] section below. ||acct_mgr-0.? ||
-||force_passwd_change ||True ||Useful only with reset enabled. Randomly generated passwords should be motivation enough to change them, but YMMV.||acct_mgr-0.? ||
+||force_passwd_change ||True ||Useful only with reset enabled. Randomly generated passwords should be motivation enough to change them, but this depends on local policy.||acct_mgr-0.? ||
 
 See the paragraphs below for a more detailed explanation of some of these settings.
 
-== Advanced configurations ==
-=== Password Reset ===
+== Advanced configurations
+
+=== Password Reset
+
 You need an authentication store enabled and configured correctly as a pre-requisite here. Additionally explicitly enable or unset the following option:
-{{{
-#!cfg
+{{{#!cfg
 [account-manager]
 ;reset_password = false
 }}}
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.notification.accountchangelistener = enabled
@@ -174 +167 @@
 A detailed explanation of the [wiki:AccountManagerPlugin/Modules#Lostpasswordprocedure 'lost password' procedure] is available too.
 
-''Note:'' Hiding of non-functional parts from the web-UI has been corrected for acct_mgr-0.4.1, and the plugin complains on misconfiguration too, see trac.log
-
-=== Persistent Sessions ===
-{{{
-#!cfg
+'''Note:''' Hiding of non-functional parts from the web-UI has been corrected for acct_mgr-0.4.1, and the plugin complains on misconfiguration too, see trac.log.
+
+=== Persistent Sessions
+
+{{{#!cfg
 [account-manager]
 persistent_sessions = true
 }}}
-will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he/she will be remembered.
-
-=== Single Sign On ===
+will allow users to be remembered across sessions without needing to re-authenticate. That is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time the user visits the site, he/she will be remembered.
+
+=== Single Sign On
+
 In a setup with multiple Trac environments per domain/host chances are that users want to work with several projects simultaneously. 40 and more environments served by a single Trac install have been reported from private networks as well as seen on the web.
 
@@ -190 +184 @@
 
 In order to achieve this, set `auth_cookie_path` in the `[trac]` section of your `trac.ini` file to the '''URL''' path of your installations `TRAC_PARENT_DIR`. Assumed your projects use the URL `http://www.example.com/trac/<project_name>`, this should look like:
-{{{
-#!cfg
+{{{#!cfg
 [trac]
 auth_cookie_path = /trac
 }}}
+
 If you made this change to an existing setup, and encounter login problems afterwards, check the cookies stored in your browser. If it holds any `trac_auth` cookies with a path other than the one defined by `auth_cookie_path`, you might have to remove those as they might conflict.
 
 Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above.
 
-An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid and works well.
-
-=== Account Locking ===
+An inherited `trac.ini` file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path changes. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both authentication sharing and non-sharing environments side-by-side is valid and works well.
+
+=== Account Locking
+
  * new feature since acct_mgr-0.3
  * available options (displayed with default values here):
 
-{{{
-#!cfg
+{{{#!cfg
 [account-manager]
 login_attempt_max_count = 0
@@ -213 +207 @@
 user_lock_time_progression = 1
 }}}
-{{{
-#!cfg
+{{{#!cfg
 [components]
 acct_mgr.guard.accountguard = enabled
 }}}
-but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders
-
-As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explaining in the way how it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options.
-
-==== Hard Lock-up ====
-{{{
-#!cfg
+but this does '''nothing''' for backwards-compatibility, preventing surprises for unaware plugin-upgraders.
+
+As long as login_attempt_max_count == 0, login failure tracking is actually disabled and no other related option matters. The account locking section in the configuration admin panel (since acct_mgr-0.4.1) is quite self-explanatory in the way it conditionally hides irrelevant options. So it's worth a look even for the console guru, who doesn't immediately understand these options.
+
+==== Hard Lock-up
+
+{{{#!cfg
 [account-manager]
 login_attempt_max_count = 5
@@ -233 +226 @@
  * no lock expiration, so release strictly '''requires administrator interaction'''
 
-==== Fixed login retry delay ====
-fixed delay time regardless of number of successive failed login attempts
-
-{{{
-#!cfg
+==== Fixed login retry delay
+
+Fixed delay time regardless of number of successive failed login attempts
+
+{{{#!cfg
 [account-manager]
 login_attempt_max_count = 3
@@ -246 +239 @@
  * release account lock 30 seconds after last failed login attempt
 
-==== Modestly progressing login retry delay ====
-{{{
-#!cfg
+==== Modestly progressing login retry delay
+
+{{{#!cfg
 [account-manager]
 login_attempt_max_count = 2
@@ -279 +272 @@
 ^![1]^ time after previous failed login attempt
 
-==== Aggressively progressing, but limited login retry delay ====
-{{{
-#!cfg
+==== Aggressively progressing, but limited login retry delay
+
+{{{#!cfg
 [account-manager]
 login_attempt_max_count = 4