Changes between Version 7 and Version 8 of CookBook/AccountManagerPluginConfiguration

Jan 8, 2012, 10:29:38 PM (6 years ago)
Steffen Hoffmann

add SSO setup advise


  • CookBook/AccountManagerPluginConfiguration

    v7 v8  
    129129||force_passwd_change ||True ||Useful only with reset enabled. Randomly generated passwords should be motivation enough to change them, but YMMV.||acct_mgr-0.? ||
     131See the paragraphs below for a more detailed explanation of some of these settings.
    131133== Advanced configurations ==
    132134=== Password Reset ===
     135=== Persistent Sessions ===
     138persistent_sessions = true
     141will allow users to be remembered across sessions without needing to re-authenticate. This is, a user checks a "Remember Me" checkbox on the [wiki:AccountManagerPlugin/Modules#LoginModule login page] and, next time he visits the site, he'll be remembered.
     143=== Single Sign On ===
     144In a setup with multiple Trac environments per domain/host chances are that users want to work with several projects simultaneously. 40 and more environments served by a single Trac install have been reported from private networks as well as seen on the web.
     146To address the demand for authentication information sharing between some/all of the Trac environments in such a setup a login synchronization process has been introduced for acct_mgr-0.4. It relies on a non-default value for the path of `trac_auth` and `trac_auth_session` cookies. Otherwise the cookie wouldn't be recognized as related to different Trac environments by the web browser client:
     149auth_cookie_path = /var/www/trac
     151Hint: Even if this setting has been introduced in Trac 0.12, it could be set in `trac.ini` for older Trac versions, and !AcctMgr will use it, specifically providing a cookie path fix-up for `trac_auth` cookies generated by Trac 0.11 and above.
     153An inherited trac.ini file is perfect for sharing this common setting and more between several Trac environments. Additionally delete existing `trac_auth` browser cookies. This is a one-time cleanup and only necessary to avoid unexpected login results after a cookie path change. Of course logging out in one Trac environment will terminate the authenticated session for all participants sharing authentication as indicated by the equal cookie path setting. A mixed setup containing both, authentication sharing and non-sharing environments side-by-side is valid an working well.
    133155=== Account Locking ===
    134156 * new feature for acct_mgr-0.3