Hi,

I am in the works of setting up a Trac server for my (small) company and need a bit of help/guidance with the authentication mechanism.

We have for some time developed our own web application which our users access in their day to day work. It is built in php5.3 and includes a users database stored in a mysql database. I have been asked to look into the possibilities for Trac to use our existing user database in order to keep user maintenance to a minimum. Do you have any suggestions or tips for doing that?

Here is what I have come up with so far:

  1. Install Trac on our server (currently done with mysql/apache2/mod_python), but don't grant access to anyone on the net.
  2. Write a php wrapper script that
    1. Handles the authentication mechanism.
    2. Passes the request to Trac with the username included.
  3. Trac handles the request as the specified user

The problem is: I don't know how to do step 2.

Any comments?

Best regards Jørn

A: 

First off, don't use mod_python, use mod_wsgi.

Second, you have several options for how to do authentication. One option might be to just use mod_authn_dbd with a MySQL backend, keeping your authn in the apache2 config.

Third, look into Trac's AccountManager. It's one of the most useful Trac plugins (we use it at work), and will help you get this right. http://trac-hacks.org/wiki/AccountManagerPlugin

djc
Could you please point out the benefits of using mod_wsgi over mod_python?
Rufinus
For one thing, it's actually being maintained (mod_python hasn't released a new version in years). For another, performance (http://code.google.com/p/modwsgi/wiki/PerformanceEstimates).
djc
I chose mod_python because I got the impression that it was more stable than wsgi. From http://trac.edgewall.org/wiki/TracInstall: "If you're not afraid of running newer code, you can also try running Trac on mod_wsgi. This should deliver even better performance than mod_python, but the module isn't as extensively tested as mod_python."
Jørn Christensen
The module mod_authn_dbd might work (and I might choose that option) - but it is not SSO - which Pekka so nicely made me aware of is what I want :-) Trac's AccountManager looks nice - but I don't quite see how that can be used without migrating the user database to some other format.
Jørn Christensen
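
A sketch of the mod_authn_dbd option suggested in the answer above, added here as an example and not taken from the thread. The database name `appdb`, the table `users`, its columns `username` and `password`, the account `trac_ro`, and the `/srv/trac` path are all assumptions to be replaced with the real schema and paths.

```apache
# Constructed example: every name below (appdb, users, username, password,
# trac_ro, /srv/trac) is an assumption, not a value from this thread.

# Connection pool for mod_dbd; needs the APR DBD MySQL driver installed.
# Give trac_ro SELECT on the two columns used below and nothing else.
DBDriver mysql
DBDParams "host=localhost dbname=appdb user=trac_ro pass=CHANGE_ME"
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 300

# Trac served through mod_wsgi, as the answer recommends.
WSGIScriptAlias /trac /srv/trac/cgi-bin/trac.wsgi

# Trac takes the user name from REMOTE_USER when /login is requested,
# so only that URL needs to be protected by Apache.
<Location /trac/login>
    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider dbd

    # %s is passed to the database as a bound parameter, not spliced
    # into the SQL string.
    AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"

    # The value returned must be in a format Apache can verify:
    # crypt(), $apr1$ MD5, {SHA} base64 SHA-1, or bcrypt on Apache 2.4.
    # A bare hex digest such as PHP's md5($password) will never match,
    # so the application's stored hash format decides whether this
    # option works without touching the user table.
    Require valid-user
</Location>

# Basic authentication resends the credentials with every request to the
# protected URL, so serve this virtual host over HTTPS only.
```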
A: 

What you are looking for is called Single Sign On.

Are you running Trac on Apache? In that case, it seems to be possible to make use of what user authentication interfaces (LDAP...) Apache can interface with. Check out this conversation.

There are also some SSO plugins available at Trac Hacks, among them an LDAP one.

Pekka
I have not looked into LDAP before - and am a bit reluctant to do this, because this would (AFAICS) require a relocation of our user database and a rewrite of our current permission scheme. But we have talked about the current scheme lacking features - so perhaps one should look into LDAP. But for a start, we would appreciate it if we could just wrap Trac in our current authentication methods.
Jørn Christensen
@Jørn I see. mod_authn_dbd that @djc mentions wouldn't be SSO but probably the easiest way to go. On Trac Hacks is a plugin that connects to a different Open Source SSO solution, CoSign: http://trac-hacks.org/wiki/TracCoSignPlugin I haven't heard of it and it looks rather big, but seems to have been built for providing SSO inside intranets. Take a look, maybe it's something.
Pekka
@Pekka TracCoSign looks promising, though I just skimmed the page... I am on my way home. But thanks for the input - I will definitely look into that later this week :-)
Jørn Christensen
A: 

Just a quick follow up: I ended up using Carsten Fuchs' ScriptAuthPlugin (modifying it to md5-hash the password). Similar to TracCoSign, all you have to provide is an address against which ScriptAuthPlugin can validate user credentials. Works nicely :-)

http://trac-hacks.org/wiki/ScriptAuthPlugin

~Jørn

Jørn Christensen