Opened 14 years ago
Closed 12 years ago
#8659 closed defect (worksforme)
WinXP HtDigestStore disables AccountModule because the password store does not support writing
Reported by: | Andreas | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | major | Keywords: | htdigest file AccountModule disabled |
Cc: | Trac Release: | 0.12 |
Description (last modified by )
When switching to htdigest authentication mode webui disables AccountModule and RegistrationModule. Login does no longer work.
Windows XP SP3
Apache/2.2.17 (Win32)
Python 2.7.1
trac 0.12.2
tracaccountmanager 0.2.1dev-r4679 0.3dev-r9929
trachttpauth 1.1
tracloginrequiredplugin 0.1.0
tracmercurial 0.12.0.26
Attachments (1)
Change History (16)
comment:1 Changed 14 years ago by
- Windows XP SP3
- Apache/2.2.17 (Win32)
- Python 2.7.1
- trac 0.12.2
- tracaccountmanager 0.2.1dev-r4679
- trachttpauth 1.1
- tracloginrequiredplugin 0.1.0
- tracmercurial 0.12.0.26
Changed 14 years ago by
Attachment: | trac.ini.zip added |
---|
comment:2 Changed 14 years ago by
Keywords: | htdigest file AccountModule disabled added |
---|
What actions do you expect? If I understand correctly from the trac.log snippet in #8660, you've got a read-only htdigest password file, right? At least this is just a local installation and configuration problem.
You still want to use it that way? Do you feel the action taken by AcctMgr is just too harsh, or anything else? And last but not least, as you're using Trac 0.12: Why don't you try a more recent revision of this plugin? :-)
comment:3 Changed 14 years ago by
I have upgraded to "tracaccountmanager 0.3dev-r9929".
What actions do I expect?
- login fails with a "Invalid username or password". I have created the password file with
htdigest -c htdigest trac baloan
Login works fine with htpasswd.
- htdigest is read-write so I was wondering whether updating the password is not supported by tracaccountmanager with htdigest?
D:\Home\web\trac>attrib htdigest A D:\Home\web\trac\htdigest
comment:4 Changed 14 years ago by
I don't use AcctMgr with htdigest right now, but still don't know, why it shouldn't work.
Currently you can't use two or more files on parallel, whether it might might be htpasswd, htdigest or a mix of them. This might lead to confusion, even unintended misconfiguration, so please double-check, what is you effective configuration.
LoginRequiredPlugin is another candidate for disturbance, as it states clearly on the wiki page. Redirection issues have been fixed for AcctMgr lately, dunno, how that suites to LoginRequiredPlugin.
You mentioned "webui disables AccountModule and RegistrationModule" initially. Can you proof such behavior, i.e. by DEBUG log of a Trac environment reload?
comment:6 Changed 14 years ago by
Keywords: | needinfo added |
---|
comment:7 Changed 13 years ago by
This could even be related to #4677 in your case. Please make sure you don't have conflicting configuration - there can be only one of HtDigestStore
and HtPasswdStore
working.
Unless you use the latest code from trunk
. If you do, please read the commit message of changeset [10396] really careful. Would be great to get test feedback for this new code here.
comment:8 Changed 12 years ago by
After such a long time without feedback it might be reasonable to assume, that the issue has been resolved meanwhile, right? If so, tell us as well, please.
However I'll let the next release happen before I finally close this ticket.
comment:9 Changed 12 years ago by
Not fixed. Using tracd on Debian, so perhaps that's a conflict between the trac.ini parameters and the command-line --auth option and its parameters. As for the proof, well the name of the report is pretty much the line of the log (found this report by googling the corresponding log line).
2012-09-27 21:57:56,102 Trac[web_ui] WARNING: AccountModule is disabled because the password store does not support writing. 2012-09-27 21:57:56,103 Trac[web_ui] WARNING: RegistrationModule is disabled because the password store does not support writing.
I tried without authentication info in trac.ini, without --auth on the command line (that disabled authentication as expected), with the same info on the command line and in trac.ini, with a distinct (but similar) copy of the password file in each, and a few other even dumber things (same or different realms etc). Nothing worked. I think I'll just conclude that tracd is not compatible with the Registration or Account modules, install a minimalist web server such as boa an let it deal with the passwords. That would be consistent with the need to manually hash the passwords for tracd command-line options...
comment:10 follow-up: 11 Changed 12 years ago by
Description: | modified (diff) |
---|
Did you try acct_mgr-0.3
or better: latest development code of acct_mgr-0.4dev
aka trunk
yet?
But I suspect there's no issue with AcctMgr at all. You want to use tracd with HTTP Basic Auth, but manage the htdigest
file with AcctMgr, right? Make sure, that tracd process is running with a suitable UID, so you have r/w access to that file. You didn't talk about that by now. It seems that you continue to fail with that in your configuration - nothing that AcctMgr could be blamed for. If you're sure, that you'll be able to write to the file from tracd, post your [account-manager]
configuration here, please.
Login is yet a different topic. For tracd with HTTP Basic Auth you need to follow t:wiki:TracStandalone#UsingAuthentication. Make sure to not enable AcctMgr's login form.
Btw, what is HttpAuthPlugin (you listed trachttpauth
) meant to be fore? It's not needed for normal login as mentioned in the wiki docs, and I think you have more, than you need, or you don't know exactly what to do, so you risk interfering plugin actions. Try to build you setup step-by-step. Activating multiple plugins while having issues is a bad idea - just sort out each one on it's own, ok?
comment:11 Changed 12 years ago by
[PiLS] formerly [anonymous] Replying to hasienda:
Did you try
acct_mgr-0.3
or better: latest development code ofacct_mgr-0.4dev
akatrunk
yet?
Nope. But as you say further down, that doesn't look like a acct_mgr error to me.
But I suspect there's no issue with AcctMgr at all.
I suspect the same.
You want to use tracd with HTTP Basic Auth,
No, I want the htdigest auth if possible. I never actually tried the basic auth.
but manage the
htdigest
file with AcctMgr, right?
Right-ish.
Make sure, that tracd process is running with a suitable UID, so you have r/w access to that file. You didn't talk about that by now.
My bad. I have otherwise pretty good security and isolation so I run tracd as root on port 80 in that case. The password file, store, etc (and everything else in my Trac install) are owned by www-data in prevision of a move towards more sensible settings, but I think we can agree that root should have write access to them nonetheless ;-)
It seems that you continue to fail with that in your configuration
Not sure what you mean but yes I keep failing
- nothing that AcctMgr could be blamed for.
Again, I do agree. Did my post somehow imply that? If so, that was definitely not my intention.
If you're sure, that you'll be able to write to the file from tracd, post your
[account-manager]
configuration here, please.
I can post one of the ten or so that did not work.
[account-manager] account_changes_notify_addresses = force_passwd_change = true htdigest_realm = trac password_file = /some/place/owned/by/www-data/trac/passwords/pass.digest password_store = HtPasswdStore persistent_sessions = true
"trac" is the realm I specify on the command line. I tried with nothing, and with a different realm
"pass.digest" is the password file I specify on the command line. It contains hashed passwords. I tried with nothing, with a non-existent file, with an exact copy of the same file, with the source file containing the undigested passwords, and with an ghost file (created with touch).
I tried removing "HtPasswdStore" but I never tried using basic auth instead (and I don't want to).
Login is yet a different topic.
How so?
For tracd with HTTP Basic Auth
Which I am not interested in even trying
you need to follow t:wiki:TracStandalone#UsingAuthentication. Make sure to not enable AcctMgr's login form.
Is that still valid if I really, REALLY don't want basic auth, to the point that I'd switch projects if Trac doesn't allow anything else? Again, I am willing to install a web server if tracd can't deal with that issue. I will NOT use basic auth. EVER. I hope that is clear ;-)
Btw, what is HttpAuthPlugin (you listed
trachttpauth
) meant to be fore?
Ho ha OK. Well I am not Baloan, I am the anonymous guy you reply to. Sorry, I'm in a rush so I did not create an account. I will ASAP Call me PiLS if you must, that's gonna be my ID if still available.
It's not needed for normal login as mentioned in the wiki docs,
No discussion about that
and I think you have more, than you need,
Tell me about that, I used to run GForge...
or you don't know exactly what to do,
If I knew exactly what to do we would not be having that discussion, would we? But I do believe that you are answering someone else. Someone who runs XP and not Debian... someone wo did not find this report by googling a line in the logs...
so you risk interfering plugin actions.
Now we're talking. I have both accountmodule and registrationmodule installed. They are both disabled at startup because of that password store issue (as shown in the log extract in my previous post, the anon one). I suspect it's not the plugins interfering with each other, but each of the plugins interfering with tracd (and losing the fight, as should damn well be).
Try to build you setup step-by-step. Activating multiple plugins while having issues is a bad idea - just sort out each one on it's own, ok?
That's a sensible idea. I tested my install without any plugin at all -everything went fine-, then with both registrationmodule and accountmodule at once (because I know for a fact that users will moan otherwise). The fact that the errors shows up that early in the logs, before any of the module is actually used, and the fact that it is exactly the same, at the very same time for both plugins, and the fact that is causes webui to disable both plugins at startup (so neither actually get a chance to cause interference, because they are just disabled before they have a chance to cause any trouble -correct me if I am wrong), all that suggests to me that this has in fact nothing to do with interference between plugins. I may of course be completely wrong... legend has it, that it has happenned before ;-)
PiLS
comment:12 follow-up: 13 Changed 12 years ago by
OK, so I finally created an account. I was the guy on
09/28/12 04:11:24
and
09/29/12 04:19:42
I am definitely not the original reporter.
I do no encounter issues with login; however, the same error shows up in my logs, and that prevents validation emails from being sent.
For more info about my config please read the two anonymous messages further up. The line I use for tracd is
#tracd -p80 --auth="*,/some/place/owned/by/www-data/passwords/pass.digest,trac" /my/trac/place/tracsite-1 /my/trac/place/tracsite-2
comment:13 follow-up: 14 Changed 12 years ago by
Replying to PiLS:
OK, so I finally created an account.
Much better, thanks. So the communication link is more reliable.
I am definitely not the original reporter.
Got that wrong by your comment start 'Not fixed.', and overlooked the mismatch with OP in the following sentence, indeed. Clear now.
I do no encounter issues with login; however, the same error shows up in my logs, and that prevents validation emails from being sent.
For more info about my config please read the two anonymous messages further up. The line I use for tracd is
#tracd -p80 --auth="*,/some/place/owned/by/www-data/passwords/pass.digest,trac" /my/trac/place/tracsite-1 /my/trac/place/tracsite-2
Here you fire tracd with authentication information, that is required only, if you intend to use Trac itself for authentication/login. But in your previous comment you made already clear, that you would want to do it with AcctMgr and it's form-based LoginModule alone, right?
- use simple htdigest file store configuration - see i.e. README in your AcctMgr version as a starting point
- make sure, that you enabled AcctMgr's LoginModule, but disabled Trac's own - this is even done for you in latest
trunk
automatically, sotrac.ini
looks similar to the htdigest example in our cookbook wiki page - start tracd like so instead:
#tracd -p80 /my/trac/place/tracsite-1 /my/trac/place/tracsite-2
I use tracd in a similar setup in production on a Gnu/Linux (Debian) system, so I know it works, as soon as we've sorted out your installation/configuration issues. All this would certainly better fit into our mailing-list. Tickets here are meant for development, and resolved configuration issues have much less visibility here than on the list archive.
comment:14 Changed 12 years ago by
Replying to hasienda:g to PiLS:
Thanks. I apparently missed a few lines in trac.ini, among which
acct_mgr.htfile.htdigeststore = enabled
for some reason. Pretty much everything else was set up automatically by initenv.
The line
trac.web.auth.loginmodule = disabled
is also required to use the web login form, but I went back as http auth is more efficient.
I use tracd in a similar setup in production on a Gnu/Linux (Debian) system, so I know it works, as soon as we've sorted out your installation/configuration issues. All this would certainly better fit into our mailing-list. Tickets here are meant for development, and resolved configuration issues have much less visibility here than on the list archive.
Sorry, I'll keep that in mind next time. Feel free to repost it there.
comment:15 Changed 12 years ago by
Keywords: | needinfo removed |
---|---|
Resolution: | → worksforme |
Status: | new → closed |
Pretty much information for similar cases.
Your implicit "Ok" seems to confirm, that all this is related to local installation/configuration of Trac and AcctMgr, not to a real defect of the plugin, as this ticket might suggest - so I'm closing this now.
Welcome to ask on the mailing-list next time. Thanks for taking care.