Apache, Trac and LDAP - how to glue them all together?

Question

I'm trying to set-up Trac to authorise users via the LDAP plugin on a Debian (Lenny) server.

LDAP appears to be working correctly, I can query successfully via:

ldapsearch -vLx -h 127.0.0.1 -b "dc=example, dc=com" "(sn=mysurname)"

And if i purposely break my Apache LDAP address settings I can see errors in /var/log/apache2/error.log

2010-08-27 17:19:38,909 Trac[api] WARNING: LDAP error: No such object (dc=examplefoo,dc=com)

When I visit http://example.com:8022/trac and click the login button the authentication window pops up (confirming again that LDAP is kicking in), however, when I enter a correct username/password I just get a Trac web page with:

Trac Error
Authentication information not available. Please refer to the installation documentation.

TracGuide — The Trac User and Administration Guide

The logs are equally unhelpful (ignore the svn error, I'm aware of that):

2010-09-01 14:25:30,553 Trac[api] DEBUG: NEEDS UP?: sys:False, rep:False, stats:False, fields:False, man:False
2010-09-01 14:25:30,577 Trac[env] WARNING: base_url option not set in configuration, generated links may be incorrect
2010-09-01 14:25:30,577 Trac[main] DEBUG: Dispatching <Request "GET u'/login'">
2010-09-01 14:25:30,583 Trac[svn_fs] INFO: Failed to load Subversion bindings
Traceback (most recent call last):
  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/trac/versioncontrol/svn_fs.py", line 251, in __init__
    _import_svn()
  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/trac/versioncontrol/svn_fs.py", line 69, in _import_svn
    from svn import fs, repos, core, delta
ImportError: No module named svn
2010-09-01 14:25:30,584 Trac[chrome] DEBUG: Prepare chrome data for request
2010-09-01 14:25:30,586 Trac[api] DEBUG: action controllers for ticket workflow: ['ConfigurableTicketWorkflow']
2010-09-01 14:25:30,597 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2010-09-01 14:25:30,601 Trac[main] WARNING: 500 Trac Error (Authentication information not available. Please refer to the <a href="/trac/wiki/TracInstall#ConfiguringAuthentication" title="Configuring Authentication">installation documentation</a>.)
2010-09-01 14:25:30,621 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2010-09-01 14:25:30,621 Trac[session] DEBUG: Retrieving session for ID '20e2cfb643bff0f9121fe615'
2010-09-01 14:25:30,641 Trac[tande_filters] DEBUG: self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
2010-09-01 14:25:30,642 Trac[ticket_webui] DEBUG: TicketWebUiAddon executing
2010-09-01 14:25:30,774 Trac[main] DEBUG: 124 unreachable objects found.

My apache set-up is as follows.

<VirtualHost example.com:8022>
    ServerName example.com
    ServerAlias example.com

    ProxyRequests Off
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>

    ProxyPreserveHost On
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/(.*) http://127.0.0.1:8002/$1 [P]
</VirtualHost>

<Location /trac/login>
   AuthType Basic
   AuthName "Trac"
   AuthBasicProvider ldap
   Order Allow,Deny
   Allow from All
   AuthLDAPURL "ldap://127.0.0.1:389/dc=example,dc=com?uid"
   #should be on if using groups
   AuthzLDAPAuthoritative off
   Require valid-user
   #Require ldap-group cn=tracusers,dc=example,dc=com
</Location>

The server has a number of other in-development services running, hence the odd port number.

My trac.ini is a fresh install, with the following changes:

[ldap]
basedn = dc=example,dc=com
bind_passwd = foo
bind_user = cn=admin,dc=example,dc=com
enable = true
group_rdn = ou=people
host = 127.0.0.1
port = 389
use_tls = false
user_rdn = ou=users

[components]
ldapplugin.* = enabled

For testing I just start the Trac server with:

bin/tracd --port 8202 parts/trac

Where am I going wrong? It feels as if the Apache config is as fault, as LDAP does seem to be working.

Is that the correct command to be starting the server with (htpasswd for example has it's own options)?

In the long run what's the best way to run the server? WSGI?

Answer 1

If you need to test your "Apache+LDAP+Trac" binding, you don't need to run standalone bin/tracd.

First try to use Apache LDAP authentification with Trac without LdapPlugin(it just adds ability to manage trac permissions for LDAP groups). You should configure authentifacation on /trac/login location, and Trac will automatically get authentificated user name. Look here: TracModWSGI - ConfiguringAuthentication This works fine in my setup(Debian Squeeze, Trac 0.12). So just remove all your modifications from from trac.ini.

When you will get working authentification, you may start configuring LdapPlugin.

WSGI is IMHO best way to run python application on Apache, it's fast and simple.