Hacker for Hire

Trac, PAM, and Anonymous Access

Wyatt • Technology

Recently at HTG, we had the need to have anonymous access to create Trac tickets. This is all well and good if you are using Trac with its own built-in authentication; however, it gets a little more hairy when you are trying to use PAM for authentication. The big gain from PAM is that our developers only need 1 password for login to the box, login to SVN, and login to Trac. I could have figured this out a lot sooner if I’d read the documentation better; however, that’s not a typical engineer/hacker attitude. Also, this was hard to find with Google because so many people have “provided by ‘Trac’” in their pages that sifting just took forever. Anyway, here’s our setup for PAM authentication (this goes in your location /projects tag):

<Location /projects>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot "/projects"
        PythonDebug on

        PythonPath "sys.path + ['/opt/trac']"

        # Basic auth backed by PAM: every request under /projects must log in
        AuthType Basic
        AuthName "Dev"
        AuthPAM_Enabled on
        Require group admin
</Location>

Pretty simple, just sets up our generic stuff. This is what I had to change to get anonymous access AND HTTP basic auth when you click the little login button (our Trac is set up so anonymous can read the how-tos in the wiki, but nothing else).

# Everything under /projects is served without an auth challenge
<Location /projects>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot "/projects"

        PythonPath "sys.path + ['/opt/trac']"

#       AuthType Basic
#       AuthName "Dev"
#       AuthPAM_Enabled on
#       Require group admin
</Location>

# Only the login URL of each project asks for PAM-backed Basic auth
<Location /projects/*/login>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot "/projects"

        PythonPath "sys.path + ['/opt/trac']"

        AuthType Basic
        AuthName "Dev"
        AuthPAM_Enabled on
        Require group admin
</Location>

There is probably some repeated stuff in there, but it doesn’t seem to break things. Hope this helps someone else out there looking to do the same thing. As a side note, this is not generally a good idea, since you are sending basic auth (i.e. plain text) login info over unencrypted connections. With PAM behind it, that login info is the same password the developers use to log in to the box and to SVN.
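One way to deal with that side note is to serve Trac only from a TLS virtual host, so the Basic auth challenge never happens over plain HTTP. This is an added example, not part of the original setup; it assumes mod_ssl is loaded, and the hostname and certificate paths are placeholders.

```apache
# Added example, not from the original post. Assumes mod_ssl is loaded.
# trac.example.com and the certificate paths are placeholders.

# Plain-HTTP vhost: no Trac handler and no auth here, only a redirect,
# so a Basic auth challenge is never issued over an unencrypted connection.
<VirtualHost *:80>
    ServerName trac.example.com
    Redirect permanent /projects https://trac.example.com/projects
</VirtualHost>

<VirtualHost *:443>
    ServerName trac.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/trac.example.com.crt
    SSLCertificateKeyFile /path/to/trac.example.com.key

    # Anonymous browsing, same as the second configuration in the post.
    <Location /projects>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot "/projects"
        PythonPath "sys.path + ['/opt/trac']"
    </Location>

    # PAM-backed Basic auth only on the login URL, and only over TLS.
    <Location /projects/*/login>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir /opt/trac
        PythonOption TracUriRoot "/projects"
        PythonPath "sys.path + ['/opt/trac']"

        # Refuse the request outright if it did not arrive over TLS,
        # in case this block is ever copied into a non-TLS vhost.
        SSLRequireSSL
        AuthType Basic
        AuthName "Dev"
        AuthPAM_Enabled on
        Require group admin
    </Location>
</VirtualHost>
```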

Update: Stupid WordPress wasn’t auto-escaping the code correctly; if you view it now, you should be able to see the location tags used in the Apache configuration.
