PAM Authentication for Apache, Trac and SVN

Posted by paul on January 4, 2007.

I’m going to describe how to get two of my favourite development tools, Trac and Subversion, to authenticate against PAM (Pluggable Authentication Modules). For those who might not be familiar, Trac is a wiki with integrated SCM browsing and issue tracking. It’s written in Python and it’s incredibly useful. I’ve been using Subversion for version control for a long time, and Trac is perfect for documenting a project as you go and for keeping track of tasks and bugs. Its access control settings let you specify levels of access for different users, so I often create one group for me and any other developers, and another group for my clients. The clients group can update the wiki, create tickets and get reports or look at milestones, etc. The developers group can administer all aspects of the site.

Anyway, as useful as Trac and SVN are, I started to get really sick of handling authentication for them. I used to set up htpasswd files for each repository and wiki, and it got to be a real pain, especially when I wanted my clients or developers to also have email, shell access, etc. So I decided to try and get mod_auth_pam working so I could use existing system accounts for Trac and Subversion access (over SSL, of course).

mod_auth_pam is an Apache module that implements Basic authentication on top of PAM: Apache collects the username and password from the browser and hands them to the PAM stack, so what gets checked is the user’s ordinary system password. As the project page says, the module is no longer maintained, which is unfortunate, but it works well enough with Apache 2.0. Bear in mind that it was written against the Apache 1.3/2.0 authentication API, so don’t expect it to drop into later releases that reorganised the auth framework.

Installing the module is pretty straightforward if you’re familiar with installing Apache modules. I won’t go into too much detail, but as usual you’ll need to load the module in your Apache configuration. The second module, mod_auth_sys_group, comes with the mod_auth_pam distribution and is what makes Require group work against the system’s /etc/group:

LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

Once that’s done you can easily set up Basic authentication with PAM. The module authenticates against the PAM service named httpd, so the server also needs a /etc/pam.d/httpd file (or an httpd entry in pam.conf) telling PAM how to check those logins. Because Basic authentication sends the username and password effectively in clear text (Base64 is an encoding, not encryption), and because the password being sent here is the user’s real system password, this setup must not be used without SSL. It is worth putting SSLRequireSSL inside each protected Location as well, so the credentials are never accepted over plain HTTP even if the Location block is later copied into a port 80 VirtualHost. Within my VirtualHost configuration, I define separate Location sections for each Trac site and SVN repository. It all looks something like this:

<VirtualHost 192.0.2.10:443>
    ServerName host.domain.tld
    SSLEngine On
    ...
    # Trac config
    <Location /trac>
       SetHandler mod_python
       PythonHandler trac.web.modpython_frontend
       PythonOption TracEnvParentDir /var/lib/trac
       PythonOption TracUriRoot /trac
    </Location>

    <Location "/trac/tracsiteone/login">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "trac site # 1"
       Require user paul
    </Location>

    <Location "/trac/tracsitetwo/login">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "trac site # 2"
       Require group developers
    </Location>

    # Subversion config
    <Location /svn>
       DAV svn
       SVNParentPath /var/svn
       SVNListParentPath On
       SVNAutoVersioning On
    </Location>

    <Location "/svn/repositoryone">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "Repo # 1"
       Require user paul
    </Location>

    <Location "/svn/repositorytwo">
       AuthPAM_Enabled On
       AuthType Basic
       AuthName "Repo # 2"
       Require group developers
    </Location>
</VirtualHost>
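For reference, here is a PAM service file for the module to use. This is an added example, not something from the original post; it assumes a Linux box whose accounts live in /etc/passwd and /etc/shadow (pam_unix), and the file name matches the httpd service name that mod_auth_pam uses.

```text
# /etc/pam.d/httpd  (added example; local accounts via pam_unix)
auth     required   pam_unix.so
account  required   pam_unix.so
# Optional: refuse the web service to accounts outside a named group,
# independently of any Require line in httpd.conf (group name assumed).
#account  required   pam_succeed_if.so user ingroup webusers
```

With shadow passwords in use, this file alone is not enough: the web server process must be able to read /etc/shadow for pam_unix to verify anyone but its own account, which is the issue mentioned further down.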

So what we have now is two SVN repositories and two Trac wikis. For the first Trac wiki and the first Subversion repository, only the user 'paul' is given access. For the second pair, any valid user in the 'developers' group has access. Unfortunately there’s an issue with shadow passwords and this module: pam_unix can only verify a password against /etc/shadow if the calling process can read that file, and the Apache worker runs as an unprivileged user that can’t, so logins fail for everyone except the web server’s own account unless you make /etc/shadow readable by the web server (for example by adding its user to the shadow group). That hands every password hash on the machine to any code running inside Apache, and I’m not entirely happy with the work-around, so I may have to edit this setup to use mod_authnz_external or maybe I’ll eventually move to LDAP. Regardless, I find this works well enough for now and saves a lot of hassle maintaining separate authentication files.
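Once Require user and Require group lines are spread over several Location sections, it is easy to lose track of who can actually reach what, and mod_auth_sys_group answers group membership from /etc/group rather than from Trac’s own permission tables. The script below is an added example (not code from the original post, nor from mod_auth_pam or Apache): it parses a constructed httpd.conf fragment plus constructed /etc/passwd and /etc/group lines and prints which accounts pass the Require line for each protected path. It treats a user’s primary GID as group membership in addition to the explicit member list, since a user whose primary group is developers never appears in that list; the user and group names, UIDs and GIDs are made up, and matching is by the exact Location string rather than Apache’s prefix-merge rules.

```python
"""Who can pass the Require line of each mod_auth_pam-protected Location?

Added example, not from the original post or any Apache module.  Models only
the authorization step (Require user / group / valid-user); the PAM password
check itself is assumed to have succeeded.
"""
import re
from collections import namedtuple

# --- constructed sample data (not from any real system) --------------------
HTTPD_CONF = """
<Location "/trac/tracsiteone/login">
   AuthPAM_Enabled On
   AuthType Basic
   AuthName "trac site # 1"
   Require user paul
</Location>
<Location "/trac/tracsitetwo/login">
   AuthPAM_Enabled On
   AuthType Basic
   AuthName "trac site # 2"
   Require group developers
</Location>
<Location "/svn/repositoryone">
   AuthPAM_Enabled On
   AuthType Basic
   AuthName "Repo # 1"
   Require user paul
</Location>
<Location "/svn/repositorytwo">
   AuthPAM_Enabled On
   AuthType Basic
   AuthName "Repo # 2"
   Require group developers
</Location>
"""
# 'alice' has developers (gid 2000) as her *primary* group, so she is absent
# from the member list in /etc/group; 'paul' is an explicit member.
PASSWD = """\
paul:x:1000:1000:Paul:/home/paul:/bin/bash
alice:x:1001:2000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
client1:x:1003:3000:Client One:/home/client1:/bin/bash
"""
GROUP = """\
paul:x:1000:
developers:x:2000:paul
bob:x:1002:
clients:x:3000:client1
"""

Rule = namedtuple("Rule", "kind value")  # kind: 'user', 'group' or 'valid-user'

def parse_locations(conf):
    """Map each <Location> path to its list of Require rules (other directives ignored)."""
    rules = {}
    block = re.compile(r'<Location\s+"?([^"\s>]+)"?\s*>(.*?)</Location>', re.S | re.I)
    for path, body in block.findall(conf):
        reqs = []
        for line in body.splitlines():
            m = re.match(r'\s*Require\s+(\S+)(?:\s+(.*))?', line, re.I)
            if not m:
                continue
            kind, names = m.group(1).lower(), (m.group(2) or "").split()
            if kind == "valid-user":
                reqs.append(Rule("valid-user", None))
            else:
                reqs.extend(Rule(kind, n) for n in names)
        rules[path] = reqs
    return rules

def parse_passwd(text):
    """user name -> primary gid"""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_group(text):
    """group name -> (gid, set of explicit members)"""
    out = {}
    for f in (l.split(":") for l in text.splitlines() if l):
        out[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return out

def in_group(user, group, passwd, groups):
    """Explicit membership in /etc/group OR the user's primary gid."""
    if group not in groups or user not in passwd:
        return False
    gid, members = groups[group]
    return user in members or passwd[user] == gid

def allowed(path, user, rules, passwd, groups):
    """True if an authenticated `user` satisfies `path`'s Require line; no Require means open."""
    reqs = rules.get(path)
    if not reqs:
        return True
    if user not in passwd:
        return False
    return any(r.kind == "valid-user"
               or (r.kind == "user" and r.value == user)
               or (r.kind == "group" and in_group(user, r.value, passwd, groups))
               for r in reqs)

def access_matrix(conf=HTTPD_CONF, passwd_text=PASSWD, group_text=GROUP):
    """path -> sorted list of accounts that pass its Require line."""
    rules, passwd, groups = parse_locations(conf), parse_passwd(passwd_text), parse_group(group_text)
    return {p: sorted(u for u in passwd if allowed(p, u, rules, passwd, groups)) for p in rules}

if __name__ == "__main__":
    for path, users in access_matrix().items():
        print(f"{path:30} {', '.join(users) or '(nobody)'}")
```

Running it against a real server means feeding the actual httpd.conf, /etc/passwd and /etc/group into access_matrix; a path that comes back open, or a group that silently includes an account via its primary GID, is exactly the kind of surprise this is meant to surface before the clients group finds it.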

Comments
  1. Anonymous - August 5, 2007 @ 03:09:57 AM

    Please write up a report when you end up moving to mod_authnz_external. I for one would find this information extremely useful!

  2. consultanta juridica - March 21, 2008 @ 11:10:15 AM

    In most setups, apache takes up residence in /usr/local/apache, chances are that's where it is, and if so, chances are your configuration file is /usr/local/apache/conf/httpd.conf. No?

  3. paul - March 24, 2008 @ 06:18:56 PM

    Yes, if Apache is installed in /usr/local/apache, chances are that the configuration file will be in /usr/local/apache/conf (newer versions of Apache break the configuration up into several modular files). This of course is configurable when installing Apache (by you when installing from source, or by the maintainer of the package if you're installing from a distribution / OS-specific package), so it could reside elsewhere depending on your system. This server (Apache 2.x on Fedora Core 7) has its Apache configuration spread out over several files in /etc/httpd/conf and /etc/httpd/conf.d.

  4. Asim Ahmed - April 1, 2008 @ 11:14:40 AM

    Hi,
    I have set up an SVN server on FC8 successfully. Users are being authorized using mod_dav_authz and . Now I have set up a Trac for one of my projects, but it is showing the full SVN repository instead of the project it is set up for. It is neither asking for a username/password nor reading the security settings I set up in /etc/httpd/conf.d/trac.conf.

    Can anybody help?

  5. wireless home security systems - April 25, 2008 @ 11:04:16 AM

    Can I expect any problems with running either of these methods and multiple Tracs? The final solution must be able to provide group access (Trac, SVN) and manage permissions.

  6. paul - April 25, 2008 @ 08:39:01 PM

    Nope, shouldn't have any problems. I run multiple trac sites with this setup... just use a Location directive for each trac site and 'Require group' for permissions.
