.. index:: pair: Apache; authentication

.. highlight:: apache

.. _install-apacheauth:

========================
Authentication on Apache
========================

.. index:: triple: Apache; basic; authentication

.. _install-apacheauth-basic:

Basic Authentication
====================

Create the htpasswd file using the program of the same name:

.. code-block:: bash

    htpasswd -c trac.htpasswd $USERNAME

Then add the following to your VirtualHost::

    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile /path/to/trac.htpasswd
    Require valid-user

The ``AuthName`` can be set to whatever you like, and will be shown to the user
in the authentication dialog in their browser.

In a multiple environment setup, you can use the following to use the same
authentication on all environments::

    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile /path/to/htpasswd
    Require valid-user

.. seealso::

    `Authentication, Authorization and Access Control `_
        Apache guide to setting up authentication.

    `mod_auth_basic `_
        Documentation for mod_auth_basic.

.. index:: triple: Apache; digest; authentication

Digest Authentication
=====================

Create the htdigest file as with basic:

.. code-block:: bash

    htdigest -c trac.htdigest realm $USERNAME

``realm`` needs to match the value of ``AuthName`` used in the configuration.

Then add the following to your VirtualHost::

    AuthType Digest
    AuthName "realm"
    AuthDigestFile /path/to/trac.htdigest
    Require valid-user

You can use the same ``LocationMatch`` as above for multiple environments.

.. seealso::

    `mod_auth_digest `_
        Documentation for mod_auth_digest.

.. index:: triple: Apache; LDAP; authentication

LDAP Authentication
===================

You can use ``mod_authnz_ldap`` to authenticate against an LDAP directory.
Add the following to your VirtualHost::

    AuthType Basic
    AuthName "Trac Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthzLDAPAuthoritative Off
    Require valid-user

You can also require that the user be a member of a certain LDAP group, instead
of just having a valid login::

    Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com

.. index:: triple: Apache; Active Directory; authentication

Windows Active Directory
------------------------

You can use LDAP as a way to authenticate to an AD server.

Use the following as your LDAP URL::

    AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

You will also need to provide an account for Apache to use when checking
credentials. As this password will be listed in plaintext in the config, you
should be sure to use an account specifically for this task::

    AuthLDAPBindDN ldap-auth-user@example.com
    AuthLDAPBindPassword "password"

.. seealso::

    `mod_authnz_ldap `_
        Documentation for mod_authnz_ldap.

    `mod_ldap `_
        Documentation for mod_ldap, which provides connection pooling and a
        shared cache.

    `LdapPlugin `_
        Store :ref:`Trac permissions ` in LDAP.

.. index:: triple: Apache; SSPI; authentication

SSPI Authentication
===================

If you are using Apache on Windows, you can use mod_auth_sspi to provide
single-sign-on. Download the module `from its webpage`__ and then add the
following to your VirtualHost::

    AuthType SSPI
    AuthName "Trac Login"
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain MyLocalDomain
    SSPIOfferBasic On
    SSPIOmitDomain Off
    SSPIBasicPreferred On
    Require valid-user

__ http://sourceforge.net/project/showfiles.php?group_id=162518

Using the above, usernames in Trac will be of the form ``DOMAIN\username``, so
you may have to re-add permissions and such. If you do not want the domain to
be part of the username, set ``SSPIOmitDomain On`` instead.

.. note::

    Versions 1.0.2 and earlier of mod_auth_sspi do not support SSPIOmitDomain
    and have a bug in basic authentication. Version 1.0.3 or later is
    recommended.

.. seealso::

    `mod_auth_sspi `_
        Apache 2.x SSPI authentication module.

    Some common problems with SSPI authentication
        `#1055 `_, `#1168 `_, `#3338 `_
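
The realm requirement in the Digest Authentication section above exists because
each htdigest line stores ``user:realm:MD5(user:realm:password)``, so an entry
created under one realm can never validate under a different ``AuthName``. The
following Python check is an added example, not part of the original page or of
Trac; its function names, users and passwords are constructed for illustration.

```python
import hashlib
import re

# Constructed sample config, mirroring the Digest snippet on this page.
SAMPLE_CONF = '''
AuthType Digest
AuthName "realm"
AuthDigestFile /path/to/trac.htdigest
Require valid-user
'''


def ha1(user, realm, password):
    """Hash stored by htdigest: MD5 over "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def make_entry(user, realm, password):
    """Build one htdigest line: user:realm:hash."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def auth_name(conf_text):
    """Return the AuthName value from a config snippet, or None."""
    m = re.search(r'^\s*AuthName\s+(?:"([^"]*)"|(\S+))', conf_text, re.M | re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def realm_mismatches(conf_text, htdigest_text):
    """Return (user, realm) for entries that cannot match AuthName."""
    expected = auth_name(conf_text)
    bad = []
    for line in htdigest_text.splitlines():
        if line.count(":") < 2:
            continue  # blank or malformed line
        user, rest = line.split(":", 1)
        realm, _digest = rest.rsplit(":", 1)
        if realm != expected:
            bad.append((user, realm))
    return bad


if __name__ == "__main__":
    # Constructed users and passwords for the demonstration.
    good = make_entry("alice", "realm", "example-pass")
    stale = make_entry("bob", "Trac Login", "example-pass")
    print(realm_mismatches(SAMPLE_CONF, good + "\n" + stale))
```

Entries reported by ``realm_mismatches`` must be recreated with ``htdigest``
under the configured realm; editing the realm field by hand leaves the hash
invalid.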