Authentication on Apache

Basic Authentication

Create the htpasswd file using the program of the same name:

htpasswd -c trac.htpasswd $USERNAME

Then add the following to your VirtualHost:

<Location /trac/login>
    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile /path/to/trac.htpasswd
    Require valid-user
</Location>

The AuthName can be set to whatever you like, and will be shown to the user in the authentication dialog in their browser.

In a multiple environment setup, you can use the following to use the same authentication on all environments:

<LocationMatch /trac/[^/]+/login>
    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile /path/to/htpasswd
    Require valid-user
</LocationMatch>

See also

Authentication, Authorization and Access Control
Apache guide to setting up authentication.
mod_auth_basic
Documentation for mod_auth_basic.

Digest Authentication

Create the htdigest file with the htdigest program, in the same way as for basic authentication:

htdigest -c trac.htdigest realm $USERNAME

realm needs to match the value of AuthName used in the configuration.

Then add the following to your VirtualHost:

<Location /trac/login>
    AuthType Digest
    AuthName "realm"
    AuthDigestFile /path/to/trac.htdigest
    Require valid-user
</Location>

You can use the same LocationMatch as above for multiple environments.
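
The realm requirement above, as an added example that is not part of the original documentation: each htdigest line has the form user:realm:MD5(user:realm:password), so the realm is part of the stored hash and an entry created for a different realm can never authenticate. The function names and sample data below are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data: alice was added for the realm "realm",
# bob was added for "Trac Login" by mistake.
SAMPLE_HTDIGEST = "\n".join([
    "alice:realm:" + hashlib.md5(b"alice:realm:s3cret").hexdigest(),
    "bob:Trac Login:" + hashlib.md5(b"bob:Trac Login:hunter2").hexdigest(),
])
SAMPLE_CONF = """
<Location /trac/login>
    AuthType Digest
    AuthName "realm"
    AuthDigestFile /path/to/trac.htdigest
    Require valid-user
</Location>
"""

def digest_realm(conf_text):
    """Return AuthName of the first Location block using AuthType Digest."""
    blocks = re.findall(r"<Location(?:Match)?\b.*?</Location(?:Match)?>",
                        conf_text, re.S | re.I)
    for block in blocks:
        if re.search(r"^\s*AuthType\s+Digest\s*$", block, re.M | re.I):
            m = re.search(r'^\s*AuthName\s+(?:"([^"]*)"|(\S+))\s*$',
                          block, re.M | re.I)
            if m:
                return m.group(1) if m.group(1) is not None else m.group(2)
    return None

def parse_htdigest(text):
    """Yield (user, realm, ha1) per line; the hash is the last field."""
    for line in filter(None, map(str.strip, text.splitlines())):
        rest, ha1 = line.rsplit(":", 1)
        user, realm = rest.split(":", 1)
        yield user, realm, ha1

def mismatched_users(htdigest_text, conf_text):
    """Users whose stored realm differs from the configured AuthName."""
    realm = digest_realm(conf_text)
    return [u for u, r, _ in parse_htdigest(htdigest_text) if r != realm]

def check_password(htdigest_text, user, realm, password):
    """Recompute MD5(user:realm:password) and compare with the stored hash."""
    want = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return any(u == user and r == realm and hmac.compare_digest(h, want)
               for u, r, h in parse_htdigest(htdigest_text))
```

Users reported by mismatched_users have to be re-created with htdigest for the configured realm; editing only the realm field in the file leaves a hash that was computed over the old realm.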

See also

mod_auth_digest
Documentation for mod_auth_digest.

LDAP Authentication

You can use mod_authnz_ldap to authenticate against an LDAP directory.

Add the following to your VirtualHost:

<Location /trac/login>
    AuthType Basic
    AuthName "Trac Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthzLDAPAuthoritative Off
    Require valid-user
</Location>

You can also require the user be a member of a certain LDAP group, instead of just having a valid login:

Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com

Windows Active Directory

You can use LDAP to authenticate against an AD server.

Use the following as your LDAP URL:

AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, be sure to use an account created specifically for this task:

AuthLDAPBindDN ldap-auth-user@example.com
AuthLDAPBindPassword "password"

See also

mod_authnz_ldap
Documentation for mod_authnz_ldap.
mod_ldap
Documentation for mod_ldap, which provides connection pooling and a shared cache.
LdapPlugin
Store Trac permissions in LDAP.

SSPI Authentication

If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. Download the module from its webpage and then add the following to your VirtualHost:

<Location /trac/login>
    AuthType SSPI
    AuthName "Trac Login"
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain MyLocalDomain
    SSPIOfferBasic On
    SSPIOmitDomain Off
    SSPIBasicPreferred On
    Require valid-user
</Location>

Using the above, usernames in Trac will be of the form DOMAIN\username, so you may have to re-add permissions and such. If you do not want the domain to be part of the username, set SSPIOmitDomain On instead.

Note

Version 1.0.2 and earlier of mod_auth_sspi do not support SSPIOmitDomain and have a bug in basic authentication. Version 1.0.3 or later is recommended.

See also

mod_auth_sspi
Apache 2.x SSPI authentication module.
Some common problems with SSPI authentication
#1055, #1168, #3338