Elmpowered with elm trees on your side, you can do anything


Enabling Trac Authentication on a Shared Host

As a complete Trac newbie, I thought I'd write up the steps I went through in order to enable Trac authentication on a shared host. I couldn't find these instructions (explicitly) anywhere else, so hopefully others will find them useful. If not, then at least I have written instructions for my own sake.

I did this with Trac 0.12, but the steps should be the same for Trac 0.11. YMMV for older versions of Trac.

Installing Trac on a shared host is a pretty straight-forward operation -- just follow the TracInstall guide. Things get a little bumpy once you get to the  Configuring Authentication section, however. My host (HostMonster) uses FastCGI and the instructions for enabling Trac authentication in a CGI environment entail editing the Apache config files. Being on a shared host, you're not given access to those config files (*shocker*).

Not finding helpful information through various Google searches (I swear I really did look), I turned to the helpful Trac Users Google Group for help (you can see the post here if you'd like).

First suggestion I got was to try adding the Apache config instructions to the .htaccess file. This resulted in a 500 Internal Server Error. The server logs indicated that the <Location> element is not allowed in .htaccess files.

Thankfully, there was a second suggestion -- use the AccountManagerPlugin.

The plugin installed fine with easy_install, although I did have to use "http", rather than "https", for the install URL. The instructions state that you need to restart Apache 2.2.x in order for the plugin to be detected, but this wasn't the case for me. The plugin started working right away.

Configuring the plugin is pretty easy, but the steps aren't laid out very well in the instructions. Below is my attempt to spell them out more explicitly.

Edit trac.ini as follows:

trac.web.auth.loginmodule = disabled
acct_mgr.api = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled

The first line disables the default Trac authentication module. The second line enables the "core" of the AccountManagerPlugin and is required to use any other components offered by the plugin. The third line enables the AccountManagerPlugin's login module, while the fourth line enables accounts to be created from the webpage. Once you've created all needed accounts, you'll probably want to disable this registration module (so that random people can't create accounts):

acct_mgr.web_ui.registrationmodule = disabled

Before you create accounts, you'll need to enable one of the password storage modules. The HtDigestStore is considered more secure than the HtPasswordStore, so let's use the former.

Continue editing trac.ini as follows:

acct_mgr.htfile.htdigeststore = enabled

; configure the plugin to store passwords in the htdigest format
password_store = HtDigestStore
; the file where user accounts are stored. the webserver will need write permissions to this file and its parent folder
password_file = <some path>/trac.htdigest
; the name of the authentication “realm”. it can be any text to identify your site or project
htdigest_realm = TracRealm

After this, you should be able to go to your Trac portal, register a new account, and login.

Update: I tried another Google search and actually found instructions for enabling security in the .htaccess file (on page 2 of the search results...who looks on the 2nd page? Honestly...). If interested, you can read about it on the Sweating the Details blog.

Comments (2) Trackbacks (0)
  1. You think you’re SO smart! You’re such a techno-nerdy-geeky-nerd-techy geek! This is you: “Hey look at me I’m gonna show you how to plorf the Trac onto the authentication host whilst running against the shared box on prod having pretuned my database parameters via the config plugin extension twardle module!”

    Why don’t you go twiddle with your snazz-gadgetry on the planet Dorkwad!

  2. Thank you, Ryan, for your opposing viewpoint. I’m sure it will help other readers gain insight as they consider the weight of your words.

    By the way, have you finished hacking the aetree?

Leave a comment

No trackbacks yet.