I have a standalone server (Ubuntu 9.04) set up for a project that uses Trac (Apache, mod_python) and subversion. I create local user accounts so project members that are given commit access to the repository use ssh...
sudo adduser --ingroup uomdev --force-badname JohnDoe
...and it makes it easy for them to checkout...
svn checkout svn+ssh://[email protected]/usr/local/svn/uom
...and given them an identical Trac account...
sudo htdigest /usr/local/trac/users.htdigest trac JohnDoe
...and I manually synchronize the passwords between the two accounts (generate a new password, force it on the two accounts, then email it to the user).
This is fine when the user has forgotten their password, but doesn't work if the user wants to change their password themselves. They can ssh into the server and run passwd, but that leaves the Trac account behind.
On the mgood has written:
Unlike other bug-tracking systems that simply have another database table for storing the users, Trac took the approach of allowing users to leverage the numerous authentication modules available for their web server. This means that many users won't need to manage the Trac users by hand, since they can tie Trac into something like LDAP, Active Directory, or whatever centralized user system that they already have in place.
I am not keen on installing/configuring LDAP or Active Directory just to keep these synced. I'm not convinced that the AccountManagerPlugin hack will help. Any ideas?
This page has information about how to authenticate against Unix users in Apache.
Joel, I have equal setup to yours. I've configured svn+ssh using key authentication and all the browser related stuff keeps passwords in apache file which is the same for /etc/passwd, trac, mail, and other things.
What I have done is a simple web interface, where the user can change it's password which then will update wherever I need, plus some extra options.
There is another option - your own bash script, which users will execute in the same way as passwd. In fact, you can change this bash script name so it will wrap around passwd. For me, this should be even nicer solution, but most people in my organization are not used to command line so the browser is the best solution.