Questions[trac](server)

I want to run Trac in Gunicorn, behind Nginx. Nginx handles user authentication via LDAP (which works), but I can't get the REMOTE_USER passed to Trac.

For uWSGI I would configure Nginx like this (tested and it works):

uwsgi_param REMOTE_USER $remote_user;

For Gunicorn I could not find a similar configuration directive. I have tried setting the header, but it doesn't seem to change anything:

proxy_set_header REMOTE_USER $remote_user;

There is an entry in the Trac wiki about this, noting that "the wsgi entry point does not handle [...] authentication", and a workaround to handle Basic Authentication with a local password file, which is not what I need. Do I need to change my entry point to pass this REMOTE_USER header to the right environment variable? Currently it's just this:

import sys
import os

sys.stdout = sys.stderr

os.environ['TRAC_ENV'] = '/path/to/my/trac'

import trac.web.main
application = trac.web.main.dispatch_request

I'm trying to set-up Trac to authorise users via the LDAP plugin on a Debian (Lenny) server.

LDAP appears to be working correctly, I can query successfully via:

ldapsearch -vLx -h 127.0.0.1 -b "dc=example, dc=com" "(sn=mysurname)"

And if i purposely break my Apache LDAP address settings I can see errors in /var/log/apache2/error.log

2010-08-27 17:19:38,909 Trac[api] WARNING: LDAP error: No such object (dc=examplefoo,dc=com)

When I visit http://example.com:8022/trac and click the login button the authentication window pops up (confirming again that LDAP is kicking in), however, when I enter a correct username/password I just get a Trac web page with:

Trac Error
Authentication information not available. Please refer to the installation documentation.

TracGuide — The Trac User and Administration Guide

The logs are equally unhelpful (ignore the svn error, I'm aware of that):

2010-09-01 14:25:30,553 Trac[api] DEBUG: NEEDS UP?: sys:False, rep:False, stats:False, fields:False, man:False
2010-09-01 14:25:30,577 Trac[env] WARNING: base_url option not set in configuration, generated links may be incorrect
2010-09-01 14:25:30,577 Trac[main] DEBUG: Dispatching <Request "GET u'/login'">
2010-09-01 14:25:30,583 Trac[svn_fs] INFO: Failed to load Subversion bindings
Traceback (most recent call last):
  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/trac/versioncontrol/svn_fs.py", line 251, in __init__
    _import_svn()
  File "/home/web/example/buildout-cache/eggs/Trac-0.11-py2.6.egg/trac/versioncontrol/svn_fs.py", line 69, in _import_svn
    from svn import fs, repos, core, delta
ImportError: No module named svn
2010-09-01 14:25:30,584 Trac[chrome] DEBUG: Prepare chrome data for request
2010-09-01 14:25:30,586 Trac[api] DEBUG: action controllers for ticket workflow: ['ConfigurableTicketWorkflow']
2010-09-01 14:25:30,597 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2010-09-01 14:25:30,599 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2010-09-01 14:25:30,601 Trac[main] WARNING: 500 Trac Error (Authentication information not available. Please refer to the <a href="/trac/wiki/TracInstall#ConfiguringAuthentication" title="Configuring Authentication">installation documentation</a>.)
2010-09-01 14:25:30,621 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2010-09-01 14:25:30,621 Trac[session] DEBUG: Retrieving session for ID '20e2cfb643bff0f9121fe615'
2010-09-01 14:25:30,641 Trac[tande_filters] DEBUG: self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
2010-09-01 14:25:30,642 Trac[ticket_webui] DEBUG: TicketWebUiAddon executing
2010-09-01 14:25:30,774 Trac[main] DEBUG: 124 unreachable objects found.

My apache set-up is as follows.

<VirtualHost example.com:8022>
    ServerName example.com
    ServerAlias example.com

    ProxyRequests Off
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>

    ProxyPreserveHost On
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/(.*) http://127.0.0.1:8002/$1 [P]
</VirtualHost>

<Location /trac/login>
   AuthType Basic
   AuthName "Trac"
   AuthBasicProvider ldap
   Order Allow,Deny
   Allow from All
   AuthLDAPURL "ldap://127.0.0.1:389/dc=example,dc=com?uid"
   #should be on if using groups
   AuthzLDAPAuthoritative off
   Require valid-user
   #Require ldap-group cn=tracusers,dc=example,dc=com
</Location>

The server has a number of other in-development services running, hence the odd port number.

My trac.ini is a fresh install, with the following changes:

[ldap]
basedn = dc=example,dc=com
bind_passwd = foo
bind_user = cn=admin,dc=example,dc=com
enable = true
group_rdn = ou=people
host = 127.0.0.1
port = 389
use_tls = false
user_rdn = ou=users

[components]
ldapplugin.* = enabled

For testing I just start the Trac server with:

bin/tracd --port 8202 parts/trac

Where am I going wrong? It feels as if the Apache config is as fault, as LDAP does seem to be working.

Is that the correct command to be starting the server with (htpasswd for example has it's own options)?

In the long run what's the best way to run the server? WSGI?

I have nginx running on a VM and I want to run a Trac site. I need to run a python FastCGI server, but I cannot tell which is the server to use. I have found the following:

• Lighttpd spawn-fcgi But this seems to require that you compile lighttpd just to get the fcgi server, which is weird.
• fcgi.py But this one seems to be deprecated. At the very least it is poorly documented.
• flup This one comes with dependencies on ubuntu (python-cheetah{a} python-mysqldb{a} python-webpy{a}) that seem unnecessary. Also poorly documented.

Are there any recent guides for setting this up? Trac's own FastCGI setup page seems to miss some steps.

We have some users that have left the company and we have suspended their e-mail address, but trac continues to send notifications to these addresses. How can I remove the e-mail address from their trac profile?

We use separate TRAC instances as our ticket system for many projects and need to have them moved off site several times a day for disaster recovery.

What is the best way to make this happen? Is there something similar to svnsync for subversion?