Trac Single Signon not working as mentioned in the cookbook

Question

I am using Trac 0.12.3 in a multi project setup with subversion and am using AccountManagerPlugin from the trunk. The default index page enlists all the project directories and clicking on any of them takes me to the trac page for that project. When I try to login, I am successfully authenticated, however, coming to another project needs me to log in again. I wanted to use single sign on and followed the steps mentioned at http://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration#SingleSignOn

It always asks me to sign in for every project.

My apache config:

<VirtualHost *:80>
  ServerName trac.myproject.com
  ServerAdmin your@email.com

  DocumentRoot /trac

  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory />
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined
  ServerSignature On

<Location /svn>
   DAV svn
   SVNParentPath /svn

   AuthType Basic
   AuthName "Subversion Repository"
   AuthUserFile /etc/svnauth
   Require valid-user
   AuthzSVNAccessFile /etc/svnaccess
</Location>

<LocationMatch "/.+">
   SetHandler mod_python
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnvParentDir /trac/
   PythonOption TracUriRoot /
   #AuthType Basic
   #AuthName "Trac"
   #AuthUserFile /etc/svnauth
   #Require valid-user
</LocationMatch>

</VirtualHost>

Trac.ini file, from which all the other project specific trac.ini files are inherited:

[trac]
trac_auth = /trac/cookie
trac_auth_session = /trac/session
#I have also tried setting it as trac_auth_cookie = /trac/cookie
[header_logo]
alt = Logo
height = -1
link = /
src = http://projects.hostgeyser.com/templates/frost/images/logo%20250%20x%2089_new.png
width = -1

[components]
acct_mgr.admin.* = enabled
acct_mgr.api.* = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = disabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.http.httpauthstore = disabled
acct_mgr.notification.* = enabled
acct_mgr.pwhash.htdigesthashmethod = disabled
acct_mgr.pwhash.htpasswdhashmethod = disabled
acct_mgr.svnserve.* = enabled
acct_mgr.svnserve.svnservepasswordstore = disabled
acct_mgr.web_ui.* = enabled
trac.web.auth.loginmodule = disabled
acct_mgr.http.httpauthstore = enabled


[account-manager]
password_store = HtPasswdStore
htpasswd_hash_type = md5
htpasswd_file = /etc/svnauth

Answer 1

You can't mix authentication as you do here:

• Apache config by AuthType Basic
• AccountManager LoginModule (enabled by acct_mgr.web_ui.* = enabled)

Decide for only one of these. If you want SSO from AcctMgr, then stick to auth_cookie_path = <all-env-common-basepath>. The wiki page TracIni has all valid configuration keys for your Trac application, what is Trac environment-specific, depending on enabled components and installed Trac plugins.

Answer 2

Double-tricky. I just tapped into the same gaffes. Documentation (as well as hasienda's answer) speak of a "base-path", which easily let's one think about the file-system (and something like the session files used by PHP sessions). That's mistake number one: It's the URL path to the trac parent environment. So if your trac projects are using something like http://www.example.org/trac/<project>, your setting must be auth_cookie_path = /trac.

Second trap: Old cookies remaining in the browser. Though I finally adjusted my auth_cookie_path as described above, I was still unable to authenticate. There was an old trac_auth cookie from one project sitting in my jar. After I removed that one, it started working like a charm!