February 3, 2013

Trac on CentOS 6.3, Part 3

Now for the exciting conclusion of our three-part series on installing Trac on a 64-bit server running CentOS 6.3. In part 1 I installed some prerequisite software and Trac itself. In part 2, I installed and configured Apache as a front end to Trac. In part 3, I will configure Trac to use an Active Directory domain for authentication.

First a few notes about the server we are targeting. The server already has Samba installed and has been joined to the Active Directory domain. Users can log into the machine using their Active Directory accounts.

With that out of the way, we are ready to install mod_auth_ntlm_winbind for authentication. A big hat tip to the folks at for doing a lot of the heavy lifting for me. See for their excellent write-up.

We need a few prerequisites:

yum install httpd-devel gcc autoconf

Processes that wish to use Samba and winbind for authentication need access to the /var/lib/samba/winbindd_privileged/ directory. The simplest way to allow that access is to add the apache user to the wbpriv group. The -a flag appends the group, so any supplementary groups apache already has are kept:

usermod -a -G wbpriv apache

Furthermore, we need to let the SELinux security infrastructure know that Apache is allowed to authenticate via winbind:

setsebool -P allow_httpd_mod_auth_ntlm_winbind on

There are no prebuilt binaries for mod_auth_ntlm_winbind, so we will need to download and compile it ourselves:

svn co svn:// mod_auth_ntlm_winbind
cd mod_auth_ntlm_winbind/
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

Now the interesting part, configuring Apache. Make the following changes to /etc/httpd/conf/httpd.conf:

LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 600

Also add the following to /etc/httpd/conf.d/myproject.mydomain.tld.conf (if you have forgotten, this is the configuration file we created in part 2 to configure the virtual server for Trac):

    <Location /login>
      Options ExecCGI
      AllowOverride None
      Order allow,deny
      Allow from all
      AuthName "Change to something meaningful"
      AuthType NTLM
      Require valid-user
      NTLMAuth on
      NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
      NTLMBasicAuthoritative on
    </Location>

All that is left is to restart Apache and you are good to go.
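A preflight check for the three pieces configured above (the wbpriv group membership, the SELinux boolean and the NTLM `<Location>` block), as an added example that is not part of the original post. The function names, the `preflight.sh` file name and the `--live` switch are assumptions made for the illustration, and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): preflight checks for the setup above.
# Each check takes command output as an argument or on stdin, so it can be run on
# constructed samples as well as on the live server. All names are hypothetical.

# has_group "<output of: id -nG apache>" GROUP -> 0 if GROUP is in the list
has_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# sebool_on "<output of: getsebool NAME>" -> 0 if the line ends in "--> on"
sebool_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *) return 1 ;;
    esac
}

# ntlm_missing: read an Apache config on stdin and print every line the
# <Location /login> block needs that is absent (matching ignores case and indent).
ntlm_missing() {
    conf=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g')
    for want in 'AuthType NTLM' 'NTLMAuth on' 'NTLMAuthHelper' \
                'Require valid-user' '</Location>'; do
        printf '%s\n' "$conf" | grep -qi "^$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: a <Location> block cut off before its closing tag.
sample_truncated() {
    printf '%s\n' '<Location /login>' '  AuthType NTLM' '  Require valid-user' \
        '  NTLMAuth on' '  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"'
}

# Live run on the server (hypothetical file name): sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    has_group "$(id -nG apache)" wbpriv || echo "apache is not in group wbpriv"
    sebool_on "$(getsebool allow_httpd_mod_auth_ntlm_winbind)" ||
        echo "SELinux boolean allow_httpd_mod_auth_ntlm_winbind is off"
    ntlm_missing < /etc/httpd/conf.d/myproject.mydomain.tld.conf |
        sed 's/^/missing from vhost config: /'
fi
```

Run with `--live` before restarting Apache; no output means all three checks passed.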

Your server is now all set up with Trac and configured in a manner that will easily allow you to add additional instances:

  1. Initialize another Trac instance.
  2. Copy (and edit) the /etc/httpd/conf.d/myproject.mydomain.tld.conf file.
  3. Make a new directory under /var/www for the new virtual server.
  4. Export Trac resources using trac-admin deploy and copy them to the new web root.