Opened 2 years ago

Closed 2 years ago

#10163 closed enhancement (fixed)

[patch] enable AD groups in permissions

Reported by: sandinak Owned by: sandinak
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: adoption-request
Cc: rjollos Trac Release: 0.12

Description

This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.

  • groups are prefixed with an '@'
  • spaces are replaced by _
  • recurses up the tree to find parent groups
  • includes the patch from #9219

also

  • caches the ldap handle so we don't reauth
18d17
< from trac.perm import IPermissionGroupProvider
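Review bot: The patch is a plain diff taken in reverse order (modified file first), so the lines that add group support, starting with this import, appear as `<` lines and the original code as `>` lines; it cannot be applied to the current source as posted. Please regenerate it as a unified diff from the original file to the modified one so that it carries file names and context.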
21,22d19
< GROUP_PREFIX = '@'
< 
28c25
<     implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider)
---
>     implements(IPasswordStore, IPermissionUserProvider)
36,38c33
<     
<     def __init__(self,ldap=None):
<       self._ldap = ldap
---
> 
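Review bot: In `def __init__(self,ldap=None)` the parameter name `ldap` shadows the `ldap` module that the rest of the class relies on (for example `ldap.SCOPE_SUBTREE`); rename it to something like `ldap_handle`. The two-space indent of the body also differs from the four spaces used by the other methods in this patch.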
98d92
<             success = True
119d112
< 		self.log.debug("User is in %", self.admin_group)
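Review bot: The format string in `self.log.debug("User is in %", self.admin_group)` has a bare `%` with no conversion type, so the message cannot be formatted and the group name is never logged; it should be `%s`. The line is also indented with tabs while the other lines in this patch use spaces.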
122,144d114
<       
<     # IPermissionGroupProvider
<     def get_permission_groups(self, username):
<         """Return a list of names of the groups that the user with the 
<         specified name is a member of."""
<                         
<         # get dn
<         dn = self._get_user_dn(username)
<         if dn:  
<             # retrieves the user groups from LDAP
<             groups = self._get_user_groups(dn)
<         
<             if groups:
<                 self.env.log.debug('%s has groups: %s' % (username, ','.join(groups)))
<                 return groups
<             else:
<                self.log.debug("dn: %s has no groups." % dn)
<         else:
<             self.log.debug("username: %s has no dn." % username)
<         return []
<       
<     # Internal methods
< 
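Review bot: get_permission_groups does not handle the TracError that _get_user_groups raises when the bind fails, so an unreachable directory turns every permission lookup into an error; decide whether that is intended and say so in the docstring. Logging is also inconsistent: the success path uses `self.env.log.debug` while the other two branches use `self.log.debug`, and the messages are pre-formatted with `%` instead of being passed as logger arguments.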
145a116
>     # Internal methods
150,152d120
<         if self._ldap:
<             return self._ldap
<             
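Review bot: The cached handle is returned with no check that the connection is still usable, so once the server drops or times out the session, every later search keeps failing on the same dead handle. Catch `ldap.SERVER_DOWN` around the searches and clear `self._ldap` before rebinding, or use python-ldap's `ReconnectLDAPObject`.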
173d140
<         self._ldap = l
175c142
<    
---
> 
189,209d155
<       
<     def _get_user_groups(self, dn):
<         """Returns a list of all groups a user belongs to"""
<         groups = []
<         lcnx = self._bind_ad()
<         if lcnx:
<             ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"])
<             if ldapgroups:
<                 for group in ldapgroups:
<                     groupname = GROUP_PREFIX + group[1]['sAMAccountName'][0].lower().replace(' ','_')
<                     if groupname not in groups:
<                         groups.append(groupname)
<                         subgroups = self._get_user_groups(group[0])
<                         if subgroups: 
<                            for subgroup in subgroups:
<                               if subgroup not in groups:
<                                    groups.append(subgroup)
<                 return groups
<         else:
<             raise TracError('Unable to bind to Active Directory')
<             return None
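Review bot: The search filter `'(&(objectClass=group)(member=%s))' % dn` interpolates the DN unescaped, so a DN containing `(`, `)`, `*` or `\` breaks or alters the filter; build it with `ldap.filter.filter_format` or `ldap.filter.escape_filter_chars`. Each recursive call also starts with a fresh `groups = []`, so the `groupname not in groups` check does not stop circular nesting (A in B, B in A) from recursing without end; pass a shared set of visited group DNs down the recursion. Lowercasing the name and replacing spaces with `_` can map two distinct AD groups to one permission group name, and the `return None` after `raise` is unreachable.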

Attachments (0)

Change History (6)

comment:1 Changed 2 years ago by sandinak

I have taken this several steps further .. with a complete re-write of the caching system to use the local database .. I am working on the installer for the db now .. but this should work LOTS faster across multiple python/apache instances.

Hold up and I'll send in the new patches.

comment:2 follow-up: Changed 2 years ago by rjollos

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

comment:3 in reply to: ↑ 2 Changed 2 years ago by anonymous

  • Cc rjollos added
  • Owner changed from pacopablo to anonymous
  • Status changed from new to assigned

Replying to rjollos:

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

I can do that.

comment:4 Changed 2 years ago by sandinak

  • Keywords adoption-request added
  • Owner changed from anonymous to sandinak
  • Status changed from assigned to new

Oops .. meant to take this .. I can adopt this.

comment:5 Changed 2 years ago by rjollos

Cool. You'll just need to do the step listed at AdoptingHacks#HowtoAdoptUnmaintainedHacks, including creating a dedicated ticket and posting to the mailing list.

comment:6 Changed 2 years ago by sandinak

  • Resolution set to fixed
  • Status changed from new to closed
