Opened 2 years ago

Closed 2 years ago

#10163 closed enhancement (fixed)

[patch] enable AD groups in permissions

Reported by: sandinak Owned by: sandinak
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: adoption-request
Cc: rjollos Trac Release: 0.12


This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.

  • groups are prefixed with an '@'
  • spaces are replaced by _
  • recurses up the tree to find parent groups
  • includes the patch from #9219
  • caches the ldap handle so we don't reauth
< from trac.perm import IPermissionGroupProvider
<     implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider)
>     implements(IPasswordStore, IPermissionUserProvider)
<     def __init__(self,ldap=None):
<       self._ldap = ldap
<             success = True
< 		self.log.debug("User is in %", self.admin_group)
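Review bot: the format string in `self.log.debug("User is in %", self.admin_group)` is missing its conversion character, so the trailing `%` is an incomplete format; logging applies the arguments lazily when the record is emitted, the `%` operation raises `ValueError`, and the handler prints a traceback instead of the message. Change it to `self.log.debug("User is in %s", self.admin_group)`.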
<     # IPermissionGroupProvider
<     def get_permission_groups(self, username):
<         """Return a list of names of the groups that the user with the 
<         specified name is a member of."""
<         # get dn
<         dn = self._get_user_dn(username)
<         if dn:  
<             # retrieves the user groups from LDAP
<             groups = self._get_user_groups(dn)
<             if groups:
<                 self.env.log.debug('%s has groups: %s' % (username, ','.join(groups)))
<                 return groups
<             else:
<                self.log.debug("dn: %s has no groups." % dn)
<         else:
<             self.log.debug("username: %s has no dn." % username)
<         return []
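Review bot: `get_permission_groups` lets the `TracError` raised by `_get_user_groups` on a failed bind propagate out of the permission system, so while AD is unreachable every permission check for an authenticated user turns into an error page; either document that fail-closed behaviour as intended or catch the error here, log it and return `[]`. Minor: the method mixes `self.env.log.debug('%s has groups: %s' % (username, ','.join(groups)))` with `self.log.debug(...)` elsewhere; both reach the environment logger, and passing the arguments to the logger instead of pre-formatting with `%` avoids the string work when DEBUG is off.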
<     # Internal methods
>     # Internal methods
<         if self._ldap:
<             return self._ldap
<         self._ldap = l
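Review bot: the cached handle (`if self._ldap: return self._ldap` ... `self._ldap = l`) is never invalidated anywhere in this patch: once the directory server drops an idle connection, the next `search_s` fails with `ldap.SERVER_DOWN` and the component keeps handing out the dead object on every request. Reset `self._ldap = None` and re-bind once when a call raises `ldap.SERVER_DOWN`, and document that the component instance, and therefore this bind, is shared by every request served by the environment, so whatever identity the bind uses is the identity every group lookup runs as.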
<     def _get_user_groups(self, dn):
<         """Returns a list of all groups a user belongs to"""
<         groups = []
<         lcnx = self._bind_ad()
<         if lcnx:
<             ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"])
<             if ldapgroups:
<                 for group in ldapgroups:
<                     groupname = GROUP_PREFIX + group[1]['sAMAccountName'][0].lower().replace(' ','_')
<                     if groupname not in groups:
<                         groups.append(groupname)
<                         subgroups = self._get_user_groups(group[0])
<                         if subgroups: 
<                            for subgroup in subgroups:
<                               if subgroup not in groups:
<                                    groups.append(subgroup)
<                 return groups
<         else:
<             raise TracError('Unable to bind to Active Directory')
<             return None
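Review bot: the DN is interpolated unescaped into the search filter at `'(&(objectClass=group)(member=%s))' % dn`; a DN containing `(`, `)`, `*` or `\` (all legal in AD names) produces a malformed or wrong filter, so wrap it with `ldap.filter.escape_filter_chars(dn)`. The recursion also has no visited set across levels: `groups` is local to each call, so two groups that are members of each other (which AD allows) make `_get_user_groups` recurse until `RuntimeError: maximum recursion depth exceeded`; carry a set of seen DNs through the recursion or, against AD, replace the walk with one query using the LDAP_MATCHING_RULE_IN_CHAIN rule, `(member:1.2.840.113556.1.4.1941:=%s)`, which returns the transitive membership directly. Smaller points: `return None` after `raise TracError(...)` is unreachable, and `return groups` sits inside `if ldapgroups:`, so a user with no groups gets `None` rather than `[]`.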

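The group walk the ticket describes (prefix '@', lower case, spaces to underscores, recurse up through parent groups), written out as an added stand-alone example that is not the patch above and not DirectoryAuthPlugin code. It goes beyond the patch in two ways a practitioner will want: the DN is escaped before it is placed in the filter, and a set of visited DNs terminates the walk when groups are nested in a cycle. Everything directory-related is an assumption: `search` stands in for python-ldap's `search_s`, `escape_filter_chars` is an inlined equivalent of `ldap.filter.escape_filter_chars`, and the directory entries and names are constructed for the example.

```python
import re

# Added example (not the DirectoryAuthPlugin patch itself): resolves a user's
# transitive AD group membership into Trac permission-group names as the
# ticket describes, with the two safeguards the walk needs in practice.
GROUP_PREFIX = '@'


def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves in an LDAP filter assertion
    value. Equivalent to ldap.filter.escape_filter_chars() in python-ldap,
    inlined here so the example runs without that package."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def unescape_filter_chars(value):
    """Inverse of escape_filter_chars(); used only by the in-memory search."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def member_filter(dn):
    """Filter selecting the groups that list `dn` as a direct member. The DN
    is escaped because AD DNs may legitimately contain '(' ')' '*' or '\\'."""
    return '(&(objectClass=group)(member=%s))' % escape_filter_chars(dn)


def trac_group_name(sam_account_name):
    """AD sAMAccountName -> Trac group name: '@' prefix, lower case,
    spaces replaced by underscores (the ticket's naming rule)."""
    return GROUP_PREFIX + sam_account_name.lower().replace(' ', '_')


def user_groups(search, user_dn):
    """Return the sorted Trac group names for user_dn, following nested
    groups upward. `search(ldap_filter)` stands in for
    LDAPObject.search_s(base, SCOPE_SUBTREE, ldap_filter, ['sAMAccountName'])
    and returns (group_dn, {'sAMAccountName': [name]}) tuples.
    The visited set terminates the walk even when groups are nested in a
    cycle, which AD permits and which plain recursion would never finish."""
    visited, names, pending = set(), set(), [user_dn]
    while pending:
        dn = pending.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for group_dn, attrs in search(member_filter(dn)):
            names.add(trac_group_name(attrs['sAMAccountName'][0]))
            pending.append(group_dn)      # this group's own parents come next
    return sorted(names)


# Constructed sample directory (hypothetical names). Alice's DN contains
# parentheses, and Engineering and All Staff are members of each other.
ALICE_DN = 'CN=Alice (Eng),OU=People,DC=example,DC=com'
TRAC_USERS_DN = 'CN=Trac Users,OU=Groups,DC=example,DC=com'
ENGINEERING_DN = 'CN=Engineering,OU=Groups,DC=example,DC=com'
ALL_STAFF_DN = 'CN=All Staff,OU=Groups,DC=example,DC=com'
SAMPLE_GROUPS = {
    TRAC_USERS_DN: {'sAMAccountName': ['Trac Users'], 'member': [ALICE_DN]},
    ENGINEERING_DN: {'sAMAccountName': ['Engineering'],
                     'member': [TRAC_USERS_DN, ALL_STAFF_DN]},
    ALL_STAFF_DN: {'sAMAccountName': ['All Staff'], 'member': [ENGINEERING_DN]},
}


def sample_search(ldap_filter):
    """Offline stand-in for search_s over SAMPLE_GROUPS; it understands only
    the member_filter() shape and returns the tuple layout python-ldap uses."""
    prefix, suffix = '(&(objectClass=group)(member=', '))'
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(suffix)):
        raise ValueError('unsupported filter: %r' % ldap_filter)
    member_dn = unescape_filter_chars(ldap_filter[len(prefix):-len(suffix)])
    return [(dn, {'sAMAccountName': attrs['sAMAccountName']})
            for dn, attrs in SAMPLE_GROUPS.items()
            if member_dn in attrs['member']]


if __name__ == '__main__':
    print(member_filter(ALICE_DN))
    print(user_groups(sample_search, ALICE_DN))
```

To use it against a real directory, pass a closure over a bound `LDAPObject` such as `lambda f: conn.search_s(base_dn, ldap.SCOPE_SUBTREE, f, ['sAMAccountName'])`; the walk itself does not change. The iterative form with a visited set is the part that matters for nested AD groups: Alice's membership above passes through Engineering and All Staff, which point at each other, and still yields exactly three names.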
Attachments (0)

Change History (6)

comment:1 Changed 2 years ago by sandinak

I have taken this several steps further .. with a complete re-write of the caching system to use the local database .. I am working on the installer for the db now .. but this should work LOTS faster across multiple python/apache instances.

Hold up and I'll send in the new patches.

comment:2 Changed 2 years ago by rjollos

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

comment:3 in reply to comment:2 Changed 2 years ago by anonymous

  • Cc rjollos added
  • Owner changed from pacopablo to anonymous
  • Status changed from new to assigned

Replying to rjollos:

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

I can do that.

comment:4 Changed 2 years ago by sandinak

  • Keywords adoption-request added
  • Owner changed from anonymous to sandinak
  • Status changed from assigned to new

oops .. meant to take this .. I can adopt this.

comment:5 Changed 2 years ago by rjollos

Cool. You'll just need to do the steps listed at AdoptingHacks#HowtoAdoptUnmaintainedHacks, including creating a dedicated ticket and posting to the mailing list.

comment:6 Changed 2 years ago by sandinak

  • Resolution set to fixed
  • Status changed from new to closed
