
#10163 closed enhancement (fixed)

[patch] enable AD groups in permissions

Reported by: sandinak
Owned by: sandinak
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords: adoption-request
Cc: rjollos
Trac Release: 0.12

Description

This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.

  • groups are prefixed with an '@'
  • spaces are replaced by _
  • recurses up the tree to find parent groups
  • includes the patch from #9219

also

  • caches the ldap handle so we don't reauth
18d17
< from trac.perm import IPermissionGroupProvider
21,22d19
< GROUP_PREFIX = '@'
< 
28c25
<     implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider)
---
>     implements(IPasswordStore, IPermissionUserProvider)
36,38c33
<     
<     def __init__(self,ldap=None):
<       self._ldap = ldap
---
> 
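Review bot: the added `__init__(self, ldap=None)` and its body are indented with two spaces where the rest of the class uses four; reindent the three lines. Since Trac's ComponentManager instantiates components without arguments, the `ldap` parameter is only ever supplied by test code, which a short comment on the method should say.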
98d92
<             success = True
119d112
< 		self.log.debug("User is in %", self.admin_group)
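Review bot: `self.log.debug("User is in %", self.admin_group)` has an incomplete format specifier, so the logging module fails to render the record whenever debug logging is enabled; it should read `self.log.debug("User is in %s", self.admin_group)`. The line is also tab-indented while the surrounding file uses spaces, which Python treats as a different indentation level.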
122,144d114
<       
<     # IPermissionGroupProvider
<     def get_permission_groups(self, username):
<         """Return a list of names of the groups that the user with the 
<         specified name is a member of."""
<                         
<         # get dn
<         dn = self._get_user_dn(username)
<         if dn:  
<             # retrieves the user groups from LDAP
<             groups = self._get_user_groups(dn)
<         
<             if groups:
<                 self.env.log.debug('%s has groups: %s' % (username, ','.join(groups)))
<                 return groups
<             else:
<                self.log.debug("dn: %s has no groups." % dn)
<         else:
<             self.log.debug("username: %s has no dn." % username)
<         return []
<       
<     # Internal methods
< 
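Review bot: indentation inside `get_permission_groups` mixes two, three and four spaces (compare the `<       ` lines, the `<                self.log.debug(...)` line and the method body), which is fragile under Python 2 and rejected by Python 3; normalise to four spaces. The method also alternates between `self.env.log` and `self.log`, which are the same logger on a Component, so pick one. Note that a bind failure inside `_get_user_groups` raises TracError out of a permission check, so every permission lookup errors while AD is unreachable; failing closed is the safe default, but the docstring should state it.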
145a116
>     # Internal methods
150,152d120
<         if self._ldap:
<             return self._ldap
<             
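Review bot: the cached handle in `self._ldap` is returned without any liveness check and is never invalidated, so once the server drops the connection every later search fails until the process restarts. Suggest catching `ldap.SERVER_DOWN` at the call sites, clearing `self._ldap = None` and rebinding once before giving up.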
173d140
<         self._ldap = l
175c142
<    
---
> 
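Review bot: this hunk only swaps a blank line for a line of trailing spaces; drop it from the patch so the diff carries substantive changes only.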
189,209d155
<       
<     def _get_user_groups(self, dn):
<         """Returns a list of all groups a user belongs to"""
<         groups = []
<         lcnx = self._bind_ad()
<         if lcnx:
<             ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"])
<             if ldapgroups:
<                 for group in ldapgroups:
<                     groupname = GROUP_PREFIX + group[1]['sAMAccountName'][0].lower().replace(' ','_')
<                     if groupname not in groups:
<                         groups.append(groupname)
<                         subgroups = self._get_user_groups(group[0])
<                         if subgroups: 
<                            for subgroup in subgroups:
<                               if subgroup not in groups:
<                                    groups.append(subgroup)
<                 return groups
<         else:
<             raise TracError('Unable to bind to Active Directory')
<             return None
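Review bot: `_get_user_groups` recurses via `self._get_user_groups(group[0])` with a fresh `groups = []` on every call, so the `if groupname not in groups` guard cannot see groups found higher up the call chain; with circular nesting, which AD permits (group A a member of B and B a member of A), the recursion never terminates. Pass a set of visited group DNs through the recursion and skip any DN already in it. Also: `dn` is interpolated into the search filter unescaped, so a DN containing `(`, `)`, `*` or `\` yields a malformed filter; wrap it in `ldap.filter.escape_filter_chars(dn)`. The `return None` after `raise TracError(...)` is unreachable, and `return groups` sits inside `if ldapgroups:`, so a user with no groups returns None rather than the list the docstring promises; move `return groups` to the end of the method.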

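The group-resolution scheme the description lists (an `@` prefix, spaces replaced by `_`, walking up the nesting tree) as an added Python example that is not the plugin's code and not part of the ticket. It runs against a constructed in-memory directory standing in for python-ldap's `search_s`, escapes the DN before interpolating it into the filter (`escape_filter_chars` here is a stand-in for `ldap.filter.escape_filter_chars`), and carries a set of visited group DNs through the recursion so a circular nesting terminates. All DNs, group names and the `fake_search_s` helper are assumptions made for the example.

```python
import re
from functools import partial

GROUP_PREFIX = '@'
BASE_DN = 'DC=example,DC=test'

# Constructed sample subtree (DN -> attributes).  "Nested Ops" and "Infra"
# are members of each other on purpose, which AD allows, to exercise the
# cycle handling below.  Values are str here; python-ldap on Python 3
# returns bytes that would need decoding first.
FAKE_DIRECTORY = {
    'CN=alice,OU=Users,DC=example,DC=test': {
        'objectClass': ['user'], 'sAMAccountName': ['alice']},
    'CN=Bob (Contractor),OU=Users,DC=example,DC=test': {
        'objectClass': ['user'], 'sAMAccountName': ['bob']},
    'CN=Web Devs,OU=Groups,DC=example,DC=test': {
        'objectClass': ['group'], 'sAMAccountName': ['Web Devs'],
        'member': ['CN=alice,OU=Users,DC=example,DC=test']},
    'CN=Nested Ops,OU=Groups,DC=example,DC=test': {
        'objectClass': ['group'], 'sAMAccountName': ['Nested Ops'],
        'member': ['CN=Web Devs,OU=Groups,DC=example,DC=test',
                   'CN=Infra,OU=Groups,DC=example,DC=test']},
    'CN=Infra,OU=Groups,DC=example,DC=test': {
        'objectClass': ['group'], 'sAMAccountName': ['Infra'],
        'member': ['CN=Nested Ops,OU=Groups,DC=example,DC=test',
                   'CN=Bob (Contractor),OU=Users,DC=example,DC=test']},
}


def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves in a filter assertion value
    (stand-in for python-ldap's ldap.filter.escape_filter_chars)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def unescape_filter_chars(value):
    """Inverse of escape_filter_chars, used only by the fake server."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def build_member_filter(dn):
    """Filter for groups listing dn as a direct member, with dn escaped so
    a DN containing '(' or ')' cannot break the filter syntax."""
    return '(&(objectClass=group)(member=%s))' % escape_filter_chars(dn)


def fake_search_s(directory, base_dn, filterstr, attrlist):
    """Minimal stand-in for LDAPObject.search_s that understands only the
    filter shape build_member_filter produces."""
    m = re.match(r'^\(&\(objectClass=group\)\(member=(.*)\)\)$', filterstr)
    if not m:
        raise ValueError('unsupported filter: %r' % filterstr)
    member_dn = unescape_filter_chars(m.group(1))
    results = []
    for dn, attrs in directory.items():
        if (dn.endswith(base_dn) and 'group' in attrs['objectClass']
                and member_dn in attrs.get('member', [])):
            results.append((dn, {a: attrs[a] for a in attrlist if a in attrs}))
    return results


def group_name(sam_account_name):
    """Trac permission group name: '@' prefix, lower case, spaces -> '_'."""
    return GROUP_PREFIX + sam_account_name.lower().replace(' ', '_')


def get_user_groups(search, base_dn, dn, seen=None):
    """Return the names of every group containing dn, directly or through
    nesting.  `seen` carries visited group DNs across recursive calls so a
    membership cycle terminates instead of recursing without bound."""
    if seen is None:
        seen = set()
    groups = []
    for group_dn, attrs in search(base_dn, build_member_filter(dn),
                                  ['sAMAccountName']):
        if group_dn in seen:
            continue
        seen.add(group_dn)
        groups.append(group_name(attrs['sAMAccountName'][0]))
        for parent in get_user_groups(search, base_dn, group_dn, seen):
            if parent not in groups:
                groups.append(parent)
    return groups


def resolve_groups(user_dn):
    """Resolve user_dn against the constructed directory."""
    return get_user_groups(partial(fake_search_s, FAKE_DIRECTORY),
                           BASE_DN, user_dn)


if __name__ == '__main__':
    for user in ('CN=alice,OU=Users,DC=example,DC=test',
                 'CN=Bob (Contractor),OU=Users,DC=example,DC=test'):
        print(user, '->', resolve_groups(user))
```

Bob's DN contains parentheses, so the filter built for him carries `\28` and `\29` in place of the raw characters; the walk from Infra into Nested Ops and back stops at the first DN already in `seen`, where the patch's fresh-list recursion would loop.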
Attachments (0)

Change History (6)

comment:1 Changed 21 months ago by sandinak

I have taken this several steps further .. with a complete re-write of the caching system to use the local database .. I am working on the installer for the db now .. but this should work LOTS faster across multiple python/apache instances.

Hold up and i'll send in the new patches.

comment:2 follow-up: Changed 21 months ago by rjollos

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

comment:3 in reply to: ↑ 2 Changed 21 months ago by anonymous

  • Cc rjollos added
  • Owner changed from pacopablo to anonymous
  • Status changed from new to assigned

Replying to rjollos:

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

I can do that.

comment:4 Changed 21 months ago by sandinak

  • Keywords adoption-request added
  • Owner changed from anonymous to sandinak
  • Status changed from assigned to new

oops .. meant to take this .. I can adopt this.

comment:5 Changed 21 months ago by rjollos

Cool. You'll just need to do the step listed at AdoptingHacks#HowtoAdoptUnmaintainedHacks, including creating a dedicated ticket and posting to the mailing list.

comment:6 Changed 21 months ago by sandinak

  • Resolution set to fixed
  • Status changed from new to closed
