[patch] enable AD groups in permissions
|Reported by:||sandinak||Owned by:||sandinak|
This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.
- groups are prefixed with an '@'
- spaces are replaced by _
- recurses up the tree to find parent groups
- includes the patch from #9219
- caches the ldap handle so we don't reauth
18d17 < from trac.perm import IPermissionGroupProvider 21,22d19 < GROUP_PREFIX = '@' < 28c25 < implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider) --- > implements(IPasswordStore, IPermissionUserProvider) 36,38c33 < < def __init__(self,ldap=None): < self._ldap = ldap --- > 98d92 < success = True 119d112 < self.log.debug("User is in %", self.admin_group) 122,144d114 < < # IPermissionGroupProvider < def get_permission_groups(self, username): < """Return a list of names of the groups that the user with the < specified name is a member of.""" < < # get dn < dn = self._get_user_dn(username) < if dn: < # retrieves the user groups from LDAP < groups = self._get_user_groups(dn) < < if groups: < self.env.log.debug('%s has groups: %s' % (username, ','.join(groups))) < return groups < else: < self.log.debug("dn: %s has no groups." % dn) < else: < self.log.debug("username: %s has no dn." % username) < return  < < # Internal methods < 145a116 > # Internal methods 150,152d120 < if self._ldap: < return self._ldap < 173d140 < self._ldap = l 175c142 < --- > 189,209d155 < < def _get_user_groups(self, dn): < """Returns a list of all groups a user belongs to""" < groups =  < lcnx = self._bind_ad() < if lcnx: < ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"]) < if ldapgroups: < for group in ldapgroups: < groupname = GROUP_PREFIX + group['sAMAccountName'].lower().replace(' ','_') < if groupname not in groups: < groups.append(groupname) < subgroups = self._get_user_groups(group) < if subgroups: < for subgroup in subgroups: < if subgroup not in groups: < groups.append(subgroup) < return groups < else: < raise TracError('Unable to bind to Active Directory') < return None
Change History (6)
comment:3 in reply to: ↑ 2 Changed 3 years ago by anonymous
- Cc rjollos added; anonymous removed
- Owner changed from pacopablo to anonymous
- Status changed from new to assigned
comment:4 Changed 3 years ago by sandinak
- Keywords adoption-request added
- Owner changed from anonymous to sandinak
- Status changed from assigned to new
Note: See TracTickets for help on using tickets.