Opened 8 years ago

Closed 8 years ago

#286 closed defect (fixed)

Revision 615 does not properly handle LDAP groups with a dash

Reported by: trac-ldapplugin@…
Owned by: eblot
Priority: normal
Component: LdapPlugin
Severity: major
Keywords:
Cc:
Trac Release: 0.10

Description

After following all of the steps required to install/configure the plugin for Trac 0.9.4 (rev 615 of the plugin), I found that groups with a dash in them will not work for permissions.

Apache 2.0.x does not have issues with this, just the plugin.

Example groups (ldif format):

dn: cn=trac-admins,ou=groups,o=whyaskwhy
description: Access to Trac Administration features
objectClass: posixGroup
objectClass: top
cn: trac-admins
gidNumber: 309
memberUid: uid=myuser,ou=people,o=whyaskwhy

dn: cn=testing,ou=groups,o=whyaskwhy
description: Testing LDAP plugin for trac
objectClass: posixGroup
objectClass: top
cn: testing
gidNumber: 310
memberUid: uid=myuser,ou=people,o=whyaskwhy

Here is the ldap section of my trac.ini file:

[components]
ldapplugin.* = enabled

# http://trac-hacks.org/wiki/LdapPlugin
[ldap]
# enable LDAP support for Trac
enable = true
# LDAP directory host
host = localhost
# LDAP directory port
port = 389
# BaseDN
basedn = o=whyaskwhy
# BaseDN for users (defaults to basedn)
user_basedn = ou=people,o=whyaskwhy
# BaseDN for group of names (defaults to basedn)
group_basedn = ou=groups,o=whyaskwhy
# objectclass for groups
groupname = posixGroup
# dn entry in a groupname 
groupmember = memberUid
# attribute name for a group
groupattr = cn
# attribute name for a user
uidattr = uid
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = true
# user for authenticated group bind
group_user = uid=trac.binduser,ou=bind-accounts
# password for authenticated group bind
group_passwd = PASSWORD
# whether to perform an authenticated bind for permission store operations
store_bind = false
# user for authenticated store bind
store_user =
# password for authenticated store bind
store_passwd =
# global permissions (vs. per-environment permissions)
global_perms = false

Here is the result of a search (via a page view after Apache has authenticated by user)

/var/log/slapd.log

Apr  4 22:00:09 foi slapd[11162]: conn=353 fd=23 ACCEPT from IP=127.0.0.1:34946 (IP=0.0.0.0:389)
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" method=128
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" mech=SIMPLE ssf=0
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 RESULT tag=97 err=0 text=
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 CMP dn="cn=trac,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 RESULT tag=111 err=32 text=
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=2 UNBIND
Apr  4 22:00:09 foi slapd[11164]: conn=353 fd=23 closed
Apr  4 22:00:09 foi slapd[11162]: conn=354 fd=23 ACCEPT from IP=127.0.0.1:34947 (IP=0.0.0.0:389)
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" method=128
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" mech=SIMPLE ssf=0
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 RESULT tag=97 err=0 text=
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 CMP dn="cn=testing,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 RESULT tag=111 err=6 text=
Apr  4 22:00:10 foi slapd[11162]: conn=355 fd=24 ACCEPT from IP=127.0.0.1:34948 (IP=0.0.0.0:389)
Apr  4 22:00:10 foi slapd[11165]: bind: invalid dn (trac.binduser,ou=bind-accounts,o=whyaskwhy,o=whyaskwhy)
Apr  4 22:00:10 foi slapd[11165]: conn=355 op=0 RESULT tag=97 err=34 text=invalid DN
Apr  4 22:00:10 foi slapd[11164]: conn=355 op=1 UNBIND
Apr  4 22:00:10 foi slapd[11164]: conn=355 fd=24 closed

I'll be glad to furnish other information upon request.

Thank you for your time.

Attachments (0)
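
Added example (not part of the original ticket and not the plugin's code): a small Python parser that pairs each slapd CMP operation from the log above with its RESULT code. It makes visible that the membership compare was issued against cn=trac rather than cn=trac-admins and returned err=32 (noSuchObject), while cn=testing returned err=6 (compareTrue). The function names are chosen for this illustration; the sample lines are copied from the ticket's log.

```python
import re

# LDAP result codes seen in this log (names per RFC 4511).
RESULT_NAMES = {0: "success", 5: "compareFalse", 6: "compareTrue",
                32: "noSuchObject", 34: "invalidDNSyntax"}

# Lines copied from the slapd.log excerpt in the ticket.
SAMPLE_LOG = """\
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 CMP dn="cn=trac,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 RESULT tag=111 err=32 text=
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 CMP dn="cn=testing,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 RESULT tag=111 err=6 text=
Apr  4 22:00:10 foi slapd[11165]: conn=355 op=0 RESULT tag=97 err=34 text=invalid DN
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (CMP|RESULT) (.*)")

def compare_results(log_text):
    """Pair each CMP with its RESULT (same conn/op); return (dn, attr, err, name)."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "CMP":
            parsed = re.match(r'dn="([^"]*)" attr="([^"]*)"', rest)
            if parsed:
                pending[key] = parsed.groups()
        elif key in pending:  # RESULT of an earlier CMP; bind results are skipped
            err = int(re.search(r"err=(\d+)", rest).group(1))
            dn, attr = pending.pop(key)
            results.append((dn, attr, err, RESULT_NAMES.get(err, "other")))
    return results

def missing_group_dns(results, expected_cns):
    """Compares that hit noSuchObject on a cn that is a prefix of a real group cn."""
    flagged = []
    for dn, _attr, err, _name in results:
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        hits = [g for g in expected_cns if g != cn and g.startswith(cn)]
        if err == 32 and hits:
            flagged.append((dn, hits))
    return flagged

if __name__ == "__main__":
    res = compare_results(SAMPLE_LOG)
    print(res, missing_group_dns(res, ["trac-admins", "testing"]), sep="\n")
```

A compare that ends in noSuchObject means the membership check never reached the intended group entry, so the permission attached to that group is not granted.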

Change History (1)

comment:1 Changed 8 years ago by eblot

  • Resolution set to fixed
  • Status changed from new to closed
  • Trac Release changed from 0.9 to 0.10

Should be fixed in [905]
