#7327 closed enhancement (fixed)
flexibility and Performance of LDAP Traversal
| Reported by: | Thomas Stümpfig | Owned by: | branson |
|---|---|---|---|
| Priority: | normal | Component: | DirectoryAuthPlugin |
| Severity: | normal | Keywords: | group filter |
| Cc: | Trac Release: | 0.12 |
Description
The plugin "only" traverses one AD group hierarchy. What if you have two or more groups in the AD that you want to allow as authenticated users. Today you would have to create a group "Trac" users add the groups to this groups. -> This way you would need to have write Access to the AD. This is not allways easy. -> The performance also is impacted.
It would be more flexible and probably give better performance if the AD query is expressed in the trac.ini directly.
Attachments (0)
Change History (5)
comment:1 Changed 14 years ago by
| Status: | new → assigned |
|---|
comment:2 Changed 13 years ago by
First, I agree with you, enumerating groups would be more easy to handle for admins not used to AD/LDAP, and , probably easier to implement.
What I meant with AD query is expressed in the trac.ini directly you would have a variable like: search_filter="(&(objectCategory=person)(objectClass=contact)(|(sn=xxxx)|sn=xxx)))" (In reality you would search for a user instaead of a contact)
here search_filter would be a string that complies to LDAP search filters syntax as defined in RFC 2254.
regards
comment:3 Changed 12 years ago by
| Owner: | changed from John Hampton to branson |
|---|---|
| Status: | assigned → new |
Please see the extension of groups I just enabled in 0.3 and if it solves your problem. You'd be able to set perms for multiple groups fairly easily.
comment:4 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
No response .. also I ahve setup recursion on groups.. so if you had a Trac group .. and the members were the Domain Admins, Developers, Moose .. users in all three groups should be able to login.
I don't think it's unreasonable to ask for that. If there's really a need to express the search in the config, I can still do that .. but i'd like feedback on wether the recursion solves the problem.
comment:5 Changed 12 years ago by
Sorry I loangtime did'nt hear of news about this ticket... It is good to hear that multiple Groups are now available and these are even correlated with trac groups. I am pretty shure my needs will be adressed. Still I'll have to test it. I think there is virtualy alway node that will contain groups of groups ... with users. Except some realy huge organizations.
regards Thomas
I'm open to suggestions on this front.
I agree that it's not optimal, but it's simple. One thing that I am looking to avoid, is complex and ugly ldap queries in the trac.ini. Providing a list of auth groups isn't a bad solution, though I'll have to take a look to see how much work it will be to accommodate that.
So, what are you thinking when you say: "AD query is expressed in the trac.ini directly"