Modify

Opened 4 years ago

Closed 2 years ago

Last modified 2 years ago

#7327 closed enhancement (fixed)

flexibility and Performance of LDAP Traversal

Reported by: thomas.stuempfig@… Owned by: sandinak
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: group filter
Cc: Trac Release: 0.12

Description

The plugin "only" traverses one AD group hierarchy. What if you have two or more groups in the AD that you want to allow as authenticated users. Today you would have to create a group "Trac" users add the groups to this groups. -> This way you would need to have write Access to the AD. This is not allways easy. -> The performance also is impacted.

It would be more flexible and probably give better performance if the AD query is expressed in the trac.ini directly.

Attachments (0)

Change History (5)

comment:1 Changed 4 years ago by pacopablo

  • Status changed from new to assigned

I'm open to suggestions on this front.

I agree that it's not optimal, but it's simple. One thing that I am looking to avoid, is complex and ugly ldap queries in the trac.ini. Providing a list of auth groups isn't a bad solution, though I'll have to take a look to see how much work it will be to accommodate that.

So, what are you thinking when you say: "AD query is expressed in the trac.ini directly"

comment:2 Changed 4 years ago by stuempfig

First, I agree with you, enumerating groups would be more easy to handle for admins not used to AD/LDAP, and , probably easier to implement.

What I meant with AD query is expressed in the trac.ini directly you would have a variable like: search_filter="(&(objectCategory=person)(objectClass=contact)(|(sn=xxxx)|sn=xxx)))" (In reality you would search for a user instaead of a contact)

here search_filter would be a string that complies to LDAP search filters syntax as defined in RFC 2254.

regards

comment:3 Changed 2 years ago by sandinak

  • Owner changed from pacopablo to sandinak
  • Status changed from assigned to new

Please see the extension of groups I just enabled in 0.3 and if it solves your problem. You'd be able to set perms for multiple groups fairly easily.

comment:4 Changed 2 years ago by sandinak

  • Resolution set to fixed
  • Status changed from new to closed

No response .. also I ahve setup recursion on groups.. so if you had a Trac group .. and the members were the Domain Admins, Developers, Moose .. users in all three groups should be able to login.

I don't think it's unreasonable to ask for that. If there's really a need to express the search in the config, I can still do that .. but i'd like feedback on wether the recursion solves the problem.

comment:5 Changed 2 years ago by stuempfig

Sorry I loangtime did'nt hear of news about this ticket... It is good to hear that multiple Groups are now available and these are even correlated with trac groups. I am pretty shure my needs will be adressed. Still I'll have to test it. I think there is virtualy alway node that will contain groups of groups ... with users. Except some realy huge organizations.

regards Thomas

Add Comment

Modify Ticket

Action
as closed The owner will remain sandinak.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.