Ticket #7327 (closed enhancement: fixed)

Opened 3 years ago

Last modified 8 months ago

flexibility and Performance of LDAP Traversal

Reported by: thomas.stuempfig@siemens.com Assigned to: sandinak
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: group filter
Cc: Trac Release: 0.12

Description

The plugin "only" traverses one AD group hierarchy. What if you have two or more groups in the AD that you want to allow as authenticated users? Today you would have to create a group "Trac" users and add the groups to this group. -> This way you would need to have write access to the AD. This is not always easy. -> The performance is also impacted.

It would be more flexible and probably give better performance if the AD query is expressed in the trac.ini directly.

Attachments

Change History

10/19/10 09:21:56 changed by pacopablo

  • status changed from new to assigned.

I'm open to suggestions on this front.

I agree that it's not optimal, but it's simple. One thing that I am looking to avoid is complex and ugly LDAP queries in the trac.ini. Providing a list of auth groups isn't a bad solution, though I'll have to take a look to see how much work it will be to accommodate that.

So, what are you thinking when you say: "AD query is expressed in the trac.ini directly"?

12/09/10 09:17:24 changed by stuempfig

First, I agree with you, enumerating groups would be easier to handle for admins not used to AD/LDAP, and probably easier to implement.

What I meant with "AD query is expressed in the trac.ini directly" is that you would have a variable like: search_filter="(&(objectCategory=person)(objectClass=contact)(|(sn=xxxx)(sn=xxx)))" //(In reality you would search for a user instead of a contact)

Here search_filter would be a string that complies with LDAP search filter syntax as defined in RFC 2254.

regards

07/25/12 21:40:49 changed by sandinak

  • status changed from assigned to new.
  • owner changed from pacopablo to sandinak.

Please see the extension of groups I just enabled in 0.3 and see if it solves your problem. You'd be able to set perms for multiple groups fairly easily.

09/18/12 14:17:50 changed by sandinak

  • status changed from new to closed.
  • resolution set to fixed.

No response .. also I have set up recursion on groups .. so if you had a Trac group .. and the members were the Domain Admins, Developers, Moose .. users in all three groups should be able to log in.

I don't think it's unreasonable to ask for that. If there's really a need to express the search in the config, I can still do that .. but I'd like feedback on whether the recursion solves the problem.

09/24/12 08:44:28 changed by stuempfig

Sorry, for a long time I didn't hear any news about this ticket... It is good to hear that multiple groups are now available and these are even correlated with Trac groups. I am pretty sure my needs will be addressed. Still, I'll have to test it. I think there is virtually always a node that will contain groups of groups ... with users. Except some really huge organizations.

regards Thomas
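
The two options discussed in this ticket (a list of auth groups versus a raw search_filter in trac.ini) can be combined by generating the filter from the group list, with nested groups resolved by the directory server. This is an added example, not DirectoryAuthPlugin code; the function names and the example.com DNs are assumptions, and it relies on Active Directory's in-chain matching rule (OID 1.2.840.113556.1.4.1941).

```python
# Added example; not DirectoryAuthPlugin code. All names here are hypothetical.
# AD's LDAP_MATCHING_RULE_IN_CHAIN makes memberOf follow nested groups server-side.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Characters that must be escaped inside a filter value (RFC 4515, successor of RFC 2254).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as data, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username, group_dns, nested=True):
    """Build one filter that matches `username` only if it belongs to any group."""
    if not username or not group_dns:
        raise ValueError("username and at least one group DN are required")
    attr = "memberOf:%s:" % AD_IN_CHAIN if nested else "memberOf"
    groups = "".join("(%s=%s)" % (attr, escape_filter_value(dn)) for dn in group_dns)
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)(|%s))" % (
        escape_filter_value(username), groups)


def is_balanced(filter_text):
    """Cheap sanity check for a hand-written filter: one fully nested (...) group."""
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filter_text) - 1):
                return False
    return depth == 0 and filter_text.startswith("(")


if __name__ == "__main__":
    # Constructed sample DNs; the group names echo the ones mentioned in the ticket.
    groups = ["CN=Domain Admins,CN=Users,DC=example,DC=com",
              "CN=Developers,OU=Groups,DC=example,DC=com"]
    print(build_login_filter("jdoe", groups))
    # A login name containing filter metacharacters stays inert after escaping.
    print(build_login_filter("x)(|(cn=*", groups))
    # Constructed malformed filter with a misplaced parenthesis.
    print(is_balanced("(&(objectClass=user)(|(sn=a)|sn=b)))"))
```

The parenthesis check only catches structural typos in a hand-written filter; the escaping is what keeps a login name from changing the meaning of the query.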

