wiki:DirectoryAuthPlugin/GroupManagement

ActiveDirectory Group Management

The plugin extends ActiveDirectory group membership into the Trac namespace. This means you can specify permissions for different groups of authenticated individuals.

Theory

LDAP represents groups as entries of a group objectClass, usually carrying member or memberUID attributes that identify each person in the group. When a group referenced in the permissions is looked up, the group is expanded to its members, and that member list is what is matched against the requesting user.

Usage

  1. Create the groups you want in the directory, for example: cn=Staff,dc=home,dc=net.
  2. Add users to the groups.
  3. Go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. For example, use Grant Permission with:
    • Subject: @staff
    • Permission: WIKI_EDIT

Note: groups will NOT show up per user until they're defined from the Permissions page.

Validation

To validate a user's permissions, log in as an account with permissions on the TRAC_HOME directory, and then run:

sudo trac-admin /var/trac/mytrac permission list {user}

Configuration

Any groups found under the base_dn will be expanded into the namespace:

  • each group will have the name normalized by changing it to lower case, and changing spaces to underscores
  • the group name will be prefixed by an @ sign:

cn=Domain Users,cn=Users,dc=ad,dc=com == @domain_users
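As an added example (not the plugin's own code), the following Python models the normalization above and the lookup it enables: each of a user's AD group DNs is mapped to its @subject, and a constructed permission table in the shape of the page's examples is matched against those subjects. The escaped-comma handling in the DN split and the sample permission table are assumptions of this example.

```python
import re

# Constructed permission table in the shape of the page's examples: (subject, action).
PERMISSIONS = [
    ("@domain_users", "BROWSER_VIEW"),
    ("@domain_users", "WIKI_CREATE"),
    ("@sysops", "WIKI_DELETE"),
    ("@trac_admin", "TRAC_ADMIN"),
    ("alice", "TICKET_ADMIN"),  # a direct grant to a user, not to a group
]

# Only an unescaped comma separates RDNs in a DN ("cn=Ops\, EMEA" is one RDN).
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def trac_group_name(group_dn: str) -> str:
    """Normalize an AD group DN into the Trac subject described on this page:
    take the cn value, lower-case it, turn spaces into underscores, prefix '@'."""
    first_rdn = _UNESCAPED_COMMA.split(group_dn, maxsplit=1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().lower() != "cn" or not value.strip():
        raise ValueError(f"group DN does not start with a cn RDN: {group_dn!r}")
    value = value.strip().replace("\\,", ",")  # unescape the literal comma
    return "@" + value.lower().replace(" ", "_")


def effective_actions(username: str, group_dns, permissions=PERMISSIONS) -> set:
    """Return the actions a user ends up with: direct grants to the username
    plus grants to any @group that one of the user's directory groups maps to.
    The '@' prefix keeps group subjects from colliding with usernames."""
    subjects = {username} | {trac_group_name(dn) for dn in group_dns}
    return {action for subject, action in permissions if subject in subjects}
```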

Example Configurations

For example:

@domain_users          BLOG_CREATE
@domain_users          BLOG_MODIFY_ALL
@domain_users          BLOG_MODIFY_OWN
@domain_users          BROWSER_VIEW
@domain_users          DISCUSSION_APPEND
@domain_users          MYPAGE_VIEW
@domain_users          PRIVATE_EDIT_ATOL_SECURE
@domain_users          PRIVATE_VIEW_ATOL_SECURE
@domain_users          REPORT_SQL_VIEW
@domain_users          RES_RESERVE_MODIFY
@domain_users          RES_RESERVE_VIEW
@domain_users          RIPE_EDIT
@domain_users          TICKET_ADMIN
@domain_users          TSTATS_VIEW
@domain_users          WIKI_CREATE
@domain_users          WIKI_RENAME
@domain_users          XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops           PRIVATE_EDIT_OPS_SECURE
@ops           XML_RPC
@sysops        DISCUSSION_ADMIN
@sysops        RIPE_ADMIN
@sysops        TICKET_EDIT_CC
@sysops        WIKI_DELETE
@trac_admin    TRAC_ADMIN
 ...

This gives the @domain_users group from ActiveDirectory a specific set of permissions. The @branch_admins group uses the PrivateWiki plugin to hide its passwords, as does the @ops group.

  • @sysops are god-like
  • @trac_admins are Trac administrators

Last modified on Mar 22, 2015, 11:39:53 AM