Changes between Version 2 and Version 3 of ActiveDirectoryAuthPlugin/GroupManagement


Ignore:
Timestamp:
Sep 18, 2012, 12:29:18 PM (2 years ago)
Author:
rjollos
Comment:

Content moved to DirectoryAuthPlugin/GroupManagement.

Legend:

Unmodified
Added
Removed
Modified
  • ActiveDirectoryAuthPlugin/GroupManagement

    v2 v3  
    1 [[PageOutline]]
    2 = AD Group Management =
    3 
    4 The plugin extends Directory group membership into the trac namespace.  This means you can specify permissions for different groups of authenticated individuals.
    5 
    6 == Theory ==
    7  LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group.  When a request for a group, as defined in the permissions, is searched, the group is expanded to the members.  It's then used to match.
    8 
    9 == Usage ==
    10 
    11  1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net )
    12  2. add users to the groups
    13  3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with
    14     Subject: @staff
    15     Permission: WIKI_EDIT
    16 
    17 '''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.
    18 == Validation ==
    19  To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use
    20 {{{
    21  me@here > sudo trac-admin /var/trac/mytrac permission list {user}
    22 }}}
    23 
    24 == Configuration ==
    25 
    26  Any groups found under the base_dn will be expanded into the name space
    27  - each group will have the name normalized by changing it to lower case, and changing spaces to underscores
    28  - the group name will be prefixed by an @ sign
    29 
    30    {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users
    31 == Example Configurations ==
    32 For example:
    33 {{{
    34 @domain_users          BLOG_CREATE
    35 @domain_users          BLOG_MODIFY_ALL
    36 @domain_users          BLOG_MODIFY_OWN
    37 @domain_users          BROWSER_VIEW
    38 @domain_users          DISCUSSION_APPEND
    39 @domain_users          MYPAGE_VIEW
    40 @domain_users          PRIVATE_EDIT_ATOL_SECURE
    41 @domain_users          PRIVATE_VIEW_ATOL_SECURE
    42 @domain_users          REPORT_SQL_VIEW
    43 @domain_users          RES_RESERVE_MODIFY
    44 @domain_users          RES_RESERVE_VIEW
    45 @domain_users          RIPE_EDIT
    46 @domain_users          TICKET_ADMIN
    47 @domain_users          TSTATS_VIEW
    48 @domain_users          WIKI_CREATE
    49 @domain_users          WIKI_RENAME
    50 @domain_users          XML_RPC
    51 @branch_admins PRIVATE_VIEW_BRANCH_SECURE
    52 @ops           PRIVATE_EDIT_OPS_SECURE
    53 @ops           XML_RPC 
    54 @sysops        DISCUSSION_ADMIN
    55 @sysops        RIPE_ADMIN
    56 @sysops        TICKET_EDIT_CC
    57 @sysops        WIKI_DELETE
    58 @trac_admin    TRAC_ADMIN               
    59  ...
    60 }}}
    61 
    62  - This gives the @domain_users group from AD a specific set of perms
    63  - the @branch_admins are using the PrivateWiki plugin to hide their passwords
    64  - as are the @ops group
    65  - @sysops are god like.
    66  - @trac_admins are .. well well trac_admins ;-)
     1[[redirect(wiki:DirectoryAuthPlugin/GroupManagement)]]