Changes between Version 2 and Version 3 of ActiveDirectoryAuthPlugin/GroupManagement


Timestamp: Sep 18, 2012 12:29:18 PM (23 months ago)
Author: rjollos
Comment: Content moved to DirectoryAuthPlugin/GroupManagement.

  • ActiveDirectoryAuthPlugin/GroupManagement

    v2 v3  
    1 [[PageOutline]] 
    2 = AD Group Management = 
    3  
    4 The plugin extends Directory group membership into the trac namespace.  This means you can specify permissions for different groups of authenticated individuals.  
    5  
    6 == Theory == 
    7  LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group.  When a request for a group, as defined in the permissions, is searched, the group is expanded to the members.  It's then used to match. 
    8  
    9 == Usage ==  
    10  
    11  1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net )  
    12  2. add users to the groups 
    13  3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with 
    14     Subject: @staff 
    15     Permission: WIKI_EDIT 
    16  
    17 '''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.  
    18 == Validation == 
    19  To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use 
    20 {{{ 
    21  me@here > sudo trac-admin /var/trac/mytrac permission list {user}  
    22 }}} 
    23  
    24 == Configuration == 
    25  
    26  Any groups found under the base_dn will be expanded into the name space 
    27  - each group will have the name normalized by changing it to lower case, and changing spaces to underscores 
    28  - the group name will be prefixed by an @ sign 
    29  
    30    {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users 
    31 == Example Configurations ==  
    32 For example: 
    33 {{{ 
    34 @domain_users          BLOG_CREATE 
    35 @domain_users          BLOG_MODIFY_ALL 
    36 @domain_users          BLOG_MODIFY_OWN 
    37 @domain_users          BROWSER_VIEW 
    38 @domain_users          DISCUSSION_APPEND 
    39 @domain_users          MYPAGE_VIEW 
    40 @domain_users          PRIVATE_EDIT_ATOL_SECURE 
    41 @domain_users          PRIVATE_VIEW_ATOL_SECURE 
    42 @domain_users          REPORT_SQL_VIEW 
    43 @domain_users          RES_RESERVE_MODIFY 
    44 @domain_users          RES_RESERVE_VIEW 
    45 @domain_users          RIPE_EDIT 
    46 @domain_users          TICKET_ADMIN 
    47 @domain_users          TSTATS_VIEW 
    48 @domain_users          WIKI_CREATE 
    49 @domain_users          WIKI_RENAME 
    50 @domain_users          XML_RPC 
    51 @branch_admins PRIVATE_VIEW_BRANCH_SECURE 
    52 @ops           PRIVATE_EDIT_OPS_SECURE 
    53 @ops           XML_RPC   
    54 @sysops        DISCUSSION_ADMIN 
    55 @sysops        RIPE_ADMIN  
    56 @sysops        TICKET_EDIT_CC 
    57 @sysops        WIKI_DELETE 
    58 @trac_admin    TRAC_ADMIN                
    59  ... 
    60 }}} 
    61  
    62  - This gives the @domain_users group from AD a specific set of perms 
    63  - the @branch_admins are using the PrivateWiki plugin to hide their passwords 
    64  - as are the @ops group 
    65  - @sysops are god like.  
    66  - @trac_admins are .. well well trac_admins ;-) 
     1[[redirect(wiki:DirectoryAuthPlugin/GroupManagement)]]
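
Review bot: the removed text names the admin subject inconsistently, granting TRAC_ADMIN to @trac_admin on v2 line 58 but describing @trac_admins on line 66, and since the added line 1 leaves only a redirect here, the copy at DirectoryAuthPlugin/GroupManagement should be corrected to a single name so readers grant the permission to the subject the plugin actually produces. Lines 26 to 28 say every group under base_dn is lower-cased with spaces changed to underscores, but do not say what happens when two directory groups normalize to the same @name; the moved page should document that case, because both groups would then match one permission subject. The example on lines 34 to 50 also gives @domain_users TICKET_ADMIN and XML_RPC, which is worth flagging in the moved page as a broad grant to every member of Domain Users rather than a baseline to copy. The typos on line 13 ("Ao for example") and line 19 ("wiht") should be fixed in the destination as well.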