Changes between Version 17 and Version 18 of ActiveDirectoryAuthPlugin


Ignore:
Timestamp:
Sep 18, 2012, 12:25:54 PM (2 years ago)
Author:
rjollos
Comment:

Page moved to DirectoryAuthPlugin.

Legend:

Unmodified
Added
Removed
Modified
  • ActiveDirectoryAuthPlugin

    v17 v18  
    1 [[PageOutline(2-5,Contents,pullout)]]
    2 = Active Directory Auth Plugin =
    3 
    4 '''NOTE:''' Major changes from 0.3
    5  - conf variables are renamed for standardization
    6  - now more directory type agnostic
    7  - soon will be renamed to DirectoryAuthPlugin
    8 
    9 == Description ==
    10 
    11 The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.
    12 
    13 Users are authenticated by performing an ldap_bind against the AD server using their credentials.  The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table.  See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.
    14 
    15 == Groups ==
    16  - One can specify a group which users must be a member of in order to log in. 
    17  - Additionally, one may specify an ''admin'' group.  If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
    18  - Finally, !ActiveDirectory groups are extended into the trac namespace.  They can be used to extend permissions by AD group.
    19    - AD groups are prefixed by @
    20    - group names are lowercase and spaces are replaced with underscores.
    21 
    22  See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
    23 
    24 == Caching ==
    25 Given the expense of traversing the network for authorizations, a two-stage cache has been implemented.  This caches data in the database for all instances of python, and in memory for each instance; while maintaining expiration and flushing the cache(s) as necessary. See: [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details.
    26 
    27 == Bugs/Feature Requests ==
    28 
    29 Existing bugs and feature requests for ActiveDirectoryAuthPlugin are
    30 [report:9?COMPONENT=ActiveDirectoryAuthPlugin here].
    31 
    32 If you have any issues, create a
    33 [http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket].
    34 
    35 == Download ==
    36 
    37 Download the zipped source from [download:activedirectoryauthplugin here]
    38 
    39 == Source ==
    40 
    41 You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac.
    42 
    43 == Install ==
    44 
    45 ==== Prerequisites ====
    46 
    47  - You must install AccountManagerPlugin in order to use this plugin. 
    48  - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here]
    49 
    50 ==== Installation ====
    51 
    52 Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins]
    53 
    54  - starting with 0.3, a database upgrade will be required as part of the installation.
    55    1. install the plugin and it's prerequisites
    56    1. update the database
    57 {{{
    58 #!sh
    59 trac-admin /var/trac/instance upgrade
    60 }}}
    61    1. restart the trac service or your webserver.
    62 
    63 == Examples ==
    64 '''NOTE: this has changed from 0.3 to 0.4!!!!'''
    65 
    66 All config options go under the [account-manager] config heading.  Options for this module are:
    67 
    68 {{{
    69 #!ini
    70 [account-manager]
    71 #--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
    72 password_store = ADAuthStore
    73 #--define the Active Directory host address here.  A port other than default(389) is set as
    74 #  ldap://hostname:port or ldaps://hostname:port
    75 dir_uri = ldap://adserver.example.com
    76 #-- the Active Directory's base DN to search from, this is likely just your domain
    77 dir_basedn = DC=example,DC=com
    78 #-- the user/password to search the directory from, it must be a valid
    79 dir_binddn = ldapuser@example.com
    80 dir_bindpw = ldapuserpassword
    81 #-- timeout for an ldap operation before in seconds
    82 dir_timeout = 5
    83 #-- the default charset for the ldap server
    84 dir_charset = utf-9
    85 ##### Userinfo
    86 #-- the attribute containing the users login name, THIS MUST BE UNIQUE!
    87 user_attr = sAMAccountName
    88 #-- the attribute containing the users display name
    89 name_attr = displayName
    90 #-- the attribute containing the users email addy
    91 email_attr = mail
    92 ##### Groups
    93 #-- where to look for groups, uses dir_basedn if not defined.
    94 group_basedn = ou=Groups,dc=foo,dc=net
    95 #-- expand directory groups
    96 group_expand = 1
    97 #-- the name of a group .. uses user_attr if not defined.
    98 group_attr = cn
    99 #-- which attribute to look in for members
    100 group_member_attr = member
    101 #-- what to look for in the member_attr
    102 group_member_value = dn
    103 #-- the dn of a group that has valid users, all users if not enabled
    104 group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
    105 #-- the DN for a group automagically given TRAC_ADMIN
    106 #   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
    107 #   [trac]
    108 #   permission_store = UserExtensiblePermissionStore
    109 group_tracadmin = CN=Administration,DC=example,DC=com
    110 #### Cache Tuning
    111 #-- cached entry time to live in seconds
    112 cache_ttl= 90
    113 #-- memorycache size in entries, and a highwater warning mark
    114 cache_memsize = 400
    115 cache_memsize_warn 300
    116 #-- memory cache prune size in percentage
    117 cache_memprune = 5
    118 
    119 [trac]
    120 permission_store = UserExtensiblePermissionStore
    121 }}}
    122 
    123 If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
    124 
    125 == Common Errors ==
    126 
    127 If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268.  This may happen when AD is running across multiple machines.
    128 
    129 == Recent Changes ==
    130 
    131 [[ChangeLog(activedirectoryauthplugin, 3)]]
    132 
    133 == Author/Contributors ==
    134 
    135 '''Author:''' [wiki:pacopablo] [[BR]]
    136 '''Maintainer:''' sandinak [[BR]]
    137 '''Contributors:'''
     1[[redirect(wiki:DirectoryAuthPlugin)]]