Changes between Version 17 and Version 18 of ActiveDirectoryAuthPlugin


Timestamp:
Sep 18, 2012 12:25:54 PM (23 months ago)
Author:
rjollos
Comment:

Page moved to DirectoryAuthPlugin.

  • ActiveDirectoryAuthPlugin

    v17 v18  
    1 [[PageOutline(2-5,Contents,pullout)]] 
    2 = Active Directory Auth Plugin = 
    3  
    4 '''NOTE:''' Major changes from 0.3  
    5  - conf variables are renamed for standardization 
    6  - now more directory type agnostic 
    7  - soon will be renamed to DirectoryAuthPlugin 
    8  
    9 == Description == 
    10  
    11 The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.  
    12  
    13 Users are authenticated by performing an ldap_bind against the AD server using their credentials.  The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table.  See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.  
    14  
    15 == Groups ==  
    16  - One can specify a group which users must be a member of in order to log in.   
    17  - Additionally, one may specify an ''admin'' group.  If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission. 
    18  - Finally, !ActiveDirectory groups are extended into the trac namespace.  They can be used to extend permissions by AD group. 
    19    - AD groups are prefixed by @  
    20    - group names are lowercase and spaces are replaced with underscores. 
    21  
    22  See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details. 
    23  
    24 == Caching ==  
    25 Given the expense of traversing the network for authorizations, a two-stage cache has been implemented.  It caches data in the database, shared by all Python instances, and in memory within each instance, while maintaining expiration and flushing the cache(s) as necessary. See: [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details.  
    26  
    27 == Bugs/Feature Requests ==  
    28  
    29 Existing bugs and feature requests for ActiveDirectoryAuthPlugin are  
    30 [report:9?COMPONENT=ActiveDirectoryAuthPlugin here]. 
    31  
    32 If you have any issues, create a  
    33 [http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket]. 
    34  
    35 == Download == 
    36  
    37 Download the zipped source from [download:activedirectoryauthplugin here] 
    38  
    39 == Source == 
    40  
    41 You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac. 
    42  
    43 == Install == 
    44  
    45 ==== Prerequisites ==== 
    46  
    47  - You must install AccountManagerPlugin in order to use this plugin.   
    48  - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here] 
    49  
    50 ==== Installation ==== 
    51  
    52 Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins] 
    53  
    54  - starting with 0.3, a database upgrade will be required as part of the installation.  
    55    1. install the plugin and its prerequisites 
    56    1. update the database 
    57 {{{ 
    58 #!sh 
    59 trac-admin /var/trac/instance upgrade 
    60 }}} 
    61    1. restart the trac service or your webserver.  
    62  
    63 == Examples == 
    64 '''NOTE: this has changed from 0.3 to 0.4!!!!''' 
    65  
    66 All config options go under the [account-manager] config heading.  Options for this module are: 
    67  
    68 {{{ 
    69 #!ini 
    70 [account-manager] 
    71 #--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager 
    72 password_store = ADAuthStore 
    73 #--define the Active Directory host address here.  A port other than default(389) is set as 
    74 #  ldap://hostname:port or ldaps://hostname:port 
    75 dir_uri = ldap://adserver.example.com 
    76 #-- the Active Directory's base DN to search from, this is likely just your domain 
    77 dir_basedn = DC=example,DC=com 
    78 #-- the user/password to search the directory from, it must be a valid 
    79 dir_binddn = ldapuser@example.com 
    80 dir_bindpw = ldapuserpassword 
    81 #-- timeout in seconds for an ldap operation 
    82 dir_timeout = 5 
    83 #-- the default charset for the ldap server 
    84 dir_charset = utf-8 
    85 ##### Userinfo 
    86 #-- the attribute containing the users login name, THIS MUST BE UNIQUE! 
    87 user_attr = sAMAccountName 
    88 #-- the attribute containing the users display name 
    89 name_attr = displayName 
    90 #-- the attribute containing the users email address 
    91 email_attr = mail 
    92 ##### Groups 
    93 #-- where to look for groups, uses dir_basedn if not defined. 
    94 group_basedn = ou=Groups,dc=foo,dc=net 
    95 #-- expand directory groups 
    96 group_expand = 1 
    97 #-- the name of a group .. uses user_attr if not defined.  
    98 group_attr = cn 
    99 #-- which attribute to look in for members 
    100 group_member_attr = member 
    101 #-- what to look for in the member_attr 
    102 group_member_value = dn 
    103 #-- the dn of a group that has valid users, all users if not enabled 
    104 group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com 
    105 #-- the DN for a group automagically given TRAC_ADMIN 
    106 #   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as: 
    107 #   [trac] 
    108 #   permission_store = UserExtensiblePermissionStore 
    109 group_tracadmin = CN=Administration,DC=example,DC=com 
    110 #### Cache Tuning 
    111 #-- cached entry time to live in seconds  
    112 cache_ttl= 90 
    113 #-- memorycache size in entries, and a highwater warning mark 
    114 cache_memsize = 400 
    115 cache_memsize_warn = 300 
    116 #-- memory cache prune size in percentage 
    117 cache_memprune = 5 
    118  
    119 [trac] 
    120 permission_store = UserExtensiblePermissionStore 
    121 }}} 
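The group-name mapping from the Groups section and the two-stage cache from the Caching section, as an added Python example (not the plugin's own code): it maps a group DN to the `@`-prefixed Trac group name (leading CN, lowercased, spaces to underscores) and models the memory-plus-database cache using the tuning values `cache_ttl`, `cache_memsize`, `cache_memsize_warn` and `cache_memprune` from the config above. The directory lookups themselves are omitted; the sample DNs, the `TwoStageCache` class, the `dn_to_trac_group` function and the `demo` walk-through are assumptions for illustration, not the plugin's API.

```python
"""Added example (not the plugin's code): AD group -> Trac group mapping and a
two-stage (memory + database) cache with TTL, high-water warning and pruning.
All tuning values and sample data below are constructed for the example."""
import time

# Constructed tuning, mirroring the [account-manager] cache options above.
CACHE_TTL = 90            # seconds a cached entry stays valid
CACHE_MEMSIZE = 400       # hard limit on in-memory entries
CACHE_MEMSIZE_WARN = 300  # high-water mark that triggers a warning
CACHE_MEMPRUNE = 5        # percent of entries evicted when the limit is hit


def dn_to_trac_group(dn):
    """Map a group DN to the Trac group name described in the Groups section:
    take the leading CN, lowercase it, replace spaces with underscores, prefix '@'."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("expected a CN as the first RDN: %r" % dn)
    return "@" + value.strip().lower().replace(" ", "_")


class TwoStageCache:
    """Memory front, 'database' back (a dict stands in for the Trac DB table).
    Entries carry an expiry; the memory stage is bounded and pruned."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested
        self.mem = {}           # key -> (expires_at, value), per Python process
        self.db = {}            # key -> (expires_at, value), shared by all processes
        self.warnings = []      # messages that would go to the log

    def get(self, key):
        now = self.clock()
        for stage in (self.mem, self.db):
            entry = stage.get(key)
            if entry is None:
                continue
            expires_at, value = entry
            if expires_at > now:
                if stage is self.db:          # promote a database hit into memory
                    self._store_mem(key, expires_at, value)
                return value
            del stage[key]                    # expired: flush it from this stage
        return None

    def set(self, key, value):
        expires_at = self.clock() + CACHE_TTL
        self.db[key] = (expires_at, value)
        self._store_mem(key, expires_at, value)

    def _store_mem(self, key, expires_at, value):
        if key not in self.mem and len(self.mem) >= CACHE_MEMSIZE:
            self._prune()
        self.mem[key] = (expires_at, value)
        if len(self.mem) >= CACHE_MEMSIZE_WARN:
            self.warnings.append("memory cache at %d entries" % len(self.mem))

    def _prune(self):
        # Evict the CACHE_MEMPRUNE percent of entries that expire soonest.
        n = max(1, len(self.mem) * CACHE_MEMPRUNE // 100)
        for key, _ in sorted(self.mem.items(), key=lambda kv: kv[1][0])[:n]:
            del self.mem[key]


def demo():
    """Constructed walk-through: cache a user's Trac groups, serve it from memory,
    then from the database after a 'new process', then see it expire."""
    t = [1000.0]
    cache = TwoStageCache(clock=lambda: t[0])
    groups = ["CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com",
              "CN=Domain Admins,CN=Users,DC=example,DC=com"]   # constructed DNs
    cache.set("alice", [dn_to_trac_group(g) for g in groups])
    hit = cache.get("alice")                 # memory hit
    del cache.mem["alice"]                   # simulate a fresh Python process
    from_db = cache.get("alice")             # database hit, promoted to memory
    t[0] += CACHE_TTL + 1                    # advance past the TTL
    expired = cache.get("alice")             # flushed from both stages
    return hit, from_db, expired


if __name__ == "__main__":
    print(demo())
```

The database stage is what lets every Python instance share one set of directory lookups; the memory stage avoids even the database round trip, and the prune step keeps it bounded so a burst of distinct logins cannot grow it without limit.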
    122  
    123 If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN. 
    124  
    125 == Common Errors == 
    126  
    127 If you see Trac throw an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268, the global catalog port.  This may happen when AD is running across multiple machines. 
    128  
    129 == Recent Changes == 
    130  
    131 [[ChangeLog(activedirectoryauthplugin, 3)]] 
    132  
    133 == Author/Contributors == 
    134  
    135 '''Author:''' [wiki:pacopablo] [[BR]] 
    136 '''Maintainer:''' sandinak [[BR]] 
    137 '''Contributors:''' 
     1[[redirect(wiki:DirectoryAuthPlugin)]]