1 | | [[PageOutline(2-5,Contents,pullout)]] |
2 | | = Active Directory Auth Plugin = |
3 | | |
4 | | '''NOTE:''' Major changes from 0.3 |
5 | | - conf variables are renamed for standardization |
6 | | - now more directory type agnostic |
7 | | - soon will be renamed to DirectoryAuthPlugin |
8 | | |
9 | | == Description == |
10 | | |
11 | | The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory. |
12 | | |
13 | | Users are authenticated by performing an ldap_bind against the AD server using their credentials. The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table. See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why. |
14 | | |
15 | | == Groups == |
16 | | - One can specify a group which users must be a member of in order to log in. |
17 | | - Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission. |
18 | | - Finally, !ActiveDirectory groups are extended into the trac namespace. They can be used to extend permissions by AD group. |
19 | | - AD groups are prefixed by @ |
20 | | - group names are lowercase and spaces are replaced with underscores. |
21 | | |
22 | | See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details. |
23 | | |
24 | | == Caching == |
25 | | Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. This caches data in the database for all instances of python, and in memory for each instance; while maintaining expiration and flushing the cache(s) as necessary. See: [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details. |
26 | | |
27 | | == Bugs/Feature Requests == |
28 | | |
29 | | Existing bugs and feature requests for ActiveDirectoryAuthPlugin are |
30 | | [report:9?COMPONENT=ActiveDirectoryAuthPlugin here]. |
31 | | |
32 | | If you have any issues, create a |
33 | | [http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket]. |
34 | | |
35 | | == Download == |
36 | | |
37 | | Download the zipped source from [download:activedirectoryauthplugin here] |
38 | | |
39 | | == Source == |
40 | | |
41 | | You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac. |
42 | | |
43 | | == Install == |
44 | | |
45 | | ==== Prerequisites ==== |
46 | | |
47 | | - You must install AccountManagerPlugin in order to use this plugin. |
48 | | - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here] |
49 | | |
50 | | ==== Installation ==== |
51 | | |
52 | | Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins] |
53 | | |
54 | | - starting with 0.3, a database upgrade will be required as part of the installation. |
55 | | 1. install the plugin and it's prerequisites |
56 | | 1. update the database |
57 | | {{{ |
58 | | #!sh |
59 | | trac-admin /var/trac/instance upgrade |
60 | | }}} |
61 | | 1. restart the trac service or your webserver. |
62 | | |
63 | | == Examples == |
64 | | '''NOTE: this has changed from 0.3 to 0.4!!!!''' |
65 | | |
66 | | All config options go under the [account-manager] config heading. Options for this module are: |
67 | | |
68 | | {{{ |
69 | | #!ini |
70 | | [account-manager] |
71 | | #--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager |
72 | | password_store = ADAuthStore |
73 | | #--define the Active Directory host address here. A port other than default(389) is set as |
74 | | # ldap://hostname:port or ldaps://hostname:port |
75 | | dir_uri = ldap://adserver.example.com |
76 | | #-- the Active Directory's base DN to search from, this is likely just your domain |
77 | | dir_basedn = DC=example,DC=com |
78 | | #-- the user/password to search the directory from, it must be a valid |
79 | | dir_binddn = ldapuser@example.com |
80 | | dir_bindpw = ldapuserpassword |
81 | | #-- timeout for an ldap operation before in seconds |
82 | | dir_timeout = 5 |
83 | | #-- the default charset for the ldap server |
84 | | dir_charset = utf-9 |
85 | | ##### Userinfo |
86 | | #-- the attribute containing the users login name, THIS MUST BE UNIQUE! |
87 | | user_attr = sAMAccountName |
88 | | #-- the attribute containing the users display name |
89 | | name_attr = displayName |
90 | | #-- the attribute containing the users email addy |
91 | | email_attr = mail |
92 | | ##### Groups |
93 | | #-- where to look for groups, uses dir_basedn if not defined. |
94 | | group_basedn = ou=Groups,dc=foo,dc=net |
95 | | #-- expand directory groups |
96 | | group_expand = 1 |
97 | | #-- the name of a group .. uses user_attr if not defined. |
98 | | group_attr = cn |
99 | | #-- which attribute to look in for members |
100 | | group_member_attr = member |
101 | | #-- what to look for in the member_attr |
102 | | group_member_value = dn |
103 | | #-- the dn of a group that has valid users, all users if not enabled |
104 | | group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com |
105 | | #-- the DN for a group automagically given TRAC_ADMIN |
106 | | # if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as: |
107 | | # [trac] |
108 | | # permission_store = UserExtensiblePermissionStore |
109 | | group_tracadmin = CN=Administration,DC=example,DC=com |
110 | | #### Cache Tuning |
111 | | #-- cached entry time to live in seconds |
112 | | cache_ttl= 90 |
113 | | #-- memorycache size in entries, and a highwater warning mark |
114 | | cache_memsize = 400 |
115 | | cache_memsize_warn 300 |
116 | | #-- memory cache prune size in percentage |
117 | | cache_memprune = 5 |
118 | | |
119 | | [trac] |
120 | | permission_store = UserExtensiblePermissionStore |
121 | | }}} |
122 | | |
123 | | If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN. |
124 | | |
125 | | == Common Errors == |
126 | | |
127 | | If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268. This may happen when AD is running across multiple machines. |
128 | | |
129 | | == Recent Changes == |
130 | | |
131 | | [[ChangeLog(activedirectoryauthplugin, 3)]] |
132 | | |
133 | | == Author/Contributors == |
134 | | |
135 | | '''Author:''' [wiki:pacopablo] [[BR]] |
136 | | '''Maintainer:''' sandinak [[BR]] |
137 | | '''Contributors:''' |
| 1 | [[redirect(wiki:DirectoryAuthPlugin)]] |