Version 13 (modified by sandinak, 21 months ago) (diff)

Active Directory Auth Plugin

Description

The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.

Users are authenticated by performing an ldap_bind against the AD server using their credentials. The plugin will also pull the email address and display name from Active Directory and populate the session_attribute table. See "Populating 'Assign To' Drop Down in Trac" for more information on why.

Groups

  • One can specify a group which users must be a member of in order to log in.
  • Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
  • Finally, ActiveDirectory groups are extended into the trac namespace. They can be used to extend permissions by AD group.
    • AD groups are prefixed by @
    • group names are lowercase and spaces are replaced with underscores.

See GroupManagement for more details.
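The three naming rules above (prefix @, lowercase, spaces to underscores) and the two group checks (auth_group gates login, admin_group grants TRAC_ADMIN) are small enough to show end to end. The following is an added illustration written for this page, not the plugin's own code: it evaluates a user from a list of memberOf DNs, and the sample DNs, the function names and the simplified DN parsing are all assumptions.

```python
"""Map Active Directory group DNs into the Trac '@group' namespace and
apply the auth_group / admin_group checks described on the wiki page.
Added example, not the plugin's code; sample DNs below are constructed."""
import re


def parse_rdns(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas
    (e.g. 'CN=Smith\\, John,OU=Users,DC=example,DC=com')."""
    return [p.replace("\\,", ",") for p in re.split(r"(?<!\\),", dn)]


def group_cn(dn):
    """Return the CN value of the first RDN, or None if it is not a CN."""
    attr, _, value = parse_rdns(dn)[0].partition("=")
    return value if attr.strip().upper() == "CN" else None


def trac_group_name(dn):
    """Apply the page's rules: prefix '@', lowercase, spaces -> underscores."""
    cn = group_cn(dn)
    if cn is None:
        return None
    return "@" + cn.strip().lower().replace(" ", "_")


def dn_equal(a, b):
    """Compare two DNs ignoring case and whitespace around the separators,
    so a group configured as 'cn=x, dc=example, dc=com' still matches."""
    norm = lambda d: tuple(p.strip().lower() for p in parse_rdns(d))
    return norm(a) == norm(b)


def evaluate_user(member_of, auth_group=None, admin_group=None):
    """Decide whether a user may log in and which Trac groups/permissions
    they receive from their memberOf attribute values:
      - if auth_group is set, the user must be a member of it to log in;
      - membership of admin_group grants TRAC_ADMIN;
      - every AD group is also exposed as a Trac group '@name'."""
    groups = sorted(g for g in (trac_group_name(dn) for dn in member_of) if g)
    can_login = auth_group is None or any(dn_equal(dn, auth_group) for dn in member_of)
    perms = set()
    if admin_group and any(dn_equal(dn, admin_group) for dn in member_of):
        perms.add("TRAC_ADMIN")
    return {"can_login": can_login, "groups": groups, "permissions": perms}


# Constructed memberOf values for a hypothetical user (not from the page).
SAMPLE_MEMBER_OF = [
    "CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=example,DC=com",
    "CN=Trac Developers,OU=Groups,DC=example,DC=com",
    "CN=Administration,DC=example,DC=com",
]

if __name__ == "__main__":
    result = evaluate_user(
        SAMPLE_MEMBER_OF,
        auth_group="CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=example,DC=com",
        admin_group="CN=Administration,DC=example,DC=com",
    )
    for key, value in result.items():
        print(key, value)
```

Note that the DN comparison is deliberately forgiving about case and spacing, because a group DN typed into trac.ini rarely matches the server's canonical form byte for byte; a strict string compare there would silently lock everyone out of login or out of TRAC_ADMIN.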

Caching

Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. The first stage lives in the database and is shared by all Python processes serving the site; the second is an in-memory cache private to each process. Entries expire after a configurable timeout and the cache(s) are flushed as necessary. See: CacheManagement for details.
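To make the two stages concrete, here is an added sketch of such a cache, written for this page rather than taken from the plugin: a per-process dict in front of a shared SQLite table, with expiry and pruning driven by the three tunables the configuration below calls cache_timeout, memcache_size and memcache_prune_percent. The table layout, class and method names, and the eviction policy are assumptions; the plugin's real implementation is described on CacheManagement.

```python
"""Two-tier cache: per-process memory tier over a shared SQLite tier,
with entry expiry and pruning of the memory tier.  Added illustration of
the design described on the page, not the plugin's code; table name,
method names and eviction policy are assumptions."""
import sqlite3
import time


class TwoTierCache:
    def __init__(self, db, cache_timeout=90, memcache_size=100,
                 memcache_prune_percent=5, clock=time.time):
        self.db = db                      # shared connection = the "database" tier
        self.timeout = cache_timeout      # seconds an entry stays valid
        self.size = memcache_size         # max entries in this process's memory tier
        self.prune = max(1, memcache_size * memcache_prune_percent // 100)
        self.clock = clock                # injectable for deterministic testing
        self.mem = {}                     # key -> (expires_at, value)
        self.db.execute("CREATE TABLE IF NOT EXISTS ad_cache "
                        "(cache_key TEXT PRIMARY KEY, value TEXT, expires REAL)")
        self.db.commit()

    def get(self, key):
        """Memory tier first, then database tier; expired rows are dropped."""
        now = self.clock()
        hit = self.mem.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.mem.pop(key, None)           # absent or expired in memory
        row = self.db.execute(
            "SELECT value, expires FROM ad_cache WHERE cache_key = ?", (key,)).fetchone()
        if row is not None and row[1] > now:
            self.mem[key] = (row[1], row[0])   # promote into this process's memory
            return row[0]
        if row is not None:               # expired in the database: flush it
            self.db.execute("DELETE FROM ad_cache WHERE cache_key = ?", (key,))
            self.db.commit()
        return None

    def set(self, key, value):
        """Write to both tiers; prune memory when it is at capacity."""
        expires = self.clock() + self.timeout
        if len(self.mem) >= self.size:
            self._prune_memory()
        self.mem[key] = (expires, value)
        self.db.execute("INSERT OR REPLACE INTO ad_cache VALUES (?, ?, ?)",
                        (key, value, expires))
        self.db.commit()

    def _prune_memory(self):
        """Evict memcache_prune_percent of capacity, soonest-to-expire first
        (already-expired entries sort first, so they go before live ones)."""
        for k in sorted(self.mem, key=lambda k: self.mem[k][0])[:self.prune]:
            del self.mem[k]

    def flush(self, key=None):
        """Drop one key, or everything, from both tiers."""
        if key is None:
            self.mem.clear()
            self.db.execute("DELETE FROM ad_cache")
        else:
            self.mem.pop(key, None)
            self.db.execute("DELETE FROM ad_cache WHERE cache_key = ?", (key,))
        self.db.commit()


def demo():
    """Two 'processes' (separate memory tiers, shared database) under a manual
    clock: the reader finds the writer's entry via the database tier, the
    entry then expires, and the writer's memory tier is pruned when full."""
    now = [1000.0]
    clock = lambda: now[0]
    db = sqlite3.connect(":memory:")
    writer = TwoTierCache(db, cache_timeout=90, memcache_size=4,
                          memcache_prune_percent=50, clock=clock)
    reader = TwoTierCache(db, cache_timeout=90, memcache_size=4,
                          memcache_prune_percent=50, clock=clock)
    writer.set("user:jdoe:groups", "@alltechs,@trac_developers")   # constructed value
    from_db = reader.get("user:jdoe:groups")      # miss in memory, hit in database
    in_mem = "user:jdoe:groups" in reader.mem     # promoted after the hit
    now[0] += 91                                  # past cache_timeout
    expired = reader.get("user:jdoe:groups")      # None: flushed from both tiers
    for i in range(5):                            # overfill writer's memory tier
        writer.set("k%d" % i, "v")
    return from_db, in_mem, expired, len(writer.mem)


if __name__ == "__main__":
    print(demo())
```

The clock is injected so that expiry can be exercised without sleeping; in production the default time.time applies. Keeping the memory tier bounded matters on a long-running mod_wsgi or mod_python process, since every user who ever logged in would otherwise accumulate there.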

Bugs/Feature Requests

Existing bugs and feature requests for ActiveDirectoryAuthPlugin are here.

If you have any issues, create a new ticket.

Download

Download the zipped source from here

Source

You can check out ActiveDirectoryAuthPlugin from here using Subversion, or browse the source with Trac.

Install

Prerequisites

Installation

Follow the Trac documentation on how to install Trac plugins

  • starting with 0.3, a database upgrade will be required as part of the installation.
    1. install the plugin and its prerequisites
    2. update the database:
        trac-admin /var/trac/instance upgrade
    3. restart apache

Examples

All config options go under the [account-manager] config heading. Options for this module are:

[account-manager]
#-- to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#-- define the Active Directory host address here.  A port other than the default (389) is set as
#   hostname:port
ad_server = adserver.example.com
#-- the Active Directory's base DN to search from, this is likely just your domain
base_dn = DC=example,DC=com
#-- the user/password to search active directory from, it must be a valid
bind_dn = ldapuser@example.com
bind_passwd = ldapuserpassword
#-- show disabled users
#   remember users MUST have logged in to get into the session table before they
#   show up.
show_disabled_users = 1
#-- timeout in seconds for an ldap operation
ldap_timeout = 5
#-- the default charset for the ldap server
charset = utf-8
#-- the DN (distinguished name) for the group that contains users that can login to Trac
#   if this isn't specified then any valid user in active directory is accepted
auth_group = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for the group that contains users that should have the TRAC_ADMIN
#   permission.  If this option is not given, no user groups will be given the
#   TRAC_ADMIN permission.  If this option is enabled you must specify the
#   UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
admin_group = CN=Administration,DC=example,DC=com
#-- cached entry timeout in seconds
cache_timeout = 90
#-- memory cache size in entries
memcache_size = 100
#-- memory cache prune size in percentage
memcache_prune_percent = 5

[trac]
permission_store = UserExtensiblePermissionStore

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN. Note that bind_passwd is stored in clear text in trac.ini, so that file should be readable only by the account Trac runs as.

Common Errors

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268 (the Global Catalog port) instead. This may happen when AD is running across multiple machines.

Recent Changes

[12046] by hasienda on 2012-09-21 22:38:03
AccountManagerPlugin: Restore translatable email input field label, refs #874.

And I recover pre-existing translations (from before [11930]) here too.

[12013] by sandinak on 2012-09-17 20:54:23
added fixes for group name attributes.

[12012] by sandinak on 2012-09-17 19:37:14
added support for separate groupdn searching when needed.

Author/Contributors

Author: pacopablo
Maintainer: sandinak
Contributors: