[[PageOutline]]
= AD Group Management =

The plugin extends Directory group membership into the Trac namespace. This means you can specify permissions for different groups of authenticated individuals.

== Theory ==
LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group. When a group named in the permissions is looked up, the group is expanded to its members, and those members are then used for matching.

== Usage ==

 1. create the groups in the directory you'd like (say cn=Staff,dc=home,dc=net)
 2. add users to the groups
 3. go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. So for example use Grant Permission with
Subject: @staff
Permission: WIKI_EDIT

'''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.
== Validation ==
To validate users, you'll need to log in with permissions on the TRAC_HOME directory, and then use
{{{
me@here > sudo trac-admin /var/trac/mytrac permission list {user}
}}}

== Configuration ==

Any groups found under the base_dn will be expanded into the namespace
 - each group will have its name normalized by changing it to lower case and changing spaces to underscores
 - the group name will be prefixed by an @ sign

{{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} becomes {{{@domain_users}}}
== Example Configurations ==
For example:
{{{
@domain_users BLOG_CREATE
@domain_users BLOG_MODIFY_ALL
@domain_users BLOG_MODIFY_OWN
@domain_users BROWSER_VIEW
@domain_users DISCUSSION_APPEND
@domain_users MYPAGE_VIEW
@domain_users PRIVATE_EDIT_ATOL_SECURE
@domain_users PRIVATE_VIEW_ATOL_SECURE
@domain_users REPORT_SQL_VIEW
@domain_users RES_RESERVE_MODIFY
@domain_users RES_RESERVE_VIEW
@domain_users RIPE_EDIT
@domain_users TICKET_ADMIN
@domain_users TSTATS_VIEW
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@domain_users XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops PRIVATE_EDIT_OPS_SECURE
@ops XML_RPC
@sysops DISCUSSION_ADMIN
@sysops RIPE_ADMIN
@sysops TICKET_EDIT_CC
@sysops WIKI_DELETE
@trac_admin TRAC_ADMIN
...
}}}

 - This gives the @domain_users group from AD a specific set of perms
 - the @branch_admins are using the PrivateWiki plugin to hide their passwords
 - as are the @ops group
 - @sysops are god-like.
 - @trac_admins are .. well, trac_admins ;-)
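As an added illustration (not the plugin's own code), the following Python sketch applies the normalization rule from the Configuration section and the expand-then-match step from the Theory section to a subset of the example permission table above. The directory groups, member DNs, logins and the DN-to-login mapping are all constructed for the example.

```python
import re

# Constructed sample directory (not a live AD): group DN -> member DNs.
GROUPS = {
    "cn=Domain Users,cn=Users,dc=ad,dc=com": [
        "cn=Alice Smith,cn=Users,dc=ad,dc=com",
        "cn=Bob Jones,cn=Users,dc=ad,dc=com",
    ],
    "cn=Branch Admins,cn=Users,dc=ad,dc=com": ["cn=Alice Smith,cn=Users,dc=ad,dc=com"],
    "cn=SysOps,cn=Users,dc=ad,dc=com": ["cn=Bob Jones,cn=Users,dc=ad,dc=com"],
}

# Constructed member DN -> Trac login (in practice an attribute lookup such as uid).
LOGIN_FOR_DN = {
    "cn=Alice Smith,cn=Users,dc=ad,dc=com": "alice",
    "cn=Bob Jones,cn=Users,dc=ad,dc=com": "bob",
}

# Subset of the example permission table on this page: (subject, action).
PERMISSIONS = [
    ("@domain_users", "WIKI_CREATE"),
    ("@domain_users", "TICKET_ADMIN"),
    ("@branch_admins", "PRIVATE_VIEW_BRANCH_SECURE"),
    ("@sysops", "WIKI_DELETE"),
    ("@trac_admin", "TRAC_ADMIN"),
]

def normalize_group(dn):
    """Page rule: take the group's cn, lower-case it, turn spaces into
    underscores and prefix '@'. Splits on the first unescaped comma so a
    cn containing an escaped comma (e.g. 'Smith\\, John') is not truncated."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("group DN must start with cn=: %r" % dn)
    return "@" + value.strip().lower().replace(" ", "_")

def groups_for_user(login):
    """Expand each directory group to its members (the Theory section's
    step) and return the normalized names of the groups containing login."""
    return {normalize_group(dn) for dn, members in GROUPS.items()
            if any(LOGIN_FOR_DN.get(m) == login for m in members)}

def effective_permissions(login):
    """Match the user's expanded groups against the subject column."""
    mine = groups_for_user(login)
    return sorted(action for subject, action in PERMISSIONS if subject in mine)
```

Because the normalization is lossy (case-folding plus space-to-underscore), two distinct directory groups such as "Domain Users" and "domain_users" collapse to the same @domain_users subject; when reviewing a permission table it is worth checking the directory for such collisions, since the lower-privilege group would silently inherit the other's grants.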