Changes between Initial Version and Version 1 of DirectoryAuthPlugin/GroupManagement


Timestamp:
Sep 18, 2012 12:29:04 PM (2 years ago)
Author:
rjollos
Comment:

Content moved from ActiveDirectoryAuthPlugin/GroupManagement.

  • DirectoryAuthPlugin/GroupManagement

    v1 v1  
     1[[PageOutline]] 
     2= AD Group Management = 
     3 
     4The plugin extends Directory group membership into the trac namespace.  This means you can specify permissions for different groups of authenticated individuals.  
     5 
     6== Theory == 
     7 LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group.  When a request for a group, as defined in the permissions, is searched, the group is expanded to the members.  It's then used to match. 
     8 
     9== Usage ==  
     10 
     11 1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net )  
     12 2. add users to the groups 
     13 3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with 
     14    Subject: @staff 
     15    Permission: WIKI_EDIT 
     16 
     17'''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.  
     18== Validation == 
     19 To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use 
     20{{{ 
     21 me@here > sudo trac-admin /var/trac/mytrac permission list {user}  
     22}}} 
     23 
     24== Configuration == 
     25 
     26 Any groups found under the base_dn will be expanded into the name space 
     27 - each group will have the name normalized by changing it to lower case, and changing spaces to underscores 
     28 - the group name will be prefixed by an @ sign 
     29 
     30   {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users 
     31== Example Configurations ==  
     32For example: 
     33{{{ 
     34@domain_users          BLOG_CREATE 
     35@domain_users          BLOG_MODIFY_ALL 
     36@domain_users          BLOG_MODIFY_OWN 
     37@domain_users          BROWSER_VIEW 
     38@domain_users          DISCUSSION_APPEND 
     39@domain_users          MYPAGE_VIEW 
     40@domain_users          PRIVATE_EDIT_ATOL_SECURE 
     41@domain_users          PRIVATE_VIEW_ATOL_SECURE 
     42@domain_users          REPORT_SQL_VIEW 
     43@domain_users          RES_RESERVE_MODIFY 
     44@domain_users          RES_RESERVE_VIEW 
     45@domain_users          RIPE_EDIT 
     46@domain_users          TICKET_ADMIN 
     47@domain_users          TSTATS_VIEW 
     48@domain_users          WIKI_CREATE 
     49@domain_users          WIKI_RENAME 
     50@domain_users          XML_RPC 
     51@branch_admins PRIVATE_VIEW_BRANCH_SECURE 
     52@ops           PRIVATE_EDIT_OPS_SECURE 
     53@ops           XML_RPC   
     54@sysops        DISCUSSION_ADMIN 
     55@sysops        RIPE_ADMIN  
     56@sysops        TICKET_EDIT_CC 
     57@sysops        WIKI_DELETE 
     58@trac_admin    TRAC_ADMIN                
     59 ... 
     60}}} 
     61 
     62 - This gives the @domain_users group from AD a specific set of perms 
     63 - the @branch_admins are using the PrivateWiki plugin to hide their passwords 
     64 - as are the @ops group 
     65 - @sysops are god like.  
     66 - @trac_admins are .. well well trac_admins ;-)
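
Review bot: In the Example Configurations listing (lines 34-50), @domain_users, which the Configuration section maps to cn=Domain Users, is granted TICKET_ADMIN, REPORT_SQL_VIEW and XML_RPC, so anyone copying the example gives ticket administration and XML-RPC access to every member of that directory group. Suggest trimming the @domain_users rows to the view/edit permissions and leaving administrative ones on @sysops or @trac_admin, or stating that the listing is one site's setup rather than a recommended baseline. The Configuration section (lines 26-28) should also spell out a consequence of the normalization rule: since names are lower-cased and spaces become underscores, two distinct groups under base_dn (hypothetical names: "Trac Admin" and "trac_admin") would both resolve to @trac_admin and share its grants, so base_dn is best pointed at a subtree that holds only the groups meant to carry Trac permissions. Smaller points: the last bullet says @trac_admins while the listing grants TRAC_ADMIN to @trac_admin; "@sysops are god like" does not match the listing, where TRAC_ADMIN is on @trac_admin and not on @sysops; "Ao for example" (line 13) and "wiht" (line 19) are typos; and the "== Validation ==" and "== Example Configurations ==" headings lack the blank line the other headings have before them.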