
AD Group Management

The plugin extends Directory group membership into the trac namespace. This means you can specify permissions for different groups of authenticated individuals.

Theory

LDAP represents a group as an entry of a group objectClass, which usually carries a member or memberUID attribute identifying each person in the group. When a group named in the permissions is looked up, the group entry is expanded into its member list, and that list is then matched against the authenticated user.

Usage

  1. create the groups you'd like in the directory (say cn=Staff,dc=home,dc=net)
  2. add users to the groups
  3. go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. So, for example, use Grant Permission with Subject: @staff Permission: WIKI_EDIT

NOTE: groups will NOT show up per user until they're defined from the Permissions page.

Validation

To validate users, you'll need to log in with permissions on the TRAC_HOME directory and then run

 me@here > sudo trac-admin /var/trac/mytrac permission list {user} 

Configuration

Any groups found under the base_dn will be expanded into the namespace.

  • each group will have the name normalized by changing it to lower case, and changing spaces to underscores
  • the group name will be prefixed by an @ sign

cn=Domain Users,cn=Users,dc=ad,dc=com == @domain_users

Example Configurations

For example:

@domain_users          BLOG_CREATE
@domain_users          BLOG_MODIFY_ALL
@domain_users          BLOG_MODIFY_OWN
@domain_users          BROWSER_VIEW
@domain_users          DISCUSSION_APPEND
@domain_users          MYPAGE_VIEW
@domain_users          PRIVATE_EDIT_ATOL_SECURE
@domain_users          PRIVATE_VIEW_ATOL_SECURE
@domain_users          REPORT_SQL_VIEW
@domain_users          RES_RESERVE_MODIFY
@domain_users          RES_RESERVE_VIEW
@domain_users          RIPE_EDIT
@domain_users          TICKET_ADMIN
@domain_users          TSTATS_VIEW
@domain_users          WIKI_CREATE
@domain_users          WIKI_RENAME
@domain_users          XML_RPC
@branch_admins         PRIVATE_VIEW_BRANCH_SECURE
@ops                   PRIVATE_EDIT_OPS_SECURE
@ops                   XML_RPC
@sysops                DISCUSSION_ADMIN
@sysops                RIPE_ADMIN
@sysops                TICKET_EDIT_CC
@sysops                WIKI_DELETE
@trac_admin            TRAC_ADMIN
 ...
  • This gives the @domain_users group from AD a specific set of perms
  • the @branch_admins group uses the PrivateWiki plugin to hide its passwords
  • as does the @ops group
  • @sysops are god-like.
  • @trac_admins are .. well, trac_admins ;-)
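To make the Theory and Configuration sections concrete, here is an added example (not the plugin's own code) that walks through the whole chain: normalizing a group DN into its @-prefixed Trac subject, expanding only the groups that the permission table actually names (the NOTE under Usage), and computing the permissions a user ends up with. The directory snapshot and the permission table are constructed sample data in the layout shown above; the assumption that a member's cn is the Trac login name is mine.

```python
"""Added illustration of Directory group -> Trac subject mapping.

Not the DirectoryAuthPlugin's code. Assumptions (not from the page):
directory entries are dicts with a 'dn' and a 'member' list of user DNs,
and the cn of a member DN is the Trac login name.
"""

import re

# Constructed directory snapshot standing in for LDAP search results
DIRECTORY = [
    {"dn": "cn=Domain Users,cn=Users,dc=ad,dc=com",
     "member": ["cn=alice,cn=Users,dc=ad,dc=com",
                "cn=bob,cn=Users,dc=ad,dc=com"]},
    {"dn": "cn=Sysops,cn=Users,dc=ad,dc=com",
     "member": ["cn=bob,cn=Users,dc=ad,dc=com"]},
    # Never granted anything in PERMISSIONS, so it is never expanded
    {"dn": "cn=Guests,cn=Users,dc=ad,dc=com",
     "member": ["cn=carol,cn=Users,dc=ad,dc=com"]},
]

# Constructed permission table in the page's "subject action" layout
PERMISSIONS = """
@domain_users  WIKI_CREATE
@domain_users  WIKI_RENAME
@sysops        WIKI_DELETE
alice          REPORT_SQL_VIEW
 ...
"""


def group_name(dn):
    """Normalize a group DN: '@' + lower-cased cn with runs of spaces as '_'."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    return "@" + re.sub(r"\s+", "_", cn.strip().lower())


def user_id(member_dn):
    """Trac login name of a member entry (assumed to be the cn)."""
    return member_dn.split(",", 1)[0].split("=", 1)[1]


def parse_permissions(text):
    """Return {subject: set(actions)} from the whitespace-separated table."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank lines and the '...' continuation marker
        subject, action = parts
        table.setdefault(subject, set()).add(action)
    return table


def expand_groups(directory, referenced):
    """Map user -> set of @groups, expanding only groups the table names."""
    membership = {}
    for entry in directory:
        name = group_name(entry["dn"])
        if name not in referenced:
            continue  # not defined on the Permissions page: invisible to users
        for member in entry.get("member", []):
            membership.setdefault(user_id(member), set()).add(name)
    return membership


def effective_permissions(user, directory=DIRECTORY, perm_text=PERMISSIONS):
    """(actions, groups): what the user holds directly plus via expanded groups."""
    table = parse_permissions(perm_text)
    group_subjects = {s for s in table if s.startswith("@")}
    membership = expand_groups(directory, group_subjects)
    groups = membership.get(user, set())
    actions = set()
    for subject in {user} | groups:
        actions |= table.get(subject, set())
    return actions, groups


if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        actions, groups = effective_permissions(login)
        print(login, sorted(groups), sorted(actions))
```

Running the block lists each constructed user's groups and actions; carol, whose only group is never granted a permission, ends up with no groups at all, which is exactly the behaviour the NOTE above describes.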
Last modified on Sep 18, 2012 12:29:04 PM