Theory of Operations
I am writing this page to help others understand the use, operations and limitations of this plugin.
- One can specify a group which users must be a member of in order to log in.
- Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
- Finally, directory groups are extended into the Trac namespace, where they can be used to extend permissions by group.
  - Directory groups are prefixed by @.
  - Group names are lowercase, and spaces are replaced with underscores.
Groups are now searched using a reverse hierarchy methodology:
- The user's DN is extracted based on the username.
- All user groups the user belongs to are extracted by searching for Member=$dn.
- The user groups are then searched for any entries with objectClass=group that belong to the group's DN, and these are added to the list.
See GroupManagement for more details.
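
The reverse-hierarchy search and the group naming rule described above, as an added example (not the plugin's own code). The directory is a constructed in-memory list standing in for LDAP searches; the function names, the `username` key and the sample DNs are assumptions.

```python
from collections import deque

# Constructed sample directory (stand-in for LDAP search results).
ENTRIES = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=org", "objectClass": "user",
     "username": "alice", "member": []},
    {"dn": "CN=Trac Users,OU=Groups,DC=example,DC=org", "objectClass": "group",
     "member": ["CN=alice,OU=Users,DC=example,DC=org",
                "CN=Engineering,OU=Groups,DC=example,DC=org"]},  # cycle back
    {"dn": "CN=Engineering,OU=Groups,DC=example,DC=org", "objectClass": "group",
     "member": ["CN=Trac Users,OU=Groups,DC=example,DC=org"]},
    {"dn": "CN=Trac Admins,OU=Groups,DC=example,DC=org", "objectClass": "group",
     "member": ["CN=bob,OU=Users,DC=example,DC=org"]},
]


def find_user_dn(username):
    """Step 1: map the login name to the user's DN (None if unknown)."""
    for e in ENTRIES:
        if e["objectClass"] == "user" and e.get("username") == username:
            return e["dn"]
    return None


def groups_with_member(dn):
    """Stand-in for a directory search on objectClass=group and Member=<dn>."""
    return [e["dn"] for e in ENTRIES
            if e["objectClass"] == "group" and dn in e["member"]]


def trac_group_name(group_dn):
    """Naming rule: '@' prefix, lowercase, spaces to underscores.
    Naive CN parse; assumes no escaped commas in the first RDN."""
    cn = group_dn.split(",", 1)[0].split("=", 1)[1]
    return "@" + cn.lower().replace(" ", "_")


def resolve_groups(username):
    """Walk upward from the user to every direct and nested group."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return set()  # unknown user: no groups, so no group permissions
    seen, queue = set(), deque([user_dn])
    while queue:
        for group_dn in groups_with_member(queue.popleft()):
            if group_dn not in seen:  # guards against membership cycles
                seen.add(group_dn)
                queue.append(group_dn)
    return {trac_group_name(dn) for dn in seen}
```

The `seen` set matters because nested groups can contain each other; without it the upward walk would never terminate on the sample data.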
Given the expense of traversing the network for authorizations, a two-stage cache has been implemented.
- Data is cached into memory for quick lookups on repeat operations.
- Data is also cached in the database so that lookups can pass between instances of Python without going to the network.
See: CacheManagement for details.