Changes between Version 2 and Version 3 of DirectoryAuthPlugin/TheoryOfOperation


Timestamp: Mar 22, 2015, 11:45:27 AM (9 years ago)
Author: figaro
Comment: Cosmetic changes

  • DirectoryAuthPlugin/TheoryOfOperation

    v2 v3  
    11
    2 = Theory of Operations =
     2= Theory of Operations
    33 
    4 I am writing this page to help others understand the use, operations and limitations of this plugin.
     4This page to help others understand the use, operations and limitations of the DirectoryAuthPlugin.
    55
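Review bot: The v3 introduction on new line 4 has lost its verb. Removing "I am writing" left "This page to help others understand ...", which is not a sentence. Suggest "This page is intended to help others understand the use, operations and limitations of the DirectoryAuthPlugin."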
    6 == Groups ==
     6== Groups
     7
    78 - One can specify a group which users must be a member of in order to log in. 
    8  - Additionally, one may specify an ''admin'' group.  If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
    9  - Finally, Directory groups are extended into the trac namespace. They can be used to extend permissions by group.
    10    - directory groups are prefixed by @
     9 - Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
     10 - Finally, Directory groups are extended into the Trac namespace. They can be used to extend permissions by group.
     11   - directory groups are prefixed by `@`
    1112   - group names are lowercase and spaces are replaced with underscores.
    1213
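Review bot: Missing documentation on the unchanged bullet "group names are lowercase and spaces are replaced with underscores". The page does not say what happens when two distinct directory groups normalize to the same `@` name, which matters because Trac permissions are then granted by that name. Suggest adding a sentence on how such a collision is handled, and stating whether the ''admin'' group setting is compared against the directory's own name or the normalized one, since a match grants `TRAC_ADMIN` automatically.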
    13 === Searching ===
     14=== Searching
     15
    1416Groups are now searched using a reverse hierarchy methodology:
    15  1. Users DN is extracted based on the username
    16  1. All usergroups the user belongs to is extracted by searching for Member=$dn
    17  1. User groups are then searched for any with type objectClass=group and belonging to the groups DN and added to the list.
     17 1. Users [https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx DN] is extracted based on the username.
     18 1. All usergroups that the user belongs to are extracted by searching for `Member=$dn`.
     19 1. User groups are then searched for any with type `objectClass=group` and belonging to the groups DN and added to the list.
    1820
    19  See [DirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
     21See [DirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
    2022
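Review bot: Step 3 on new line 19 is still ambiguous after the edit. "belonging to the groups DN" does not say which DN is meant, so a reader cannot tell whether nested groups are followed one level or all the way up. Suggest naming it explicitly, for example "the DN of each group found in step 2", and saying whether the search repeats for the groups it finds. New line 17 also keeps "Users DN" where "The user's DN" is meant, and the `Member=$dn` filter on line 18 would benefit from a note on whether the DN is escaped before substitution.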
    21 == Caching ==
     23== Caching
    2224
    23 Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. 
     25Given the expense of traversing the network for authorizations, a two-stage cache has been implemented: 
    2426
    2527 1. Data is cached into memory for quick lookups on repeat operations. 
    26  1. Data is also cached in the database so that lookups can pass between instances of python w/o requiring going to the network.
     28 1. Data is also cached in the database so that lookups can pass between instances of python without requiring going to the network.
    2729
    28  See: [DirectoryAuthPlugin/CacheManagement CacheManagement] for details.
     30See: [DirectoryAuthPlugin/CacheManagement CacheManagement] for details.
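Review bot: Missing documentation in the Caching section. With authorization data held both in memory and in the database, the page does not say how long an entry is served before the directory is queried again, so a reader cannot tell how quickly removal from a group, including the ''admin'' group, takes effect in Trac. Suggest one sentence here giving the cache lifetime or naming the setting covered in CacheManagement. As style points, capitalize "Python" on new line 28 and drop the colon after "See" on new line 30 to match line 21.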