Changes between Version 2 and Version 3 of DirectoryAuthPlugin/TheoryOfOperation
Timestamp: Mar 22, 2015, 11:45:27 AM
DirectoryAuthPlugin/TheoryOfOperation (text as of version 3)
= Theory of Operations =

This page is meant to help others understand the use, operation and limitations of the DirectoryAuthPlugin.

== Groups ==

 - One can specify a group of which users must be a member in order to log in.
 - Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, they are automatically granted the `TRAC_ADMIN` permission.
 - Finally, directory groups are extended into the Trac namespace, so they can be used to grant permissions by group.
 - Directory groups are prefixed by `@`.
 - Group names are lowercased and spaces are replaced with underscores.

=== Searching ===

Groups are searched using a reverse hierarchy methodology:
 1. The user's [https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx DN] is extracted based on the username.
 1. All groups the user belongs to are extracted by searching for `Member=$dn`.
 1. Each of those groups is then searched for in turn: any entry with `objectClass=group` whose membership includes that group's DN is added to the list.

See [DirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
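The three-step search and the group-name mapping above, as an added example that is not the plugin's own code: it runs against a constructed in-memory directory instead of a live LDAP server, and the attribute names (`sAMAccountName`, `objectClass`, `member`, `cn`) are an Active Directory assumption. It also adds a visited-set so a cyclic nested-group membership cannot loop forever.

```python
# Added example, not the plugin's own code: the reverse-hierarchy group lookup
# described above, run against a constructed in-memory directory rather than a
# live LDAP server. Attribute names follow Active Directory conventions.
USERS, GROUPS = "OU=Users,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
# Constructed sample data: one user, three nested groups, and a deliberate cycle
# (All Staff is itself a member of Trac Users) to exercise the loop guard.
DIRECTORY = [
    {"dn": f"CN=Jane Doe,{USERS}", "objectClass": "user", "sAMAccountName": "jdoe"},
    {"dn": f"CN=Trac Users,{GROUPS}", "objectClass": "group", "cn": "Trac Users",
     "member": [f"CN=Jane Doe,{USERS}", f"CN=All Staff,{GROUPS}"]},
    {"dn": f"CN=Trac Admins,{GROUPS}", "objectClass": "group", "cn": "Trac Admins",
     "member": [f"CN=Trac Users,{GROUPS}"]},
    {"dn": f"CN=All Staff,{GROUPS}", "objectClass": "group", "cn": "All Staff",
     "member": [f"CN=Trac Admins,{GROUPS}", f"CN=Trac Users,{GROUPS}"]},
]

def search(attr, value):
    """Stand-in for an LDAP equality search (attr=value); list-valued attributes match any element."""
    return [e for e in DIRECTORY
            if e.get(attr) == value or (isinstance(e.get(attr), list) and value in e[attr])]

def user_dn(username):
    """Step 1: the user's DN is looked up from the login name."""
    hits = [e for e in search("sAMAccountName", username) if e["objectClass"] == "user"]
    return hits[0]["dn"] if hits else None

def trac_group_name(cn):
    """Directory group -> Trac group: '@' prefix, lowercase, spaces to underscores."""
    return "@" + cn.strip().lower().replace(" ", "_")

def resolve_groups(username):
    """Steps 2 and 3: follow member= links upward from the user DN; DNs already
    visited are skipped so nested or cyclic memberships cannot loop forever."""
    dn = user_dn(username)
    seen, queue, names = set(), [dn] if dn else [], []
    while queue:
        for g in search("member", queue.pop(0)):
            if g["objectClass"] == "group" and g["dn"] not in seen:
                seen.add(g["dn"])
                names.append(trac_group_name(g["cn"]))
                queue.append(g["dn"])
    return names

def permissions(username, login_group, admin_group):
    """None unless the user is in login_group; admin_group also grants TRAC_ADMIN."""
    groups = resolve_groups(username)
    if trac_group_name(login_group) not in groups:
        return None
    return set(groups) | ({"TRAC_ADMIN"} if trac_group_name(admin_group) in groups else set())
```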
== Caching ==

Given the expense of traversing the network for authorizations, a two-stage cache has been implemented:

 1. Data is cached in memory for quick lookups on repeat operations.
 1. Data is also cached in the database so that lookups can be shared between Python processes without going to the network.

See [DirectoryAuthPlugin/CacheManagement CacheManagement] for details.