[[PageOutline(2-5,Contents,pullout)]]
= Active Directory Auth Plugin =

'''NOTE:''' Major changes from 0.3
- conf variables are renamed for standardization
- now more directory type agnostic
- soon will be renamed to DirectoryAuthPlugin

== Description ==

The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.

Users are authenticated by performing an ldap_bind against the AD server using their credentials. The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table. See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.

== Groups ==
- One can specify a group that users must be a member of in order to log in.
- Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
- Finally, !ActiveDirectory groups are extended into the trac namespace. They can be used to extend permissions by AD group.
- AD groups are prefixed by @
- group names are lowercase and spaces are replaced with underscores.

See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
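As an added illustration (not the plugin's own code), the following Python shows two things a deployer should understand about the flow above: the login name a user types must be escaped before it is placed into the `user_attr` search filter, and AD group DNs map onto the `@` Trac groups and the valid-users / admin decisions described here. The RDN parsing is deliberately simplified and the escaping is reimplemented so the snippet runs without python-ldap.

```python
# Added example, not part of ActiveDirectoryAuthPlugin: login-name escaping for the
# user_attr search filter and the AD-group -> Trac-group mapping described on this page.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules).

    python-ldap provides ldap.filter.escape_filter_chars for this; it is
    reimplemented here so the example runs without the library installed."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def user_search_filter(user_attr, login):
    """Filter locating the account whose user_attr equals the login name.

    Unescaped, a login like '*)(objectClass=*' would turn into a wildcard search."""
    return '(%s=%s)' % (user_attr, escape_filter_value(login))

def trac_group_name(group_cn):
    """Map an AD group name into the Trac namespace: '@' prefix, lowercase, spaces -> underscores."""
    return '@' + group_cn.strip().lower().replace(' ', '_')

def group_cn_from_dn(dn):
    """Simplified RDN parsing (assumption: the first RDN is CN=... with no escaped commas)."""
    _attr, _, value = dn.split(',', 1)[0].partition('=')
    return value

def authorize(member_of, group_validusers=None, group_tracadmin=None):
    """Apply group_validusers / group_tracadmin to a user's memberOf DNs.

    Returns (may_login, is_admin, trac_groups); DNs are compared case-insensitively."""
    dns = {dn.lower() for dn in member_of}
    may_login = group_validusers is None or group_validusers.lower() in dns
    is_admin = group_tracadmin is not None and group_tracadmin.lower() in dns
    groups = sorted(trac_group_name(group_cn_from_dn(dn)) for dn in member_of)
    return may_login, is_admin, groups
```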

== Caching ==
Because every authorization lookup is a round trip over the network, a two-stage cache has been implemented: data is cached in the database, shared by all Python instances, and in memory within each instance, with expiration and flushing of the cache(s) as necessary. See [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details.

== Bugs/Feature Requests ==

Existing bugs and feature requests for ActiveDirectoryAuthPlugin are
[report:9?COMPONENT=ActiveDirectoryAuthPlugin here].

If you have any issues, create a
[http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket].

== Download ==

Download the zipped source from [download:activedirectoryauthplugin here]

== Source ==

You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac.

== Install ==

==== Prerequisites ====

- You must install AccountManagerPlugin in order to use this plugin.
- Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here]

==== Installation ====

Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins]

- starting with 0.3, a database upgrade is required as part of the installation.
 1. install the plugin and its prerequisites
 1. update the database
{{{
#!sh
trac-admin /var/trac/instance upgrade
}}}
 1. restart the trac service or your webserver.

== Examples ==
'''NOTE: this has changed from 0.3 to 0.4!!!!'''

All config options go under the [account-manager] config heading. Options for this module are:

{{{
#!ini
[account-manager]
#-- to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#-- define the Active Directory host address here. A port other than the default (389) is set as
#   ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://adserver.example.com
#-- the Active Directory's base DN to search from, this is likely just your domain
dir_basedn = DC=example,DC=com
#-- the user/password used to search the directory; it must be a valid
dir_binddn = ldapuser@example.com
dir_bindpw = ldapuserpassword
#-- timeout in seconds for an ldap operation
dir_timeout = 5
#-- the default charset for the ldap server
dir_charset = utf-8
##### Userinfo
#-- the attribute containing the user's login name, THIS MUST BE UNIQUE!
user_attr = sAMAccountName
#-- the attribute containing the user's display name
name_attr = displayName
#-- the attribute containing the user's email address
email_attr = mail
##### Groups
#-- where to look for groups, uses dir_basedn if not defined.
group_basedn = ou=Groups,dc=foo,dc=net
#-- expand directory groups
group_expand = 1
#-- the attribute holding a group's name .. uses user_attr if not defined.
group_attr = cn
#-- which attribute to look in for members
group_member_attr = member
#-- what to look for in the member_attr
group_member_value = dn
#-- the DN of a group whose members are valid users; all users are valid if not set
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN of a group automatically given TRAC_ADMIN
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
group_tracadmin = CN=Administration,DC=example,DC=com
#### Cache Tuning
#-- cached entry time to live in seconds
cache_ttl = 90
#-- memory cache size in entries, and a high-water warning mark
cache_memsize = 400
cache_memsize_warn = 300
#-- memory cache prune size in percentage
cache_memprune = 5

[trac]
permission_store = UserExtensiblePermissionStore
}}}

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
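Before restarting Trac it is worth checking the fragment above for the mistakes this page warns about. The following Python is an added example (not the plugin's code) that parses a trac.ini fragment and reports the options the plugin needs, the `permission_store` requirement that `group_tracadmin` brings with it, a warning mark set above the cache size, and a plain `ldap://` URI, which sends the bind password and every user's password over the network unencrypted; the sample fragments it ships with are constructed, not a real deployment.

```python
import configparser
from urllib.parse import urlsplit

# Added example, not the plugin's code: pre-restart sanity check of the options this page documents.
def check_ad_auth_config(ini_text):
    """Return 'ERROR: ...' / 'WARN: ...' strings for a trac.ini fragment; [] means it looks fine."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(ini_text)
    except configparser.Error as exc:  # e.g. "cache_memsize_warn 300" with the '=' missing
        return ['ERROR: trac.ini does not parse: %s' % exc]
    am = cp['account-manager'] if cp.has_section('account-manager') else {}
    problems = []
    if am.get('password_store') != 'ADAuthStore':
        problems.append('ERROR: password_store must be ADAuthStore')
    for key in ('dir_uri', 'dir_basedn', 'dir_binddn', 'dir_bindpw'):
        if not am.get(key):
            problems.append('ERROR: %s is not set' % key)
    scheme = urlsplit(am.get('dir_uri', '')).scheme
    if scheme not in ('ldap', 'ldaps'):
        problems.append('ERROR: dir_uri must be ldap://host[:port] or ldaps://host[:port]')
    elif scheme == 'ldap':
        problems.append('WARN: dir_uri uses plain ldap://; bind and user passwords cross the network unencrypted')
    store = cp.get('trac', 'permission_store', fallback='')
    if am.get('group_tracadmin') and store != 'UserExtensiblePermissionStore':
        problems.append('ERROR: group_tracadmin requires [trac] permission_store = UserExtensiblePermissionStore')
    size, warn = am.get('cache_memsize'), am.get('cache_memsize_warn')
    if size and warn:
        try:
            if int(warn) >= int(size):
                problems.append('ERROR: cache_memsize_warn must be below cache_memsize')
        except ValueError:
            problems.append('ERROR: cache_memsize and cache_memsize_warn must be integers')
    return problems

# Constructed sample (not a real deployment); BAD_INI derives three mistakes from it.
GOOD_INI = """[account-manager]
password_store = ADAuthStore
dir_uri = ldaps://adserver.example.com:636
dir_basedn = DC=example,DC=com
dir_binddn = ldapuser@example.com
dir_bindpw = ldapuserpassword
group_tracadmin = CN=Administration,DC=example,DC=com
cache_memsize = 400
cache_memsize_warn = 300
[trac]
permission_store = UserExtensiblePermissionStore"""
BAD_INI = GOOD_INI.replace('ldaps://', 'ldap://').replace('warn = 300', 'warn = 500').split('[trac]')[0]
```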

== Common Errors ==

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268 (the Global Catalog port). This may happen when AD is running across multiple machines.

== Recent Changes ==

[[ChangeLog(activedirectoryauthplugin, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:pacopablo] [[BR]]
'''Maintainer:''' sandinak [[BR]]
'''Contributors:'''