| | 1 | [[PageOutline(2-5,Contents,pullout)]] |
| | 2 | = Active Directory Auth Plugin = |
| | 3 | |
| | 4 | '''NOTE:''' Major changes from 0.3 |
| | 5 | - conf variables are renamed for standardization |
| | 6 | - now more directory type agnostic |
| | 7 | - soon will be renamed to DirectoryAuthPlugin |
| | 8 | |
| | 9 | == Description == |
| | 10 | |
| | 11 | The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory. |
| | 12 | |
| | 13 | Users are authenticated by performing an ldap_bind against the AD server using their credentials. The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table. See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why. |
| | 14 | |
| | 15 | == Groups == |
| | 16 | - One can specify a group which users must be a member of in order to log in. |
| | 17 | - Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission. |
| | 18 | - Finally, !ActiveDirectory groups are extended into the trac namespace. They can be used to extend permissions by AD group. |
| | 19 | - AD groups are prefixed by @ |
| | 20 | - group names are lowercase and spaces are replaced with underscores. |
| | 21 | |
| | 22 | See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details. |
| | 23 | |
| | 24 | == Caching == |
| | 25 | Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. This caches data in the database for all instances of python, and in memory for each instance; while maintaining expiration and flushing the cache(s) as necessary. See: [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details. |
| | 26 | |
| | 27 | == Bugs/Feature Requests == |
| | 28 | |
| | 29 | Existing bugs and feature requests for ActiveDirectoryAuthPlugin are |
| | 30 | [report:9?COMPONENT=ActiveDirectoryAuthPlugin here]. |
| | 31 | |
| | 32 | If you have any issues, create a |
| | 33 | [http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket]. |
| | 34 | |
| | 35 | == Download == |
| | 36 | |
| | 37 | Download the zipped source from [download:activedirectoryauthplugin here] |
| | 38 | |
| | 39 | == Source == |
| | 40 | |
| | 41 | You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac. |
| | 42 | |
| | 43 | == Install == |
| | 44 | |
| | 45 | ==== Prerequisites ==== |
| | 46 | |
| | 47 | - You must install AccountManagerPlugin in order to use this plugin. |
| | 48 | - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here] |
| | 49 | |
| | 50 | ==== Installation ==== |
| | 51 | |
| | 52 | Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins] |
| | 53 | |
| | 54 | - starting with 0.3, a database upgrade will be required as part of the installation. |
| | 55 | 1. install the plugin and it's prerequisites |
| | 56 | 1. update the database |
| | 57 | {{{ |
| | 58 | #!sh |
| | 59 | trac-admin /var/trac/instance upgrade |
| | 60 | }}} |
| | 61 | 1. restart the trac service or your webserver. |
| | 62 | |
| | 63 | == Examples == |
| | 64 | '''NOTE: this has changed from 0.3 to 0.4!!!!''' |
| | 65 | |
| | 66 | All config options go under the [account-manager] config heading. Options for this module are: |
| | 67 | |
| | 68 | {{{ |
| | 69 | #!ini |
| | 70 | [account-manager] |
| | 71 | #--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager |
| | 72 | password_store = ADAuthStore |
| | 73 | #--define the Active Directory host address here. A port other than default(389) is set as |
| | 74 | # ldap://hostname:port or ldaps://hostname:port |
| | 75 | dir_uri = ldap://adserver.example.com |
| | 76 | #-- the Active Directory's base DN to search from, this is likely just your domain |
| | 77 | dir_basedn = DC=example,DC=com |
| | 78 | #-- the user/password to search the directory from, it must be a valid |
| | 79 | dir_binddn = ldapuser@example.com |
| | 80 | dir_bindpw = ldapuserpassword |
| | 81 | #-- timeout for an ldap operation before in seconds |
| | 82 | dir_timeout = 5 |
| | 83 | #-- the default charset for the ldap server |
| | 84 | dir_charset = utf-9 |
| | 85 | ##### Userinfo |
| | 86 | #-- the attribute containing the users login name, THIS MUST BE UNIQUE! |
| | 87 | user_attr = sAMAccountName |
| | 88 | #-- the attribute containing the users display name |
| | 89 | name_attr = displayName |
| | 90 | #-- the attribute containing the users email addy |
| | 91 | email_attr = mail |
| | 92 | ##### Groups |
| | 93 | #-- where to look for groups, uses dir_basedn if not defined. |
| | 94 | group_basedn = ou=Groups,dc=foo,dc=net |
| | 95 | #-- expand directory groups |
| | 96 | group_expand = 1 |
| | 97 | #-- the name of a group .. uses user_attr if not defined. |
| | 98 | group_attr = cn |
| | 99 | #-- which attribute to look in for members |
| | 100 | group_member_attr = member |
| | 101 | #-- what to look for in the member_attr |
| | 102 | group_member_value = dn |
| | 103 | #-- the dn of a group that has valid users, all users if not enabled |
| | 104 | group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com |
| | 105 | #-- the DN for a group automagically given TRAC_ADMIN |
| | 106 | # if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as: |
| | 107 | # [trac] |
| | 108 | # permission_store = UserExtensiblePermissionStore |
| | 109 | group_tracadmin = CN=Administration,DC=example,DC=com |
| | 110 | #### Cache Tuning |
| | 111 | #-- cached entry time to live in seconds |
| | 112 | cache_ttl= 90 |
| | 113 | #-- memorycache size in entries, and a highwater warning mark |
| | 114 | cache_memsize = 400 |
| | 115 | cache_memsize_warn 300 |
| | 116 | #-- memory cache prune size in percentage |
| | 117 | cache_memprune = 5 |
| | 118 | |
| | 119 | [trac] |
| | 120 | permission_store = UserExtensiblePermissionStore |
| | 121 | }}} |
| | 122 | |
| | 123 | If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN. |
| | 124 | |
| | 125 | == Common Errors == |
| | 126 | |
| | 127 | If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268. This may happen when AD is running across multiple machines. |
| | 128 | |
| | 129 | == Recent Changes == |
| | 130 | |
| | 131 | [[ChangeLog(activedirectoryauthplugin, 3)]] |
| | 132 | |
| | 133 | == Author/Contributors == |
| | 134 | |
| | 135 | '''Author:''' [wiki:pacopablo] [[BR]] |
| | 136 | '''Maintainer:''' sandinak [[BR]] |
| | 137 | '''Contributors:''' |
