Changes between Version 5 and Version 6 of DirectoryAuthPlugin


Ignore:
Timestamp:
Sep 18, 2012, 2:50:20 PM (2 years ago)
Author:
sandinak
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • DirectoryAuthPlugin

    v5 v6  
    1010== Description ==
    1111
    12 The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled service including [[http://www.openldap.org|OpenLdap]], [[http://en.wikipedia.org/wiki/Active_Directory|ActiveDirectory]] and [[en.wikipedia.org/wiki/Apple_Open_Directory|OpenDirectory]].
     12The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from [http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Lightweight Directory Access Protocol (LDAP)] enabled service including [http://www.openldap.org OpenLdap], [http://en.wikipedia.org/wiki/Active_Directory ActiveDirectory] and [http://en.wikipedia.org/wiki/Apple_Open_Directory OpenDirectory].
    1313
    1414Users are authenticated by performing an ldap_bind against a directory using their credentials.  The plugin will also pull the email address and displayName from Directory and populate the `session_attribute` table.  See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.
     
    2222 - Can expand directory groups into the Trac namespace
    2323
    24 See: [DirectoryAuthPlugin/TheoryOfOperation] for details
     24See: [./TheoryOfOperation]
    2525
    2626
     
    6161   1. restart the trac service or your webserver.
    6262
    63 == Examples ==
    64 '''NOTE: this has changed from 0.3 to 0.4!!!!'''
     63See [./ConfigurationExamples]
    6564
    66 All config options go under the [account-manager] config heading.  Options for this module are:
    67 
    68 {{{
    69 #!ini
    70 [account-manager]
    71 #--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
    72 password_store = ADAuthStore
    73 #--define the Active Directory host address here.  A port other than default(389) is set as
    74 #  ldap://hostname:port or ldaps://hostname:port
    75 dir_uri = ldap://adserver.example.com
    76 #-- the Active Directory's base DN to search from, this is likely just your domain
    77 dir_basedn = DC=example,DC=com
    78 #-- the user/password to search the directory from, it must be a valid
    79 dir_binddn = ldapuser@example.com
    80 dir_bindpw = ldapuserpassword
    81 #-- timeout for an ldap operation before in seconds
    82 dir_timeout = 5
    83 #-- the default charset for the ldap server
    84 dir_charset = utf-9
    85 ##### Userinfo
    86 #-- the attribute containing the users login name, THIS MUST BE UNIQUE!
    87 user_attr = sAMAccountName
    88 #-- the attribute containing the users display name
    89 name_attr = displayName
    90 #-- the attribute containing the users email addy
    91 email_attr = mail
    92 ##### Groups
    93 #-- where to look for groups, uses dir_basedn if not defined.
    94 group_basedn = ou=Groups,dc=foo,dc=net
    95 #-- expand directory groups
    96 group_expand = 1
    97 #-- the name of a group .. uses user_attr if not defined.
    98 group_attr = cn
    99 #-- which attribute to look in for members
    100 group_member_attr = member
    101 #-- what to look for in the member_attr
    102 group_member_value = dn
    103 #-- the dn of a group that has valid users, all users if not enabled
    104 group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
    105 #-- the DN for a group automagically given TRAC_ADMIN
    106 #   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
    107 #   [trac]
    108 #   permission_store = UserExtensiblePermissionStore
    109 group_tracadmin = CN=Administration,DC=example,DC=com
    110 #### Cache Tuning
    111 #-- cached entry time to live in seconds
    112 cache_ttl= 90
    113 #-- memorycache size in entries, and a highwater warning mark
    114 cache_memsize = 400
    115 cache_memsize_warn = 300
    116 #-- memory cache prune size in percentage
    117 cache_memprune = 5
    118 
    119 [trac]
    120 permission_store = UserExtensiblePermissionStore
    121 }}}
    122 
    123 If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
    12465
    12566== Common Errors ==