wiki:DirectoryAuthPlugin

Directory Auth Plugin

Description

The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from an LDAP-enabled (Lightweight Directory Access Protocol) directory service, including OpenLdap, ActiveDirectory and OpenDirectory.

Users are authenticated by performing an ldap_bind against the directory using their own credentials. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table with them.
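
The lookup-then-bind flow described above, as an added example that is not the plugin's own code: it assumes a python-ldap compatible connection object (search_s / simple_bind_s) and that the email address lives in the standard mail attribute; FakeDirectory at the end is a constructed in-memory stand-in so the example runs offline.

```python
SCOPE_SUBTREE = 2  # same value python-ldap uses for ldap.SCOPE_SUBTREE

def escape_filter(value):
    """Escape a user-supplied value for an LDAP filter (RFC 4515) so a username
    such as '*' or 'x)(uid=admin' cannot change the meaning of the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def to_text(attrs, name):
    """python-ldap returns attribute values as lists of bytes; take the first."""
    values = attrs.get(name) or []
    return values[0].decode("utf-8") if values else None

def lookup_user(conn, base_dn, uid_attr, username):
    """Service-account (or anonymous) search for the user's DN and attributes."""
    flt = "(&(objectClass=person)(%s=%s))" % (uid_attr, escape_filter(username))
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ["mail", "displayName"])
    hits = [(dn, attrs) for dn, attrs in hits if dn]  # AD also returns referrals with dn=None
    return hits[0] if len(hits) == 1 else None  # unknown or ambiguous user: refuse

def authenticate(connect, base_dn, uid_attr, username, password):
    """Return session attributes on success, None on failure. connect() must
    return a python-ldap compatible connection already bound for lookups."""
    if not password:
        return None  # empty password = unauthenticated bind, which many servers accept
    found = lookup_user(connect(), base_dn, uid_attr, username)
    if found is None:
        return None
    dn, attrs = found
    try:
        connect().simple_bind_s(dn, password)  # the actual credential check
    except Exception:  # python-ldap raises ldap.INVALID_CREDENTIALS; fail closed either way
        return None
    return {"dn": dn, "email": to_text(attrs, "mail"), "name": to_text(attrs, "displayName")}

class FakeDirectory:
    """Constructed stand-in for a python-ldap connection; a real deployment
    would pass a factory around ldap.initialize(...) instead."""
    ENTRIES = {"uid=alice,ou=people,dc=example,dc=com": {
        "uid": [b"alice"], "mail": [b"alice@example.com"], "displayName": [b"Alice Example"]}}
    PASSWORDS = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}

    def search_s(self, base, scope, flt, attrlist):
        wanted = flt.split("(uid=")[1].rstrip(")")  # toy filter parser, uid only
        return [(dn, e) for dn, e in self.ENTRIES.items() if e["uid"][0].decode() == wanted]

    def simple_bind_s(self, dn, password):
        if self.PASSWORDS.get(dn) != password:
            raise Exception("INVALID_CREDENTIALS")  # stands in for ldap.INVALID_CREDENTIALS
```

The empty-password check matters because a simple bind with a DN and no password is an unauthenticated bind that many directories accept, which would log any known user in without a credential.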

Key features:

  • Can use a service account to do lookups, or anonymous binding.
  • Can use SSL if openssl is configured correctly.
  • Configurable: many options to deal with the differences between directories and schema.
  • Uses both memory and db based caching to improve performance.
  • Supports large directories:
    • Searches Groups more efficiently using Member.
    • Recurses up the tree to find subgroups.
  • Can expand directory groups into the Trac namespace.

See: TheoryOfOperation

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.

  • defect: 25 / 39
  • enhancement: 5 / 7
  • task: 1 / 2

Download

Download the zipped source from here.

Source

You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.

Installation

Prerequisites

  • You must install AccountManagerPlugin to use this plugin.
  • Python-LDAP is also required.
  • For SSL, you will have to install and configure OpenSSL to work with valid certificates. You can test using ldapsearch -Z.

Installation steps

Follow the Trac documentation on how to install Trac plugins.

  • Starting with v0.3, a database upgrade is required as part of the installation:
    1. Install the plugin and its prerequisites.
    2. Upgrade the database:
       trac-admin /var/trac/instance upgrade
    3. Restart the tracd service or your webserver.

See ConfigurationExamples.

Common Issues

  • When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use:
    joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldaps://ldap.base.net -s one 'objectclass=person'
    The -d8 should show you the TLS errors.
  • If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, then try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.

Recent Changes

[14503] by rjollos on 2015-03-22 23:25:42
2.0.0dev: Sweeping fixes of indentation and style code violations.

The plugin is probably still not working correctly. Incremental fixes will be provided from this baseline. The plugin needs to be adapted to the Trac 1.0 database API.

[13570] by rjollos on 2014-01-11 20:39:26
Replace table name ad_cache with dir_cache in database queries. Fixes #11495.

This change was necessary after [12767]. Patch by patrick.

[13391] by rjollos on 2013-09-18 08:24:57
Use IntOption for integer configuration options. Refs #10581.

Thanks to korn for the patch.

Author/Contributors

Author: pacopablo
Maintainer: rjollos
Contributors: sandinak

Last modified on Apr 19, 2015, 1:36:10 PM