Version 3 (modified by rjollos, 3 years ago)
Active Directory Auth Plugin
NOTE: Major changes from 0.3
- conf variables are renamed for standardization
- now more directory type agnostic
- soon will be renamed to DirectoryAuthPlugin
The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.
Users are authenticated by performing an ldap_bind against the AD server using their credentials. The plugin will also pull the email address and display name from Active Directory and populate the session_attribute table. See Populating 'Assign To' Drop Down in Trac for more information on why.
- One can specify a group which users must be a member of in order to log in.
- Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
- Finally, ActiveDirectory groups are extended into the trac namespace. They can be used to extend permissions by AD group.
- AD groups are prefixed by @
- group names are lowercase and spaces are replaced with underscores.
See GroupManagement for more details.
Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. It caches data in the database (shared by all Python processes) and in memory (per process), expiring entries and flushing the cache(s) as necessary. See: CacheManagement for details.
If you have any issues, create a new ticket.
Download the zipped source from here
- You must install AccountManagerPlugin in order to use this plugin.
- Python-LDAP is also required and can be downloaded here
Follow the Trac documentation on how to install Trac plugins.
- starting with 0.3, a database upgrade is required as part of the installation.
- install the plugin and its prerequisites
- update the database
trac-admin /var/trac/instance upgrade
- restart the trac service or your webserver.
NOTE: this has changed from 0.3 to 0.4!
All config options go under the [account-manager] config heading. Options for this module are:
[account-manager]
#-- to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#-- define the Active Directory host address here. A port other than the default (389) is set as
#   ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://adserver.example.com
#-- the Active Directory's base DN to search from, this is likely just your domain
dir_basedn = DC=example,DC=com
#-- the user/password to search the directory from, it must be a valid
dir_binddn = firstname.lastname@example.org
dir_bindpw = ldapuserpassword
#-- timeout in seconds for an ldap operation
dir_timeout = 5
#-- the default charset for the ldap server
dir_charset = utf-8
##### Userinfo
#-- the attribute containing the user's login name, THIS MUST BE UNIQUE!
user_attr = sAMAccountName
#-- the attribute containing the user's display name
name_attr = displayName
#-- the attribute containing the user's email address
email_attr = mail
##### Groups
#-- where to look for groups, uses dir_basedn if not defined.
group_basedn = ou=Groups,dc=foo,dc=net
#-- expand directory groups
group_expand = 1
#-- the attribute holding the name of a group, uses user_attr if not defined.
group_attr = cn
#-- which attribute to look in for members
group_member_attr = member
#-- what to look for in the member_attr
group_member_value = dn
#-- the DN of a group that has valid users, all users if not enabled
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for a group automagically given TRAC_ADMIN
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
group_tracadmin = CN=Administration,DC=example,DC=com
#### Cache Tuning
#-- cached entry time to live in seconds
cache_ttl = 90
#-- memory cache size in entries, and a high-water warning mark
cache_memsize = 400
cache_memsize_warn = 300
#-- memory cache prune size in percent
cache_memprune = 5

[trac]
permission_store = UserExtensiblePermissionStore
If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/password is correct, try connecting to Active Directory on port 3268 (the Global Catalog port). This may happen when AD is running across multiple machines.
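As an added example (not the plugin's own code), the group rules from the list above (@ prefix, lowercase, spaces to underscores, group_validusers gate, group_tracadmin grant) applied to the [account-manager] options just shown and a constructed set of group DNs. The configparser-based loader and the case-insensitive DN comparison are assumptions of this example; python-ldap and the actual bind are left out.

```python
import configparser

# Constructed sample of the [account-manager] options shown on this page (not a live config).
SAMPLE_INI = """\
[account-manager]
password_store = ADAuthStore
dir_uri = ldap://adserver.example.com
dir_basedn = DC=example,DC=com
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
group_tracadmin = CN=Administration,DC=example,DC=com
"""


def load_dir_options(text):
    """Parse the [account-manager] section into a plain dict (assumed loader)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["account-manager"])


def trac_group_name(group_cn):
    """Map a directory group CN into the Trac namespace as the page describes:
    prefixed with '@', lowercased, spaces replaced with underscores."""
    return "@" + group_cn.strip().lower().replace(" ", "_")


def cn_of(dn):
    """Value of the first RDN of a DN, e.g. 'CN=Alltechs,OU=...' -> 'Alltechs'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def evaluate_user(opts, member_of):
    """Decide login, TRAC_ADMIN and Trac group names for a user from the DNs of the
    directory groups the user belongs to (what the plugin reads after a successful bind).
    DNs are compared case-insensitively here; that is an assumption of this example."""
    have = {dn.lower() for dn in member_of}
    valid = opts.get("group_validusers")
    # no group_validusers configured -> all authenticated users may log in
    allowed = not valid or valid.lower() in have
    admin_dn = opts.get("group_tracadmin")
    admin = bool(admin_dn) and admin_dn.lower() in have
    groups = sorted(trac_group_name(cn_of(dn)) for dn in member_of)
    return {"allowed": allowed, "admin": admin, "groups": groups}
```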
- by rjollos on 2015-03-22 23:25:42
2.0.0dev: Sweeping fixes of indentation and style code violations.
The plugin is probably still not working correctly. Incremental fixes will be provided from this baseline. The plugin needs to be adapted to the Trac 1.0 database API.
- by rjollos on 2014-01-11 20:39:26
Replace table name ad_cache with dir_cache in database queries. Fixes #11495.
This change was necessary after . Patch by patrick.
- by rjollos on 2013-09-18 08:24:57
Use IntOption for integer configuration options. Refs #10581.
Thanks to korn for the patch.