Version 4 (modified by harbulot, 5 years ago)


(I thought I'd published this as I had been trying this out, only to realise that this was mostly redundant with the LdapAuthStorePlugin. I'll compare and provide contributions for the TracLdapAuthPlugin instead.)


I've tried to integrate the LdapPlugin with the AccountManagerPlugin, so as to be able to authenticate via the form provided via the account manager (instead of relying on Apache Httpd or other server authentication) and manage passwords.

The LdapAccountManagerPasswordStore in this file implements an IPasswordStore (see AccountManagerPlugin), which can currently check and set a password, and get the list of users.

This has been tested rather successfully with Trac 0.11.6, but you're going to need to apply the fix in 6183 first, and apply this patch to LdapPlugin's


    a b setup ( 
    2020    entry_points = {
    2121        'trac.plugins': [
    2222            'ldapplugin.api = ldapplugin.api',
     23            'ldapplugin.acctmgr = ldapplugin.acctmgr'
    2324        ]
    2425    }
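
Review bot: the new 'ldapplugin.acctmgr = ldapplugin.acctmgr' entry at new line 23 is registered unconditionally, so every install of the plugin will try to load the acctmgr module even where AccountManagerPlugin is absent. Either declare that dependency in setup() or make the module's import of the account manager API fail soft, and say which in the install notes. Minor style point: the preceding 'ldapplugin.api' entry ends with a comma, so add a trailing comma here too to keep the next addition a one-line diff.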

(AccountManagerPlugin also needs to be installed.)


There is no major change compared with the LdapPlugin configuration. You'll probably need to set the bind user to an account that is allowed to list users and change passwords in your LDAP server (see bind_user).

The AccountManagerPlugin should be configured like this:

    password_file = /path/to/trac.htpasswd
    password_store = LdapAccountManagerPasswordStore, HtPasswdStore

Extra notes

  • This is an early implementation; rely on it at your own risk.
  • Relying on IPasswordStore.get_users() might not be ideal for a large LDAP directory (displaying every user on the admin page might not be appropriate in this case). Currently, the AccountManagerPlugin preference panel relies on calling this to display the preference panel for a given user, rather than using has_user().
  • LDAP could be a good place to store the user's full name and e-mail address. Unfortunately, this seems harder to hook into Trac since (at least in version 0.11) this is handled separately in the main SQL database by the core API.
  • Setting the password will currently use the {SHA} method in LDAP. Other methods could be implemented.


This code was developed by Bruno Harbulot, based on the existing code in the LdapPlugin.
