Changes between Version 15 and Version 16 of LdapPlugin
- Timestamp: Jun 20, 2006, 12:30:54 AM (18 years ago)
LdapPlugin
v15 v16 344 344 345 345 Starting from release '''v0.4.1''', the LdapPlugin permission store offers two ways to store group membership: 346 *Permission-based management (default setting):[[BR]]346 1. Permission-based management (default setting):[[BR]] 347 347 In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, which leads to manage permissions concurrently from the permission actions and the existing LDAP groups 348 * Ldap group management (recommended settings):[[BR]] 349 In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups 348 1. Ldap group management (recommended settings):[[BR]] 349 In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups[[BR]] 350 351 ==== Activation ==== 350 352 351 353 The new group management scheme can be activated using the `manage_groups` option. 354 355 ==== Example ==== 356 The following permission command 357 {{{ 358 permission add eblot @developers 359 }}} 360 would lead to a very modification in the LDAP directory 361 362 1. The ''permission-based'' setting would add a `tracperm` attribute to the user entry 363 {{{ 364 # eblot, people, example.org 365 dn: uid=eblot,ou=people,dc=example.org 366 objectClass: tracuser 367 tracperm: @developers 368 ... 369 }}} 370 1. The ''LDAP group'' setting would add a new `member` attribute to the group entry 371 {{{ 372 # developers, groups, example.org 373 dn: cn=developers,ou=groups,dc=example.org 374 objectClass: groupOfNames 375 objectClass: tracgroup 376 member: uid=eblot,ou=people,dc=example.org 377 ... 
378 }}} 352 379 353 380 ==== Important notes ==== … … 356 383 The above point means that the Trac administrator should probably creates the users and the groups from outside the Trac administration console (or [trac:wiki:WebAdmin WebAdmin]). LdapPlugin is designed to integrate Trac with an existing LDAP directory, not to manage the directory. 357 384 1. Default LDAP group policy usually requires that each group contains at least one member. If the administrator tries to remove the last member of a LDAP group, the LdapPlugin may refuse to perform this action (depending on the LDAP server setup). 385 1. Note that LDAP group management only deals with explicit groups, ''i.e.'' any word that starts with a `@` character. You can therefore mix aliases and LDAP directory groups: 386 * {{{permission add eblot devteam}}} is a group alias, managed as any Trac permission 387 * {{{permission add devteam @developers}}} is managed as a LDAP directory group (if `manage_groups` option is enabled) 358 388 359 389 == Known limitations == … … 387 417 * '''v0.4.0''': Major rewrite of the LdapPlugin to support Trac trunk [trac:changeset:3419 3419], including better support for groups (user dns may be part of a different subtree than group dns, such as `ou=people` vs. `ou=groups`), improved cache management, as well as many bug fixes and code clean up. 388 418 * '''v0.4.1''': Introduce a new feature: group management is done as addition and removal to the LDAP groups of names: instead of storing groups as trac permissions (as the default permission store does), the plugin is not able to add and remove members to the LDAP group of names. 419 * '''v0.4.2''': Fix up an important issue with the management of the caches. The plugin has also been tested with the [trac:wiki:WebAdmin WebAdmin] plugin. 389 420 390 421 == Author/Contributors ==
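Review bot: in the new Example section of the first hunk (v16 lines 355-378), the sentence "would lead to a very modification in the LDAP directory" is missing a word, presumably "different", and the LDIF samples write the suffix as `dc=example.org` while the comment lines above them (`# eblot, people, example.org`) are how a DN ending in `dc=example,dc=org` is normally displayed. Suggest fixing the sentence and using `dc=example,dc=org` in both `dn:` lines and in the `member:` value so the samples are internally consistent. Since the LDAP group setting writes `member` on the group entry while the permission-based setting writes `tracperm` on the user entry, it would also help to state which entries the plugin's bind account must be allowed to modify in each mode.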
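Review bot: in the second hunk (v16 lines 385-387), the example `permission add devteam @developers` adds an alias, not a user, to an LDAP directory group, but the Example section only shows the `member` value written for a user (`uid=eblot,ou=people,dc=example.org`). Please say what is written to the group entry when the subject is an alias such as `devteam`, or pick an example whose subject is a user. Also, "a LDAP directory group" in the added bullet should read "an LDAP directory group".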
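Review bot: the added v0.4.2 entry in the last hunk (v16 line 419) says only "Fix up an important issue with the management of the caches"; name the issue and its visible effect so administrators can tell whether v0.4.0 and v0.4.1 installations are affected. While this list is being edited, the v0.4.1 entry just above reads "the plugin is not able to add and remove members", which contradicts the feature it introduces and probably should read "now able".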