ticket,summary,type,release,owner,status,created,modified,_description,_reporter
9104,LdapPlugin performs > 2000 queries upon viewing a ticket,defect,0.11,Emmanuel Blot,new,2011-08-18T21:06:20+02:00,2021-12-08T16:58:35+01:00,"When browsing the wiki / other trac pages the LdapPlugin does roughly 7 LDAP lookups against my LDAP server. I have just recorded it performing 2,223 queries when loading a ticket page.

We have 64 users in LDAP, and 6 groups. Crunching some numbers from our LDAP logs it seems that there is a hit for each group name 171 times, and a hit for some users 12 times, and a hit for other users 6 times. There are 100 unique usernames being queried for (not sure where the additional users appear from, but they are all present in the 'assign to' box on the ticket page).

Due to the length of time it takes to perform the queries this results in excessive load times when viewing a ticket, sometimes upwards of 20 seconds.

My trac.ini [ldap] section looks like:
{{{
[ldap]
enable = true
basedn = dc=acme,dc=com
group_rdn = ou=group
groupmember = member
groupmemberisdn = true
groupname = groupofnames
host = ldap-read2.live.chonp.net
uidattr = cn
user_rdn = ou=People
}}}

My LDAP server logs look like: (user/group names changed)
{{{
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=14 SRCH base=""dc=acme,dc=com"" scope=2 deref=0 filter=""(objectClass=groupOfNames)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=14 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=14 SEARCH RESULT tag=101 err=0 nentries=6 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=15 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=15 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=16 CMP dn=""cn=acme-group1,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=16 RESULT tag=111 err=6 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=17 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=17 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=17 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=18 CMP dn=""cn=acme-group2,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=18 RESULT tag=111 err=5 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=19 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=19 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=19 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=20 CMP dn=""cn=acme-group3,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=20 RESULT tag=111 err=5 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=21 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=21 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=22 CMP dn=""cn=acme-group4,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=22 RESULT tag=111 err=5 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=23 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=23 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=24 CMP dn=""cn=acme-group5,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=24 RESULT tag=111 err=5 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=25 SRCH base=""ou=people,dc=acme,dc=com"" scope=2 deref=0 filter=""(cn=joe.bloggs)""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=25 SRCH attr=dn
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=26 CMP dn=""cn=acme-group6,ou=Group,dc=acme,dc=com"" attr=""member""
Aug 18 18:08:17 util2 slapd[27174]: conn=124 op=26 RESULT tag=111 err=5 text=
}}}",Nick Robinson-Wall
6583,permission_store = LdapPermissionStore does not work for MS Active Directory,defect,0.11,Emmanuel Blot,new,2010-02-08T11:38:43+01:00,2020-01-13T23:37:49+01:00,"I want to list users in the Trac account.
If I add permission_store = LdapPermissionStore to trac.ini,
there is an error:
TracError: Unable to open LDAP cnx: Invalid credentials

But I can log in if I comment out this line. When I click the Trac menu Accounts -> users, there is an error displayed on the screen: ""This password store does not support listing users""


",anonymous
5996,LdapPlugin should cascade group memberships,defect,0.11,Emmanuel Blot,new,2009-10-20T18:06:38+02:00,2019-01-21T20:57:08+01:00,"Groups can be defined either through their direct members (which can be users or other groups), or through the memberOf attribute of users or other groups. LdapPlugin should support both methods. Also, LdapPlugin should support indirect membership of a group (where a user is a member of a group that is in turn a member of another group). Where supported, matching syntax 0.113556.1.4.1941 should be used.

Typically, the LDAP query could look something like: 
{{{
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=groupName))
}}}
",simon@…
2293,Active Directory Extension for ldapplugin + config + AD-schema,enhancement,0.10,Emmanuel Blot,new,2007-12-11T22:46:52+01:00,2018-09-06T11:29:44+02:00,"I wrote an extension for the ldapplugin. With the patch it is possible to connect to an MS Active Directory and receive the permissions. I also wrote some example schemas which need to be imported into the AD and some example configuration for Apache-2.2.3

Currently I don't know how/where to publish. Should I make a branch or attach the patch to the ticket?


greets

Alex   ",Alexander Kasper
6268,"LdapPlugin fails with MS Active Directory, lacks email / full name",defect,0.11,Emmanuel Blot,new,2009-11-27T22:09:52+01:00,2018-09-06T11:28:45+02:00,"I've run into a number of issues using the LdapPlugin against MS Active Directory.  The plugin assumed that the Common Name (CN) attribute of a principal's Distinguished Name (DN) was always equivalent to its login name and that you could convert from DN to login name with simple string manipulation.

Alas, this is not (remotely) the case with our directory as various users may have as their CN their login name, their full given name, some variation on their given name (nick names), and in some cases completely meaningless identifiers.  A mess, no doubt; but out of my control.

As far as my understanding of LDAP goes, assuming login == CN is somewhat simplistic and given to failure.  I've modified the plugin to connect to the directory whenever a CN/DN/login translation is needed.  I've also attempted to cache the conversions where practical in order to reduce the number of queries against the directory as much as possible.  I suspect additional caching improvements are possible.

Attached to this ticket is a replaced api.py file which implements these changes.  I'd ordinarily attach a patch, but the changes were extensive enough to render a patch relatively pointless.

Also included in this version is additional logic to extract the user's email and full name from the appropriate directory fields and insert them into the Trac session.  The idea of piggybacking on the web filter system is from AccountLdapPlugin with some minor tweaks.

To use this version, you'll need to take the rest of the scaffolding from the trunk build of the LdapPlugin-0.11 and replace the ldapplugin/api.py file with the attached one.

Configuration settings like the following are working for our ActiveDirectory, but YMMV:
{{{
[ldap]
enable=true
use_tls=false
host=your.server
port=389
# Note: Must be the full DN, sAMAccount name or email-like domain login will NOT work
bind_user=CN=LDAP Search User,OU=Windows Systems,...
bind_passwd=pass
# Use authenticated bind
group_bind = true

# Adjust DN's to taste
basedn=OU=RTP,...
group_rdn = OU=Programming,...
user_rdn = OU=users

# Group settings - use the Windows login name for the group (sAMAccountname)
groupname = group
groupattr = sAMAccountName
groupmember = member
groupmemberisdn = true

# Use Windows login name for user
uidattr = sAMAccountName

# NEW FOR PATCH:
# Attributes on the user object from which full name and email address will be read
user_fullname_attr = displayName
user_email_attr = mail

# Our tree is readonly, but you might want to enable this
manage_groups = false
}}}",Zachary Bedell
1663,Ldap plugin general  problem,defect,0.10,Emmanuel Blot,new,2007-06-13T21:43:44+02:00,2018-01-08T22:37:33+01:00,"Hello! I've done some settings with trac including LdapPlugin-0.5.1dev-py2.4.egg. I've read manual but still can't make it work.
{{{
Traceback (most recent call last):
  File ""/var/lib/python-support/python2.4/trac/web/main.py"", line 387, in dispatch_request
    dispatcher.dispatch(req)
  File ""/var/lib/python-support/python2.4/trac/web/main.py"", line 183, in dispatch
    req.perm = PermissionCache(self.env, req.authname)
  File ""/var/lib/python-support/python2.4/trac/perm.py"", line 263, in __init__
    self.perms = PermissionSystem(env).get_user_permissions(username)
  File ""/var/lib/python-support/python2.4/trac/perm.py"", line 227, in get_user_permissions
    for perm in self.store.get_user_permissions(username):
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 205, in get_user_permissions
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 108, in get_permission_groups
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 149, in _get_user_groups
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 541, in get_groups
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 564, in get_dn
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 647, in _search
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 640, in _open
TypeError: unsubscriptable object
}}}
Please give any suggestions :(  Distro is Debian lenny/sid",stoychev@…
3142,TLS doesn't work,defect,0.10,Emmanuel Blot,new,2008-06-09T09:56:27+02:00,2017-10-25T16:08:46+02:00,"TLS support in the LDAP plugin is broken. 

First of all, IIRC TLS works over port 389, not 636 (which is the SSL port, SSL != TLS). This should be fixed in api.py

Also, there are no options to set certificates in trac.ini. (It doesn't use the (CA) certificate set in /etc/openldap/ldap.conf, does it?) I guess to make TLS really work there is still some work to do.

Anyway, I didn't have time to dive into this any further. I hope this can be fixed by someone else.

Or perhaps I missed something, in which case the Wiki documentation should be updated to explain how TLS works with ldapplugin.

Thanks!

",trac-hacks@…
2917,cache_size being limited to 25,defect,0.10,Emmanuel Blot,assigned,2008-04-16T02:49:41+02:00,2016-09-18T18:17:03+02:00,"Hi,

While troubleshooting a performance issue, I found that the LDAP cache_size can't go higher than 25, despite what is set in trac.ini.  Here's the relevant code in lines 71 and 187 of api.py:

{{{
self._cache_size = min(25, int(self.config.get('ldap', 'cache_size', '100')))
self._cache_size = min(25, int(cache_size))
}}}

Why have a default of 100 for cache_size when it's being forced down to 25?  A limit for sanity checking makes sense, but I think it should be much higher.  Fixing this in our installation made our Trac significantly faster.

",John A. Barbuto
3036,LdapPlugin should follow LDAP aliases,enhancement,0.10,Emmanuel Blot,reopened,2008-05-16T04:08:30+02:00,2016-05-06T12:26:01+02:00,"I'm using an LDAP configuration where I need to place my Trac groups in one part of the tree, as aliases to groups that are defined in other parts of the tree.  

In case anybody's wondering, this is to allow me to administer my Trac instances through my Apple OSX Leopard Server's Workgroup Administrator application.

There's a feature built into the LDAP libraries which specifies that lookups should follow aliases, and it appears that this isn't currently enabled.  If you can recommend a workaround and/or a code fix on the plugin, that would be very much appreciated.",r_j_h_box-buy@…
7339,LdapPermissionGroupProvider.get_permission_groups() too slow,enhancement,0.12,Emmanuel Blot,new,2010-07-06T20:43:57+02:00,2015-10-25T12:26:37+01:00,"Hi,

we are using LdapPlugin to get group info from LDAP database. It worked 
perfectly until one day I decided to enable 'restrict_owner' option.
Things became very slow with that option enabled, new ticket form took 
~10 seconds to display. I did some debugging and it seems that the problem
is in the LDAP plugin, the algorithm which extracts user's groups from 
LDAP is not very efficient. 

From my understanding of the code it works by first extracting the 
complete list of all groups from LDAP and then checking that given user 
is a member of every LDAP group. With too many groups (our LDAP server
has more than 700 groups) combinatorial complexity kills performance. 

In principle the group membership for a given user name can be obtained 
with a single LDAP search. Below is a patch that reimplements 
_get_user_groups() method to use one LDAP operation with a filter 
like ""(&(objectclass=PosixGroup)(memberid=USER))"". This patch was tested 
and it works much faster in our environment. Would be nice if you could 
include this optimization into the next plugin release.

Thanks,
Andy

{{{
*** api.py.orig 2010-07-06 08:51:52.000000000 -0700
--- api.py      2010-07-06 11:13:33.000000000 -0700
***************
*** 147,161 ****
      
      def _get_user_groups(self, username):
          """"""Returns a list of all groups a user belongs to""""""
!         ldap_groups = self._ldap.get_groups()
          groups = []
          for group in ldap_groups:
!             if self._ldap.is_in_group(self.util.user_attrdn(username), group):
!                 m = DN_RE.search(group)
!                 if m:
!                     groupname = GROUP_PREFIX + m.group('rdn')
!                     if groupname not in groups:
!                         groups.append(groupname)
          return groups
  
  class LdapPermissionStore(Component):
--- 147,160 ----
      
      def _get_user_groups(self, username):
          """"""Returns a list of all groups a user belongs to""""""
!         ldap_groups = self._ldap.get_user_groups(self.util.user_attrdn(username))
          groups = []
          for group in ldap_groups:
!             m = DN_RE.search(group)
!             if m:
!                 groupname = GROUP_PREFIX + m.group('rdn')
!                 if groupname not in groups:
!                     groups.append(groupname)
          return groups
  
  class LdapPermissionStore(Component):
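Review bot: in the rewritten loop of _get_user_groups, a group DN that DN_RE does not match is dropped without any log line (the `if m:` has no else branch), so a user can silently lose a permission group. Suggest logging the unmatched DN at warning level, in the same style as the Malformed userdn warning in get_user_groups. The `if groupname not in groups` check on a list is also a linear scan per group; collecting into a set and returning a list at the end keeps the de-duplication without the repeated scan.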
***************
*** 570,575 ****
--- 569,588 ----
                  return cr
          return False
  
+     def get_user_groups(self, userdn):
+         """"""Return a list of group dns where user is a member""""""
+         if self.groupmemberisdn:
+             udn = userdn
+         else:
+             m = re.match('[^=]+=([^,]+)', userdn)
+             if m is None:
+                 self.log.warn('Malformed userdn: %s' % userdn)
+                 return []
+             udn = m.group(1)
+         filter = ""(&(objectclass=%s)(%s=%s))"" % (self.groupname, self.groupmember, udn)
+         groups = self.get_dn(self.basedn, filter)
+         return groups
+ 
      def get_dn(self, basedn, filterstr):
          """"""Return a list of dns that satisfy the LDAP filter""""""
          dns = []
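Review bot: in get_user_groups, udn is interpolated into the search filter with `%` formatting and no escaping, so a user DN or id containing filter metacharacters such as `(`, `)`, `*` or a backslash changes the meaning of the filter or makes it invalid. Escape the value before building the filter, for example with python-ldap's ldap.filter.escape_filter_chars(udn). Two smaller points: the local name `filter` shadows the Python builtin (filterstr, as used by get_dn, would be consistent), and the `[^=]+=([^,]+)` match stops at the first comma, so an RDN value containing an escaped comma is truncated.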
}}}
",Andy S
11866,Nginx Support/Examples,enhancement,1.0,Emmanuel Blot,new,2014-07-08T21:11:01+02:00,2014-07-10T06:07:45+02:00,"It would be nice if this plugin supported Nginx, (if it doesn't already, I can't get Nginx to work with this plugin) or at least had example configurations for Nginx",Varriount
11335,Allowing different URI schemes than ldap://,defect,1.0,Emmanuel Blot,new,2013-09-25T16:29:31+02:00,2013-09-25T16:44:29+02:00,"At our site we are using LdapPlugin to access a local slapd-instance via ldapi:// and the default socket in /var/run/slapd/ldapi.

I want to share the modifications I had to make to LdapPlugin here. Unfortunately the changes are not backwards compatible, so an existing configuration will not work. If there is interest I can change that though.",robert.fenk@…
6397,Plugin provides error that is unclear for troubleshooting,defect,0.11,Emmanuel Blot,new,2010-01-04T23:43:24+01:00,2013-08-19T12:20:50+02:00,"Logins/Authentications/Authorizations work fine until I attempt to authorize different forms of access via a group with the Ldap Plugin. I have created a group called TracAdmins and added myself to that group within Active Directory. Within the trac site I have enabled the trac ldap plugin and configured the needed directives in the trac.ini. I also created a group called @TracAdmins (Same Name as the AD group) within trac. When I try to gain Admin level access to the trac site I am given standard user access. I am authenticated but not with the proper level of access. I enabled debugging in the logs but the error isn't giving me anything to go on.

The lines from the Debug log follow:
{{{
2010-01-04 17:20:51,650 Trac[chrome] DEBUG: Prepare chrome data for request
2010-01-04 17:20:51,651 Trac[api] DEBUG: action controllers for ticket workflow: ['ConfigurableTicketWorkflow']
2010-01-04 17:20:51,658 Trac[api] ERROR: LDAP error: Operations error
2010-01-04 17:20:51,662 Trac[api] ERROR: LDAP error: Operations error
2010-01-04 17:20:51,664 Trac[perm] DEBUG: No policy allowed mamadmin performing TRAC_ADMIN on None
2010-01-04 17:20:51,664 Trac[perm] DEBUG: No policy allowed mamadmin performing PERMISSION_GRANT on None
2010-01-04 17:20:51,665 Trac[perm] DEBUG: No policy allowed mamadmin performing PERMISSION_REVOKE on None
2010-01-04 17:20:51,665 Trac[perm] DEBUG: No policy allowed mamadmin performing TICKET_ADMIN on None
2010-01-04 17:20:51,667 Trac[perm] DEBUG: No policy allowed mamadmin performing EMAIL_VIEW on None
2010-01-04 17:20:51,667 Trac[session] DEBUG: Retrieving session for ID 'mamadmin'
}}}

Trac.ini Bits:
{{{#!ini
[components]
ldapplugin.* = enabled
ldapplugin.api.ldappermissiongroupprovider = enabled
ldapplugin.api.ldappermissionstore = disabled
}}}

{{{#!ini
[ldap]
basedn = DC=foo,DC=com
bind_passwd = XXXXXX
bind_user = cn=LDAPReader,cn=Users,dc=srahosting,dc=com
enable = true
host = XXXXX
cache_ttl = 900
cache_size = 100
}}}

I can see the logins/outs on the ldap server and there does not seem to be any errors. How can I trace out what this LDAP error Trac is reporting really is?

",mattmnx@…
11121,LDAP with 2 Active Directory nodes (2 DC),defect,0.12,Emmanuel Blot,new,2013-05-28T14:55:50+02:00,2013-05-28T14:55:50+02:00,"Hi, thanks for your plugin.

I've attached a very rough solution to auth users from two domain controllers (DC) of MS Active Directory.
The code is from #6268.",Giuseppe Ursino
10609,ldap-plugin should handle a list of user- and group-dn,enhancement,0.12,Emmanuel Blot,new,2012-11-08T14:22:45+01:00,2012-11-09T10:35:26+01:00,"My ldap structure is quite deep with users and looks something like:

{{{
 dc=com
    dc=site
      ou=People
        uid=user1
      ou=Groups
        cn=group1
      ou=Projects
        ou=Project1
          ou=People
            uid=user2
          ou=Groups
            cn=group2
}}}

The current ldap-plugin only supports users and groups at one (and the same) level.

I would like to be able to specify a list of user and group, maybe something like: 

{{{
  userdn = ou=People,dc=site,dc=com | ou=People,ou=Project1,ou=Projects,dc=site,dc=com
  groupdn = ou=Groups,dc=site,dc=com | ou=Groups,ou=Project1,ou=Projects,dc=site,dc=com
}}}
",richard.baldauf@…
10232,Expose the LDAP bind functionality,defect,0.12,Emmanuel Blot,new,2012-08-06T11:36:44+02:00,2012-08-06T11:36:44+02:00,"Here's a patch that adds a new method, `bind()`, that performs a bind as per the configuration of the LDAP plugin.  It also, internally, switched `_open()` to use the new `bind()`, raising `TracError`s on failure, as it did previously.",anonymous
9802,"TypeError: argument 3 must be string or read-only buffer, not None",defect,0.11,Emmanuel Blot,new,2012-02-15T10:27:46+01:00,2012-02-15T10:27:46+01:00,"On web interface page Admin-->Permission, try to add a new subject to a group. The result will be:

{{{
Datei ""build/bdist.win32/egg/trac/web/main.py"", Zeile 511, in _dispatch_request
  dispatcher.dispatch(req)
Datei ""build/bdist.win32/egg/trac/web/main.py"", Zeile 237, in dispatch
  resp = chosen_handler.process_request(req)
Datei ""build/bdist.win32/egg/trac/admin/web_ui.py"", Zeile 116, in process_request
  path_info)
Datei ""build/bdist.win32/egg/trac/admin/web_ui.py"", Zeile 357, in render_admin_panel
  for action in perm.get_user_permissions(group):
Datei ""build/bdist.win32/egg/trac/perm.py"", Zeile 372, in get_user_permissions
  for perm in self.store.get_user_permissions(username) or []:
Datei ""build/bdist.win32/egg/trac/perm.py"", Zeile 173, in get_user_permissions
  subjects.update(provider.get_permission_groups(username) or [])
Datei ""build/bdist.win32/egg/ldapplugin/api.py"", Zeile 128, in get_permission_groups
  ldapgroups = self._get_user_groups(username)
Datei ""build/bdist.win32/egg/ldapplugin/api.py"", Zeile 177, in _get_user_groups
  if self._ldap.is_in_group(userdn, group):
Datei ""build/bdist.win32/egg/ldapplugin/api.py"", Zeile 548, in is_in_group
  cr = self._compare(groupdn, self.groupmember, userdn)
Datei ""build/bdist.win32/egg/ldapplugin/api.py"", Zeile 656, in _compare
  cr = self._ds.compare_s(dn, attribute, value)
Datei ""D:/bitnami-trac-0.12.2/python/Lib/site-packages/ldap/ldapobject.py"", Zeile 266, in compare_s
  return self.compare_ext_s(dn,attr,value,None,None)
Datei ""D:/bitnami-trac-0.12.2/python/Lib/site-packages/ldap/ldapobject.py"", Zeile 253, in compare_ext_s
  msgid = self.compare_ext(dn,attr,value,serverctrls,clientctrls)
Datei ""D:/bitnami-trac-0.12.2/python/Lib/site-packages/ldap/ldapobject.py"", Zeile 250, in compare_ext
  return self._ldap_call(self._l.compare_ext,dn,attr,value,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
Datei ""D:/bitnami-trac-0.12.2/python/Lib/site-packages/ldap/ldapobject.py"", Zeile 100, in _ldap_call
  result = func(*args,**kwargs)
}}}",falkb
9761,how can I use LDAP groups in authzpolicy.conf file of fine grained permission?,enhancement,0.11,Emmanuel Blot,new,2012-02-04T00:10:49+01:00,2012-02-04T00:10:49+01:00,"Can you describe on your wiki page if it's possible, and if yes, how it's possible.

I played around but can't get it to work to use those LDAP groups (starting with '@') in my authzpolicy.conf, anyway it has no effect or leads to errors... In the end I want to restrict wiki page access by using user groups defined via LDAP since I don't want to configure again what LDAP has set at first anyway.",falkb
9601,Add a quick-start right into the source-tree,enhancement,0.12,Emmanuel Blot,new,2011-12-10T14:08:40+01:00,2011-12-10T14:08:40+01:00,"I had many problems with the documentation, lost many hours if not days.

A way to simplify the installation of the plugin for future users (especially those not familiar with openldap) would be to include the necessary config-files and a quick-start readme right into the source-code, thus things are kept in synch.

Find attached an example, which can be applied as a patch. The files are tested on a windows installation (after I started from scratch).

(the next step would be to provide an apache config file and to refine the tests more)",lazaridis_com
4700,group_bind=true,defect,0.11,Emmanuel Blot,new,2009-02-25T16:35:30+01:00,2011-04-15T17:22:46+02:00,"When I set group_bind = true, Trac returns an error:
{{{
Traceback (most recent call last):
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/web/api.py"", line 367, in send_error
    'text/html')
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/web/chrome.py"", line 708, in render_template
    data = self.populate_data(req, data)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/web/chrome.py"", line 618, in populate_data
    d['chrome'].update(req.chrome)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/web/api.py"", line 194, in __getattr__
    value = self.callbacks[name](self)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/web/chrome.py"", line 476, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/ticket/web_ui.py"", line 163, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 524, in has_permission
    return self._has_permission(action, resource)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 538, in _has_permission
    check_permission(action, perm.username, resource, perm)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 425, in check_permission
    perm)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 282, in check_permission
    get_user_permissions(username)
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 357, in get_user_permissions
    for perm in self.store.get_user_permissions(username):
  File ""/usr/lib/python2.5/site-packages/Trac-0.11.3-py2.5.egg/trac/perm.py"", line 170, in get_user_permissions
    subjects.update(provider.get_permission_groups(username))
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 108, in get_permission_groups
    ldapgroups = self._get_user_groups(username)
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 149, in _get_user_groups
    ldap_groups = self._ldap.get_groups()
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 541, in get_groups
    groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname)
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 564, in get_dn
    sr = self._search(basedn, filterstr, ['dn'], ldap.SCOPE_SUBTREE)
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 647, in _search
    self._open()
  File ""build/bdist.linux-x86_64/egg/ldapplugin/api.py"", line 632, in _open
    self._ds.simple_bind_s(self.bind_user, self.bind_passwd)
  File ""/usr/lib/python2.5/site-packages/ldap/ldapobject.py"", line 197, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File ""/usr/lib/python2.5/site-packages/ldap/ldapobject.py"", line 191, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File ""/usr/lib/python2.5/site-packages/ldap/ldapobject.py"", line 96, in _ldap_call
    result = func(*args,**kwargs)
TypeError: argument 2 must be string or read-only buffer, not None
}}}
",nlp@…
8650,ldapplugin group lookup performance,defect,0.11,Emmanuel Blot,new,2011-03-30T23:57:59+02:00,2011-03-30T23:57:59+02:00,"The ldapplugin for trac provides group membership lookups in order to assign permissions - a nice feature.  The trouble is that in order to do this it dumps an entire ldap database of groups, and then does another lookup and regex on all of them to see if a user is in the set.  Not only is that really inefficient for large ldap dbs, it can also be incorrect for those (like AD) that impose limits on the number of entries they'll return.

Attached is a patch that fixes this by using an ldap search filter based on the settings the admin specified in the trac.ini.  In my environment it results in .005s lookup time instead of ~10s.  Tested with memberUid, member (eg: DNs) attrs, and openldap, and AD systems.

My perl isn't python, so the code could potentially be cleaned up.

Poke me if you have any questions.

Thanks,
Brian",bpkroth@…
4943,Plugin won't work for users belonging to LDAP upper cased groups,defect,0.11,Emmanuel Blot,new,2009-04-18T00:41:14+02:00,2011-03-22T11:48:38+01:00,"On the LDAP setup I'm using, there are some upper cased groups. I can't change them since I'm not the administrator of that server and the tool I use to add those groups to the LDAP server, uses an upper cased prefix, ie: MY_DEPARTMENT-, then I can define whatever comes afterwards, so, MY_DEPARTMENT-ADMINS. So, as you see, I can't do anything here :-(

Anyway, when I give @MY_DEPARTMENT-ADMINS into the trac Admins interface, it just complains and says:
""All upper-cased tokens are reserved for permission names""

If I give @my_department-admins into the Admin interface, then the group comparison in your plugin will fail since it compares this lowered string with the original name of the LDAP group.

Well, this seems to be a trac problem since it has reserved uppercased names for permissions :-(

Anyway, it would be nice if you add some kind of option that lowercases the groups to which a user belongs to, ie: **ignore_group_case**. There is a trac setting: ignore_auth_case, but it only seems to lowercase the username. It won't work with the groups.

For the moment, I'm always lowercasing each group into the _get_user_groups method of the LdapPermissionGroupProvider class; however, I think a trac.ini variable would be much more elegant.

Best regards
Josef",jmeile@…
8335,Connections erroneously closed when using mod_wsgi,defect,0.11,Emmanuel Blot,new,2010-12-23T10:54:38+01:00,2011-01-21T00:25:56+01:00,"When multiple connections are made concurrently, an error may occur:

{{{
AttributeError: 'bool' object has no attribute 'compare_s'
}}}

This is most likely a concurrency issue. Without delving too deep into the source code, changing the following line seems to fix the issue:

{{{
#!patch
--- api.py	2010-12-23 10:41:01.000000000 +0100
+++ api.py.orig	2010-11-16 16:31:34.000000000 +0100
@@ -668,11 +668,11 @@
             return cr
         except ldap.NO_SUCH_OBJECT, e:
             self.log.warn(""LDAP error: %s (%s)"", e[0]['desc'], dn)
-            return False;
+            return False;    
         except ldap.LDAPError, e:
             if attribute != 'member':
-                self.log.error(""LDAP error: %s (%s - %s - %s) [_compare]"", e[0]['desc'], dn, attribute, value)
-                self._ds = False
+              self.log.error(""LDAP error: %s (%s - %s - %s) [_compare]"", e[0]['desc'], dn, attribute, value)
+            self._ds = False
             return False

             # Following methods moved from LdapUtil since many of them really need access to the connection
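Review bot: the file headers look reversed (`--- api.py` carries the later timestamp, `+++ api.py.orig` the earlier one), so as posted this diff removes the fix; the change the ticket describes is the `-` side, where `self._ds = False` sits inside the `if attribute != 'member'` branch. Please regenerate it as a diff from api.py.orig to api.py. On the fix itself, moving the assignment into the branch only narrows the cases in which the handle is replaced by False; a concurrent caller can presumably still hit the reported AttributeError on compare_s after a non-member error, so consider resetting the handle to None and re-opening it under a lock before the next call. The `return False;` lines also carry a stray semicolon, and the `+` one has trailing whitespace.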
}}}     
",anonymous
7969,Autocomplete cc and owner fields in ticketing system from LDAP,enhancement,0.12,Emmanuel Blot,new,2010-11-01T23:30:39+01:00,2010-11-01T23:46:02+01:00,"I have LdapPlugin working... the last important piece for me is to get autocomplete working in the ticketing system for owner / cc fields. 

Is this already possible? I don't think I saw any mention of it. 

Thanks, ",da.webs@…
5790,wrong behaviour with empty base-dn,defect,0.11,Emmanuel Blot,new,2009-09-06T21:02:43+02:00,2009-09-06T21:02:43+02:00,"When leaving base-dn empty and group-rdn and user-rdn set ldapplugin does not work. It produces wrong dn's then.
I made a hack in api.py of version 0.6.0.
I fixed it in the methods user_attrdn and group_attrdn, starting at line 477 of api.py

{{{
    def group_attrdn(self, group):
        """"""Build the dn for a group""""""
        if self.group_rdn:
            if self.basedn:
                return ""%s=%s,%s,%s"" % \
                   (self.groupattr, group, self.group_rdn, self.basedn)
            else:
                return ""%s=%s,%s"" % \
                   (self.groupattr, group, self.group_rdn)
        else:
            if self.basedn:
                return ""%s=%s,%s"" % (self.groupattr, group, self.basedn)
            else:
                return ""%s=%s"" % (self.groupattr, group)

    def user_attrdn(self, user):
        """"""Build the dn for a user""""""
        if self.user_rdn:
            if self.basedn:
                return ""%s=%s,%s,%s"" % \
                   (self.uidattr, user, self.user_rdn, self.basedn)
            else:
                return ""%s=%s,%s"" % \
                   (self.uidattr, user, self.user_rdn)
        else:
            if self.basedn:
                return ""%s=%s,%s"" % (self.uidattr, user, self.basedn)
            else:
                return ""%s=%s"" % (self.uidattr, user)


}}}
",anonymous
5693,ldap-plugin should handle a list of user- and group-dn,enhancement,0.11,Emmanuel Blot,new,2009-08-20T19:03:35+02:00,2009-08-20T19:03:35+02:00,"My ldap structure is quite deep with users and looks something like:

{{{
  dc=com
    dc=site
      ou=People
        uid=user1
      ou=Groups
        cn=group1
      ou=Projects
        ou=Project1
          ou=People
            uid=user2
          ou=Groups
            cn=group2
}}}

The current ''ldap-plugin'' only supports users and groups at one (and the same) level.

I would like to be able to specify a list of user and group, maybe something like:
{{{
  userdn = ou=People,dc=site,dc=com | ou=People,ou=Project1,ou=Projects,dc=site,dc=com
  groupdn = ou=Groups,dc=site,dc=com | ou=Groups,ou=Project1,ou=Projects,dc=site,dc=com
}}}

",emsa@…
985,users with different dn in same group,defect,0.10,Emmanuel Blot,new,2006-12-12T21:58:12+01:00,2009-06-17T23:31:10+02:00,"Could not see a way to specify the dn for the user if the users are contained in different ou's

I have an ldap structure that separates offices

o=Company[[BR]]
ou=Region[[BR]]
ou=City[[BR]]
ou=Users (not in all cities)[[BR]]


so we could in the same group have say a user named [[BR]]

username1.Users.Tampa.America.Company[[BR]]
username2.Shanghi.Asia.Company[[BR]]
username3.Chicago.America.Company[[BR]]
username4.London.Europe.Company[[BR]]

Could this, since we are already logged in (if we are using ldap I'm assuming authentication is done with ldap also and has been verified, or at least know the username), search for the user and get the correct dn to pass to the ldapsearch?

Probably should be in another ticket, but while troubleshooting this I was looking at the packets. It appears that it's searching for all groups in the tree, then searches each group to see if the user is a member. Could we just search the groups that are specified in the permissions table? We have around 100 groups and only one/two groups specified in the permissions table; it seems a waste to see if the user is in each of the other 98 that trac doesn't care about.",anonymous
3993,Trac LDAP plugin makes too many round trips for group membership,defect,0.11,Emmanuel Blot,new,2008-10-27T19:05:32+01:00,2009-06-17T23:14:21+02:00,"I have written a group membership routine to allow faster searches to be performed. The Trac plugin need only go to the LDAP server one time to get a user's groups listing, instead of running a separate query for each group on the server.

{{{
#!diff
Index: ldapplugin/api.py
===================================================================
--- ldapplugin/api.py   (revision 4594)
+++ ldapplugin/api.py   (working copy)
@@ -146,16 +146,7 @@
     
     def _get_user_groups(self, username):
         """"""Returns a list of all groups a user belongs to""""""
-        ldap_groups = self._ldap.get_groups()
-        groups = []
-        for group in ldap_groups:
-            if self._ldap.is_in_group(self.util.user_attrdn(username), group):
-                m = DN_RE.search(group)
-                if m:
-                    groupname = GROUP_PREFIX + m.group('rdn')
-                    if groupname not in groups:
-                        groups.append(groupname)
-        return groups
+        return [GROUP_PREFIX + g for g in self._ldap.groups_for_user(username)]
 
 class LdapPermissionStore(Component):
     """"""
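Review bot: the new one-line body of _get_user_groups iterates whatever groups_for_user returns, but that method returns False when the user lookup finds no dn, so this comprehension raises TypeError for an unknown user; have groups_for_user return an empty list there. The removed loop also skipped duplicate group names and took the name from the group dn through DN_RE, while the replacement takes the first groupattr value with no de-duplication, so groups sharing a name in different branches under basedn now produce repeated entries.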
@@ -541,6 +532,25 @@
         groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname)
         return groups
     
+    def groups_for_user(self, uid):
+        """"""Obtain group listing for a particular uid.""""""
+        if self.groupmemberisdn:
+            dns = get_dn(self.basedn, '(uid=%s)' % uid)
+            if dns:
+                uidstr = dns[0]
+            else:
+                return False
+        else:
+            uidstr = uid
+        filter = ('(&(objectclass=%s)(%s=%s))' %
+                  (self.groupname, self.groupmember, uidstr))
+        results = self._search( self.basedn
+                              , filter
+                              , [self.groupattr]
+                              , ldap.SCOPE_SUBTREE )
+        self.log.error(""Found: %s"", str(results))
+        return [ attrs[self.groupattr][0] for (dn, attrs) in results ]
+
     def is_in_group(self, userdn, groupdn):
         """"""Tell whether the uid is member of the group""""""
         if self.groupmemberisdn:
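Review bot: uid is interpolated straight into the search filters in groups_for_user, so a username containing filter metacharacters such as * or ( changes the query that decides group membership; pass it (and the dn used as uidstr) through ldap.filter.escape_filter_chars before formatting. In the same method, get_dn is called without self. and will raise NameError, the user lookup hard-codes uid instead of self.uidattr, return False should be an empty list because the caller iterates the result, and the Found: message is logged with self.log.error where self.log.debug fits.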
}}}",Jason Dusek
4773,LdapPlugin does not honour group_rdn in get_groups,defect,0.11,Emmanuel Blot,new,2009-03-12T12:25:54+01:00,2009-04-15T07:34:30+02:00,"The group_rdn option specified in the config is not used in get_groups. This leads to a problem when there are groups with the same names in the different parts of the LDAP tree.

The proposed patch is below:

{{{
diff --git a/api.py b/api.py
index 13a912e..35792ba 100644
--- a/api.py
+++ b/api.py
@@ -32,12 +32,12 @@ LDAP_MODULE_CONFIG = [ 'enable', 'permfilter',
                        'global_perms', 'manage_groups'
                        'cache_ttl', 'cache_size',
                        'group_bind', 'store_bind',
-                       'user_rdn', 'group_rdn' ]
+                       'user_rdn' ]
 
 LDAP_DIRECTORY_PARAMS = [ 'host', 'port', 'use_tls', 'basedn',
                           'bind_user', 'bind_passwd',
                           'groupname', 'groupmember', 'groupmemberisdn',
-                          'groupattr', 'uidattr', 'permattr']
+                          'groupattr', 'group_rdn', 'uidattr', 'permattr']
                           
 GROUP_PREFIX = '@'
 
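Review bot: group_rdn is removed from LDAP_MODULE_CONFIG while user_rdn stays there, so any code that reads group_rdn through the module configuration stops seeing it; check the consumers of that list or keep the key in both lists. The unchanged context line 'global_perms', 'manage_groups' has no trailing comma, so Python concatenates it with 'cache_ttl' into a single 'manage_groupscache_ttl' entry and neither name is actually in the list; worth fixing in the same patch.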
@@ -510,6 +510,7 @@ class LdapConnection(object):
         self.groupname = 'groupofnames'
         self.groupmember = 'member'
         self.groupattr = 'cn'
+       self.group_rdn = None
         self.uidattr = 'uid'
         self.permattr = 'tracperm'
         self.bind_user = None
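Review bot: the added self.group_rdn = None line is indented with seven spaces while the surrounding assignments use eight, which Python rejects as an inconsistent dedent; align it with self.groupattr = 'cn' above.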
@@ -538,7 +539,10 @@ class LdapConnection(object):
 
     def get_groups(self):
         """"""Return a list of available group dns""""""
-        groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname)
+       if self.group_rdn:
+            groups = self.get_dn('%s,%s' % (self.group_rdn, self.basedn), 'obje
+        else:
+            groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname)
         return groups
     
     def is_in_group(self, userdn, groupdn):
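Review bot: the added if self.group_rdn: line is indented one column short of its else:, so get_groups does not compile as posted, and the first get_dn call is cut off at 'obje, so the patch cannot be applied from this ticket; it needs to be re-attached as a file. When it is, note that the search base '%s,%s' % (self.group_rdn, self.basedn) ends in a trailing comma if basedn is empty, so build the base from the non-empty parts only.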
}}}",Lev Shamardin
4923,"Can't get it to work with 0.11, need some debugging help",defect,0.11,Emmanuel Blot,new,2009-04-15T03:45:13+02:00,2009-04-15T03:45:13+02:00,"I'm using trac 0.11 on opensuse. I can see the queries being done on my ldap server and they appear correct in the logs, however the plugin isn't putting my user in the appropriate groups. My ldap setup works with PAM, using posixGroup for groups and memberUID for members of the groups with simple uids listed. Any suggestions? My config is below.
{{{
[ldap]
enable = true
basedn = dc=bum,dc=bbn,dc=com
group_rdn = ou=group
user_rdn = ou=people
groupmemberisdn = false
groupname = posixGroup
groupmember = memberUid
manage_groups = false
}}}",Jon Schewe
508,LDAP server fail over,enhancement,0.10,Emmanuel Blot,assigned,2006-07-14T15:38:04+02:00,2008-08-28T22:52:37+02:00,"I made some small (local) changes to the LDAPConnection class to support more than one host. I did it kind of brute force and don't really know if there are other consequences which I have neglected.
I'll attach the diff against the current revision.",Martin Sternevald
1939,Add possibility to set name/email/password in ldap,enhancement,0.11,Emmanuel Blot,new,2007-08-17T09:29:46+02:00,2008-08-15T22:08:07+02:00,"Hi there,

we'd be very happy about an extension to trac & the trac LDAP plugin to finally be able to change the important values 
 - real name
 - email
 - password
from the preferences panel and store them in LDAP.

How could I help? Is there a way to support development of this extension/feature?

The used trac version is 0.11-trunk here. 

BR,
Seb",sebastian.roth@…
3417,Leaking LDAP connections,defect,0.10,Emmanuel Blot,new,2008-07-19T21:26:01+02:00,2008-07-19T22:21:34+02:00,"LdapPlugin doesn't seem to close the LDAP connections it makes. With every hit to a Trac page the system connection count grows. I haven't seen a single call to close() in LdapPlugin's source, why is that?",memfis
2360,Hack TracLDAP for resolve mail adress before request of group permission,defect,0.10,Emmanuel Blot,new,2008-01-08T13:10:28+01:00,2008-01-08T13:10:28+01:00,"Hi, I would use the LDAP hacks to provide LDAP group support in my trac environment.

Actually I have LDAP authentication with UID, but I use the AuthLDAPRemoteUserAttribute option in apache to display the mail address in place of the UID.

But the LDAP hacks don't work with this option. I've tried to modify it with an ""out of box"" script. In fact I've modified the api.py file to replace the mail with the uid in the _get_user_groups function (and only there); to do that I've added a new function in the LdapPermissionGroupProvider class.

When I try my function in other code it works, and when I load api.py in the python interpreter it's good too, but when I deploy the hacked LDAP Trac on my server I get this:

{{{
008-01-08 12:41:20,731 Trac[loader] ERROR: Failed to load plugin ldapplugin.api from /Library/Python/2.3/site-packages/LdapPlugin-0.5.1dev_r1611-py2.3.egg
Traceback (most recent call last):
  File ""/System/Library/Frameworks/Python.framework/Versions/2.3/lib/python2.3/site-packages/trac/loader.py"", line 101, in load_components
    entry_point.load()
  File ""/Library/Python/2.3/site-packages/setuptools-0.6c7-py2.3.egg/pkg_resources.py"", line 1912, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File ""/System/Library/Frameworks/Python.framework/Versions/2.3/lib/python2.3/site-packages/LdapPlugin-0.5.1dev_r1611-py2.3.egg/ldapplugin/__init__.py"", line 2, in ?
ZipImportError: bad local file header in /System/Library/Frameworks/Python.framework/Versions/2.3/lib/python2.3/site-packages/LdapPlugin-0.5.1dev_r1611-py2.3.egg
}}}

Can you help me ? :-)",yoann.gini@…
2283,Session Settings Population,enhancement,0.10,Emmanuel Blot,new,2007-12-10T21:26:38+01:00,2007-12-10T21:26:38+01:00,"I think the next logical step for LdapPlugin to grow into an LDAP backend for Trac would be to actually use the LDAP data, specifically name and e-mail address for session settings. There is already a patch (LdapSessionSettingsPatch) to automatically fill this information into the page, however this data is not being managed by the LDAP service, simply provided once. I personally would really like to see something like this as it would allow Trac to drop right into existing corporate IT structures (!OpenDirectory, Active Directory)
Note: This is unlike ticket:1939 which aims to store data back into LDAP, simply to retrieve back into the session store DB.",bryce@…
1907,bind_passwd special characters,defect,0.10,Emmanuel Blot,new,2007-08-08T16:13:31+02:00,2007-08-08T16:13:31+02:00,"My LDAP server needs to have an authenticated bind. I know this works, as I have other services on the same machine that use this login information. BTW, the LDAP server is Active Directory.

Here is the login information from the [ldap] section of trac.ini:
{{{
bind_user=TRACUSER@domain.com
bind_passwd=4@x3r63ks!
}}}

I suspect those special characters, either the @ signs, the !, or something else, is messing with the plugin's ability to authenticate, as when I hit trac with the ldapplugin enabled, I get this error:
{{{
Traceback (most recent call last):
  File ""/var/lib/python-support/python2.5/trac/web/main.py"", line 406, in dispatch_request
    dispatcher.dispatch(req)
  File ""/var/lib/python-support/python2.5/trac/web/main.py"", line 183, in dispatch
    req.perm = PermissionCache(self.env, req.authname)
  File ""/var/lib/python-support/python2.5/trac/perm.py"", line 263, in __init__
    self.perms = PermissionSystem(env).get_user_permissions(username)
  File ""/var/lib/python-support/python2.5/trac/perm.py"", line 227, in get_user_permissions
    for perm in self.store.get_user_permissions(username):
  File ""/var/lib/python-support/python2.5/trac/perm.py"", line 106, in get_user_permissions
    subjects += list(provider.get_permission_groups(username))
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 108, in get_permission_groups
    ldapgroups = self._get_user_groups(username)
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 149, in _get_user_groups
    ldap_groups = self._ldap.get_groups()
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 541, in get_groups
    groups = self.get_dn(self.basedn, 'objectclass=' + self.groupname)
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 564, in get_dn
    sr = self._search(basedn, filterstr, ['dn'], ldap.SCOPE_SUBTREE)
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 647, in _search
    self._open()
  File ""build/bdist.linux-i686/egg/ldapplugin/api.py"", line 640, in _open
    raise TracError(""Unable to open LDAP cnx: %s"" % e[0]['desc'])
TracError: Unable to open LDAP cnx: Invalid credentials
}}}

I suspect that I may need to escape certain characters somehow, but I haven't been able to find (or figure out) what to do.",candrews@…
1622,Support for users in multiple LDAP containers,enhancement,0.10,JimPage,reopened,2007-06-07T01:48:57+02:00,2007-06-07T06:09:37+02:00,"The LdapPlugin only supports one rdn value in user_rdn. This means that if the user trying to log in is in a different dn, they will not be assigned permissions in Trac properly even if the user's group membership is properly set up. This means that LdapPlugin does not work properly with users in many different containers.",JimPage
1623,LdapPlugin stack traces on empty groups,defect,0.10,JimPage,reopened,2007-06-07T01:54:26+02:00,2007-06-07T06:09:14+02:00,On some systems (eg Win2k3 server) the LdapPlugin stack traces when empty LDAP groups are present in the directory.,JimPage
1431,sample ldap schema for trac,enhancement,0.10,Emmanuel Blot,new,2007-04-08T21:23:02+02:00,2007-04-08T21:23:02+02:00,"I didn't find one, so here is a draft...",pkoelle@…
1036,SCOPE_ONELEVEL vs SCOPE_SUBTREE,defect,0.10,Emmanuel Blot,new,2006-12-20T18:39:39+01:00,2006-12-20T18:39:39+01:00,"I'm using ldapplugin-0.5.1dev_r1611 and have found that anonymous users are unable to browse and I cannot log in with my admin ID.  Looking into this further I've discovered that I can manually search my ldap tree for the uid=anonymous (for example) but using a scope = SCOPE_SUBTREE.  However, when trac searches for this uid it's using a scope = SCOPE_ONELEVEL.  I applied the following patch to get this working.  Is this the correct way to fix this or is there a parameter that can be used in trac.ini to modify the search depth?[[BR]]
[[BR]]

{{{
--- api.py      2006-12-10 11:39:17.000000000 -0500
+++ api_20061220.py     2006-12-20 12:27:46.000000000 -0500
@@ -640,7 +640,7 @@
             raise TracError(""Unable to open LDAP cnx: %s"" % e[0]['desc'])
 
     def _search(self, basedn, filterstr='(objectclass=*)', attributes=None, 
-                scope=ldap.SCOPE_ONELEVEL):
+                scope=ldap.SCOPE_SUBTREE):
         """"""Search the LDAP directory""""""
         try:
             if not self.__dict__.has_key('_ds') or not self.__dict__['_ds']:
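Review bot: changing the default scope of _search to ldap.SCOPE_SUBTREE alters every caller that relies on the default, not only the uid lookup described in the report; a permission lookup that used to match one entry directly under the base can now match an entry with the same uid anywhere below it. Keep SCOPE_ONELEVEL as the default and pass the wider scope explicitly at the call site that needs it, or read the scope from a trac.ini option.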
}}}
",anonymous
222,Additional Feature to LDAP Plugin,enhancement,,Emmanuel Blot,new,2006-03-16T02:32:19+01:00,2006-06-18T19:27:56+02:00,"I have been tasked with investigating using LDAP groups to manage permissions in a trac instance. I've come across your LdapPlugin and believe it is exactly what we require. There is one feature that I need that I think is missing. 

Is it possible to enable a mechanism to allow users to change their LDAP password from within trac, either via this plugin or some other way?

With thanks. 

-Corey",wallis@…
