Opened 6 years ago

Closed 6 years ago

#10163 closed enhancement (fixed)

[patch] enable AD groups in permissions

Reported by: branson Owned by: branson
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: adoption-request
Cc: Ryan J Ollos Trac Release: 0.12


This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.

  • groups are prefixed with an '@'
  • spaces are replaced by _
  • recurses up the tree to find parent groups
  • includes the patch from #9219


  • caches the ldap handle so we don't reauth
< from trac.perm import IPermissionGroupProvider
<     implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider)
>     implements(IPasswordStore, IPermissionUserProvider)
<     def __init__(self,ldap=None):
<       self._ldap = ldap
<             success = True
< 		self.log.debug("User is in %", self.admin_group)
<     # IPermissionGroupProvider
<     def get_permission_groups(self, username):
<         """Return a list of names of the groups that the user with the 
<         specified name is a member of."""
<         # get dn
<         dn = self._get_user_dn(username)
<         if dn:  
<             # retrieves the user groups from LDAP
<             groups = self._get_user_groups(dn)
<             if groups:
<                 self.env.log.debug('%s has groups: %s' % (username, ','.join(groups)))
<                 return groups
<             else:
<                self.log.debug("dn: %s has no groups." % dn)
<         else:
<             self.log.debug("username: %s has no dn." % username)
<         return []
<     # Internal methods
>     # Internal methods
<         if self._ldap:
<             return self._ldap
<         self._ldap = l
<     def _get_user_groups(self, dn):
<         """Returns a list of all groups a user belongs to"""
<         groups = []
<         lcnx = self._bind_ad()
<         if lcnx:
<             ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"])
<             if ldapgroups:
<                 for group in ldapgroups:
<                     groupname = GROUP_PREFIX + group[1]['sAMAccountName'][0].lower().replace(' ','_')
<                     if groupname not in groups:
<                         groups.append(groupname)
<                         subgroups = self._get_user_groups(group[0])
<                         if subgroups: 
<                            for subgroup in subgroups:
<                               if subgroup not in groups:
<                                    groups.append(subgroup)
<                 return groups
<         else:
<             raise TracError('Unable to bind to Active Directory')
<             return None

Attachments (0)

Change History (6)

comment:1 Changed 6 years ago by branson

I have taken this several steps further .. with a complete re-write of the caching system to use the local database .. I am working on the installer for the db now .. but this should work LOTS faster across multiple python/apache instances.

Hold up and i'll send in the new patches.

comment:2 Changed 6 years ago by Ryan J Ollos

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

comment:3 in reply to:  2 Changed 6 years ago by anonymous

Cc: Ryan J Ollos added; anonymous removed
Owner: changed from John Hampton to anonymous
Status: newassigned

Replying to rjollos:

I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.

I can do that.

comment:4 Changed 6 years ago by branson

Keywords: adoption-request added
Owner: changed from anonymous to branson
Status: assignednew

oops .. meant to take this .. I can adopt this.

comment:5 Changed 6 years ago by Ryan J Ollos

Cool. You'll just need to do the step listed at AdoptingHacks#HowtoAdoptUnmaintainedHacks, including create a dedicated ticket and post to the mailing list.

comment:6 Changed 6 years ago by branson

Resolution: fixed
Status: newclosed

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain branson.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.