Opened 12 years ago
Closed 12 years ago
#10163 closed enhancement (fixed)
[patch] enable AD groups in permissions
Reported by: | branson | Owned by: | branson |
---|---|---|---|
Priority: | normal | Component: | DirectoryAuthPlugin |
Severity: | normal | Keywords: | adoption-request |
Cc: | Ryan J Ollos | Trac Release: | 0.12 |
Description
This is a combination of ideas from LdapPlugin that will enable AD groups to be used for permissions.
- groups are prefixed with an '@'
- spaces are replaced by _
- recurses up the tree to find parent groups
- includes the patch from #9219
also
- caches the ldap handle so we don't reauth
18d17 < from trac.perm import IPermissionGroupProvider 21,22d19 < GROUP_PREFIX = '@' < 28c25 < implements(IPasswordStore, IPermissionUserProvider, IPermissionGroupProvider) --- > implements(IPasswordStore, IPermissionUserProvider) 36,38c33 < < def __init__(self,ldap=None): < self._ldap = ldap --- > 98d92 < success = True 119d112 < self.log.debug("User is in %", self.admin_group) 122,144d114 < < # IPermissionGroupProvider < def get_permission_groups(self, username): < """Return a list of names of the groups that the user with the < specified name is a member of.""" < < # get dn < dn = self._get_user_dn(username) < if dn: < # retrieves the user groups from LDAP < groups = self._get_user_groups(dn) < < if groups: < self.env.log.debug('%s has groups: %s' % (username, ','.join(groups))) < return groups < else: < self.log.debug("dn: %s has no groups." % dn) < else: < self.log.debug("username: %s has no dn." % username) < return [] < < # Internal methods < 145a116 > # Internal methods 150,152d120 < if self._ldap: < return self._ldap < 173d140 < self._ldap = l 175c142 < --- > 189,209d155 < < def _get_user_groups(self, dn): < """Returns a list of all groups a user belongs to""" < groups = [] < lcnx = self._bind_ad() < if lcnx: < ldapgroups = lcnx.search_s(self.base_dn, ldap.SCOPE_SUBTREE, '(&(objectClass=group)(member=%s))' % dn, ["sAMAccountName"]) < if ldapgroups: < for group in ldapgroups: < groupname = GROUP_PREFIX + group[1]['sAMAccountName'][0].lower().replace(' ','_') < if groupname not in groups: < groups.append(groupname) < subgroups = self._get_user_groups(group[0]) < if subgroups: < for subgroup in subgroups: < if subgroup not in groups: < groups.append(subgroup) < return groups < else: < raise TracError('Unable to bind to Active Directory') < return None
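Review bot: the added debug line `self.log.debug("User is in %", self.admin_group)` (hunk 119d112) has a malformed format string; a bare `%` with a trailing argument makes the logging module fail while formatting the record, so the message is never written. It should read `self.log.debug("User is in %s", self.admin_group)`.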
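Review bot: get_permission_groups (hunk 122,144d114) lets the TracError raised by _get_user_groups propagate, and because permission groups are evaluated on practically every request, a directory outage would turn every page into an error page instead of a plain denial; catch it here, log it, and return [] so the user simply has no directory groups for that request. Minor style point in the same hunk: it mixes `self.env.log.debug` and `self.log.debug` and formats eagerly with `%`; pick one logger and pass the arguments to debug() as `self.log.debug('%s has groups: %s', username, ','.join(groups))`.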
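Review bot: the cached handle in _bind_ad (hunks 150,152d120 and 173d140) is returned without any check that the connection is still alive; if the server closes it, every later search raises ldap.SERVER_DOWN and the plugin never rebinds until the process restarts, which defeats the "so we don't reauth" goal in a different way. Wrap the searches in a handler for ldap.SERVER_DOWN that clears self._ldap and retries the bind once.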
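Review bot: the recursion in _get_user_groups (hunk 189,209d155) has no termination guard; AD allows nested groups to form cycles (A a member of B, B a member of A), and a cycle here recurses until Python's recursion limit is hit and takes the permission check down with it. Pass a set of group DNs already visited and skip any DN already in it. Two more problems in the same loop: AD subtree searches routinely return referral entries shaped `(None, [url, ...])` alongside real results, and `group[1]['sAMAccountName']` fails on those, so skip entries whose DN is None; and the DN is interpolated into the filter unescaped, so a DN containing `(`, `)`, `*` or `\` yields a malformed or differently matching filter, which `ldap.filter.escape_filter_chars(dn)` avoids. The trailing `return None` after the if/else is unreachable, since the else branch raises.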
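The naming scheme and parent-group walk from the description, as an added example that is not part of the ticket or of the plugin's code: the directory is a constructed in-memory sample in python-ldap `search_s` result shape, and `search_groups_with_member` is a hypothetical helper standing in for the LDAP query, so everything runs offline.

```python
GROUP_PREFIX = '@'

# Constructed sample directory in python-ldap search_s result shape:
# (dn, {attribute: [bytes, ...]}).  'member' lists direct members, and
# Trac Users <-> Developers form a nested-group cycle, which AD allows.
SAMPLE_DIRECTORY = [
    ('CN=Trac Users,OU=Groups,DC=example,DC=com',
     {'sAMAccountName': [b'Trac Users'],
      'member': [b'CN=alice,OU=People,DC=example,DC=com',
                 b'CN=Developers,OU=Groups,DC=example,DC=com']}),
    ('CN=Developers,OU=Groups,DC=example,DC=com',
     {'sAMAccountName': [b'Developers'],
      'member': [b'CN=Trac Users,OU=Groups,DC=example,DC=com']}),
    ('CN=All Staff,OU=Groups,DC=example,DC=com',
     {'sAMAccountName': [b'All Staff'],
      'member': [b'CN=Developers,OU=Groups,DC=example,DC=com']}),
    # Referral entry, as AD appends to subtree searches of the domain root.
    (None, ['ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com']),
]

def search_groups_with_member(directory, member_dn):
    """Hypothetical stand-in for search_s(base_dn, SCOPE_SUBTREE,
    '(&(objectClass=group)(member=<dn>))', ['sAMAccountName']).
    Like AD, it hands back referral entries along with real matches."""
    return [(dn, attrs) for dn, attrs in directory
            if dn is None or member_dn.encode() in attrs.get('member', [])]

def to_trac_group(sam_account_name):
    """Apply the description's naming scheme: b'Trac Users' -> '@trac_users'."""
    return GROUP_PREFIX + sam_account_name.decode().lower().replace(' ', '_')

def get_user_groups(directory, user_dn, seen=None):
    """Return the Trac group names for every group user_dn belongs to,
    directly or through parent groups, each group listed once.
    `seen` holds group DNs already walked so nested-group cycles terminate."""
    if seen is None:
        seen = set()
    groups = []
    for dn, attrs in search_groups_with_member(directory, user_dn):
        if dn is None or dn in seen:       # referral, or group already handled
            continue
        seen.add(dn)
        groups.append(to_trac_group(attrs['sAMAccountName'][0]))
        groups.extend(get_user_groups(directory, dn, seen))  # walk up the tree
    return groups
```

For alice the walk yields `['@trac_users', '@developers', '@all_staff']` and stops when it meets Trac Users a second time through Developers.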
Attachments (0)
Change History (6)
comment:1 Changed 12 years ago by
comment:2 follow-up: 3 Changed 12 years ago by
I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.
comment:3 Changed 12 years ago by
Cc: | Ryan J Ollos added; anonymous removed |
---|---|
Owner: | changed from John Hampton to anonymous |
Status: | new → assigned |
Replying to rjollos:
I'm fairly sure that pacopablo is not seen around trac-hacks these days. Let me know if you'd like to take over maintainership of the plugin per AdoptingHacks.
I can do that.
comment:4 Changed 12 years ago by
Keywords: | adoption-request added |
---|---|
Owner: | changed from anonymous to branson |
Status: | assigned → new |
oops .. meant to take this .. I can adopt this.
comment:5 Changed 12 years ago by
Cool. You'll just need to do the steps listed at AdoptingHacks#HowtoAdoptUnmaintainedHacks, including creating a dedicated ticket and posting to the mailing list.
comment:6 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
I have taken this several steps further .. with a complete re-write of the caching system to use the local database .. I am working on the installer for the db now .. but this should work LOTS faster across multiple python/apache instances.
Hold up and I'll send in the new patches.