#12357 closed task (fixed)
Plugin has no source code
| Reported by: | figaro | Owned by: | c0redumb |
|---|---|---|---|
| Priority: | normal | Component: | LDAPAcctMngrPlugin |
| Severity: | normal | Keywords: | |
| Cc: | | Trac Release: | |
Description
The plugin currently does not have source code. Would you kindly add it?
Attachments (0)
Change History (10)
comment:1 Changed 9 years ago by
Keywords: nosource added
comment:2 Changed 9 years ago by
comment:3 follow-up: 4 Changed 9 years ago by
@rjollos. Certainly. I was thinking about building something quick. Collaborating together would be great! Which one do you have in mind? One of my interests is to add SSL/TLS to the LDAP connections. I have done some testing and it seems relatively easy to get it to work. Now I just need to remember where I left the code, since later I have moved to Apache for authentication (which seems to work for what I wanted). Another thing I believe would be nice to have is to maintain instructions of installation on the wiki. It seems it is all a guessing game among all the choices of plugins there.
comment:4 Changed 9 years ago by
Replying to c0redumb:
> @rjollos. Certainly. I was thinking about building something quick. Collaborating together would be great! Which one do you have in mind?
I'm learning my way through LDAP. The main reason I wanted to use a plugin was so that the user's name and email would be pulled from LDAP and used to populate the session data. Based on recent discussion in gmessage:trac-users:Koimg5owkYM/jbmfEOU42cAJ, it seems we may be able to add this behavior to Trac without too much difficulty.
Now I wonder if Apache authentication is enough. Perhaps though, there is need for a plugin to add LDAP support to AccountManagerPlugin. Would there be any additional features provided by AccountManagerPlugin in this case? For example, typically one can create and delete user accounts from AccountManagerPlugin, but I imagine that LDAP must be a read-only data store. Account locking and some other small features might be possible though.
> One of my interests is to add SSL/TLS to the LDAP connections. I have done some testing and it seems relatively easy to get it to work. Now I just need to remember where I left the code, since later I have moved to Apache for authentication (which seems to work for what I wanted).
I'm unsure of how SSL/TLS fits into this. When using Apache for authentication it seems to be possible to connect to LDAP over HTTPS.
What other features are you aiming to get out of an LDAP plugin?
> Another thing I believe would be nice to have is to maintain instructions of installation on the wiki. It seems it is all a guessing game among all the choices of plugins there.
Yes, definitely, both for the plugins and for Apache with LDAP. For Apache with LDAP there is some information on the Trac wiki (trac:TracModWSGI#UsingLDAPAuthentication), but I don't believe it is easily found by users and it could be improved. Also we need examples of how to configure with Apache 2.4 (the differences are minor vs 2.2).
comment:5 follow-up: 6 Changed 9 years ago by
That's why I am a bit lazy in finding my source code.
There are basically two choices: (A) Apache with LDAP, (B) tracd with LDAP plugin. So I care about security. So I need to protect both browser-to-tracd/Apache and LDAPplugin-to-LDAPserver. Protecting browser-to-tracd would be a lot of trouble (have to run stunnel4), compared to simply running SSL with Apache. Actually I got that working with both options.
Indeed the real blocking issue is running svnserve (which is on the same server as Trac) with LDAP. There is no easy way to protect the first communication leg (because you will have to use saslauthd which with LDAP backend can only do clear text). So the only sensible way to serve subversion securely is to do it through Apache. For that, I might as well do Trac through Apache.
Back to your questions: Yes, Apache auth is enough. You don't need to create user accounts. When users log in (with their LDAP username and password), the account is automatically recorded.
comment:6 Changed 9 years ago by
Replying to c0redumb:
> When users log in (with their LDAP username and password), the account is automatically recorded.
More specifically, a session is created using the user id. However, the real name and email address are not pulled from LDAP to populate the user session. On the other hand LdapAuthStorePlugin populates the user session attributes. Hopefully we can modify Trac to do the same for Trac with Apache.
comment:7 Changed 9 years ago by
Project will be removed in approximately 30 days as part of routine cleanup of trac-hacks.org unless there is a commitment to add source code in the near future.
comment:8 Changed 9 years ago by
Code is committed in r14712. Configuration and step-by-step screen shots are updated at the wiki:LDAPAcctMngrPlugin.
comment:9 Changed 9 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Release v0.9 is tagged in r14713.
comment:10 Changed 9 years ago by
Keywords: nosource removed
@c0redumb. Would you be interested in collaborating to adopt and maintain some existing LDAP plugins such as LdapPlugin and LdapAuthStorePlugin, rather than adding another LDAP plugin to trac-hacks.org? There are many unmaintained LDAP plugins on trac-hacks.org and I'm interested in your idea to have one well-maintained plugin. Even better if we can adopt and improve an existing plugin (see AdoptingHacks for more info).