Opened 7 years ago

Closed 7 years ago

#12994 closed defect (fixed)

Always expand groups from LDAP

Reported by: anonymous
Owned by: bebbo
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description

I tested 2.1.0-SNAPSHOT of DirectoryAuthPlugin. The plugin always expands groups from LDAP, even if trac.ini contains:

[account-manager]
group_expand = 0

Change History (10)

comment:1 Changed 7 years ago by bebbo

In 16081:

refs #12994

  • group_expand is now applied if group users are looked up. group_expand == 1: follow resolve also group members, group_expand == 0: only list direct group users.

comment:2 in reply to:  1 Changed 7 years ago by mazzibig@…

Replying to bebbo:

In 16081:

refs #12994

  • group_expand is now applied if group users are looked up. group_expand == 1: follow resolve also group members, group_expand == 0: only list direct group users.

I tested this change, but get_permission_groups calls self._expand_user_groups and does an LDAP group search if group_expand = 0

comment:3 Changed 7 years ago by bebbo

So your expectation if 'group_expand == 1' is, that no ldap groups are returned at all.

comment:4 in reply to:  3 Changed 7 years ago by anonymous

Replying to bebbo:

So your expectation if 'group_expand == 1' is, that no ldap groups are returned at all.

if 'group_expand == 0'

Something like this in def _expand_user_groups(self, user, use_cache=1)

            if not self.group_expand:
                self.log.debug('group_expand set %s. Do not extend LDAP groups' % self.group_expand)
                return []

comment:5 Changed 7 years ago by bebbo

In 16082:

refs #12994

  • if group_expand == 0: no LDAP groups are returned.

comment:6 Changed 7 years ago by mazzibig@…

Tested. All fine.

comment:7 Changed 7 years ago by bebbo

In 16083:

refs #12994

  • if group_expand == 0: if group_validusers is configured, login will still work, but that group is not shown under Admin permissions. To disable: do not configure group_validusers.

comment:8 Changed 7 years ago by bebbo

Resolution: fixed
Status: new → closed

comment:9 Changed 7 years ago by mazzibig@…

Resolution: fixed
Status: closed → reopened

WISH

If group_expand = 0 and group_validusers is not configured, all users from dir_basedn are shown in AdminPanel Users.

Maybe only Trac users with LDAP data (mail, displayname) must be shown?

comment:10 Changed 7 years ago by bebbo

Resolution: fixed
Status: reopened → closed

There is distinct code from the primary author of this plugin, which explicitly defines the behaviour to return all LDAP users.

You may consider creating a new ticket for an additional option to support a different behaviour.
