Opened 16 years ago
Last modified 14 years ago
#4943 new defect
Pluging won't work for users belonging to LDAP upper cased groups
| Reported by: | Owned by: | Emmanuel Blot | |
|---|---|---|---|
| Priority: | normal | Component: | LdapPlugin |
| Severity: | normal | Keywords: | |
| Cc: | jmeile@…, tim.gouma@… | Trac Release: | 0.11 |
Description
On the LDAP setup I'm using, there are some upper cased groups. I can't change them since I'm not the administrator of that server and the tool I use to add those groups to the LDAP server, uses an upper cased prefix, ie: MY_DEPARTMENT-, then I can define whatever comes afterwards, so, MY_DEPARTMENT-ADMINS. So, as you see, I cant' do anything here :-(
Anyway, when I give @MY_DEPARTMENT-ADMINS into the trac Admins interface, it just complains and says: "All upper-cased tokens are reserved for permission names"
If I give @my_department-admins into the Admin interface, then the group comparison into your plugging will fail since it compares this lowered string with the original name of the LDAP group.
Well, this seems to be a trac problem since it has reserved uppercased names for permissions :-(
Anyway, it would be nice if you add some kind of option that lowercases the groups to which a user belongs to, ie: ignore_group_case. There is a trac setting: ignore_auth_case, but it only seems to lowercase the username. It won't work with the groups.
For the moment, I'm always lowercasing each group into the _get_user_groups method of the LdapPermissionGroupProvider class; however, I thing a trac.ini variable would be much more elegant.
Best regards Josef
Attachments (0)
Change History (4)
comment:1 follow-ups: 2 3 Changed 15 years ago by
comment:2 Changed 15 years ago by
Replying to anonymous:
This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with
I would not:
There are reasons why Trac web interface rejects uppercase names: there are reserved for permissions. Do not mess up with Trac, or bear with the consequences: you may introduce subtle bugs.
trac-admin should not accept uppercased groups.
On the other side, LDAP is usually case insensitive for group matching.
comment:3 Changed 15 years ago by
Replying to anonymous:
This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with
trac-admin /path/to/trac-env permission add @MY_DEPARTMENT-ADMINS SOME_ACTIONI don't know of a way to do this using the web interface.
MMM, thanks for your reply. I think I'm going to follow the suggestion from eblot and not using this workarround.
Anyway, I just figured out that the only part I can't change in my groups is MY_DEPARTMENT, so, I just added a group like this: MY_DEPARTMENT-admins and now if I just refer to @MY_DEPARTMENT-admins it works.
Anyway, reserving upper cased names for trac permissions isn't a very nice thing, but I can leave with that.
Thanks to ebot as well for pointing the problems you can arise if you use upper case groups with the trac-admin.
comment:4 Changed 14 years ago by
| Cc: | tim.gouma@… added |
|---|
Are there any plans for fixing this? My group names are also mostly uppercase.
This is only a workaround, but the trac-admin script does not suffer that limitation. You can add the group with
I don't know of a way to do this using the web interface.