LdapPlugin fails with MS Active Directory, lacks email / full name
|Reported by:||Zachary Bedell||Owned by:||Emmanuel Blot|
|Severity:||normal||Keywords:||ldap, active directory, activedirectory, windows, group, permissions|
I've run into a number of issues using the LdapPlugin against MS Active Directory. The plugin assumed that the Common Name (CN) attribute of a principal's Distinguished Name (DN) was always equivalent to its login name and that you could convert from DN to login name with simple string manipulation.
Alas, this is not (remotely) the case with our directory as various users may have as their CN their login name, their full given name, some variation on their given name (nick names), and in some cases completely meaningless identifiers. A mess, no doubt; but out of my control.
As far as my understanding of LDAP goes, assuming login == CN is somewhat simplistic and given to failure. I've modified the plugin to connect to the directory whenever a CN/DN/login translation is needed. I've also attempted to cache the conversions where practical in order to reduce the number of queries against the directory as much as possible. I suspect additional caching improvements are possible.
Attached to this ticket is a replaced api.py file which implements these changes. I'd ordinarily attach a patch, but the changes were extensive enough to render a patch relatively pointless.
Also included in this version is additional logic to extract the user's email and full name from the appropriate directory fields and insert them into the Trac session. The idea of piggybacking on the web filter system is from AccountLdapPlugin with some minor tweaks.
To use this version, you'll need to take the rest of the scaffolding from the trunk build of he LdapPlugin-0.11 and replace the ldaplugin/api.py file with the attached one.
Configuration settings like the following are working for our ActiveDirectory, but YMMV:
[ldap] enable=true use_tls=false host=your.server port=389 # Note: Must be the full DN, sAMAccount name or email-like domain login will NOT work bind_user=CN=LDAP Search User,OU=Windows Systems,... bind_passwd=pass # Use authenticated bind group_bind = true # Adjust DN's to taste basedn=OU=RTP,... group_rdn = OU=Programming,... user_rdn = OU=users # Group settings - use the Windows login name for the group (sAMAccountname) groupname = group groupattr = sAMAccountName groupmember = member groupmemberisdn = true # Use Windows login name for user uidattr = sAMAccountName # NEW FOR PATCH: # Attributes on the user object from which full name and email address will be read user_fullname_attr = displayName user_email_attr = mail # Our tree is readonly, but you might want to enable this manage_groups = false