Opened 8 years ago

Closed 6 years ago

Last modified 6 years ago

#7327 closed enhancement (fixed)

Flexibility and Performance of LDAP Traversal

Reported by: Thomas Stümpfig
Owned by: branson
Priority: normal
Component: DirectoryAuthPlugin
Severity: normal
Keywords: group filter
Cc:
Trac Release: 0.12


The plugin "only" traverses one AD group hierarchy. What if you have two or more groups in the AD that you want to allow as authenticated users? Today you would have to create a group "Trac" users and add the groups to this group. -> This way you would need to have write access to the AD. This is not always easy. -> The performance is also impacted.

It would be more flexible and probably give better performance if the AD query is expressed in the trac.ini directly.

Attachments (0)

Change History (5)

comment:1 Changed 8 years ago by John Hampton

Status: new → assigned

I'm open to suggestions on this front.

I agree that it's not optimal, but it's simple. One thing that I am looking to avoid is complex and ugly LDAP queries in the trac.ini. Providing a list of auth groups isn't a bad solution, though I'll have to take a look to see how much work it will be to accommodate that.

So, what are you thinking when you say: "AD query is expressed in the trac.ini directly"?

comment:2 Changed 8 years ago by Thomas Stümpfig

First, I agree with you: enumerating groups would be easier to handle for admins not used to AD/LDAP, and probably easier to implement.

What I meant with "AD query is expressed in the trac.ini directly" is that you would have a variable like: search_filter="(&(objectCategory=person)(objectClass=contact)(|(sn=xxxx)(sn=xxx)))" (In reality you would search for a user instead of a contact.)

Here search_filter would be a string that complies with the LDAP search filter syntax as defined in RFC 2254.
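
Added example (not part of the ticket and not DirectoryAuthPlugin code): one way the two ideas discussed above, a list of allowed groups and an optional admin-supplied filter from trac.ini, could be combined into a single AD query. It assumes Active Directory (the nested-membership matching rule is AD-specific) and login by sAMAccountName; the function names, the handling of the extra filter and the DNs are hypothetical.

```python
# Added example, not DirectoryAuthPlugin code. DNs and names below are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follows nested groups


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter value (RFC 4515 / RFC 2254)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def filter_is_balanced(flt):
    """Sanity-check a filter read from configuration: one parenthesised item."""
    depth, i = 0, 0
    while i < len(flt):
        if flt[i] == "\\":          # skip an escaped byte such as \28
            i += 3
            continue
        if flt[i] == "(":
            depth += 1
        elif flt[i] == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
        elif depth == 0:            # text outside any parentheses
            return False
        i += 1
    return depth == 0 and len(flt) > 0


def build_login_filter(username, group_dns, extra_filter=None):
    """Match one user who is a direct or nested member of any listed group."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    groups = "".join("(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(dn))
                     for dn in group_dns)
    if len(group_dns) > 1:
        groups = "(|%s)" % groups
    parts = ["(objectCategory=person)",
             "(sAMAccountName=%s)" % escape_filter_value(username), groups]
    if extra_filter:                # hypothetical admin-supplied filter from trac.ini
        if not filter_is_balanced(extra_filter):
            raise ValueError("malformed search filter: %r" % extra_filter)
        parts.append(extra_filter)
    return "(&%s)" % "".join(parts)


if __name__ == "__main__":
    print(build_login_filter("jdoe", ["CN=Developers,OU=Groups,DC=example,DC=com",
                                      "CN=Domain Admins,CN=Users,DC=example,DC=com"]))
```

The username and group DNs are escaped before they enter the filter, and a malformed configured filter is rejected locally instead of being sent to the directory server.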


comment:3 Changed 6 years ago by branson

Owner: changed from John Hampton to branson
Status: assigned → new

Please see the extension of groups I just enabled in 0.3 and see if it solves your problem. You'd be able to set perms for multiple groups fairly easily.

comment:4 Changed 6 years ago by branson

Resolution: fixed
Status: new → closed

No response .. also I have set up recursion on groups .. so if you had a Trac group .. and the members were the Domain Admins, Developers, Moose .. users in all three groups should be able to log in.

I don't think it's unreasonable to ask for that. If there's really a need to express the search in the config, I can still do that .. but I'd like feedback on whether the recursion solves the problem.

comment:5 Changed 6 years ago by Thomas Stümpfig

Sorry, I didn't hear any news about this ticket for a long time... It is good to hear that multiple groups are now available and that these are even correlated with Trac groups. I am pretty sure my needs will be addressed. Still, I'll have to test it. I think there is virtually always a node that will contain groups of groups ... with users, except in some really huge organizations.

Regards, Thomas
