[[PageOutline]]

= AD Group Management =

The plugin extends Directory group membership into the trac namespace. This means you can specify permissions for different groups of authenticated individuals.

== Theory ==

LDAP defines a group by its objectClass, and the group entry usually contains member or memberUID as the identifier for each person in the group. When a group named in the permissions is looked up, it is expanded to its members, and that member list is then used to match.

== Usage ==

 1. Create the groups you'd like in the directory (say cn=Staff,dc=home,dc=net).
 2. Add users to the groups.
 3. Go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. So, for example, use Grant Permission with Subject: @staff and Permission: WIKI_EDIT.

'''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.

== Validation ==

To validate users, you'll need to log in with perms to the TRAC_HOME directory, and then use
{{{
me@here > sudo trac-admin /var/trac/mytrac permission list {user}
}}}

== Configuration ==

Any groups found under the base_dn will be expanded into the name space
 - each group will have the name normalized by changing it to lower case, and changing spaces to underscores
 - the group name will be prefixed by an @ sign

So {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} becomes {{{@domain_users}}}.

== Example Configurations ==

For example:
{{{
@domain_users BLOG_CREATE
@domain_users BLOG_MODIFY_ALL
@domain_users BLOG_MODIFY_OWN
@domain_users BROWSER_VIEW
@domain_users DISCUSSION_APPEND
@domain_users MYPAGE_VIEW
@domain_users PRIVATE_EDIT_ATOL_SECURE
@domain_users PRIVATE_VIEW_ATOL_SECURE
@domain_users REPORT_SQL_VIEW
@domain_users RES_RESERVE_MODIFY
@domain_users RES_RESERVE_VIEW
@domain_users RIPE_EDIT
@domain_users TICKET_ADMIN
@domain_users TSTATS_VIEW
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@domain_users XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops PRIVATE_EDIT_OPS_SECURE
@ops XML_RPC
@sysops DISCUSSION_ADMIN
@sysops RIPE_ADMIN
@sysops TICKET_EDIT_CC
@sysops WIKI_DELETE
@trac_admin TRAC_ADMIN
...
}}}

 - This gives the @domain_users group from AD a specific set of perms
 - the @branch_admins are using the PrivateWiki plugin to hide their passwords
 - as are the @ops group
 - @sysops are god-like.
 - @trac_admins are .. well, trac_admins ;-)
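
The expansion and name normalization described under Theory and Configuration, as an added Python example (not the plugin's own code). The directory entries, the BASE_DN value and all function names are constructed for illustration, and mapping a member DN to a Trac user by its first RDN is an assumption. It also reports directory groups that normalize to the same @name, because a grant to that name then covers the members of both.

```python
import re
from collections import defaultdict

BASE_DN = "dc=ad,dc=com"  # assumed base_dn for this example
# Constructed directory entries: group DN -> membership attributes.
GROUPS = {
    "cn=Domain Users,cn=Users,dc=ad,dc=com": {"member": ["cn=alice,cn=Users,dc=ad,dc=com"]},
    "cn=Sysops,ou=Groups,dc=ad,dc=com": {"memberUid": ["bob"]},
    "cn=domain_users,ou=Legacy,dc=ad,dc=com": {"memberUid": ["carol"]},
    "cn=Staff,dc=home,dc=net": {"memberUid": ["dave"]},  # outside BASE_DN, ignored
}
# Two grants taken from the page's example configuration.
GRANTS = [("@domain_users", "WIKI_CREATE"), ("@sysops", "WIKI_DELETE")]

def first_rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'Domain Users' for 'cn=Domain Users,...'."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # split on the first unescaped comma
    return rdn.split("=", 1)[1].strip()

def trac_group_name(dn):
    """Normalize as the page describes: lower case, spaces to underscores, '@' prefix."""
    return "@" + first_rdn_value(dn).lower().replace(" ", "_")

def in_base(dn, base_dn=BASE_DN):
    """True when the group DN sits under the base DN."""
    return dn.lower().endswith("," + base_dn.lower())

def expand(groups=GROUPS):
    """Map Trac group name -> set of user ids, for groups under the base DN."""
    members = defaultdict(set)
    for dn, attrs in groups.items():
        if in_base(dn):
            name = trac_group_name(dn)
            members[name].update(u.lower() for u in attrs.get("memberUid", []))
            # Assumption: a member DN maps to the Trac user named by its first RDN.
            members[name].update(first_rdn_value(m).lower() for m in attrs.get("member", []))
    return dict(members)

def collisions(groups=GROUPS):
    """Trac names produced by more than one directory group."""
    seen = defaultdict(list)
    for dn in groups:
        if in_base(dn):
            seen[trac_group_name(dn)].append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}

def effective_permissions(user, groups=GROUPS, grants=GRANTS):
    """Permissions a user receives through group grants alone."""
    expanded = expand(groups)
    return {perm for subject, perm in grants if user.lower() in expanded.get(subject, set())}
```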