[[PageOutline(2-5,Contents,pullout)]]

= Active Directory Auth Plugin =

== Description ==

The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory. Users are authenticated by performing an ldap_bind against the AD server using their credentials.

The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table. See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.

== Groups ==

 - One can specify a group which users must be a member of in order to log in.
 - Additionally, one may specify an ''admin'' group. If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
 - Finally, Active Directory groups are extended into the Trac namespace. They can be used to extend permissions by AD group.
 - AD groups are prefixed by @; group names are lowercase and spaces are replaced with underscores.

See [[./GroupManagement]] for more details.

== Caching ==

Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. It caches data in the database, shared by all Python instances, and in memory within each instance, while maintaining expiration and flushing the cache(s) as necessary. See [[./CacheManagement]] for details.

== Bugs/Feature Requests ==

Existing bugs and feature requests for ActiveDirectoryAuthPlugin are [report:9?COMPONENT=ActiveDirectoryAuthPlugin here].

If you have any issues, create a [http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket].
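The group rules from the Groups section above (login group, admin group, and the `@`-prefixed Trac group names), worked through as an added Python example. This is not the plugin's own code; the `memberOf` values, group DNs and function names are constructed for illustration.

```python
import re

# Constructed sample data (not real directory content): the memberOf values
# an AD user object might carry, plus the auth_group / admin_group DNs from a
# hypothetical [account-manager] configuration.
SAMPLE_MEMBER_OF = [
    "CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=example,DC=com",
    "CN=Administration,DC=example,DC=com",
    "CN=Trac Users,OU=Groups,DC=example,DC=com",
]
AUTH_GROUP = "CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=example,DC=com"
ADMIN_GROUP = "CN=Administration,DC=example,DC=com"


def first_rdn_value(dn, attr="CN"):
    """Return the value of the first RDN of type `attr` in an LDAP DN.

    Commas inside a value are backslash-escaped in DN syntax, so the split
    ignores escaped commas; 'CN=Smith\\, Jo' therefore stays one RDN."""
    for part in re.split(r'(?<!\\),', dn):
        key, _, value = part.partition("=")
        if key.strip().upper() == attr:
            return value.replace("\\,", ",").strip()
    raise ValueError("no %s RDN in DN %r" % (attr, dn))


def trac_group_name(group_dn):
    """Map an AD group DN to the Trac group name described on this page:
    '@' prefix, lowercase, spaces replaced with underscores."""
    return "@" + first_rdn_value(group_dn).lower().replace(" ", "_")


def evaluate_user(member_of, auth_group=AUTH_GROUP, admin_group=ADMIN_GROUP):
    """Apply the page's rules to a user's memberOf list.

    Returns (allowed, trac_groups, extra_permissions). DNs are compared
    case-insensitively, as AD treats them."""
    normalized = {dn.lower() for dn in member_of}
    # Rule 1: if auth_group is set, the user must be a member of it to log in.
    if auth_group and auth_group.lower() not in normalized:
        return False, [], []
    # Rule 3: every AD group becomes an @-prefixed Trac group.
    groups = sorted(trac_group_name(dn) for dn in member_of)
    # Rule 2: membership of admin_group grants TRAC_ADMIN.
    perms = ["TRAC_ADMIN"] if admin_group and admin_group.lower() in normalized else []
    return True, groups, perms
```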
== Download ==

Download the zipped source from [download:activedirectoryauthplugin here].

== Source ==

You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac.

== Install ==

==== Prerequisites ====

 - You must install AccountManagerPlugin in order to use this plugin.
 - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here].

==== Installation ====

Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins].

== Examples ==

All config options go under the [account-manager] config heading. Options for this module are:

{{{
[account-manager]
#-- to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#-- define the Active Directory host address here. A port other than the default (389) is set as
#   hostname:port
ad_server = adserver.example.com
#-- the Active Directory's base DN to search from, this is likely just your domain
base_dn = DC=example,DC=com
#-- the user/password to search active directory from, it must be a valid
bind_dn = ldapuser@example.com
bind_passwd = ldapuserpassword
#-- show disabled users
#   remember users MUST have logged in to get into the session table before they
#   show up.
show_disabled_users = 1
#-- timeout in seconds for an ldap operation
ldap_timeout = 5
#-- the default charset for the ldap server
charset = utf-8
#-- the DN (distinguished name) for the group that contains users that can login to Trac
#   if this isn't specified then any valid user in active directory is accepted
auth_group = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for the group that contains users that should have the TRAC_ADMIN
#   permission. If this option is not given, no user groups will be given the
#   TRAC_ADMIN permission. If this option is enabled you must specify the
#   UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
admin_group = CN=Administration,DC=example,DC=com
#-- cached entry timeout in seconds
cache_timeout = 90
#-- memory cache size in entries
memcache_size = 100
#-- memory cache prune size in percentage
memcache_prune_percent = 5

[trac]
permission_store = UserExtensiblePermissionStore
}}}

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.

== Common Errors ==

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, you will want to try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.

== Recent Changes ==

[[ChangeLog(activedirectoryauthplugin, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:pacopablo] [[BR]]
'''Maintainer:''' sandinak [[BR]]
'''Contributors:'''