Active Directory Auth Plugin
Description
The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication against Active Directory.
One can specify a group which users must be a member of in order to log in. Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
The Active Directory Auth plugin will also pull the email address and display name from Active Directory and populate the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.
Bugs/Feature Requests
Existing bugs and feature requests for ActiveDirectoryAuthPlugin are here.
If you have any issues, create a new ticket.
Download
Download the zipped source from [download:activedirectoryauthplugin here].
Source
You can check out ActiveDirectoryAuthPlugin from here using Subversion, or browse the source with Trac.
Install
Prerequisites
You must install AccountManagerPlugin in order to use this plugin. Python-LDAP is also required and can be downloaded here.
Installation
Follow the Trac documentation on how to install Trac plugins.
Examples
All config options go under the [account-manager] config heading. Options for this module are:
```ini
[account-manager]
# To use this module with AccountManager, ADAuthStore must be enabled
# inside of AccountManager.
password_store = ADAuthStore

# Define the Active Directory host address here. A port other than the
# default is set as hostname:port.
ad_server = adserver.example.com

# The Active Directory base DN to search from; this is likely just your domain.
base_dn = DC=example,DC=com

# The user/password to search Active Directory with. It must be a valid
# username/password inside of Active Directory.
bind_dn = ldapuser@example.com
bind_passwd = ldapuserpassword

# The DN (distinguished name) of the group that contains users who can log in
# to Trac. If this isn't specified, any valid user in Active Directory is accepted.
auth_group = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com

# The DN of the group that contains users who should have the TRAC_ADMIN
# permission. If this option is not given, no user groups will be given the
# TRAC_ADMIN permission. If this option is enabled, you must specify the
# UserExtensiblePermissionStore as the Trac permission store, such as:
# [trac]
# permission_store = UserExtensiblePermissionStore
admin_group = CN=Administration,DC=example,DC=com

[trac]
permission_store = UserExtensiblePermissionStore
```
If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
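A pre-deployment check for the options above, as an added example that is not part of the plugin: it parses trac.ini text with Python's configparser and reports the two conditions the option comments describe (no auth_group means any valid Active Directory user can log in; admin_group needs UserExtensiblePermissionStore). Treating ad_server, base_dn, bind_dn and bind_passwd as mandatory is an assumption, and check_ad_auth_config and SAMPLE_INI are hypothetical names.

```python
import configparser

# Constructed sample: the page's settings with two deliberate omissions
# (no auth_group, and admin_group set without the [trac] permission store).
SAMPLE_INI = """
[account-manager]
password_store = ADAuthStore
ad_server = adserver.example.com:3268
base_dn = DC=example,DC=com
bind_dn = ldapuser@example.com
bind_passwd = ldapuserpassword
admin_group = CN=Administration,DC=example,DC=com
"""

# Assumption: the plugin cannot work without these four connection options.
REQUIRED = ("ad_server", "base_dn", "bind_dn", "bind_passwd")

def check_ad_auth_config(ini_text):
    """Return a list of findings for the ADAuthStore options in trac.ini text."""
    # interpolation=None so a '%' in bind_passwd is read literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("account-manager"):
        return ["missing [account-manager] section"]
    findings = []
    am = cp["account-manager"]
    if am.get("password_store", "").strip() != "ADAuthStore":
        findings.append("password_store is not ADAuthStore")
    for key in REQUIRED:
        if not am.get(key, "").strip():
            findings.append("missing option: " + key)
    # ad_server is either 'hostname' or 'hostname:port'
    host, sep, port = am.get("ad_server", "").strip().partition(":")
    if sep and not (port.isdecimal() and 0 < int(port) < 65536):
        findings.append("ad_server port is not a valid number: " + port)
    # Without auth_group, any valid Active Directory user can log in.
    if not am.get("auth_group", "").strip():
        findings.append("auth_group unset: any valid AD user may log in")
    # admin_group only takes effect with the UserExtensiblePermissionStore.
    if am.get("admin_group", "").strip():
        store = cp.get("trac", "permission_store", fallback="").strip()
        if store != "UserExtensiblePermissionStore":
            findings.append("admin_group set but [trac] permission_store "
                            "is not UserExtensiblePermissionStore")
    return findings

if __name__ == "__main__":
    for finding in check_ad_auth_config(SAMPLE_INI):
        print(finding)
```

An empty list means none of these conditions were found; it does not confirm that the bind account or the group DNs exist in the directory.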
Common Errors
If Trac throws an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" even though you know the bind user and password are correct, try connecting to Active Directory on port 3268 (set ad_server as hostname:3268). This may happen when AD is running across multiple machines.
Recent Changes
Author/Contributors
Author: pacopablo
Contributors: