A LDAP / Active Directory password and permission store for the AccountManagerPlugin


This plugin is a password store for the AccountManagerPlugin. It provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled services, including BEJY LDAP, OpenLdap, ActiveDirectory and OpenDirectory.

Users are authenticated by performing an ldap_bind against a directory using their credentials. The plugin will also pull the email address and displayName from Directory and populate the session_attribute table.

Key features:

  • Can use a service account to do lookups, or anonymous binding.
  • Can use SSL if openssl is configured correctly.
  • Configurable: many options to deal with the differences between directories and schema.
  • Uses both memory and db based caching to improve performance.
  • Supports large directories:
    • Searches Groups more efficiently using Member.
    • Traverses up the tree to find subgroups.
  • Can expand directory groups into the Trac namespace.
  • Supports paged LDAP searches to circumvent server size limits.

See: TheoryOfOperation

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.


54 / 55


11 / 11


2 / 2


Download the zipped source from here.


You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.



  • You must install AccountManagerPlugin to use this plugin.
  • Python-LDAP is also required.
  • For SSL, you will have to install and configure OpenSSL to work with valid certificates. You can test using ldapsearch -Z.

Installation steps

General instructions on installing Trac plugins can be found on the TracPlugins page.

Starting from v0.3, a database upgrade will be required as part of the installation.

  1. Install the plugin and its prerequisites.
  2. Update the database:
    trac-admin /var/trac/instance upgrade
  3. Restart the tracd service or your webserver.

See ConfigurationExamples.

Common Issues

  • When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use:
    joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D -W -H ldaps:// -s one 'objectclass=person' 
    The -d8 should show you TLS errors.
  • If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, then try connecting to Active Directory on port 3268. This may happen when Active Directory is running across multiple machines.

Recent Changes

17455 by rjollos on 2019-08-18 19:53:23
Remove duplicated option

Fixes #13548.

17358 by rjollos on 2019-04-05 15:25:01
Remove unnecessary line terminators
17357 by rjollos on 2019-04-05 15:15:06
Stip trailing whitespace


Author: pacopablo
Maintainer: bebbo
Contributors: sandinak, rjollos

Last modified 8 years ago Last modified on Dec 14, 2016, 2:37:28 PM