wiki:DirectoryAuthPlugin/ConfigurationExamples

Configuration examples for the DirectoryAuthPlugin

All config options go under the [account-manager] configuration heading in your trac.ini file. Options for this module are:

For default values see: auth.py

[account-manager]
#-- To use this module with AccountManager, DirAuthStore must be enabled inside of AccountManager
password_store = DirAuthStore

#-- Text encoding used by the LDAP or Active Directory Server
dir_charset = utf-8
#-- 0=Base, 1=OneLevel, 2=Subtree
dir_scope = 1
#-- URI of the LDAP or Active Directory Server.  
#   A port other than default(389) is set as ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://adserver.example.com
#-- DN used to bind to AD, leave blank for anonymous bind
dir_binddn = ldapuser@example.com
#-- Password used when binding to AD, leave blank for anonymous bind
dir_bindpw = ldapuserpassword
#-- LDAP response timeout in seconds
dir_timeout = 5
#-- Base DN used for account searches
dir_basedn = DC=example,DC=com

#-- Attribute of the user in the directory
user_attr = sAMAccountName
#-- Attribute of the users name in the directory
name_attr = displayName
#-- Attribute of the users email in the directory
email_attr = mail

#-- Base DN used for group searches
group_basedn = OU=trac groups,OU=Email,DC=serverplus,DC=com
#-- name of group containing valid users. If None, any AD user is valid
#   with the value @alltechs and the group_basedn above, this group would work:
#   cn=alltechs,OU=trac groups,OU=Email,DC=serverplus,DC=com yields @alltechs
#   cn=alltechs,ou=boat,OU=trac groups,OU=Email,DC=serverplus,DC=com also yields @alltechs
#   the cn must be unique in the group_basedn tree!
group_validusers = @alltechs
#-- nameof group containing TRAC_ADMIN users (can also assign TRAC_ADMIN to an LDAP group.)
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
#    
#   using the UserExtensiblePermissionStore all groups below the group_basedn appear as groups for trac permissions
#   cn=administration,OU=trac groups,OU=Email,DC=serverplus,DC=com yields @administration
#   cn=administration,ou=submarine,OU=trac groups,OU=Email,DC=serverplus,DC=com also yields @administration
#   
group_tracadmin = @administration
#-- Binary: expand ldap_groups into trac groups.
group_expand = 1

#-- Cache timeout in seconds 
cache_ttl= 90
#-- Size of memcache in entries, zero to disable
cache_memsize = 400
#-- Warning message for cache pruning in seconds
cache_memsize_warn = 300

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.

Bebbo's Example config

This configuration is valid for DirectoryAuthPlugin 2.1.0+

[account-manager]
# my domain
dir_basedn = dc=foo,dc=bar

# my system user to use the ldap directory. This system user may read the whole trac tree in the LDAP server.
dir_binddn = uid=systrac,ou=people,dc=foo,dc=bar
dir_bindpw = veryVERY_S_E_C_R_E_T!1elf!

# my ldap server is running on same host as trac
dir_uri = ldap://127.0.0.1:389

# I am using some 'standard' LDAP server, no Active Directory
group_class_attr = groupOfUniqueNames
member_attr = uniqueMember
name_attr = displayName
user_attr = uid

# and I am using the full dn of groups
group_nameattr = dn

# below here are my trac specific groups
group_basedn = ou=trac,ou=groups,dc=foo,dc=bar

# and this is the group for all trac users
group_validusers = @cn=user,ou=trac,ou=groups,dc=foo,dc=bar

...

[trac]
...
permission_store = UserExtensiblePermissionStore
...

  • restart trac

Now you need a LDAP user who is a uniqueMember of the validusers group cn=user,ou=trac,ou=groups,dc=foo,dc=bar. Use this user for login.

If this is working, stop trac and use trac-admin to give your user admin rights:

   trac-admin <tracinstance>
   permission add <username> TRAC_ADMIN
   quit
  • restart trac

After login your user has admin rights. Assign the TRAC_ADMIN permission to the group @cn=admin,ou=trac,ou=groups,dc=foo,dc=bar to grant TRAC_ADMIN to all users in that group: Use 'grant permssion', 'Action:' "TRAC_ADMIN", 'Subject:': "@cn=admin,ou=trac,ou=groups,dc=foo,dc=bar" and click add.

Last modified 3 months ago Last modified on Dec 10, 2016, 9:27:40 PM