Configuration examples for the DirectoryAuthPlugin
All config options go under the [account-manager] configuration heading in your trac.ini file. Options for this module are:
For default values see: auth.py
[account-manager]
#-- To use this module with AccountManager, DirAuthStore must be enabled inside of AccountManager
password_store = DirAuthStore
#-- Text encoding used by the LDAP or Active Directory Server
dir_charset = utf-8
#-- 0=Base, 1=OneLevel, 2=Subtree
dir_scope = 1
#-- URI of the LDAP or Active Directory Server.
# A port other than the default (389) is set as ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://adserver.example.com
#-- DN used to bind to AD, leave blank for anonymous bind
dir_binddn = ldapuser@example.com
#-- Password used when binding to AD, leave blank for anonymous bind
dir_bindpw = ldapuserpassword
#-- LDAP response timeout in seconds
dir_timeout = 5
#-- Base DN used for account searches
dir_basedn = DC=example,DC=com
#-- Attribute of the user in the directory
user_attr = sAMAccountName
#-- Attribute of the user's name in the directory
name_attr = displayName
#-- Attribute of the user's email in the directory
email_attr = mail
#-- Base DN used for group searches
group_basedn = OU=trac groups,OU=Email,DC=serverplus,DC=com
#-- Name of the group containing valid users. If None, any AD user is valid.
# With the value @alltechs and the group_basedn above, this group would work:
# cn=alltechs,OU=trac groups,OU=Email,DC=serverplus,DC=com yields @alltechs
# cn=alltechs,ou=boat,OU=trac groups,OU=Email,DC=serverplus,DC=com also yields @alltechs
# The cn must be unique in the group_basedn tree!
group_validusers = @alltechs
#-- Name of the group containing TRAC_ADMIN users (can also assign TRAC_ADMIN to an LDAP group.)
# If this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
# [trac]
# permission_store = UserExtensiblePermissionStore
#
# Using the UserExtensiblePermissionStore, all groups below the group_basedn appear as groups for trac permissions:
# cn=administration,OU=trac groups,OU=Email,DC=serverplus,DC=com yields @administration
# cn=administration,ou=submarine,OU=trac groups,OU=Email,DC=serverplus,DC=com also yields @administration
# group_tracadmin = @administration
#-- Binary: expand LDAP groups into trac groups.
group_expand = 1
#-- Cache timeout in seconds
cache_ttl = 90
#-- Size of memcache in entries, zero to disable
cache_memsize = 400
#-- Warning message for cache pruning in seconds
cache_memsize_warn = 300
If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
Bebbo's Example configuration
This configuration is valid for DirectoryAuthPlugin 2.1.0+:
[account-manager]
# my domain
dir_basedn = dc=foo,dc=bar
# my system user to use the ldap directory. This system user may read the whole Trac tree in the LDAP server.
dir_binddn = uid=systrac,ou=people,dc=foo,dc=bar
dir_bindpw = veryVERY_S_E_C_R_E_T!1elf!
# my ldap server is running on same host as Trac
dir_uri = ldap://127.0.0.1:389
# I am using some 'standard' LDAP server, no Active Directory
group_class_attr = groupOfUniqueNames
member_attr = uniqueMember
name_attr = displayName
user_attr = uid
# and I am using the full dn of groups
group_nameattr = dn
# below here are my Trac specific groups
group_basedn = ou=trac,ou=groups,dc=foo,dc=bar
# and this is the group for all Trac users
group_validusers = @cn=user,ou=trac,ou=groups,dc=foo,dc=bar

[trac]
...
permission_store = UserExtensiblePermissionStore
...
- restart Trac
Now you need an LDAP user who is a uniqueMember of the validusers group cn=user,ou=trac,ou=groups,dc=foo,dc=bar. Use this user for login.
If this is working, stop Trac and use trac-admin to give your user admin rights:
trac-admin <tracinstance>
permission add <username> TRAC_ADMIN
quit
- restart Trac
After logging in, your user has admin rights. Assign the TRAC_ADMIN permission to the group @cn=admin,ou=trac,ou=groups,dc=foo,dc=bar to grant administrator rights to all users in that group: use 'Grant Permission', set 'Action:' to "TRAC_ADMIN" and 'Subject:' to "@cn=admin,ou=trac,ou=groups,dc=foo,dc=bar", and click Add.
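The group-to-@name mapping explained in the group_basedn comments of the first configuration and the group_nameattr = dn variant in Bebbo's configuration, as an added Python example (not the plugin's own code): it reimplements the mapping from the page's description and runs it over constructed sample DNs taken from this page, including the duplicate-cn case the comments warn about.

```python
def parse_dn(dn):
    """Split 'cn=alltechs,OU=trac groups,DC=example,DC=com' into lowercase-typed
    (attr, value) pairs. Escaped commas are not handled (none appear on this page)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def is_under(dn, base_dn):
    """True when dn lies somewhere below base_dn (suffix match, value case ignored)."""
    parts, base = parse_dn(dn), parse_dn(base_dn)
    if len(parts) <= len(base):
        return False
    norm = lambda pairs: [(a, v.lower()) for a, v in pairs]
    return norm(parts[-len(base):]) == norm(base)

def trac_group_name(group_dn, group_basedn, group_nameattr="cn"):
    """Map an LDAP group DN to the '@name' Trac sees, or None when the group
    is outside group_basedn and is therefore never expanded into a Trac group."""
    if not is_under(group_dn, group_basedn):
        return None
    if group_nameattr == "dn":  # Bebbo's setting: the full DN becomes the name
        return "@" + group_dn
    first_attr, first_value = parse_dn(group_dn)[0]
    return "@" + first_value if first_attr == group_nameattr else None

def find_ambiguous(group_dns, group_basedn, group_nameattr="cn"):
    """Return Trac names onto which more than one LDAP group collapses: the collision
    the page warns about, since both groups then share a single set of permissions."""
    seen = {}
    for dn in group_dns:
        name = trac_group_name(dn, group_basedn, group_nameattr)
        if name:
            seen.setdefault(name, []).append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}

# Constructed sample entries, built from the DNs used on this page.
GROUP_BASEDN = "OU=trac groups,OU=Email,DC=serverplus,DC=com"
SAMPLE_GROUPS = [
    "cn=alltechs,OU=trac groups,OU=Email,DC=serverplus,DC=com",
    "cn=alltechs,ou=boat,OU=trac groups,OU=Email,DC=serverplus,DC=com",
    "cn=administration,OU=trac groups,OU=Email,DC=serverplus,DC=com",
    "cn=helpdesk,OU=Other,DC=serverplus,DC=com",  # outside group_basedn: ignored
]

if __name__ == "__main__":
    for dn in SAMPLE_GROUPS:
        print(dn, "->", trac_group_name(dn, GROUP_BASEDN))
    print("ambiguous:", find_ambiguous(SAMPLE_GROUPS, GROUP_BASEDN))
```

Run against a dump of your own group DNs, it reports every @name that two groups collapse onto; the groups worth checking first are the one in group_validusers, which gates login, and the one you map to TRAC_ADMIN.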