Changes between Initial Version and Version 1 of DirectoryAuthPlugin/GroupManagement

Sep 18, 2012, 10:29:04 AM (6 years ago)
Ryan J Ollos

Content moved from ActiveDirectoryAuthPlugin/GroupManagement.


  • DirectoryAuthPlugin/GroupManagement

    v1 v1  
     2= AD Group Management =
     4The plugin extends Directory group membership into the trac namespace.  This means you can specify permissions for different groups of authenticated individuals.
     6== Theory ==
     7 LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group.  When a request for a group, as defined in the permissions, is searched, the group is expanded to the members.  It's then used to match.
     9== Usage ==
     11 1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net )
     12 2. add users to the groups
     13 3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with
     14    Subject: @staff
     15    Permission: WIKI_EDIT
     17'''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.
     18== Validation ==
     19 To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use
     21 me@here > sudo trac-admin /var/trac/mytrac permission list {user}
     24== Configuration ==
     26 Any groups found under the base_dn will be expanded into the name space
     27 - each group will have the name normalized by changing it to lower case, and changing spaces to underscores
     28 - the group name will be prefixed by an @ sign
     30   {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users
     31== Example Configurations ==
     32For example:
     34@domain_users          BLOG_CREATE
     35@domain_users          BLOG_MODIFY_ALL
     36@domain_users          BLOG_MODIFY_OWN
     37@domain_users          BROWSER_VIEW
     38@domain_users          DISCUSSION_APPEND
     39@domain_users          MYPAGE_VIEW
     40@domain_users          PRIVATE_EDIT_ATOL_SECURE
     41@domain_users          PRIVATE_VIEW_ATOL_SECURE
     42@domain_users          REPORT_SQL_VIEW
     43@domain_users          RES_RESERVE_MODIFY
     44@domain_users          RES_RESERVE_VIEW
     45@domain_users          RIPE_EDIT
     46@domain_users          TICKET_ADMIN
     47@domain_users          TSTATS_VIEW
     48@domain_users          WIKI_CREATE
     49@domain_users          WIKI_RENAME
     50@domain_users          XML_RPC
     51@branch_admins PRIVATE_VIEW_BRANCH_SECURE
     52@ops           PRIVATE_EDIT_OPS_SECURE
     53@ops           XML_RPC 
     54@sysops        DISCUSSION_ADMIN
     55@sysops        RIPE_ADMIN
     56@sysops        TICKET_EDIT_CC
     57@sysops        WIKI_DELETE
     58@trac_admin    TRAC_ADMIN               
     59 ...
     62 - This gives the @domain_users group from AD a specific set of perms
     63 - the @branch_admins are using the PrivateWiki plugin to hide their passwords
     64 - as are the @ops group
     65 - @sysops are god like.
     66 - @trac_admins are .. well well trac_admins ;-)