Changes between Version 1 and Version 2 of DirectoryAuthPlugin/GroupManagement
- Timestamp: Mar 22, 2015, 11:39:53 AM (9 years ago)
DirectoryAuthPlugin/GroupManagement
v1 v2 1 [[PageOutline]] 2 = AD Group Management = 1 [[PageOutline(2-5,Contents,pullout)]] 3 2 4 The plugin extends Directory group membership into the trac namespace. This means you can specify permissions for different groups of authenticated individuals. 3 = ActiveDirectory Group Management 5 4 6 == Theory == 7 LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group. When a request for a group, as defined in the permissions, is searched, the group is expanded to the members. It's then used to match. 5 The plugin extends ActiveDirectory group membership into the Trac namespace. This means you can specify permissions for different groups of authenticated individuals. 8 6 9 == Usage ==7 == Theory 10 8 11 1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net ) 12 2. add users to the groups 13 3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with 14 Subject: @staff 15 Permission: WIKI_EDIT 9 LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group. When a request for a group, as defined in the permissions, is searched, the group is expanded to the members. It's then used to match. 16 10 17 '''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page. 18 == Validation == 19 To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use 11 == Usage 12 13 1. Create the groups in the directory you would like, for example: cn=Staff,dc=home,dc=net. 14 2. Add users to the groups. 15 3. Go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. 
For example use Grant Permission with 16 * Subject: @staff 17 * Permission: WIKI_EDIT 18 19 '''Note:''' groups will NOT show up per user until they're defined from the Permissions page. 20 21 == Validation 22 23 To validate users, you will need to login with permissions to the TRAC_HOME directory, and then use: 20 24 {{{ 21 me@here >sudo trac-admin /var/trac/mytrac permission list {user}25 sudo trac-admin /var/trac/mytrac permission list {user} 22 26 }}} 23 27 24 == Configuration ==28 == Configuration 25 29 26 Any groups found under the base_dn will be expanded into the name space 30 Any groups found under the base_dn will be expanded into the name space: 27 31 - each group will have the name normalized by changing it to lower case, and changing spaces to underscores 28 - the group name will be prefixed by an @ sign32 - the group name will be prefixed by an `@` sign: 29 33 30 34 {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users 31 == Example Configurations == 35 36 == Example Configurations 37 32 38 For example: 33 39 {{{ … … 60 66 }}} 61 67 62 - This gives the @domain_users group from AD a specific set of perms 63 - the @branch_admins are using the PrivateWiki plugin to hide their passwords 64 - as are the @ops group 65 - @sysops are god like. 66 - @trac_admins are .. well well trac_admins ;-) 68 This gives the @domain_users group from ActiveDirectory a specific set of permissions. 69 The @branch_admins are using the PrivateWiki plugin to hide their passwords, as are the @ops group. 70 - @sysops are god like 71 - @trac_admins are trac_admins
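Review bot: The Configuration section in v2 still documents the name normalization (lower case, spaces changed to underscores) without saying what happens when two directory groups normalize to the same name. A group called "Domain Users" and one called "domain_users" would both become @domain_users, and the page does not say which group's members a grant to that subject then covers. Because the same section states that any groups found under the base_dn are expanded, suggest adding a sentence that tells administrators to keep base_dn as narrow as practical and to check for colliding normalized names before granting permissions to an @group. The title change to "ActiveDirectory Group Management" also sits oddly next to a Theory paragraph that describes generic LDAP member/memberUID groups; one line saying which directory types the page applies to would resolve that.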
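Review bot: In the explanation that follows the example configuration (new lines 68-71), "@sysops are god like" and "@trac_admins are trac_admins" do not name the permissions those groups receive, so a reader copying the example cannot tell what is being granted. Suggest replacing both with the actual permission names from the example, and making the formatting consistent, since the first three entries became prose while these two remain list items. The sentence about @branch_admins and @ops using the PrivateWiki plugin "to hide their passwords" reads as an endorsement of keeping passwords in wiki pages; consider rewording it to describe restricted pages in general.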