[[PageOutline(2-5,Contents,pullout)]]

= ActiveDirectory Group Management

The plugin extends ActiveDirectory group membership into the Trac namespace. This means you can specify permissions for different groups of authenticated individuals.

== Theory

LDAP maintains groups as entries defined by their objectClass, which usually contain member or memberUID as the identifier for each person in the group. When a group named in the permissions is looked up, the group is expanded to its members. The member list is then used to match the user.

== Usage

 1. Create the groups you would like in the directory, for example: cn=Staff,dc=home,dc=net.
 2. Add users to the groups.
 3. Go to Admin -> Permissions and create a group by adding permissions to the group name as defined below. For example use Grant Permission with
   * Subject: @staff
   * Permission: WIKI_EDIT

'''Note:''' groups will NOT show up per user until they're defined from the Permissions page.

== Validation

To validate users, you will need to log in with permissions to the TRAC_HOME directory, and then use:
{{{
sudo trac-admin /var/trac/mytrac permission list {user}
}}}

== Configuration

Any groups found under the base_dn will be expanded into the namespace:
 - each group will have its name normalized by changing it to lower case and changing spaces to underscores
 - the group name will be prefixed by an `@` sign:
   {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users

== Example Configurations

For example:
{{{
@domain_users      BLOG_CREATE
@domain_users      BLOG_MODIFY_ALL
@domain_users      BLOG_MODIFY_OWN
@domain_users      BROWSER_VIEW
@domain_users      DISCUSSION_APPEND
@domain_users      MYPAGE_VIEW
@domain_users      PRIVATE_EDIT_ATOL_SECURE
@domain_users      PRIVATE_VIEW_ATOL_SECURE
@domain_users      REPORT_SQL_VIEW
@domain_users      RES_RESERVE_MODIFY
@domain_users      RES_RESERVE_VIEW
@domain_users      RIPE_EDIT
@domain_users      TICKET_ADMIN
@domain_users      TSTATS_VIEW
@domain_users      WIKI_CREATE
@domain_users      WIKI_RENAME
@domain_users      XML_RPC
@branch_admins     PRIVATE_VIEW_BRANCH_SECURE
@ops               PRIVATE_EDIT_OPS_SECURE
@ops               XML_RPC
@sysops            DISCUSSION_ADMIN
@sysops            RIPE_ADMIN
@sysops            TICKET_EDIT_CC
@sysops            WIKI_DELETE
@trac_admin        TRAC_ADMIN
...
}}}

This gives the @domain_users group from ActiveDirectory a specific set of permissions. The @branch_admins are using the PrivateWiki plugin to hide their passwords, as is the @ops group.
 - @sysops are god-like
 - @trac_admins are trac_admins
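
An added example, not part of the plugin or the original page: it applies the naming rule from the Configuration section to a list of group DNs and reports `@group` permission rows that correspond to no directory group. The function names and sample data are constructed for illustration, and the rule is assumed to be exactly as described above.

```python
import re

def group_dn_to_subject(dn):
    """Map a group DN to a Trac subject: CN of the first RDN, lower-cased,
    spaces turned into underscores, prefixed with '@'."""
    # Take the first RDN, splitting on the first comma that is not backslash-escaped.
    first_rdn = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition('=')
    if attr.strip().lower() != 'cn' or not value.strip():
        raise ValueError('group DN does not start with a CN: %r' % dn)
    name = value.strip().replace('\\,', ',')
    return '@' + name.lower().replace(' ', '_')

def parse_grants(text):
    """Parse 'subject PERMISSION' rows into (subject, permission) pairs."""
    grants = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:  # skips blank lines and the '...' placeholder
            grants.append((parts[0], parts[1]))
    return grants

def unmatched_group_grants(grants, group_dns):
    """Return the @group rows whose subject matches no directory group."""
    known = {group_dn_to_subject(dn) for dn in group_dns}
    return [(s, p) for s, p in grants if s.startswith('@') and s not in known]

# Constructed sample data: three directory groups and four permission rows.
SAMPLE_GROUP_DNS = [
    'cn=Domain Users,cn=Users,dc=ad,dc=com',
    'CN=Trac Admins,cn=Users,dc=ad,dc=com',
    'cn=Ops,cn=Users,dc=ad,dc=com',
]
SAMPLE_GRANTS = """\
@domain_users WIKI_CREATE
@ops XML_RPC
@trac_admin TRAC_ADMIN
alice WIKI_EDIT
"""

if __name__ == '__main__':
    rows = unmatched_group_grants(parse_grants(SAMPLE_GRANTS), SAMPLE_GROUP_DNS)
    for subject, perm in rows:
        print('no directory group maps to %s (row grants %s)' % (subject, perm))
```

In the sample, `CN=Trac Admins` maps to `@trac_admins`, so the row for `@trac_admin` is the one reported.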