Theory of Operations
This page aims to help others understand the use, operations and limitations of the DirectoryAuthPlugin.
Groups
- One can specify a group which users must be a member of in order to log in.
- Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
- Finally, Directory groups are extended into the Trac namespace. They can be used to extend permissions by group.
  - Directory groups are prefixed by @.
  - Group names are lowercase and spaces are replaced with underscores.
Group Searching
Groups are now searched using a reverse hierarchy methodology:
- The user's Distinguished Name (DN) is extracted based on the username.
- All user groups that the user belongs to are extracted by searching for Member=$dn.
- User groups are then searched for any with type objectClass=group that belong to the group's DN, and those are added to the list.
See GroupManagement for more details.
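The group mapping described under Groups and the reverse-hierarchy search above, as an added worked example that is not the plugin's own code: a small constructed in-memory directory (the DNs, attribute names sAMAccountName/member/objectClass and the group names are assumptions) stands in for the LDAP/AD server, the user's groups are resolved by repeating the member=$dn search on every group found, the result is mapped to @-prefixed Trac names, and the login-group and admin-group checks are applied. It also shows the edge case the page's description leaves open: two groups that contain each other, which the walk must not loop on.

```python
# Added example (not the plugin's own code): a constructed in-memory directory stands
# in for LDAP/AD to walk the reverse-hierarchy group search and the Trac name mapping.
USERS, GROUPS = "ou=users,dc=example,dc=com", "ou=groups,dc=example,dc=com"
# Constructed data: DN -> attributes; a group's "member" lists its members.
# Web Team and Domain Admins contain each other (a nested-group cycle).
DIRECTORY = {
    f"cn=alice,{USERS}": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    f"cn=bob,{USERS}": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    f"cn=Trac Users,{GROUPS}": {"objectClass": ["group"], "member": [f"cn=alice,{USERS}"]},
    f"cn=Web Team,{GROUPS}": {"objectClass": ["group"], "member": [
        f"cn=Trac Users,{GROUPS}", f"cn=bob,{USERS}", f"cn=Domain Admins,{GROUPS}"]},
    f"cn=Domain Admins,{GROUPS}": {"objectClass": ["group"], "member": [f"cn=Web Team,{GROUPS}"]},
}
def user_dn(username):
    """Step 1: the user's DN, looked up from the login name (sAMAccountName here)."""
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("sAMAccountName", []):
            return dn
    return None

def groups_containing(dn):
    """Stand-in for the LDAP search (&(objectClass=group)(member=$dn))."""
    return [g for g, a in DIRECTORY.items()
            if "group" in a["objectClass"] and dn in a.get("member", [])]

def resolve_groups(username):
    """Steps 2-3: search member=$dn for the user, then for every group found, until
    nothing new appears. The 'seen' set ends the walk on nested-group cycles."""
    dn = user_dn(username)
    seen, pending = set(), ([dn] if dn else [])
    while pending:
        for group in groups_containing(pending.pop()):
            if group not in seen:
                seen.add(group)
                pending.append(group)
    return seen

def trac_group_name(group_dn):
    """'cn=Domain Admins,...' -> '@domain_admins' (real code should parse DNs with ldap.dn)."""
    cn = group_dn.split(",")[0].split("=", 1)[1]
    return "@" + cn.lower().replace(" ", "_")

def trac_groups(username, login_group, admin_group):
    """None if login is denied, else the Trac groups, plus TRAC_ADMIN for admin-group members."""
    names = {trac_group_name(g) for g in resolve_groups(username)}
    if login_group not in names:
        return None
    if admin_group in names:
        names.add("TRAC_ADMIN")
    return names
```

Note that the login-group check runs before the admin-group check, so bob, who is transitively in Domain Admins but not in Trac Users, is denied rather than granted TRAC_ADMIN.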
Caching
Given the expense of traversing the network for authorizations, a two-stage cache has been implemented:
- Data is cached in memory for quick lookups on repeat operations.
- Data is also cached in the database so that lookups can be shared between Python instances without going back to the network.
See: CacheManagement for details.
Last modified on Jul 16, 2016, 2:50:14 PM