Theory of Operations
This page aims to help others understand the use, operations and limitations of the DirectoryAuthPlugin.
- One can specify a group that users must be a member of in order to log in.
- Additionally, one may specify an admin group. If a user is a member of the admin group, they are automatically granted the TRAC_ADMIN permission.
- Finally, directory groups are mapped into the Trac permission namespace, so permissions can be granted to a group rather than to individual users:
  - directory group names are prefixed with @
  - group names are lowercased and spaces are replaced with underscores
Groups are now resolved by walking the hierarchy in reverse, from the user upwards to the groups that contain them:
- The user's Distinguished Name (DN) is looked up from the username.
- All groups the user belongs to directly are found by searching for member=$dn.
- Each group found is then itself searched for as a member (objectClass=group with the group's DN in its member attribute), and any containing groups are added to the list, so membership inherited through nested groups is honoured.
See GroupManagement for more details.
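The normalisation rules and the reverse-hierarchy walk above, as an added example that is not DirectoryAuthPlugin's own code. The `DIRECTORY` dict is a constructed stand-in for LDAP search results, the group names (Trac Users, Trac Admins, ...) are hypothetical, and the breadth-first walk with a visited set (so that a nested-group cycle cannot loop forever) and the exclusion of non-`objectClass=group` entries are this example's choices, not behaviour the page states:

```python
# Added example (not DirectoryAuthPlugin code): resolves a user's groups by
# walking the directory from the user upwards, then maps them to Trac names.
# DIRECTORY is a constructed stand-in for LDAP search results.

DIRECTORY = {
    "CN=Alice Smith,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": "asmith",
    },
    "CN=Trac Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Alice Smith,OU=Users,DC=example,DC=com"],
    },
    "CN=Dev Team,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        # Also lists Engineering, which creates a cycle with Engineering below.
        "member": [
            "CN=Alice Smith,OU=Users,DC=example,DC=com",
            "CN=Engineering,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Engineering,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Dev Team,OU=Groups,DC=example,DC=com"],
    },
    "CN=Trac Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Engineering,OU=Groups,DC=example,DC=com"],
    },
    # Not objectClass=group, so it must not become a Trac group.
    "CN=All Staff,OU=Lists,DC=example,DC=com": {
        "objectClass": ["groupOfNames"],
        "member": ["CN=Alice Smith,OU=Users,DC=example,DC=com"],
    },
}


def trac_group_name(cn):
    """Map a directory group CN to its Trac name: '@' prefix, lowercase, spaces -> '_'."""
    return "@" + cn.lower().replace(" ", "_")


def rdn_cn(dn):
    """CN of the first RDN. Assumes unescaped commas, which holds for the constructed data."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def user_dn(username):
    """Step 1: look up the user's DN from the login name (sAMAccountName, an assumption)."""
    for dn, entry in DIRECTORY.items():
        if "user" in entry["objectClass"] and entry.get("sAMAccountName") == username:
            return dn
    return None


def groups_with_member(member_dn):
    """Equivalent of the search (&(objectClass=group)(member=<member_dn>))."""
    return [
        dn for dn, entry in DIRECTORY.items()
        if "group" in entry["objectClass"] and member_dn in entry.get("member", [])
    ]


def resolve_groups(username):
    """Steps 2-3: direct groups, then the groups containing those groups, and so on.

    Breadth-first with a visited set so cyclic nesting terminates (example's choice).
    """
    start = user_dn(username)
    if start is None:
        return set()
    found, queue = set(), [start]
    while queue:
        dn = queue.pop(0)
        for group_dn in groups_with_member(dn):
            if group_dn not in found:
                found.add(group_dn)
                queue.append(group_dn)
    return found


def trac_groups(username):
    """All of the user's groups, direct and nested, as Trac '@' names."""
    return {trac_group_name(rdn_cn(dn)) for dn in resolve_groups(username)}


def check_login(username, required_group, admin_group):
    """Return (may_log_in, gets_TRAC_ADMIN) for the configured group CNs (hypothetical names)."""
    groups = trac_groups(username)
    return (trac_group_name(required_group) in groups,
            trac_group_name(admin_group) in groups)


if __name__ == "__main__":
    print(sorted(trac_groups("asmith")))
    print(check_login("asmith", "Trac Users", "Trac Admins"))
```

Note that in this example the admin right arrives through two levels of nesting (Dev Team is in Engineering, which is in Trac Admins), which is exactly the case a flat `member=$dn` search would miss; it is also why a nested group added to the admin group by a directory administrator silently grants TRAC_ADMIN to everyone below it.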
Because each authorization check would otherwise require a round trip over the network to the directory, a two-stage cache has been implemented:
- Results are cached in memory for quick lookups on repeated operations.
- Results are also cached in the database, so that lookups are shared across Python processes without going back to the network.
See CacheManagement for details.
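The two-stage lookup described above, as an added example that is not the plugin's own cache code. It uses an in-memory `sqlite3` database as a stand-in for the Trac database, a table name (`dir_cache`), a time-to-live and an injectable clock that are this example's assumptions, and a `fetch` callable that stands in for the LDAP round trip; two cache instances sharing one database model two Python processes:

```python
# Added example (not DirectoryAuthPlugin code): memory first, then the
# database, then the network. Table name, TTL and clock are assumptions.
import json
import sqlite3
import time


class TwoStageCache:
    def __init__(self, db, ttl_seconds=300, clock=time.time):
        self.db = db
        self.ttl = ttl_seconds
        self.clock = clock
        self.memory = {}  # key -> (expires_at, value), private to this process
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS dir_cache "
            "(key TEXT PRIMARY KEY, value TEXT NOT NULL, expires_at REAL NOT NULL)"
        )

    def get(self, key, fetch):
        """Return the cached value for key, consulting memory, then the database,
        and only then calling fetch(key) (the network)."""
        now = self.clock()
        hit = self.memory.get(key)
        if hit and hit[0] > now:
            return hit[1]
        row = self.db.execute(
            "SELECT value, expires_at FROM dir_cache WHERE key = ?", (key,)
        ).fetchone()
        if row and row[1] > now:
            value = json.loads(row[0])
            self.memory[key] = (row[1], value)  # warm the memory stage
            return value
        value = fetch(key)
        expires_at = now + self.ttl
        self.memory[key] = (expires_at, value)
        self.db.execute(
            "INSERT OR REPLACE INTO dir_cache VALUES (?, ?, ?)",
            (key, json.dumps(value), expires_at),
        )
        self.db.commit()
        return value

    def invalidate(self, key):
        """Drop both stages, e.g. after an administrator changes group membership."""
        self.memory.pop(key, None)
        self.db.execute("DELETE FROM dir_cache WHERE key = ?", (key,))
        self.db.commit()


def demo():
    """Count network fetches: after a memory hit, after a second process's
    database hit, and after the entry expires. Returns (1, 1, 2)."""
    clock = [1000.0]
    db = sqlite3.connect(":memory:")
    calls = []

    def fetch_groups(username):  # stands in for the directory search
        calls.append(username)
        return ["@trac_users", "@dev_team"]  # constructed result

    first = TwoStageCache(db, ttl_seconds=300, clock=lambda: clock[0])
    first.get("asmith", fetch_groups)   # miss everywhere: goes to the network
    first.get("asmith", fetch_groups)   # memory hit
    after_first = len(calls)

    second = TwoStageCache(db, ttl_seconds=300, clock=lambda: clock[0])
    second.get("asmith", fetch_groups)  # new process, empty memory: database hit
    after_second = len(calls)

    clock[0] += 301                     # past the TTL in both stages
    second.get("asmith", fetch_groups)  # refetched from the network
    after_expiry = len(calls)
    return after_first, after_second, after_expiry


if __name__ == "__main__":
    print(demo())
```

The TTL is the security-relevant knob: until an entry expires (or is invalidated), a user removed from the login or admin group in the directory keeps the cached result, so the window of stale authorization is the TTL of whichever stage answers.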