Changes between Initial Version and Version 1 of DirectoryAuthPlugin
Timestamp:
Sep 18, 2012, 10:26:11 AM (5 years ago)
Author:
Ryan J Ollos
Comment:

Moved from ActiveDirectoryAuthPlugin.

[[PageOutline(2-5,Contents,pullout)]]
= Active Directory Auth Plugin =

'''NOTE:''' Major changes from 0.3
 - conf variables are renamed for standardization
 - now more directory-type agnostic
 - soon will be renamed to DirectoryAuthPlugin

== Description ==

The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.

Users are authenticated by performing an ldap_bind against the AD server using their credentials.  The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table.  See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.

== Groups ==
 - One can specify a group which users must be a member of in order to log in.
 - Additionally, one may specify an ''admin'' group.  If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
 - Finally, !ActiveDirectory groups are extended into the Trac namespace.  They can be used to extend permissions by AD group.
   - AD groups are prefixed by @
   - group names are lowercase and spaces are replaced with underscores.

 See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details.

== Caching ==
Given the expense of traversing the network for authorizations, a two-stage cache has been implemented.  It caches data in the database, where it is shared by all Python processes, and in memory within each process, while expiring entries and flushing the cache(s) as necessary. See [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details.

== Bugs/Feature Requests ==

Existing bugs and feature requests for ActiveDirectoryAuthPlugin are
[report:9?COMPONENT=ActiveDirectoryAuthPlugin here].

If you have any issues, create a
[http://trac-hacks.org/newticket?component=ActiveDirectoryAuthPlugin&owner=sandinak new ticket].

== Download ==

Download the zipped source from [download:activedirectoryauthplugin here]

== Source ==

You can check out ActiveDirectoryAuthPlugin from [http://trac-hacks.org/svn/activedirectoryauthplugin here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac.

== Install ==

==== Prerequisites ====

 - You must install AccountManagerPlugin in order to use this plugin.
 - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here]

==== Installation ====

Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins]

 - starting with 0.3, a database upgrade is required as part of the installation.
   1. install the plugin and its prerequisites
   1. update the database
{{{
#!sh
trac-admin /var/trac/instance upgrade
}}}
   1. restart the Trac service or your webserver.

== Examples ==
'''NOTE: this has changed from 0.3 to 0.4!!!!'''

All config options go under the [account-manager] config heading.  Options for this module are:

{{{
#!ini
[account-manager]
#-- to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#-- define the Active Directory host address here.  A port other than the default (389) is set as
#   ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://adserver.example.com
#-- the Active Directory's base DN to search from, this is likely just your domain
dir_basedn = DC=example,DC=com
#-- the user/password to search the directory from, it must be a valid
dir_binddn = ldapuser@example.com
dir_bindpw = ldapuserpassword
#-- timeout in seconds for an LDAP operation
dir_timeout = 5
#-- the default charset for the LDAP server
dir_charset = utf-8
##### Userinfo
#-- the attribute containing the user's login name, THIS MUST BE UNIQUE!
user_attr = sAMAccountName
#-- the attribute containing the user's display name
name_attr = displayName
#-- the attribute containing the user's email address
email_attr = mail
##### Groups
#-- where to look for groups, uses dir_basedn if not defined.
group_basedn = ou=Groups,dc=foo,dc=net
#-- expand directory groups
group_expand = 1
#-- the attribute holding the name of a group, uses user_attr if not defined.
group_attr = cn
#-- which attribute to look in for members
group_member_attr = member
#-- what to look for in the member_attr
group_member_value = dn
#-- the DN of a group that has valid users, all users are valid if not enabled
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for a group automagically given TRAC_ADMIN
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the Trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
group_tracadmin = CN=Administration,DC=example,DC=com
#### Cache Tuning
#-- cached entry time to live in seconds
cache_ttl = 90
#-- memory cache size in entries, and a high-water warning mark
cache_memsize = 400
cache_memsize_warn = 300
#-- memory cache prune size in percent
cache_memprune = 5

[trac]
permission_store = UserExtensiblePermissionStore
}}}

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.

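As an added example (not part of the plugin's code), the following Python script checks an `[account-manager]` section like the one above for the mistakes most likely to break a deployment, and derives the Trac group name the plugin would expose for a group DN using the rule stated under Groups. The sample configuration is constructed for the example.

```python
# Added example: validate the plugin's [account-manager] settings and map
# AD group DNs to the "@group" names the plugin exposes in Trac.
import configparser
from urllib.parse import urlsplit

# Constructed sample, mirroring the page's configuration block (with two
# deliberate mistakes: cleartext ldap:// and a bogus charset).
SAMPLE_INI = """
[account-manager]
dir_uri = ldap://adserver.example.com
dir_charset = utf-9
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
group_tracadmin = CN=Administration,DC=example,DC=com
cache_memsize = 400
cache_memsize_warn = 300
"""

def trac_group_name(dn: str) -> str:
    """'@' + lowercase CN with spaces replaced by underscores."""
    rdn = dn.split(",", 1)[0]                 # first RDN, e.g. "CN=Domain Admins"
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("expected a CN-based RDN: %r" % rdn)
    return "@" + value.strip().lower().replace(" ", "_")

def check_config(text: str) -> list:
    """Return findings a Trac admin should fix before enabling the plugin."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    am = cp["account-manager"]
    findings = []
    scheme = urlsplit(am.get("dir_uri", "")).scheme
    if scheme == "ldap":
        findings.append("dir_uri uses ldap://: the bind password and user "
                        "passwords cross the network unencrypted; prefer ldaps://")
    elif scheme != "ldaps":
        findings.append("dir_uri must start with ldap:// or ldaps://")
    try:                                      # the plugin decodes LDAP data with this codec
        "x".encode(am.get("dir_charset", "utf-8"))
    except LookupError:
        findings.append("dir_charset %r is not a known codec" % am.get("dir_charset"))
    if am.getint("cache_memsize_warn", 0) >= am.getint("cache_memsize", 0):
        findings.append("cache_memsize_warn should be below cache_memsize")
    store = cp.get("trac", "permission_store", fallback="")
    if "group_tracadmin" in am and store != "UserExtensiblePermissionStore":
        findings.append("group_tracadmin needs [trac] permission_store = "
                        "UserExtensiblePermissionStore")
    return findings
```

Running `check_config(SAMPLE_INI)` reports the cleartext URI, the unknown charset and the missing permission store; `trac_group_name` on the `group_validusers` DN yields `@alltechs`.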
== Common Errors ==

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, you will want to try connecting to Active Directory on port 3268.  This may happen when AD is running across multiple machines.

== Recent Changes ==

[[ChangeLog(activedirectoryauthplugin, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:pacopablo] [[BR]]
'''Maintainer:''' sandinak [[BR]]
'''Contributors:'''