Changes between Initial Version and Version 1 of DirectoryAuthPlugin

Sep 18, 2012, 10:26:11 AM (5 years ago)
Ryan J Ollos

Moved from ActiveDirectoryAuthPlugin.


  • DirectoryAuthPlugin

    v1 v1  
     2= Active Directory Auth Plugin =
     4'''NOTE:''' Major changes from 0.3
     5 - conf variables are renamed for standardization
     6 - now more directory type agnostic
     7 - soon will be renamed to DirectoryAuthPlugin
     9== Description ==
     11The Active Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.
     13Users are authenticated by performing an ldap_bind against the AD server using their credentials.  The plugin will also pull the email address and display name from Active Directory and populate the `session_attribute` table.  See [ Populating ''Assign To'' Drop Down in Trac] for more information on why.
     15== Groups ==
     16 - One can specify a group which users must be a member of in order to log in. 
     17 - Additionally, one may specify an ''admin'' group.  If a user is a member of the ''admin'' group, then they will automatically be granted the `TRAC_ADMIN` permission.
     18 - Finally, !ActiveDirectory groups are extended into the trac namespace.  They can be used to extend permissions by AD group.
     19   - AD groups are prefixed by @
     20   - group names are lowercase and spaces are replaced with underscores.
     22 See [ActiveDirectoryAuthPlugin/GroupManagement GroupManagement] for more details.
     24== Caching ==
     25Given the expense of traversing the network for authorizations, a two-stage cache has been implemented.  This caches data in the database for all instances of python, and in memory for each instance; while maintaining expiration and flushing the cache(s) as necessary. See: [ActiveDirectoryAuthPlugin/CacheManagement CacheManagement] for details.
     27== Bugs/Feature Requests ==
     29Existing bugs and feature requests for ActiveDirectoryAuthPlugin are
     30[report:9?COMPONENT=ActiveDirectoryAuthPlugin here].
     32If you have any issues, create a
     33[ new ticket].
     35== Download ==
     37Download the zipped source from [download:activedirectoryauthplugin here]
     39== Source ==
     41You can check out ActiveDirectoryAuthPlugin from [ here] using Subversion, or [source:activedirectoryauthplugin browse the source] with Trac.
     43== Install ==
     45==== Prerequisites ====
     47 - You must install AccountManagerPlugin in order to use this plugin. 
     48 - Python-LDAP is also required and can be downloaded [ here]
     50==== Installation ====
     52Follow the Trac documentation on how [ to install Trac plugins]
     54 - starting with 0.3, a database upgrade will be required as part of the installation.
     55   1. install the plugin and it's prerequisites
     56   1. update the database
     59trac-admin /var/trac/instance upgrade
     61   1. restart the trac service or your webserver.
     63== Examples ==
     64'''NOTE: this has changed from 0.3 to 0.4!!!!'''
     66All config options go under the [account-manager] config heading.  Options for this module are:
     71#--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
     72password_store = ADAuthStore
     73#--define the Active Directory host address here.  A port other than default(389) is set as
     74#  ldap://hostname:port or ldaps://hostname:port
     75dir_uri = ldap://
     76#-- the Active Directory's base DN to search from, this is likely just your domain
     77dir_basedn = DC=example,DC=com
     78#-- the user/password to search the directory from, it must be a valid
     79dir_binddn =
     80dir_bindpw = ldapuserpassword
     81#-- timeout for an ldap operation before in seconds
     82dir_timeout = 5
     83#-- the default charset for the ldap server
     84dir_charset = utf-9
     85##### Userinfo
     86#-- the attribute containing the users login name, THIS MUST BE UNIQUE!
     87user_attr = sAMAccountName
     88#-- the attribute containing the users display name
     89name_attr = displayName
     90#-- the attribute containing the users email addy
     91email_attr = mail
     92##### Groups
     93#-- where to look for groups, uses dir_basedn if not defined.
     94group_basedn = ou=Groups,dc=foo,dc=net
     95#-- expand directory groups
     96group_expand = 1
     97#-- the name of a group .. uses user_attr if not defined.
     98group_attr = cn
     99#-- which attribute to look in for members
     100group_member_attr = member
     101#-- what to look for in the member_attr
     102group_member_value = dn
     103#-- the dn of a group that has valid users, all users if not enabled
     104group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
     105#-- the DN for a group automagically given TRAC_ADMIN
     106#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
     107#   [trac]
     108#   permission_store = UserExtensiblePermissionStore
     109group_tracadmin = CN=Administration,DC=example,DC=com
     110#### Cache Tuning
     111#-- cached entry time to live in seconds
     112cache_ttl= 90
     113#-- memorycache size in entries, and a highwater warning mark
     114cache_memsize = 400
     115cache_memsize_warn 300
     116#-- memory cache prune size in percentage
     117cache_memprune = 5
     120permission_store = UserExtensiblePermissionStore
     123If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.
     125== Common Errors ==
     127If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268.  This may happen when AD is running across multiple machines.
     129== Recent Changes ==
     131[[ChangeLog(activedirectoryauthplugin, 3)]]
     133== Author/Contributors ==
     135'''Author:''' [wiki:pacopablo] [[BR]]
     136'''Maintainer:''' sandinak [[BR]]