Version 4 (modified by branson, 8 years ago) (diff)


Directory Auth Plugin

NOTE: Major changes from 0.3


The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Active Directory.

Users are authenticated by performing an ldap_bind against an LDAP or AD server using their credentials. The plugin will also pull the email address and displayName from Directory and populate the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.


  • One can specify a group which users must be a member of in order to log in.
  • Additionally, one may specify an admin group. If a user is a member of the admin group, then they will automatically be granted the TRAC_ADMIN permission.
  • Finally, Directory groups are extended into the trac namespace. They can be used to extend permissions by group.
    • directory groups are prefixed by @
    • group names are lowercase and spaces are replaced with underscores.

See GroupManagement for more details.


Given the expense of traversing the network for authorizations, a two-stage cache has been implemented. This caches data in the database for all instances of python, and in memory for each instance; while maintaining expiration and flushing the cache(s) as necessary. See: CacheManagement for details.

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.


Download the zipped source from [download:directoryauthplugin here]


You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.




Follow the Trac documentation on how to install Trac plugins

  • starting with 0.3, a database upgrade will be required as part of the installation.
    1. install the plugin and it's prerequisites
    2. update the database
      trac-admin /var/trac/instance upgrade
    3. restart the trac service or your webserver.


NOTE: this has changed from 0.3 to 0.4!!!'''

All config options go under the [account-manager] config heading. Options for this module are:

#--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#--define the Active Directory host address here.  A port other than default(389) is set as
#  ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://
#-- the Active Directory's base DN to search from, this is likely just your domain
dir_basedn = DC=example,DC=com
#-- the user/password to search the directory from, it must be a valid
dir_binddn =
dir_bindpw = ldapuserpassword
#-- timeout for an ldap operation before in seconds
dir_timeout = 5
#-- the default charset for the ldap server
dir_charset = utf-9
##### Userinfo
#-- the attribute containing the users login name, THIS MUST BE UNIQUE!
user_attr = sAMAccountName
#-- the attribute containing the users display name
name_attr = displayName
#-- the attribute containing the users email addy
email_attr = mail
##### Groups
#-- where to look for groups, uses dir_basedn if not defined.
group_basedn = ou=Groups,dc=foo,dc=net
#-- expand directory groups
group_expand = 1
#-- the name of a group .. uses user_attr if not defined. 
group_attr = cn
#-- which attribute to look in for members
group_member_attr = member
#-- what to look for in the member_attr
group_member_value = dn
#-- the dn of a group that has valid users, all users if not enabled
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for a group automagically given TRAC_ADMIN
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
group_tracadmin = CN=Administration,DC=example,DC=com
#### Cache Tuning
#-- cached entry time to live in seconds 
cache_ttl= 90
#-- memorycache size in entries, and a highwater warning mark
cache_memsize = 400
cache_memsize_warn = 300
#-- memory cache prune size in percentage
cache_memprune = 5

permission_store = UserExtensiblePermissionStore

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.

Common Errors

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268. This may happen when AD is running across multiple machines.

Recent Changes

17455 by rjollos on 2019-08-18 19:53:23
Remove duplicated option

Fixes #13548.

17358 by rjollos on 2019-04-05 15:25:01
Remove unnecessary line terminators
17357 by rjollos on 2019-04-05 15:15:06
Stip trailing whitespace


Author: pacopablo
Maintainer: sandinak