Version 5 (modified by branson, 8 years ago) (diff)


Directory Auth Plugin

NOTE: Major changes from 0.3


The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled service including OpenLdap, ActiveDirectory and OpenDirectory?.

Users are authenticated by performing an ldap_bind against a directory using their credentials. The plugin will also pull the email address and displayName from Directory and populate the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.


  • Can use a service account to do lookups, or anonymous binding
  • Can use SSL if openssl is configured correctly ( I am working on some documentation for this )
  • Configurable .. many options to deal with the differences between directories and schema
  • Uses both memory and db based caching to improve performance
  • Now supports LARGE directories
  • Can expand directory groups into the Trac namespace

See: [DirectoryAuthPlugin/TheoryOfOperation] for details

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.


Download the zipped source from [download:directoryauthplugin here]


You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.




Follow the Trac documentation on how to install Trac plugins

  • starting with 0.3, a database upgrade will be required as part of the installation.
    1. install the plugin and it's prerequisites
    2. update the database
      trac-admin /var/trac/instance upgrade
    3. restart the trac service or your webserver.


NOTE: this has changed from 0.3 to 0.4!!!'''

All config options go under the [account-manager] config heading. Options for this module are:

#--to use this module with AccountManager, ADAuthStore must be enabled inside of AccountManager
password_store = ADAuthStore
#--define the Active Directory host address here.  A port other than default(389) is set as
#  ldap://hostname:port or ldaps://hostname:port
dir_uri = ldap://
#-- the Active Directory's base DN to search from, this is likely just your domain
dir_basedn = DC=example,DC=com
#-- the user/password to search the directory from, it must be a valid
dir_binddn =
dir_bindpw = ldapuserpassword
#-- timeout for an ldap operation before in seconds
dir_timeout = 5
#-- the default charset for the ldap server
dir_charset = utf-9
##### Userinfo
#-- the attribute containing the users login name, THIS MUST BE UNIQUE!
user_attr = sAMAccountName
#-- the attribute containing the users display name
name_attr = displayName
#-- the attribute containing the users email addy
email_attr = mail
##### Groups
#-- where to look for groups, uses dir_basedn if not defined.
group_basedn = ou=Groups,dc=foo,dc=net
#-- expand directory groups
group_expand = 1
#-- the name of a group .. uses user_attr if not defined. 
group_attr = cn
#-- which attribute to look in for members
group_member_attr = member
#-- what to look for in the member_attr
group_member_value = dn
#-- the dn of a group that has valid users, all users if not enabled
group_validusers = CN=Alltechs,OU=Mail enabled groups,OU=Email,DC=serverplus,DC=com
#-- the DN for a group automagically given TRAC_ADMIN
#   if this option is enabled you must specify the UserExtensiblePermissionStore as the trac permission store, such as:
#   [trac]
#   permission_store = UserExtensiblePermissionStore
group_tracadmin = CN=Administration,DC=example,DC=com
#### Cache Tuning
#-- cached entry time to live in seconds 
cache_ttl= 90
#-- memorycache size in entries, and a highwater warning mark
cache_memsize = 400
cache_memsize_warn = 300
#-- memory cache prune size in percentage
cache_memprune = 5

permission_store = UserExtensiblePermissionStore

If you are unsure of what the DNs for your groups are, you may want to use an LDAP browser to inspect your Active Directory schema to find out a group's DN.

Common Errors

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct you will want to try connection to active directory on port 3268. This may happen when AD is running across multiple machines.

Recent Changes

17455 by rjollos on 2019-08-18 19:53:23
Remove duplicated option

Fixes #13548.

17358 by rjollos on 2019-04-05 15:25:01
Remove unnecessary line terminators
17357 by rjollos on 2019-04-05 15:15:06
Stip trailing whitespace


Author: pacopablo
Maintainer: sandinak