Version 6 (modified by branson, 6 years ago) (diff)


Directory Auth Plugin

NOTE: Major changes from 0.3


The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled services, including OpenLDAP, Active Directory and Open Directory.

Users are authenticated by performing an ldap_bind against a directory using their credentials. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.


  • Can use a service account to do lookups, or anonymous binding
  • Can use SSL if OpenSSL is configured correctly (I am working on some documentation for this)
  • Configurable: many options to deal with the differences between directories and schema
  • Uses both memory and db based caching to improve performance
  • Now supports LARGE directories
  • Can expand directory groups into the Trac namespace

See: TheoryOfOperation
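
The login flow described above (look the user up, bind with the supplied credentials, then read the email address and displayName), as an added Python example that is not the plugin's own code. It runs against a constructed in-memory stand-in for the directory; the `(uid=...)` filter and the `uid`, `mail` and `userPassword` attribute names are assumptions about the schema.

```python
# Added example: FakeDirectory is constructed sample data, and the
# uid/mail/displayName attribute names are assumptions about the schema.

class BindError(Exception):
    """Raised by the stand-in directory when a bind is refused."""

def escape_filter(value):
    """Escape RFC 4515 special characters so user input stays a literal."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

class FakeDirectory:
    """Constructed stand-in for an LDAP connection (no network needed)."""
    entries = {"uid=alice,ou=people,dc=example,dc=org":
               {"uid": "alice", "userPassword": "s3cret",
                "mail": "alice@example.org", "displayName": "Alice Example"}}

    def bind(self, dn, password):
        # Some servers treat a DN with an empty password as an
        # unauthenticated bind and report success (RFC 4513, section 5.1.2).
        if password == "":
            return
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise BindError(dn)

    def search(self, filterstr):
        # Supports only the "(uid=<value>)" filter used below; "*" is a wildcard.
        value = filterstr[len("(uid="):-1]
        return [(dn, e) for dn, e in self.entries.items()
                if value == "*" or escape_filter(e["uid"]) == value]

def authenticate(directory, username, password):
    """Return {'email', 'name'} for a valid login, otherwise None."""
    if not username or not password:
        return None                      # never send an empty password to bind
    hits = directory.search("(uid=%s)" % escape_filter(username))
    if len(hits) != 1:
        return None                      # unknown or ambiguous user
    dn, attrs = hits[0]
    try:
        directory.bind(dn, password)     # the directory verifies the password
    except BindError:
        return None
    return {"email": attrs["mail"], "name": attrs["displayName"]}
```

With a real directory the same two guards apply: reject an empty password before binding, and escape the username before it is placed in a search filter.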

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.


Download the zipped source from [download:directoryauthplugin here]


You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.




Follow the Trac documentation on how to install Trac plugins

  • Starting with 0.3, a database upgrade is required as part of the installation.
    1. Install the plugin and its prerequisites.
    2. Update the database:
      trac-admin /var/trac/instance upgrade
    3. Restart the Trac service or your web server.

See ConfigurationExamples

Common Errors

If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.

Recent Changes

17285 by bebbo on 2018-09-14 07:48:16
refs #13061: apply and fix the provided patch
17284 by bebbo on 2018-09-14 07:00:44
refs #13095: added an additional connect attempt in case the connection is broken.

ReconnectLDAPObject seems not to hold what I expect.

Now if search _ldap_search throws an exception _bind_dir is used to obtain a new connection and the _ldap_search is tried again.

16088 by bebbo on 2016-12-13 12:15:24
tag version 2.1.0


Author: pacopablo
Maintainer: sandinak