[[PageOutline(2-5,Contents,pullout)]]

= Directory Auth Plugin =

'''NOTE:''' Major changes from 0.3
 - renamed to DirectoryAuthPlugin
 - conf variables are renamed for standardization
 - now more directory type agnostic
 - soon will be renamed to DirectoryAuthPlugin

== Description ==

The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from [http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol Lightweight Directory Access Protocol (LDAP)] enabled services, including [http://www.openldap.org OpenLdap], [http://en.wikipedia.org/wiki/Active_Directory ActiveDirectory] and [http://en.wikipedia.org/wiki/Apple_Open_Directory OpenDirectory]. Users are authenticated by performing an ldap_bind against a directory using their credentials.

The plugin will also pull the email address and displayName from the directory and populate the `session_attribute` table. See [http://pacopablo.com/blog/pacopablo/blog/set-assign-to-drop-down Populating ''Assign To'' Drop Down in Trac] for more information on why.

This plugin was built upon the excellent ActiveDirectoryAuthPlugin by pacopablo; much thanks for the original!

== Features ==

 - Can use a service account to do lookups, or anonymous binding
 - Can use SSL if openssl is configured correctly (I am working on some documentation for this)
 - Configurable: many options to deal with the differences between directories and schema
 - Uses both memory and db based caching to improve performance
 - Now supports LARGE directories '''Updated'''
 - Searches Groups more efficiently using Member
 - Recurses up the tree to find subgroups
 - Can expand directory groups into the Trac namespace

See: [DirectoryAuthPlugin/TheoryOfOperation TheoryOfOperation]

== Bugs/Feature Requests ==

Existing bugs and feature requests for DirectoryAuthPlugin are [report:9?COMPONENT=DirectoryAuthPlugin here].
If you have any issues, create a [http://trac-hacks.org/newticket?component=DirectoryAuthPlugin&owner=sandinak new ticket].

== Download ==

Download the zipped source from [download:directoryauthplugin here].

== Source ==

You can check out DirectoryAuthPlugin from [http://trac-hacks.org/svn/directoryauthplugin here] using Subversion, or [source:directoryauthplugin browse the source] with Trac.

== Install ==

==== Prerequisites ====

 - You must install AccountManagerPlugin in order to use this plugin.
 - Python-LDAP is also required and can be downloaded [http://pypi.python.org/pypi/python-ldap/ here].
 - For SSL, you will have to install and configure OpenSSL to work with valid certificates (you can test using ldapsearch -Z).

==== Installation ====

Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins]. Starting with 0.3, a database upgrade will be required as part of the installation.

 1. Install the plugin and its prerequisites.
 1. Update the database:
 {{{
 #!sh
 trac-admin /var/trac/instance upgrade
 }}}
 1. Restart the Trac service or your webserver.

See [DirectoryAuthPlugin/ConfigurationExamples ConfigurationExamples]

== Common Errors ==

 - When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use:
 {{{
 joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldaps://ldap.base.net -s one 'objectclass=person'
 }}}
 The {{{-d8}}} should show you TLS errors.
 - If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.
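The lookup-then-bind flow from the Description, written as an added example (not DirectoryAuthPlugin's own code). It rejects empty passwords, which a server may accept as an unauthenticated bind, and escapes the login name before it goes into the search filter. `authenticate`, `escape_filter_value`, `FakeDirectory` and the sample users are constructed for illustration; with python-ldap you would pass a real connection and catch `ldap.INVALID_CREDENTIALS` instead of the stand-in exception.

```python
SCOPE_SUBTREE = 2  # same numeric value as python-ldap's ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS so the example runs offline."""


def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def authenticate(conn, base_dn, user_attr, username, password):
    """Look up the user's DN, then bind as that DN. Returns the DN or None."""
    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513, 5.1.2) that a server may accept, so refuse it here.
    if not username or not password:
        return None
    flt = '(%s=%s)' % (user_attr, escape_filter_value(username))
    found = [dn for dn, _ in conn.search_s(base_dn, SCOPE_SUBTREE, flt, ['mail'])
             if dn]  # Active Directory referrals come back with dn=None
    if len(found) != 1:
        return None  # unknown user, or a filter that matched several entries
    try:
        conn.simple_bind_s(found[0], password)
    except InvalidCredentials:
        return None
    return found[0]


class FakeDirectory:
    """Constructed in-memory directory with python-ldap's method names."""
    users = {'uid=alice,dc=base,dc=net': ('alice', 's3cret'),
             'uid=bob,dc=base,dc=net': ('bob', 'hunter2')}

    def search_s(self, base, scope, flt, attrs):
        # Supports only (uid=value) and the (uid=*) wildcard.
        value = flt[len('(uid='):-1]
        return [(dn, {}) for dn, (uid, _) in self.users.items()
                if value == '*' or value == uid] + [(None, ['ldap://ref'])]

    def simple_bind_s(self, dn, password):
        # Mimics a server that accepts unauthenticated (empty password) binds.
        if password and self.users[dn][1] != password:
            raise InvalidCredentials(dn)
```
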
== Recent Changes ==

[[ChangeLog(directoryauthplugin, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:pacopablo] [[BR]]
'''Maintainer:''' sandinak [[BR]]
'''Contributors:'''