Version 9 (modified 4 years ago)
Directory Auth Plugin
NOTE: Major changes from 0.3
- renamed to DirectoryAuthPlugin
- conf variables are renamed for standardization
- now more directory type agnostic
The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from an LDAP-enabled directory service (Lightweight Directory Access Protocol), including OpenLDAP, Active Directory and Open Directory.
Users are authenticated by performing an ldap_bind against the directory with their own credentials. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.
- Can use a service account to do lookups, or anonymous binding
- Can use SSL if OpenSSL is configured correctly (I am working on some documentation for this)
- Configurable: many options to deal with the differences between directories and schemas
- Uses both memory- and db-based caching to improve performance
- Now supports large directories
- Searches groups more efficiently using the member attribute
- Recurses up the tree to resolve nested group membership
- Can expand directory groups into the Trac namespace
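The bind-as-user flow described above, written out as an added example (this is not the plugin's own code). It shows the three checks a practitioner wants around that flow: the username is escaped before it goes into the search filter (so LDAP filter injection is not possible), an empty password is rejected before any bind (an empty password is an unauthenticated bind that many servers accept), and the lookup must return exactly one entry before the user bind is attempted. `FakeDirectory`, the entries, DNs and passwords are constructed sample data; it mimics the python-ldap calls `simple_bind_s` and `search_s` so the example runs offline. With a real server you would use `ldap.initialize(uri)`, `ldap.filter.escape_filter_chars` and catch `ldap.INVALID_CREDENTIALS` instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE


class AuthError(Exception):
    """Any reason the user must not be logged in."""


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


def escape_filter(value: str) -> str:
    """RFC 4515 escaping (what ldap.filter.escape_filter_chars does), so a
    username such as '*' or 'x)(uid=*' cannot change the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example).
    Values are str here; python-ldap returns bytes."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = entries

    def simple_bind_s(self, dn: str, password: str) -> None:
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind that succeeds on many servers. Modelled here so the client-side
        # check in authenticate() is visibly what keeps it from being a login.
        if password == '':
            return
        entry = self.entries.get(dn)
        if entry is None or entry.get('userPassword') != [password]:
            raise InvalidCredentials(dn)

    def _matches(self, entry: Dict[str, List[str]], filt: str) -> bool:
        # Supports the two filter shapes used below: (attr=value) and (&(...)(...)).
        if filt.startswith('(&'):
            parts, depth, start = [], 0, 0
            for i, ch in enumerate(filt[2:-1], 2):
                if ch == '(':
                    if depth == 0:
                        start = i
                    depth += 1
                elif ch == ')':
                    depth -= 1
                    if depth == 0:
                        parts.append(filt[start:i + 1])
            return all(self._matches(entry, p) for p in parts)
        attr, _, val = filt[1:-1].partition('=')
        if val == '*':                      # presence filter, as on a real server
            return attr in entry
        return _unescape(val) in entry.get(attr, [])

    def search_s(self, base: str, scope: int, filterstr: str, attrlist=None):
        hits = []
        for dn, entry in self.entries.items():
            if dn.endswith(base) and self._matches(entry, filterstr):
                hits.append((dn, {k: v for k, v in entry.items()
                                  if attrlist is None or k in attrlist}))
        return hits


@dataclass
class UserInfo:
    dn: str
    email: Optional[str]
    display_name: Optional[str]


def authenticate(conn, base_dn, service_dn, service_pw, username, password, user_attr='uid'):
    """Bind as the service account (or anonymously if service_dn is ''), find
    exactly one entry for username, then bind as that entry with password."""
    if password == '':
        raise AuthError('empty password would be an unauthenticated bind')
    conn.simple_bind_s(service_dn, service_pw)
    filt = '(&(objectClass=person)(%s=%s))' % (user_attr, escape_filter(username))
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, filt, ['mail', 'displayName'])
    if len(hits) != 1:
        raise AuthError('expected exactly one entry for %r, found %d' % (username, len(hits)))
    dn, attrs = hits[0]
    try:
        conn.simple_bind_s(dn, password)    # the actual credential check
    except InvalidCredentials:
        raise AuthError('invalid credentials for %s' % dn) from None
    # The connection is now bound as the user; rebind as the service account
    # (or open a new connection) before doing further lookups on it.
    return UserInfo(dn, attrs.get('mail', [None])[0], attrs.get('displayName', [None])[0])


BASE_DN = 'dc=example,dc=org'                      # hypothetical directory
SERVICE_DN = 'cn=trac-svc,ou=services,' + BASE_DN
DIRECTORY = FakeDirectory({
    SERVICE_DN: {'objectClass': ['applicationProcess'], 'userPassword': ['svc-secret']},
    'uid=jdoe,ou=people,' + BASE_DN: {
        'objectClass': ['person'], 'uid': ['jdoe'], 'mail': ['jdoe@example.org'],
        'displayName': ['Jane Doe'], 'userPassword': ['correct horse']},
    'uid=bob,ou=people,' + BASE_DN: {
        'objectClass': ['person'], 'uid': ['bob'], 'userPassword': ['hunter2']},
})


def login(username: str, password: str) -> UserInfo:
    return authenticate(DIRECTORY, BASE_DN, SERVICE_DN, 'svc-secret', username, password)


def rejected(username: str, password: str) -> bool:
    """True if login() refuses the pair; used to exercise the failure paths."""
    try:
        login(username, password)
        return False
    except AuthError:
        return True
```

Note that the directory never returns userPassword because the search asks only for mail and displayName, and that a username of `*` finds nothing rather than everything because it reaches the server as `\2a`.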
If you have any issues, create a new ticket.
Download the zipped source from [download:directoryauthplugin here]
- You must install AccountManagerPlugin in order to use this plugin.
- Python-LDAP is also required and can be downloaded here.
- For SSL, you will have to install and configure OpenSSL to work with valid certificates (you can test using ldapsearch -Z).
Follow the Trac documentation on how to install Trac plugins.
- Starting with 0.3, a database upgrade is required as part of the installation.
- Install the plugin and its prerequisites.
- Update the database:
trac-admin /var/trac/instance upgrade
- Restart the Trac service or your web server.
- When using SSL, authentication against the server fails. Make sure you can run ldapsearch -Z with the same parameters from the same host, and resolve the issues there first. A handy way to do that is:
joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D firstname.lastname@example.org -W -H ldaps://ldap.base.net -s one 'objectclass=person'
The -d8 should show you TLS errors. Keep in mind that -Z requests StartTLS, which only makes sense on an ldap:// URI; on an ldaps:// URI the session is already encrypted and the StartTLS request is rejected (with a single -Z ldapsearch carries on anyway, with -ZZ the failure is fatal), so test the same URI scheme and port the plugin is configured with.
- If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user and password are correct, try connecting to Active Directory on port 3268 (the Global Catalog). This can happen when AD is running across multiple domain controllers: a search of the domain base on a normal domain controller returns referrals to other partitions, which the client then chases without the bind; the Global Catalog answers without those referrals. It only holds a partial attribute set, so make sure the attributes the plugin reads are replicated to it.
- 16088 by bebbo on 2016-12-13 12:15:24
tag version 2.1.0
- 16087 by bebbo on 2016-12-13 12:11:19
Release Version 2.1.0
- 16086 by bebbo on 2016-12-13 11:12:12
- added a new switch:
group_knownusers = BoolOption('account-manager', 'group_knownusers', False,
"Boolean: Display only the already known users.")