Jun 18, 2006, 5:28:19 PM (
Update for release 0.4.1
= LDAP extensions =
== Abstract ==
[http://projects.edgewall.com/trac/ticket/535 Trac#535] on the official web site.
This software is [http://trac.edgewall.com/license.html licenced] with the same
license as Trac.
This plugin follows the same [http://trac.edgewall.com/license.html licence] as Trac.
== Requirements ==
information about plugin installation.
= Important note =
You need to grab a recent version of Trac from the trunk to make the Ldap permission store extension work as expected.[[BR]]
# global permissions (vs. per-environment permissions)
global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
manage_groups = true
`/var/local/trac/test` and `/var/db/test`, they are both named "test" and share the same permissions. This is a known limitation of the current implementation.
== Group management ==
Starting from release '''v0.4.1''', the LdapPlugin permission store offers two ways to store group membership:
* Permission-based management (default setting):[[BR]]
In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, so permissions end up being managed concurrently from both the permission actions and the existing LDAP groups.
 * LDAP group management (recommended settings):[[BR]]
In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups.
The new group management scheme can be activated using the `manage_groups` option.
==== Important notes ====
1. The LDAP plugin is not able to create new groups or new users from scratch. Users and groups must already exist in the LDAP directory. It would be difficult to create a new LDAP group or a new LDAP user from Trac, as the creation of an LDAP resource usually requires properties which are not made available to the LDAP plugin.[[BR]]
The above point means that the Trac administrator should probably create the users and the groups from outside the Trac administration console (or [trac:wiki:WebAdmin WebAdmin]). LdapPlugin is designed to integrate Trac with an existing LDAP directory, not to manage the directory.
1. Default LDAP group policy usually requires that each group contains at least one member. If the administrator tries to remove the last member of an LDAP group, the LdapPlugin may refuse to perform this action (depending on the LDAP server setup).
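The two membership operations and the last-member case from the notes above, written out as LDIF change records that an administrator could review or pass to `ldapmodify`. This is an added example, not LdapPlugin code; the function names, the sample DNs and the simplified DN comparison are assumptions.

```python
"""Constructed example: LDIF change records for groupOfNames membership."""


def _norm(dn):
    # Simplified DN comparison (assumption): case-insensitive, ignoring
    # spaces around the RDN separators. Escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def add_member(group_dn, members, user_dn):
    """Return an LDIF record adding user_dn, or None if already a member."""
    if _norm(user_dn) in {_norm(m) for m in members}:
        return None
    return (f"dn: {group_dn}\nchangetype: modify\n"
            f"add: member\nmember: {user_dn}\n-\n")


def remove_member(group_dn, members, user_dn):
    """Return an LDIF record removing user_dn, or None if not a member.

    Raises ValueError when user_dn is the last member: groupOfNames
    (RFC 4519) makes 'member' mandatory, so a server that enforces the
    schema rejects a change that would leave the group empty.
    """
    matches = [m for m in members if _norm(m) == _norm(user_dn)]
    if not matches:
        return None
    if len(members) == len(matches):
        raise ValueError(f"{user_dn} is the last member of {group_dn}")
    # Use the value as stored in the directory, not as typed by the admin.
    return (f"dn: {group_dn}\nchangetype: modify\n"
            f"delete: member\nmember: {matches[0]}\n-\n")


# Constructed sample data, using an ou=people / ou=groups layout.
GROUP = "cn=developers,ou=groups,dc=example,dc=org"
MEMBERS = ["uid=alice,ou=people,dc=example,dc=org",
           "uid=bob,ou=people,dc=example,dc=org"]

if __name__ == "__main__":
    print(add_member(GROUP, MEMBERS, "uid=carol,ou=people,dc=example,dc=org"))
    print(remove_member(GROUP, MEMBERS, "UID=Bob, ou=people,dc=example,dc=org"))
```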
== Known limitations ==
 * '''v0.3.0''': Introduce per-environment permissions: permissions are defined for the current environment and do not overlap with other Trac environments using the same LDAP directory, unless the `global_perms` configuration parameter is set.
 * '''v0.4.0''': Major rewrite of the LdapPlugin to support Trac trunk [trac:changeset:3419 3419], including better support for groups (user DNs may be part of a different subtree than group DNs, such as `ou=people` vs. `ou=groups`), improved cache management, as well as many bug fixes and code cleanup.
 * '''v0.4.1''': Introduce a new feature: group management is done as addition and removal to the LDAP groups of names. Instead of storing groups as Trac permissions (as the default permission store does), the plugin is now able to add and remove members to the LDAP group of names.
== Author/Contributors ==
'''Author:''' [wiki:eblot eblot] [[BR]]