Changes between Version 3 and Version 4 of LdapPlugin
Timestamp: Nov 5, 2005, 1:28:34 AM
LdapPlugin
v3 v4 4 4 5 5 LDAP support with group management has been added as a Trac extension. This 6 extension allows to use existing LDAP groups to grant permissions,rather than6 extension enables to use existing LDAP groups to grant permissions rather than 7 7 defining permissions for every single user on the system. The latest release also 8 8 permits to store permissions (both users and groups permissions) in the LDAP 9 directory itself ,rather than in the SQL backend.9 directory itself rather than in the SQL backend. 10 10 11 11 The original proposition about LDAP ACL is documented under ticket 12 12 [http://projects.edgewall.com/trac/ticket/535 Trac#535] on the official web site. 13 13 14 This software is [http://trac.edgewall.com/license.html licen sed] with the same14 This software is [http://trac.edgewall.com/license.html licenced] with the same 15 15 license than Trac. 16 16 … … 20 20 [http://python-ldap.sourceforge.net/ python-ldap].[[BR]] LdapPlugin has been 21 21 tested on a Debian Linux Sarge/Sid (2.4.x and 2.6.x) server, as well as on a 22 Windows XP SP2 workstation, both running Python 2.3 ,with Trac-0.9b2.23 24 To use the egg file ,you need to have22 Windows XP SP2 workstation, both running Python 2.3 with Trac-0.9b2. 23 24 To use the egg file you need to have 25 25 [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.6+ 26 26 installed.[[BR]]Please refer to the … … 40 40 41 41 * Source code is available from http://trac-hacks.swapoff.org/svn/ldapplugin [[BR]] It has been written against Trac [http://projects.edgewall.com/trac/changeset/2353 trunk:2353]. 42 * You can also find [wiki:LdapPlugin#Testing unit tests] at the same location , under the `tests` directory, which may help you todeploy the plugin.42 * You can also find [wiki:LdapPlugin#Testing unit tests] at the same location - under the `tests` directory -, which may help you deploy the plugin. 
43 43 44 44 == Installation == 45 45 46 * Build the ''egg'' file , followingplugin packaging [http://projects.edgewall.com/trac/wiki/TracDev/PluginDevelopment#Packaginganddeployingplugins instructions]46 * Build the ''egg'' file following the plugin packaging [http://projects.edgewall.com/trac/wiki/TracDev/PluginDevelopment#Packaginganddeployingplugins instructions] 47 47 * Copy the `dist/LdapPlugin-0.y.z-py2.3.egg` file in your ''plugins'' project directory. 48 48 … … 51 51 LdapPlugin does '''not''' perform authentication: Apache2 does, through the HTTP 52 52 protocol, as with any other Trac installation.[[BR]] 53 LdapPlugin retrieves the groups to which the authenticated user belongs ,and53 LdapPlugin retrieves the groups to which the authenticated user belongs and 54 54 checks the [http://projects.edgewall.com/trac/wiki/TracPermissions TracPermissions] 55 55 against these groups, along with the regular permissions for the user. 56 56 57 57 You probably want to use Apache2 LDAP authentication as well.[[BR]] 58 This topic is out of scope of this document ,but you may find useful information58 This topic is out of scope of this document but you may find useful information 59 59 on the official Apache2 [http://httpd.apache.org/docs-2.0/mod/mod_ldap.html mod_ldap] 60 60 web site. … … 82 82 this extension. 83 83 1. Optionnally add the path to your plugin directory 84 1. Configure the LDAP directives to fit toyour LDAP server configuration84 1. Configure the LDAP directives to fit your LDAP server configuration 85 85 86 86 The section may also contain the following options (which are presented down … … 127 127 }}} 128 128 129 You 'dprobably want to define at least `enable=true` and the `basedn`[[BR]]129 You probably want to define at least `enable=true` and the `basedn`[[BR]] 130 130 The meaning of the options are pretty straightforward for LDAP administrators. 
131 131 132 A typical setup for group resolution would look like 132 A typical setup for group resolution would look like this: 133 133 134 134 {{{ … … 138 138 }}} 139 139 140 A typical setup for all LDAP support (group resolution and permission store 141 would look like 140 A typical setup for all LDAP support (group resolution and permission store) 141 would look like this: 142 142 143 143 {{{ … … 153 153 == Authenticated LDAP connections == 154 154 155 If yourserver requires an authenticated connection to retrieve group permissions,156 you want to set `group_bind = true` in the `[ldap]` section ,and define157 the credentials , as follow:155 If the server requires an authenticated connection to retrieve group permissions, 156 you want to set `group_bind = true` in the `[ldap]` section and define 157 the credentials as follows: 158 158 159 159 {{{ … … 164 164 }}} 165 165 166 If yourserver requires an authenticated connection to modify group permissions,167 you want to set `store_bind = true` in the `[ldap]` section ,and define168 the credentials , as follow:166 If the server requires an authenticated connection to modify group permissions, 167 you want to set `store_bind = true` in the `[ldap]` section and define 168 the credentials as follows: 169 169 170 170 {{{ … … 192 192 }}} 193 193 194 The extension sdifferenciates '''group permissions''' from '''user permission'''.195 This allowto use distinct objectclasses in the LDAP directory, to store196 permission. For example ,thanks to the `groupattr` and `uidattr`194 The extension differenciates '''group permissions''' from '''user permission'''. 195 This permits to use distinct objectclasses in the LDAP directory, to store 196 permission. For example thanks to the `groupattr` and `uidattr` 197 197 attributes, you can define group permission to LDAP entries such as 198 198 {{{ … … 234 234 Please note that the LDAP permission store '''never''' attemps to create a new 235 235 entry in the LDAP directory. 
To grant (or revoke) permissions to/from the LDAP 236 directory, the targetted LDAP entry should exist in the directory ,and the236 directory, the targetted LDAP entry should exist in the directory and the 237 237 attribute defined by the `permattr` option should be writtable for the 238 238 `store_user` user. … … 273 273 LDAP group have the `WIKI_CREATE` and `WIKI_MODIFY` permission. 274 274 275 You can obviously still use permissions for regular user ,such as ''eblot'' in276 the aforementionned example.277 278 '''Note''': Please remember that ''anonymous'' and ''authenticated'' are special users ,275 You can obviously still use permissions for regular user such as ''eblot'' in 276 the example above. 277 278 '''Note''': Please remember that ''anonymous'' and ''authenticated'' are special users 279 279 but are considered by the permission backend just like any other regular user.[[BR]] 280 280 This means that you need to add both these special users in your LDAP directory … … 287 287 288 288 * Only LDAP v3 protocol is supported. This extension may work with v2 protocol 289 as well, if the v3 specifier is removed from the code 289 as well, if the v3 specifier is removed from the code. 290 290 291 291 == !ToDo list == 292 292 293 * Add user detail support ,so that the full name and email address are293 * Add user detail support so that the full name and email address are 294 294 retrieved from the LDAP server. It would require a new extension point in 295 295 Trac engine. … … 298 298 == Testing == 299 299 300 The LdapPluginTests page gives some hint about how to test the Ldap extension for300 The LdapPluginTests page gives some hints about how to test the Ldap extension for 301 301 Trac 302 302 303 303 == History == 304 304 305 * '''v0.0''': First attempt to write a LDAP bridge for Trac , based on Trac 0.8, which required some hacks into the Trac engine. 
Too bad305 * '''v0.0''': First attempt to write a LDAP bridge for Trac based on Trac 0.8, which required some hacks into the Trac engine. 306 306 * '''v0.1''': A new implementation has started on September, 1st '05, to profit from the new [http://projects.edgewall.com/trac/wiki/TracPlugins TracPlugins] module architecture introduced in Trac 0.9-pre.[[BR]] This implementation should bring the following improvements: 307 307 * includes a cache to dramatically reduce LDAP requests 308 * better handling of LDAP errors[[BR]]This extension works with Trac 0.9-pre1 ,and requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.5a13309 * '''v0.2''': This new release fixes up a couple of bugs , and works with Trac 0.9-pre2. It requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.6+.[[BR]]It introduces support for LDAP permission store: TracPermissions can nowstored into the LDAP directory, rather than in the SQL backend.[[BR]]Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent and can be enabled or disabled on demand.308 * better handling of LDAP errors[[BR]]This extension works with Trac 0.9-pre1 and requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.5a13 309 * '''v0.2''': This new release fixes up a couple of bugs and works with Trac 0.9-pre2. It requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.6+.[[BR]]It introduces support for LDAP permission store: TracPermissions can now be stored into the LDAP directory, rather than in the SQL backend.[[BR]]Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent and can be enabled or disabled on demand. 310 310 311 311 == Author/Contributors ==
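Review bot: the first hunk replaces "allows to use existing LDAP groups" with "enables to use existing LDAP groups", which is still ungrammatical; "lets you use existing LDAP groups to grant permissions" (or "makes it possible to use") is the natural form, and the same fix applies to "permits to store permissions" two lines below ("lets you store permissions").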
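Review bot: the license hunk turns "licen sed" into "licenced", but the verb is spelled "licensed" in both British and American usage (only the British noun is "licence"); the unchanged line that follows, "license than Trac", also needs "as" rather than "than", so the sentence should read "This software is licensed under the same license as Trac."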
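Review bot: in the configuration-steps hunk, the unchanged context line "Optionnally add the path to your plugin directory" keeps a typo that this punctuation pass could have fixed; suggest "Optionally".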
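Review bot: the hunk that rewords "You'd probably want to define at least `enable=true` and the `basedn`" leaves the next line with a subject-verb mismatch, "The meaning of the options are pretty straightforward"; suggest "The meaning of the options is pretty straightforward for LDAP administrators" (and a full stop after `basedn` before the [[BR]]).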
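Review bot: the two "Authenticated LDAP connections" paragraphs still phrase instructions as preference ("you want to set `group_bind = true` ... and define the credentials"); plain imperative is clearer: "set `group_bind = true` in the `[ldap]` section and define the credentials as follows". More importantly, this is where bind credentials for `store_bind` and `group_bind` enter `trac.ini` and the text gives no handling advice; suggest one sentence stating that the configuration file holding these credentials must not be readable by other users on the host, and that the two bind accounts should be separate and least-privileged: the group-lookup account needs read access only, while the store account needs write access only on the attribute named by `permattr`, as the later hunk already implies with "should be writtable for the `store_user` user".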
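Review bot: in the "group permissions from user permission" hunk, "differenciates" is misspelled in both old and new versions ("differentiates"), "user permission" should be plural to match "group permissions", and "This permits to use distinct objectclasses" swaps one ungrammatical form ("This allow to use") for another; suggest "The extension differentiates '''group permissions''' from '''user permissions'''. This makes it possible to use distinct objectclasses in the LDAP directory to store permissions."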
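Review bot: the hunk around "the LDAP permission store '''never''' attemps to create a new entry" only removes a comma and leaves three typos in the sentence being edited: "attemps" should be "attempts", "targetted" should be "targeted", and "writtable" should be "writable"; fix them in the same edit since the line is already touched.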
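Review bot: in the hunk that replaces "the aforementionned example" with "the example above", "permissions for regular user such as ''eblot''" needs the plural "regular users"; and dropping the comma in "''anonymous'' and ''authenticated'' are special users but are considered by the permission backend" makes the clause run together, so suggest "are special users, but the permission backend treats them just like any other regular user."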
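Review bot: in the History hunk, the v0.2 entry still reads "Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent", which needs "is independent" (or "The two features ... are independent"), and "fixes up a couple of bugs" is better as "fixes a couple of bugs"; the v0.1 entry's "on September, 1st '05" should be "on September 1st, '05".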