Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 66 and Version 67 of LdapPlugin

Timestamp:: Sep 7, 2016, 9:00:46 PM (9 years ago)
Author:: figaro
Comment:: Further cosmetic changes: removed reference to Trac 0.9

Legend:

: Unmodified
: Added
: Removed
: Modified

LdapPlugin

-                      v66
+                      v67
 == Description
+LDAP support with group management has been added as a Trac extension. This extension enables the use of existing LDAP groups to grant permissions rather than defining permissions for every single user on the system.
+The latest release also permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the database backend.
+This plugin adds LDAP support with group management. It enables the use of existing LDAP groups to grant permissions rather than defining permissions for every single user on the system. It furthermore permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the database backend.
 The original proposal for LDAP ACL is documented under ticket trac:#535 on the official web site.
 …
   * Trac 0.12 and 1.0, for the 0.7.x series
+Although initial releases of the plugin (up to '''0.2.2''') have been written against Trac 0.9, they lack many of the latest plugin features and should be considered as ''experimental'' at best.
+You need the Python LDAP module. It can be retrieved from python-ldap.[[BR]]
+You need the Python LDAP module. It can be retrieved from python-ldap.
 LdapPlugin has been tested on a Debian Linux Sarge/Sid (2.4.x and 2.6.x) server, a Windows XP SP2 workstation, as well as on !MacBookPro OS 10.4.8, all of them running Python 2.4 with Trac 'development' releases.
+To use the egg file you need to have setuptools, version 0.6+ installed.[[BR]]
+Please refer to the TracPlugins page for information about plugin installation.
+To use the egg file you need to have setuptools, version 0.6+ installed. Please refer to the TracPlugins page for information about plugin installation.
 '''Notes''':
 . You need to apply all patches mentioned in #6268 on Windows, otherwise the plugin will not work.
 . You need to grab a recent version of Trac from the trunk to make the (optional) Ldap permission store extension work as expected. As the trunk API may vary without notice, the plugin may be broken if you run it with a different release.
 …
 == Bugs/Feature Requests
+Existing bugs and feature requests for !LdapPlugin are [report:9?COMPONENT=LdapPlugin here].
+If you have any issues, create a [/newticket?component=LdapPlugin new ticket].
+Existing bugs and feature requests for LdapPlugin are
+[report:9?COMPONENT=LdapPlugin here].
+If you have any issues, create a
+[/newticket?component=LdapPlugin new ticket].
 [[TicketQuery(component=LdapPlugin&group=type,format=progress)]]
 …
 You can check out LdapPlugin from [/svn/ldapplugin here] using Subversion, or [source:ldapplugin browse the source] with Trac.
+== Installation
+General instructions on installing Trac plugins can be found on the [TracPlugins#InstallingaTracplugin TracPlugins] page.
 == Configuration
 …
 }}}
+==== Note
+If you get an error message like this:
+'''Note''': If you get an error message like this:
 {{{#!sh
 File "build/bdist.linux-x86_64/egg/ldapplugin/api.py", line 106, in get_permission_groups
 …
 Once LDAP support has been activated, you can use the web interface menu item `Admin` or `trac-admin` as usual to define TracPermissions. However, you can now use the existing groups defined in your LDAP directory to assign permissions.
 A LDAP group should start with the '`@`' character, such as:
+A LDAP group should start with the `@` character, such as:
 {{{#!sh
 …
 member: uid=izzie,ou=groups,dc=example,dc=org
 }}}
    With such an environment, your [ldap] section would contain the following:
+   With such an environment, your `[ldap]` section would contain the following:
 {{{#!ini
 [ldap]
 …
 memberUid: uid=izzie
 }}}
    With such an environment, your [ldap] section would contain the following:
+   With such an environment, your `[ldap]` section would contain the following:
 {{{#!ini
 [ldap]
 …
 }}}
 Beware, if you use this second scheme, you should have these lines in your apache configuration:
+Beware, if you use this second scheme, you should have these lines in your Apache configuration:
 {{{#!apache
 …
 Starting from release '''v0.4.1''', the LdapPlugin permission store offers two ways to store group membership:
 . Permission-based management (default setting):[[BR]]
    In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, which leads to manage permissions concurrently from the permission actions and the existing LDAP groups
+   In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, which leads to manage permissions concurrently from the permission actions and the existing LDAP groups.
 . Ldap group management (recommended settings):[[BR]]
    In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups[[BR]]
+   In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups.
 ==== Activation
 …
   The above point means that the Trac administrator should probably creates the users and the groups from outside the Trac administration console (or [trac:wiki:WebAdmin WebAdmin]). LdapPlugin is designed to integrate Trac with an existing LDAP directory, not to manage the directory.
 . Default LDAP group policy usually requires that each group contains at least one member. If the administrator tries to remove the last member of a LDAP group, the LdapPlugin may refuse to perform this action (depending on the LDAP server setup).
 . Note that LDAP group management only deals with explicit groups, ''i.e.'' any word that starts with a `@` character. You can therefore mix aliases and LDAP directory groups:
    * {{{permission add eblot devteam}}} is a group alias, managed as any Trac permission
    * {{{permission add devteam @developers}}} is managed as a LDAP directory group (if `manage_groups` option is enabled)
+. Note that LDAP group management only deals with explicit groups, ie any word that starts with a `@` character. You can therefore mix aliases and LDAP directory groups:
+   * {{{permission add eblot devteam}}} is a group alias, managed as any Trac permission.
+   * {{{permission add devteam @developers}}} is managed as a LDAP directory group, if `manage_groups` option is enabled.
 == Known limitations
+ * Only LDAP v3 protocol is supported. This extension may work with v2 protocol
+   as well, if the v3 specifier is removed from the code.
+ * Several assumptions made by the plugin proved to be unreliable in at leave one Active Directory based implementation.  #6268 contains fixes to work better with AD in cases where the Common Name is not the same as the sAMAccountName.
+ * Only LDAP v3 protocol is supported. This extension may work with v2 protocol as well, if the v3 specifier is removed from the code.
+ * Several assumptions made by the plugin proved to be unreliable in at leave one Active Directory based implementation. #6268 contains fixes to work better with AD in cases where the Common Name is not the same as the sAMAccountName.
 == !ToDo list
  * Add user detail support so that the full name and email address are retrieved from the LDAP server. It would require a new extension point in Trac engine, which might be called `IUserDirectory` (not before Trac 0.11 at best) - Note: A patch on #6268 implements this. It's a bit of a kludge, but it's been working without issue thus far.
+ * Add user detail support so that the full name and email address are retrieved from the LDAP server. It would require a new extension point in Trac engine, which might be called `IUserDirectory` (not before Trac 0.11 at best). A patch on #6268 implements this. It's a bit of a kludge, but it's been working without issue thus far.
  * There's probably a lot of room for improvement and debugging.