Changes between Version 66 and Version 67 of LdapPlugin


Ignore:
Timestamp:
Sep 7, 2016, 9:00:46 PM (5 years ago)
Author:
figaro
Comment:

Further cosmetic changes: removed reference to Trac 0.9

Legend:

Unmodified
Added
Removed
Modified
  • LdapPlugin

    v66 v67  
    55== Description
    66
    7 LDAP support with group management has been added as a Trac extension. This extension enables the use of existing LDAP groups to grant permissions rather than defining permissions for every single user on the system.
    8 
    9 The latest release also permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the database backend.
     7This plugin adds LDAP support with group management. It enables the use of existing LDAP groups to grant permissions rather than defining permissions for every single user on the system. It furthermore permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the database backend.
    108
    119The original proposal for LDAP ACL is documented under ticket trac:#535 on the official web site.
     
    2018  * Trac 0.12 and 1.0, for the 0.7.x series
    2119
    22 Although initial releases of the plugin (up to '''0.2.2''') have been written against Trac 0.9, they lack many of the latest plugin features and should be considered as ''experimental'' at best.
    23 
    24 You need the Python LDAP module. It can be retrieved from python-ldap.[[BR]]
     20You need the Python LDAP module. It can be retrieved from python-ldap.
     21
    2522LdapPlugin has been tested on a Debian Linux Sarge/Sid (2.4.x and 2.6.x) server, a Windows XP SP2 workstation, as well as on !MacBookPro OS 10.4.8, all of them running Python 2.4 with Trac 'development' releases.
    2623
    27 To use the egg file you need to have setuptools, version 0.6+ installed.[[BR]]
    28 Please refer to the TracPlugins page for information about plugin installation.
     24To use the egg file you need to have setuptools, version 0.6+ installed. Please refer to the TracPlugins page for information about plugin installation.
    2925
    3026'''Notes''':
    31 
    3227 1. You need to apply all patches mentioned in #6268 on Windows, otherwise the plugin will not work.
    3328 1. You need to grab a recent version of Trac from the trunk to make the (optional) Ldap permission store extension work as expected. As the trunk API may vary without notice, the plugin may be broken if you run it with a different release.
     
    3530== Bugs/Feature Requests
    3631
    37 Existing bugs and feature requests for !LdapPlugin are [report:9?COMPONENT=LdapPlugin here].
    38 
    39 If you have any issues, create a [/newticket?component=LdapPlugin new ticket].
     32Existing bugs and feature requests for LdapPlugin are
     33[report:9?COMPONENT=LdapPlugin here].
     34
     35If you have any issues, create a
     36[/newticket?component=LdapPlugin new ticket].
    4037
    4138[[TicketQuery(component=LdapPlugin&group=type,format=progress)]]
     
    4845
    4946You can check out LdapPlugin from [/svn/ldapplugin here] using Subversion, or [source:ldapplugin browse the source] with Trac.
     47
     48== Installation
     49
     50General instructions on installing Trac plugins can be found on the [TracPlugins#InstallingaTracplugin TracPlugins] page.
    5051
    5152== Configuration
     
    195196}}}
    196197
    197 ==== Note
    198 
    199 If you get an error message like this:
     198'''Note''': If you get an error message like this:
    200199{{{#!sh
    201200File "build/bdist.linux-x86_64/egg/ldapplugin/api.py", line 106, in get_permission_groups
     
    307306Once LDAP support has been activated, you can use the web interface menu item `Admin` or `trac-admin` as usual to define TracPermissions. However, you can now use the existing groups defined in your LDAP directory to assign permissions.
    308307
    309 A LDAP group should start with the '`@`' character, such as:
     308A LDAP group should start with the `@` character, such as:
    310309
    311310{{{#!sh
     
    347346member: uid=izzie,ou=groups,dc=example,dc=org
    348347}}}
    349    With such an environment, your [ldap] section would contain the following:
     348   With such an environment, your `[ldap]` section would contain the following:
    350349{{{#!ini
    351350[ldap]
     
    366365memberUid: uid=izzie
    367366}}}
    368    With such an environment, your [ldap] section would contain the following:
     367   With such an environment, your `[ldap]` section would contain the following:
    369368{{{#!ini
    370369[ldap]
     
    376375}}}
    377376
    378 Beware, if you use this second scheme, you should have these lines in your apache configuration:
     377Beware, if you use this second scheme, you should have these lines in your Apache configuration:
    379378
    380379{{{#!apache
     
    420419Starting from release '''v0.4.1''', the LdapPlugin permission store offers two ways to store group membership:
    421420 1. Permission-based management (default setting):[[BR]]
    422    In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, which leads to manage permissions concurrently from the permission actions and the existing LDAP groups
     421   In this configuration, the plugin mimics the original Trac membership management, but does not follow the LDAP way: group membership is defined as permission actions, which leads to manage permissions concurrently from the permission actions and the existing LDAP groups.
    423422 1. Ldap group management (recommended settings):[[BR]]
    424    In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups[[BR]]
     423   In this configuration, the plugin only uses the LDAP groups to manage group membership. The plugin adds or removes group members from existing LDAP groups.
    425424
    426425==== Activation
     
    459458  The above point means that the Trac administrator should probably creates the users and the groups from outside the Trac administration console (or [trac:wiki:WebAdmin WebAdmin]). LdapPlugin is designed to integrate Trac with an existing LDAP directory, not to manage the directory.
    460459 1. Default LDAP group policy usually requires that each group contains at least one member. If the administrator tries to remove the last member of a LDAP group, the LdapPlugin may refuse to perform this action (depending on the LDAP server setup).
    461  1. Note that LDAP group management only deals with explicit groups, ''i.e.'' any word that starts with a `@` character. You can therefore mix aliases and LDAP directory groups:
    462    * {{{permission add eblot devteam}}} is a group alias, managed as any Trac permission
    463    * {{{permission add devteam @developers}}} is managed as a LDAP directory group (if `manage_groups` option is enabled)
     460 1. Note that LDAP group management only deals with explicit groups, ie any word that starts with a `@` character. You can therefore mix aliases and LDAP directory groups:
     461   * {{{permission add eblot devteam}}} is a group alias, managed as any Trac permission.
     462   * {{{permission add devteam @developers}}} is managed as a LDAP directory group, if `manage_groups` option is enabled.
    464463
    465464== Known limitations
    466465
    467  * Only LDAP v3 protocol is supported. This extension may work with v2 protocol
    468    as well, if the v3 specifier is removed from the code.
    469  * Several assumptions made by the plugin proved to be unreliable in at leave one Active Directory based implementation.  #6268 contains fixes to work better with AD in cases where the Common Name is not the same as the sAMAccountName.
     466 * Only LDAP v3 protocol is supported. This extension may work with v2 protocol as well, if the v3 specifier is removed from the code.
     467 * Several assumptions made by the plugin proved to be unreliable in at leave one Active Directory based implementation. #6268 contains fixes to work better with AD in cases where the Common Name is not the same as the sAMAccountName.
    470468
    471469== !ToDo list
    472470 
    473  * Add user detail support so that the full name and email address are retrieved from the LDAP server. It would require a new extension point in Trac engine, which might be called `IUserDirectory` (not before Trac 0.11 at best) - Note: A patch on #6268 implements this. It's a bit of a kludge, but it's been working without issue thus far.
     471 * Add user detail support so that the full name and email address are retrieved from the LDAP server. It would require a new extension point in Trac engine, which might be called `IUserDirectory` (not before Trac 0.11 at best). A patch on #6268 implements this. It's a bit of a kludge, but it's been working without issue thus far.
    474472 * There's probably a lot of room for improvement and debugging.
    475473