Changes between Version 6 and Version 7 of LdapPlugin

Jan 2, 2006, 11:50:03 PM (12 years ago)
Emmanuel Blot

Add info for 0.3.0 new feature: per-environment permissions


  • LdapPlugin

    v6 v7  
    129129# password for authenticated store bind
    130130store_passwd =
     131# global permissions (vs. per-environment permissions)
     132global_perms = false
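Review bot: the comment added at v7 line 131 does not say which value of `global_perms` selects which mode, so an administrator editing the sample cannot tell what `false` changes. Suggest wording such as "# true: permissions are shared by every Trac environment using this directory; false: permissions are scoped to this environment", so the access-control consequence is visible in the configuration file itself.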
    287289your LDAP directory.
     291=== Global vs. Environment permissions ===
     293Starting from release '''v0.3.0''', permissions are not defined globally (unless `global_perms` is set in the environment configuration file), but on per-environment basis.
     295With environment-wide permissions, it is now possible to define distinct permissions for each Trac environment (as long as their name differ) even if they access the same LDAP directory.[[BR]]
     297The Trac LDAP permission attribute value are prefixed with the environment name.[[BR]]
     298Using the previous example, assuming the environment name is named "test", permission attributes would become:
     300dn: uid=courtney,dc=example,dc=org
     301objectclass: user
     302objectclass: trac
     303tracperm: test:TICKET_VIEW
     304tracperm: test:REPORT_CREATE
     305tracperm: test:REPORT_VIEW
     308It is still possible to use global permissions by setting in the `[ldap]` section of the environment configuration file:
     310global_perms = true
     313When a directory contains global permission directives, those permissions apply on every Trac environment accessing the LDAP directory, whichever the `global_perms` value. However, permissions are always created using the current environment permission setting.
     315From the administrative point of view (`trac-admin`, [ WebAdmin], ...), there are no changes: permission are defined and retrieved as usual.
     317''Note:'' The environment ''name'' is based on the root directory of the Trac environment. This means that if you use different environment with the same name, such as:
     318`/var/local/trac/test` and `/var/db/test`, they are both named "test" and share the same permissions. This is a known limitation of the current implementation.
    289320== Known limitations ==
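Review bot: v7 line 313 says unprefixed (global) `tracperm` values keep applying in every environment whatever `global_perms` is, which means switching to per-environment permissions does not by itself narrow anyone's access. The text should say so directly and tell administrators that existing entries need the `test:`-style prefix before environments are actually isolated. The second sentence of that line ("permissions are always created using the current environment permission setting") would be clearer if it stated what is written to the directory in each mode. The same-name note at lines 317-318 describes two environments silently sharing permissions, so it belongs under the "== Known limitations ==" heading that follows, with advice to keep environment directory names unique.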
    314345 * '''v0.2.2''': Introduce support for disting DN for users and groups (implemented suggestion described in #75)
    315346 * '''v0.2.3''': Update to support the new boolean parsing introduced in the official Trac trunk
     347 * '''v0.3.0''': Introduce per-environment permissions: permissions are defined to the current environment and do not overlap with other Trac environments using the same LDAP directory, unless the `global_perms` configuration parameters is set.
    317349== Author/Contributors ==
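Review bot: in the v0.3.0 entry at v7 line 347, "unless the `global_perms` configuration parameters is set" is ambiguous next to a sample configuration that sets `global_perms = false`; say "is set to true" (and "parameter", singular). "do not overlap with other Trac environments" is also stronger than the new documentation section supports, since that section describes two cases in which permissions are shared across environments, so qualify the claim or point to that section.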