| 1 | | [[PageOutline]] |
| 2 | | = AD Group Management = |
| 3 | | |
| 4 | | The plugin extends Directory group membership into the trac namespace. This means you can specify permissions for different groups of authenticated individuals. |
| 5 | | |
| 6 | | == Theory == |
| 7 | | LDAP maintains groups by defining the objectClass, and usually contains member or memberUID as the identifier for each person in a group. When a request for a group, as defined in the permissions, is searched, the group is expanded to the members. It's then used to match. |
| 8 | | |
| 9 | | == Usage == |
| 10 | | |
| 11 | | 1. create the groups in the directory you'd like ( say cn=Staff,dc=home,dc=net ) |
| 12 | | 2. add users to the groups |
| 13 | | 3. goto Admin -> Permissions and create a group by adding permissions to the group name as defined below. Ao for example use Grant Permission with |
| 14 | | Subject: @staff |
| 15 | | Permission: WIKI_EDIT |
| 16 | | |
| 17 | | '''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page. |
| 18 | | == Validation == |
| 19 | | To validate users, you'll need to login wiht perms to the TRAC_HOME directory .. and then use |
| 20 | | {{{ |
| 21 | | me@here > sudo trac-admin /var/trac/mytrac permission list {user} |
| 22 | | }}} |
| 23 | | |
| 24 | | == Configuration == |
| 25 | | |
| 26 | | Any groups found under the base_dn will be expanded into the name space |
| 27 | | - each group will have the name normalized by changing it to lower case, and changing spaces to underscores |
| 28 | | - the group name will be prefixed by an @ sign |
| 29 | | |
| 30 | | {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} == @domain_users |
| 31 | | == Example Configurations == |
| 32 | | For example: |
| 33 | | {{{ |
| 34 | | @domain_users BLOG_CREATE |
| 35 | | @domain_users BLOG_MODIFY_ALL |
| 36 | | @domain_users BLOG_MODIFY_OWN |
| 37 | | @domain_users BROWSER_VIEW |
| 38 | | @domain_users DISCUSSION_APPEND |
| 39 | | @domain_users MYPAGE_VIEW |
| 40 | | @domain_users PRIVATE_EDIT_ATOL_SECURE |
| 41 | | @domain_users PRIVATE_VIEW_ATOL_SECURE |
| 42 | | @domain_users REPORT_SQL_VIEW |
| 43 | | @domain_users RES_RESERVE_MODIFY |
| 44 | | @domain_users RES_RESERVE_VIEW |
| 45 | | @domain_users RIPE_EDIT |
| 46 | | @domain_users TICKET_ADMIN |
| 47 | | @domain_users TSTATS_VIEW |
| 48 | | @domain_users WIKI_CREATE |
| 49 | | @domain_users WIKI_RENAME |
| 50 | | @domain_users XML_RPC |
| 51 | | @branch_admins PRIVATE_VIEW_BRANCH_SECURE |
| 52 | | @ops PRIVATE_EDIT_OPS_SECURE |
| 53 | | @ops XML_RPC |
| 54 | | @sysops DISCUSSION_ADMIN |
| 55 | | @sysops RIPE_ADMIN |
| 56 | | @sysops TICKET_EDIT_CC |
| 57 | | @sysops WIKI_DELETE |
| 58 | | @trac_admin TRAC_ADMIN |
| 59 | | ... |
| 60 | | }}} |
| 61 | | |
| 62 | | - This gives the @domain_users group from AD a specific set of perms |
| 63 | | - the @branch_admins are using the PrivateWiki plugin to hide their passwords |
| 64 | | - as are the @ops group |
| 65 | | - @sysops are god like. |
| 66 | | - @trac_admins are .. well well trac_admins ;-) |
| | 1 | [[redirect(wiki:DirectoryAuthPlugin/GroupManagement)]] |
