[[PageOutline]]
= AD Group Management =

The plugin extends Directory group membership into the Trac namespace. This means you can specify permissions for different groups of authenticated individuals.

== Theory ==
LDAP represents a group as an entry identified by its objectClass, which usually carries a member or memberUid attribute for each person in the group. When a group named in the permissions is looked up, it is expanded to its members, and that member list is then used to match the authenticated user.

== Usage ==

 1. create the groups you'd like in the directory (say cn=Staff,dc=home,dc=net)
 2. add users to the groups
 3. go to Admin -> Permissions and create the group by adding permissions to the group name as defined under Configuration below. So, for example, use Grant Permission with
    Subject: @staff
    Permission: WIKI_EDIT

'''NOTE:''' groups will NOT show up per user until they're defined from the Permissions page.
== Validation ==
To validate users, you'll need to log in with permissions to the TRAC_HOME directory and then use
{{{
me@here > sudo trac-admin /var/trac/mytrac permission list {user}
}}}

== Configuration ==

Any groups found under the base_dn will be expanded into the namespace:
 - each group will have its name normalized by changing it to lower case and changing spaces to underscores
 - the group name will be prefixed by an @ sign

For example, {{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} becomes {{{@domain_users}}}.

== Example Configurations ==
For example:
{{{
@domain_users BLOG_CREATE
@domain_users BLOG_MODIFY_ALL
@domain_users BLOG_MODIFY_OWN
@domain_users BROWSER_VIEW
@domain_users DISCUSSION_APPEND
@domain_users MYPAGE_VIEW
@domain_users PRIVATE_EDIT_ATOL_SECURE
@domain_users PRIVATE_VIEW_ATOL_SECURE
@domain_users REPORT_SQL_VIEW
@domain_users RES_RESERVE_MODIFY
@domain_users RES_RESERVE_VIEW
@domain_users RIPE_EDIT
@domain_users TICKET_ADMIN
@domain_users TSTATS_VIEW
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@domain_users XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops PRIVATE_EDIT_OPS_SECURE
@ops XML_RPC
@sysops DISCUSSION_ADMIN
@sysops RIPE_ADMIN
@sysops TICKET_EDIT_CC
@sysops WIKI_DELETE
@trac_admin TRAC_ADMIN
...
}}}

 - This gives the @domain_users group from AD a specific set of perms
 - the @branch_admins are using the PrivateWiki plugin to hide their passwords
 - as are the @ops group
 - @sysops are god-like.
 - @trac_admins are .. well, trac_admins ;-)
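To make the Theory and Configuration sections concrete, here is an added Python example (not the plugin's own code) that walks the whole path: a directory group entry is found under the base_dn, its name is normalized to the {{{@group}}} form, its member or memberUid attributes are expanded to login names, and the result is matched against a permission table in the same shape as the configuration above. The directory entries, the objectClass set treated as groups, the sAMAccountName lookup and the small permission table are all constructed assumptions for this example; Trac's own meta-permissions (TRAC_ADMIN implying everything) are deliberately not modelled.

```python
"""Added example (not the plugin's own code): how a directory group becomes
a Trac permission subject. All directory entries below are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample directory: DN -> attributes. Not real accounts.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Domain Users,cn=Users,dc=ad,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=Users,dc=ad,dc=com", "cn=bob,cn=Users,dc=ad,dc=com"],
    },
    "cn=Sysops,cn=Users,dc=ad,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=Users,dc=ad,dc=com"],
    },
    "cn=Staff,dc=home,dc=net": {
        "objectClass": ["posixGroup"],
        "memberUid": ["carol"],
    },
    "cn=alice,cn=Users,dc=ad,dc=com": {"objectClass": ["person"], "sAMAccountName": ["alice"]},
    "cn=bob,cn=Users,dc=ad,dc=com": {"objectClass": ["person"], "sAMAccountName": ["bob"]},
}

# objectClass values treated as groups (an assumption of this example).
GROUP_CLASSES = {"group", "posixgroup", "groupofnames"}

# Permission table in the same "subject action" shape as the page's example.
PERMISSIONS = """
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@sysops WIKI_DELETE
@staff WIKI_EDIT
@trac_admin TRAC_ADMIN
"""


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    return re.split(r"(?<!\\),", dn)


def rdn_value(dn: str) -> str:
    """Value of the first RDN: 'cn=Domain Users,...' -> 'Domain Users'."""
    _attr, _, value = split_dn(dn)[0].partition("=")
    return value.replace("\\,", ",")


def normalize_group_name(group_dn: str) -> str:
    """The page's rule: lower case, spaces -> underscores, prefix '@'."""
    return "@" + rdn_value(group_dn).lower().replace(" ", "_")


def under_base(dn: str, base_dn: str) -> bool:
    """True if dn lies beneath base_dn (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base_dn.lower())


def login_name(entry_dn: str) -> str:
    """Map a member DN to the login name Trac sees (sAMAccountName or uid,
    falling back to the RDN value)."""
    entry = DIRECTORY.get(entry_dn, {})
    names = entry.get("sAMAccountName") or entry.get("uid")
    return names[0] if names else rdn_value(entry_dn)


def expand_group(group_dn: str) -> Set[str]:
    """Expand a group entry to the set of login names of its members."""
    attrs = DIRECTORY[group_dn]
    members = {login_name(dn) for dn in attrs.get("member", [])}
    members |= set(attrs.get("memberUid", []))
    return members


def groups_for_user(user: str, base_dn: str) -> Set[str]:
    """All @group names under base_dn whose expanded membership includes user."""
    found: Set[str] = set()
    for dn, attrs in DIRECTORY.items():
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if classes & GROUP_CLASSES and under_base(dn, base_dn) and user in expand_group(dn):
            found.add(normalize_group_name(dn))
    return found


def parse_permissions(text: str) -> List[Tuple[str, str]]:
    """Parse 'subject action' lines into (subject, action) pairs."""
    return [tuple(line.split(None, 1)) for line in text.strip().splitlines() if line.strip()]


def permission_list(user: str, base_dn: str) -> List[str]:
    """Actions the user gets directly or via directory groups, in the spirit of
    `trac-admin ... permission list`. Meta-permissions are not modelled."""
    subjects = {user} | groups_for_user(user, base_dn)
    return sorted({action for subject, action in parse_permissions(PERMISSIONS) if subject in subjects})


if __name__ == "__main__":
    for user, base in (("alice", "dc=ad,dc=com"), ("bob", "dc=ad,dc=com"), ("carol", "dc=home,dc=net")):
        print(user, sorted(groups_for_user(user, base)), permission_list(user, base))
```

Running it shows why the NOTE above matters: a group only contributes actions once some line in the permission table names it, so a user who is in a directory group that nobody has granted anything to (bob in Sysops, had he been there, with no @sysops line) would list nothing from it. It also shows the base_dn scoping: with {{{dc=ad,dc=com}}} as the base, {{{cn=Staff,dc=home,dc=net}}} is never expanded, so carol gets nothing there even though her group exists in the directory.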
[[redirect(wiki:DirectoryAuthPlugin/GroupManagement)]]