
A password store for the AccountManagerPlugin

Description

This plugin is a password store for the AccountManagerPlugin. It provides authentication and group membership from LDAP-enabled directory services, including OpenLDAP, Active Directory and Open Directory.

Users are authenticated by performing an LDAP bind against the directory with their own credentials, so the directory, not Trac, verifies the password. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table with them.

Key features:

  • Can look users up with a service account or with an anonymous bind.
  • Can use SSL/TLS if OpenSSL is configured correctly.
  • Configurable: many options to deal with the differences between directories and schemas.
  • Uses both in-memory and database-backed caching to improve performance.
  • Supports large directories:
    • Searches groups efficiently by their member attribute instead of enumerating every group.
    • Traverses up the tree to resolve nested groups.
  • Can expand directory groups into the Trac namespace.
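The authentication flow described above (service-account lookup, bind as the user, attribute retrieval, group expansion up the tree) as an added, runnable illustration. This is not the plugin's own code: the directory is a constructed in-memory stand-in so the example runs offline, and the comments note the python-ldap call each method corresponds to. All DNs, attribute names, the service account and the configuration keys (service_dn, user_base, group_base, uid_attr, group_nested) are assumptions chosen for the example, not the plugin's real option names.

```python
import re

# RFC 4515 filter escaping: characters that would change a filter's structure are
# hex-encoded, so a username like "*)(uid=*" is searched for literally instead of
# rewriting the query (the LDAP-injection counterpart of parameterised SQL).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server (DN -> attributes, plus the passwords it
    accepts). In a deployment each method wraps one python-ldap call, noted inline."""

    def __init__(self, entries, passwords):
        self.entries = entries
        self.passwords = passwords

    def bind(self, dn, password):
        # python-ldap: conn.simple_bind_s(dn, password); raises INVALID_CREDENTIALS.
        # Like some real servers, the stand-in treats a DN with an empty password as an
        # anonymous bind and reports success, so the caller must refuse that case itself.
        if password == "":
            return True
        return self.passwords.get(dn) == password

    def search(self, base, flt, attrs):
        # python-ldap: conn.search_s(base, ldap.SCOPE_SUBTREE, flt, attrs)
        # Only a single equality filter is understood; anything else is a parse error,
        # roughly how a real server reacts to a filter broken by unescaped input.
        m = re.fullmatch(r"\((\w+)=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)", flt)
        if m is None:
            raise ValueError("bad search filter: %r" % flt)
        attr = m.group(1)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda e: chr(int(e.group(1), 16)), m.group(2))
        hits = []
        for dn, entry in self.entries.items():
            vals = entry.get(attr, [])
            vals = vals if isinstance(vals, list) else [vals]
            if dn.lower().endswith(base.lower()) and value in vals:
                hits.append((dn, {a: entry[a] for a in attrs if a in entry}))
        return hits


def member_of(directory, base, dn):
    """Direct memberships: the groups whose member attribute lists dn. Searching by
    member is what keeps this cheap on a large directory."""
    flt = "(member=%s)" % escape_filter(dn)
    return {g: a["cn"] for g, a in directory.search(base, flt, ["cn"])}


def nested_groups(directory, base, member_dn):
    """Walk memberships upward: groups containing member_dn, then the groups containing
    those, to the top. The dict doubles as a visited set, so membership cycles terminate."""
    groups, queue = {}, [member_dn]
    while queue:
        for g, cn in member_of(directory, base, queue.pop()).items():
            if g not in groups:
                groups[g] = cn
                queue.append(g)
    return groups


def authenticate(directory, cfg, username, password):
    """Return the session attributes for username, or None when authentication fails."""
    # 1. Refuse an empty password before touching the directory: with one, a simple
    #    bind turns into an anonymous bind on servers that allow it and "succeeds".
    if not password:
        return None
    # 2. Find the user's DN with the service account (or anonymously), never with the
    #    user's own credentials, and with the username escaped into the filter.
    if not directory.bind(cfg["service_dn"], cfg["service_password"]):
        return None
    flt = "(%s=%s)" % (cfg["uid_attr"], escape_filter(username))
    hits = directory.search(cfg["user_base"], flt, ["mail", "displayName"])
    if len(hits) != 1:  # unknown user or an ambiguous match: fail closed
        return None
    user_dn, attrs = hits[0]
    # 3. Prove the password by binding as the user's own DN; the directory checks it.
    if not directory.bind(user_dn, password):
        return None
    if cfg.get("group_nested"):
        groups = nested_groups(directory, cfg["group_base"], user_dn)
    else:
        groups = member_of(directory, cfg["group_base"], user_dn)
    return {"dn": user_dn, "email": attrs.get("mail"), "name": attrs.get("displayName"),
            "groups": sorted(groups.values())}


# Constructed sample data: a service account, one user, and three groups where the two
# upper groups (engineering <-> staff) reference each other, to exercise cycle handling.
BASE = "dc=example,dc=test"
SAMPLE = InMemoryDirectory(
    entries={
        "uid=svc-trac,ou=services," + BASE: {"uid": "svc-trac"},
        "uid=alice,ou=people," + BASE: {
            "uid": "alice", "mail": "alice@example.test", "displayName": "Alice Example"},
        "cn=trac-devs,ou=groups," + BASE: {
            "cn": "trac-devs", "member": ["uid=alice,ou=people," + BASE]},
        "cn=engineering,ou=groups," + BASE: {
            "cn": "engineering",
            "member": ["cn=trac-devs,ou=groups," + BASE, "cn=staff,ou=groups," + BASE]},
        "cn=staff,ou=groups," + BASE: {
            "cn": "staff", "member": ["cn=engineering,ou=groups," + BASE]},
    },
    passwords={"uid=svc-trac,ou=services," + BASE: "svc-secret",
               "uid=alice,ou=people," + BASE: "correct horse battery"},
)
CONFIG = {"service_dn": "uid=svc-trac,ou=services," + BASE, "service_password": "svc-secret",
          "user_base": "ou=people," + BASE, "group_base": "ou=groups," + BASE,
          "uid_attr": "uid", "group_nested": True}
```

With the sample data, authenticate(SAMPLE, CONFIG, "alice", "correct horse battery") returns alice's DN, email, display name and the groups ["engineering", "staff", "trac-devs"]; an empty or wrong password and the injected username "*)(uid=*" all return None. Setting group_nested to False yields only the direct group, "trac-devs".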

See: TheoryOfOperation

Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are here.

If you have any issues, create a new ticket.

Ticket summary:

  • defect: 43 / 47
  • enhancement: 7 / 9
  • task: 2 / 2

Download

Download the zipped source from here.

Source

You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.

Installation

Prerequisites

  • You must install AccountManagerPlugin to use this plugin.
  • Python-LDAP is also required.
  • For SSL/TLS, you will have to install and configure OpenSSL so that the directory's certificate validates. You can test this with ldapsearch -Z.

Installation steps

General instructions on installing Trac plugins can be found on the TracPlugins page.

Starting from v0.3, a database upgrade will be required as part of the installation.

  1. Install the plugin and its prerequisites.
  2. Update the database:
     trac-admin /var/trac/instance upgrade
  3. Restart the tracd service or your web server.

See ConfigurationExamples.

Common Issues

  • When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is:
    joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldaps://ldap.base.net -s one 'objectclass=person'

    The -d8 should show you TLS errors. Note that -Z requests StartTLS on a plain ldap:// connection; an ldaps:// URL is encrypted from the first byte, so with that URL the StartTLS request itself is redundant.
  • If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user and password are correct, try connecting to Active Directory on port 3268. Port 3268 is the Global Catalog, which answers for the whole forest rather than a single domain controller's domain; the error can appear when Active Directory is spread across multiple machines.

Recent Changes

16076 by bebbo on 2016-12-11 13:46:41
  refs #11305
  • the user's groups are all added from the assigned group to the top level group if the config option 'group_nested' is set to True

16073 by bebbo on 2016-12-10 21:16:07
  change dir_scope default to 2 = SUBTREE

16072 by bebbo on 2016-12-10 20:46:49
  refs #11307
  fixed handling to use the configured attribute instead of 'cn'

Author/Contributors

Author: pacopablo
Maintainer: bebbo
Contributors: sandinak, rjollos

Last modified on Dec 9, 2016, 12:06:59 AM