A LDAP / Active Directory password and permission store for the AccountManagerPlugin
This plugin is a password store for the AccountManagerPlugin. It provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled services, including BEJY LDAP, OpenLdap, ActiveDirectory and OpenDirectory.
Users are authenticated by performing an ldap_bind against a directory using their credentials. The plugin will also pull the email address and displayName from Directory and populate the session_attribute table.
- Can use a service account to do lookups, or anonymous binding.
- Can use SSL if openssl is configured correctly.
- Configurable: many options to deal with the differences between directories and schema.
- Uses both memory and db based caching to improve performance.
- Supports large directories:
- Searches Groups more efficiently using Member.
- Traverses up the tree to find subgroups.
- Can expand directory groups into the Trac namespace.
- Supports paged LDAP searches to circumvent server size limits.
If you have any issues, create a new ticket.
Download the zipped source from here.
- You must install AccountManagerPlugin to use this plugin.
- Python-LDAP is also required.
- For SSL, you will have to install and configure OpenSSL to work with valid certificates. You can test using ldapsearch -Z.
General instructions on installing Trac plugins can be found on the TracPlugins page.
Starting from v0.3, a database upgrade will be required as part of the installation.
- Install the plugin and its prerequisites.
- Update the database:
trac-admin /var/trac/instance upgrade
- Restart the tracd service or your webserver.
- When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use:
joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D firstname.lastname@example.org -W -H ldaps://ldap.base.net -s one 'objectclass=person'The -d8 should show you TLS errors.
- If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, then try connecting to Active Directory on port 3268. This may happen when Active Directory is running across multiple machines.
- 16088 by bebbo on 2016-12-13 13:15:24
tag version 2.1.0
- 16087 by bebbo on 2016-12-13 13:11:19
Release Version 2.1.0
- 16086 by bebbo on 2016-12-13 12:12:12
- added a new switch:
group_knownusers = BoolOption('account-manager', 'group_knownusers', False,
"Boolean: Display only the already known users.")