[[PageOutline]]
= AD Group Management =

The plugin extends directory group membership into the Trac permission namespace. This means you can grant permissions to groups of authenticated users rather than to each individual.

== Theory ==
LDAP represents a group as an entry with a group objectClass whose {{{member}}} or {{{memberUid}}} attribute lists the identifier of each person in the group. When a group named in the permission table is looked up, the plugin expands the group entry into its members, and that member list is what is matched against the authenticated user.

== Usage ==

1. Create the groups you want in the directory (say {{{cn=Staff,dc=home,dc=net}}}).
2. Add users to the groups.
3. Go to Admin -> Permissions and create the group in Trac by granting permissions to the group name as defined below. For example, use Grant Permission with
Subject: @staff
Permission: WIKI_EDIT

'''NOTE:''' groups will NOT show up for a user until they have been defined from the Permissions page.

== Validation ==
To check which permissions a user actually resolves to, log in to the server with an account that has permission on the TRAC_HOME directory and run:
{{{
me@here > sudo trac-admin /var/trac/mytrac permission list {user}
}}}

== Configuration ==

Any group found under the {{{base_dn}}} is expanded into the permission namespace:
- each group name is normalized by lower-casing it and changing spaces to underscores
- the normalized name is prefixed with an @ sign

{{{cn=Domain Users,cn=Users,dc=ad,dc=com}}} becomes {{{@domain_users}}}

== Example Configurations ==
For example:
{{{
@domain_users BLOG_CREATE
@domain_users BLOG_MODIFY_ALL
@domain_users BLOG_MODIFY_OWN
@domain_users BROWSER_VIEW
@domain_users DISCUSSION_APPEND
@domain_users MYPAGE_VIEW
@domain_users PRIVATE_EDIT_ATOL_SECURE
@domain_users PRIVATE_VIEW_ATOL_SECURE
@domain_users REPORT_SQL_VIEW
@domain_users RES_RESERVE_MODIFY
@domain_users RES_RESERVE_VIEW
@domain_users RIPE_EDIT
@domain_users TICKET_ADMIN
@domain_users TSTATS_VIEW
@domain_users WIKI_CREATE
@domain_users WIKI_RENAME
@domain_users XML_RPC
@branch_admins PRIVATE_VIEW_BRANCH_SECURE
@ops PRIVATE_EDIT_OPS_SECURE
@ops XML_RPC
@sysops DISCUSSION_ADMIN
@sysops RIPE_ADMIN
@sysops TICKET_EDIT_CC
@sysops WIKI_DELETE
@trac_admin TRAC_ADMIN
...
}}}

- This gives the @domain_users group from AD a specific set of permissions
- the @branch_admins group uses the PrivateWiki plugin to hide their passwords
- as does the @ops group
- @sysops are god-like
- @trac_admins are .. well, trac_admins ;-)
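The Theory, Configuration and Example Configurations sections above describe three steps: a group DN is normalized into an {{{@name}}} subject, a group entry is expanded to its {{{member}}} or {{{memberUid}}} values, and the permission table is matched against the user and the user's groups. The following is an added example of those three steps in Python; it is not the plugin's own code. The directory entries, user names and permission rows are constructed for illustration, the {{{DIRECTORY}}} dictionary stands in for what an LDAP search under {{{base_dn}}} would return, and nested groups are assumed not to be expanded (the page does not describe nesting).

```python
"""Added example (not the plugin's own code): how a directory group becomes a
Trac permission subject, how the group is expanded to members, and how the
permission table is matched against a user. All data below is constructed."""
import re

# Constructed stand-in for the group entries found under base_dn. Keys are
# group DNs; values mimic the attributes the Theory section mentions:
# objectClass plus 'member' (full DNs) or 'memberUid' (bare user ids).
DIRECTORY = {
    "cn=Domain Users,cn=Users,dc=ad,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,cn=Users,dc=ad,dc=com",
                   "cn=bob,cn=Users,dc=ad,dc=com"],
    },
    "cn=Branch Admins,cn=Users,dc=ad,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=bob,cn=Users,dc=ad,dc=com"],
    },
    "cn=sysops,ou=Groups,dc=home,dc=net": {
        "objectClass": ["posixGroup"],
        "memberUid": ["carol"],
    },
}

# Constructed permission table in the (subject, action) form shown above.
PERMISSIONS = [
    ("@domain_users", "WIKI_CREATE"),
    ("@domain_users", "BROWSER_VIEW"),
    ("@branch_admins", "PRIVATE_VIEW_BRANCH_SECURE"),
    ("@sysops", "WIKI_DELETE"),
    ("carol", "TICKET_ADMIN"),   # a grant made directly to a user, not a group
]


def group_subject(dn):
    """Normalize a group DN into its Trac subject: take the leading cn value,
    lower-case it, turn runs of whitespace into '_' and prefix '@'."""
    rdn = dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("group DN must start with a cn RDN: %r" % dn)
    return "@" + re.sub(r"\s+", "_", value.strip().lower())


def member_uids(entry):
    """Expand one group entry to bare user ids, whichever attribute it uses.
    'member' holds full DNs, so the cn value of each DN is taken as the id."""
    uids = set(entry.get("memberUid", []))
    for member_dn in entry.get("member", []):
        uids.add(member_dn.split(",", 1)[0].partition("=")[2])
    return uids


def groups_for(user):
    """Subjects of every group under base_dn that lists the user as a member."""
    return {group_subject(dn) for dn, entry in DIRECTORY.items()
            if user in member_uids(entry)}


def effective_permissions(user):
    """Union of actions granted to the user directly or to any of its groups;
    this is what 'trac-admin ... permission list {user}' should agree with."""
    subjects = groups_for(user) | {user}
    return {action for subject, action in PERMISSIONS if subject in subjects}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(groups_for(user)), sorted(effective_permissions(user)))
```

Because the normalization is lossy, two directory groups whose names differ only in case or in spaces versus underscores (for example {{{Domain Users}}} and {{{domain_users}}}) map to the same {{{@domain_users}}} subject and therefore share the same grants; when auditing group grants, check the directory for such near-duplicate names as well as the Trac permission table.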