Directory Auth Plugin
NOTE: Major changes from 0.3
- renamed to DirectoryAuthPlugin
- conf variables are renamed for standardization
- now more directory type agnostic
Description
The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled services, including OpenLDAP, Active Directory and OpenDirectory.
Users are authenticated by performing an ldap_bind against a directory using their credentials. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table. See Populating ''Assign To'' Drop Down in Trac for more information on why.
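The checks a bind-based login needs before it trusts the directory's answer, as an added example that is not the plugin's own code. The names `authenticate`, `find_dns`, `bind` and the in-memory directory are assumptions made for illustration; the directory calls are injected so the logic runs without a server.

```python
# Added example: pre-bind checks for bind-based LDAP authentication.
# With python-ldap, find_dns/bind would wrap search_s() and simple_bind_s(),
# and ldap.filter.escape_filter_chars() performs the same escaping.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def authenticate(username, password, find_dns, bind, user_attr='uid'):
    """Return the user's DN on a successful bind, else None.

    find_dns(filter) -> list of DNs (run as a service account or anonymously)
    bind(dn, password) -> bool
    """
    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513, 5.1.2); many servers report success, so refuse it here.
    if not username or not password:
        return None
    flt = '(%s=%s)' % (user_attr, escape_filter_value(username))
    dns = find_dns(flt)
    # Zero or several matches: never guess which entry to bind as.
    if len(dns) != 1:
        return None
    return dns[0] if bind(dns[0], password) else None


# Constructed in-memory directory standing in for a real server.
_USERS = {'alice': ('uid=alice,ou=people,dc=base,dc=net', 's3cret'),
          'bob': ('uid=bob,ou=people,dc=base,dc=net', 'hunter2')}

def fake_find_dns(flt):
    # Tiny matcher: exact match, or a bare '*' wildcard matching every entry.
    value = flt[1:-1].split('=', 1)[1]
    if value == '*':
        return [dn for dn, _ in _USERS.values()]
    return [dn for name, (dn, _) in _USERS.items() if name == value]

def fake_bind(dn, password):
    # Mimics a server that accepts unauthenticated binds (empty password).
    if password == '':
        return True
    return any(dn == d and password == p for d, p in _USERS.values())
```
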
This plugin was built upon the excellent ActiveDirectoryAuthPlugin by pacopablo .. much thanks for the original!
Features
- Can use a service account to do lookups, or anonymous binding
- Can use SSL if openssl is configured correctly ( I am working on some documentation for this )
- Configurable .. many options to deal with the differences between directories and schema
- Uses both memory and db based caching to improve performance
- Now supports LARGE directories (updated)
- Searches Groups more efficiently using Member
- Recurses up the tree to find subgroups
- Can expand directory groups into the Trac namespace
See: TheoryOfOperation
Bugs/Feature Requests
Existing bugs and feature requests for DirectoryAuthPlugin are here.
If you have any issues, create a new ticket.
Download
Download the zipped source from [download:directoryauthplugin here]
Source
You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.
Install
Prerequisites
- You must install AccountManagerPlugin in order to use this plugin.
- Python-LDAP is also required and can be downloaded here
- For SSL, you will have to install and configure OpenSSL to work with valid certificates (you can test using ldapsearch -Z).
Installation
Follow the Trac documentation on how to install Trac plugins
- Starting with 0.3, a database upgrade will be required as part of the installation.
- Install the plugin and its prerequisites.
- Update the database:
  trac-admin /var/trac/instance upgrade
- Restart the Trac service or your web server.
Common Errors
- When using SSL, the server won't authenticate. Make sure you can use ldapsearch -Z with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use:
joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldaps://ldap.base.net -s one 'objectclass=person'
The -d8 option should show you TLS errors.
- If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.