Version 7 (modified by rjollos, 3 years ago): Cleaned up history.



The LdapAuthStorePlugin is a password store for the AccountManagerPlugin that provides authentication and group membership from an LDAP service. Users are authenticated by performing an LDAP simple bind against the directory with their own credentials, so the directory, not Trac, verifies the password and Trac never stores password hashes for these users. The plugin also pulls the user's name and email address from the directory (the attributes configured as name and email below) and populates the session_attribute table with them.

It works with Trac 1.0.1 together with LdapPlugin and AccountManagerPlugin against OpenLDAP.


At the suggestion in comment:26:ticket:1147, k0s posted the plugin from ticket:1147 as a standalone hack.

Based on his work I have taken ldap-auth-store.patch:ticket:1600 and merged in the session store parts of account-manager-ldap.4.patch:ticket:1147.

Bugs/Feature Requests

Existing bugs and feature requests for LdapAuthStorePlugin are here.

If you have any issues, create a new ticket.


Download the zipped source from [download:ldapauthstoreplugin here].


You can check out LdapAuthStorePlugin from here using Subversion, or browse the source with Trac.



You must install AccountManagerPlugin and LdapPlugin in order to use this plugin.


Follow the Trac documentation on how to install Trac plugins.


Activate acct_mgr, ldapplugin and ldapauthstore in the [components] section of trac.ini, and define the LDAP-related options in the LdapPlugin [ldap] section. Two points deserve attention before copying the fragment below: every login performs a simple bind with the user's own password, so with use_tls = false on port 389 that password crosses the network in cleartext on each login; set use_tls = true (or otherwise terminate TLS in front of the directory) whenever the directory is not on the same host as Trac. Second, bind_passwd is stored in plain text in trac.ini, so give the bind_user account read access to the user and group entries only, and restrict the file permissions on trac.ini accordingly.

[trac]
permission_store = DefaultPermissionStore

[account-manager]
password_store = LdapAuthStore

[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
trac.web.auth.loginmodule = disabled
ldapplugin.* = enabled
ldapauthstore.* = enabled

[ldap]
# enable LDAP support for Trac
enable = true
# enable TLS support (strongly recommended unless the directory is local)
use_tls = false
# LDAP directory host
host = localhost
# LDAP directory port (default port for LDAPS/TLS connections is 636)
port = 389
# BaseDN
basedn = dc=example,dc=com
# Relative DN for users (defaults to none)
user_rdn = ou=people
# Relative DN for group of names (defaults to none)
group_rdn = ou=groups
# objectclass for groups
groupname = groupOfNames
# dn entry in a groupname
groupmember = member
# attribute name for a group
groupattr = cn
# attribute name for a user
uidattr = uid
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = yes
# whether to perform an authenticated bind for permission store operations
store_bind = true
# user for authenticated connection to the LDAP directory (read-only account)
bind_user = cn=anonbind,dc=example,dc=com
# password for authenticated connection (stored in clear in trac.ini)
bind_passwd = anonbind
# global permissions (vs. per-environment permissions)
global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
manage_groups = true
# whether a group member contains the full dn or a simple uid
groupmemberisdn = yes
# ldapauthstore settings
#--- from #1147, not present in #1600
# default: basedn_filter = objectClass=*
#basedn_filter = objectClass=inetOrgPerson
# default: name = name
name = cn
# default: email = email
email = mail
#--- from #1600, not present in #1147
# users must be in this group to use trac
allusers_group = tracusers
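To make concrete what the [ldap] keys above turn into on the wire, here is an added example (not LdapAuthStorePlugin's own code) that derives the bind DN, the attribute lookup filter and the allusers_group membership filter from a configuration dictionary mirroring the fragment above, and runs the bind / group check / attribute read sequence against a small constructed in-memory directory standing in for the LDAP server. The directory contents, the user names and passwords, and the helper names are all assumptions for illustration; a real store would send the same strings through python-ldap. Two points the example deliberately covers: login names are escaped per RFC 4514/4515 so they cannot alter the DN or filter structure, and an empty password is refused before binding, because a DN with an empty password is an unauthenticated bind that many servers accept.

```python
"""Added example (not LdapAuthStorePlugin's own code): the DNs, filters and
bind/lookup sequence a bind-based password store derives from the [ldap]
settings above, run against a constructed in-memory directory so it works
offline.  A real store would issue the same strings through python-ldap."""
import re

# Constructed config mirroring the [ldap] section above; keys are the page's.
CFG = {
    "host": "localhost", "use_tls": False, "basedn": "dc=example,dc=com",
    "user_rdn": "ou=people", "group_rdn": "ou=groups",
    "groupname": "groupOfNames", "groupmember": "member", "groupattr": "cn",
    "uidattr": "uid", "groupmemberisdn": True,
    "basedn_filter": "objectClass=inetOrgPerson",
    "name": "cn", "email": "mail", "allusers_group": "tracusers",
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def user_dn(cfg, username):
    """DN the user binds with: <uidattr>=<user>,<user_rdn>,<basedn>."""
    rdn = cfg["user_rdn"] + "," if cfg["user_rdn"] else ""
    return "%s=%s,%s%s" % (cfg["uidattr"], escape_dn_value(username), rdn, cfg["basedn"])

def user_filter(cfg, username):
    """Filter used to read the name/email attributes of one user."""
    return "(&(%s)(%s=%s))" % (cfg["basedn_filter"], cfg["uidattr"],
                               escape_filter_value(username))

def allusers_filter(cfg, username):
    """Filter matching allusers_group only if the user is a member of it."""
    member = user_dn(cfg, username) if cfg["groupmemberisdn"] else username
    return "(&(objectClass=%s)(%s=%s)(%s=%s))" % (
        cfg["groupname"], cfg["groupattr"], escape_filter_value(cfg["allusers_group"]),
        cfg["groupmember"], escape_filter_value(member))

def password_crosses_network_in_clear(cfg):
    """True when user binds leave the host without TLS (use_tls = false)."""
    return not cfg["use_tls"] and cfg["host"] not in ("localhost", "127.0.0.1", "::1")

# Constructed directory: DN -> (userPassword, attributes).  Stands in for the
# server; groups are groupOfNames entries whose member values are full DNs.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": ("s3cret", {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "cn": ["John Doe"], "mail": ["jdoe@example.com"]}),
    "uid=nomail,ou=people,dc=example,dc=com": ("pw2", {
        "objectClass": ["inetOrgPerson"], "uid": ["nomail"], "cn": ["No Mail"]}),
    "uid=outsider,ou=people,dc=example,dc=com": ("pw3", {
        "objectClass": ["inetOrgPerson"], "uid": ["outsider"],
        "cn": ["Out Sider"], "mail": ["out@example.com"]}),
    "cn=tracusers,ou=groups,dc=example,dc=com": (None, {
        "objectClass": ["groupOfNames"], "cn": ["tracusers"],
        "member": ["uid=jdoe,ou=people,dc=example,dc=com",
                   "uid=nomail,ou=people,dc=example,dc=com"]}),
}

def simple_bind(directory, dn, password):
    """Stand-in for simple_bind_s.  An empty password must be refused here:
    per RFC 4513 a DN with an empty password is an *unauthenticated* bind
    that many servers accept, which would log anyone in as any known user."""
    if not password:
        return False
    entry = directory.get(dn)
    return entry is not None and entry[0] == password

def is_member(directory, cfg, username):
    """Evaluate allusers_filter against the entries under group_rdn."""
    member = user_dn(cfg, username) if cfg["groupmemberisdn"] else username
    suffix = cfg["group_rdn"] + "," + cfg["basedn"]
    for dn, (_, attrs) in directory.items():
        if (dn.endswith(suffix)
                and cfg["groupname"] in attrs.get("objectClass", [])
                and cfg["allusers_group"] in attrs.get(cfg["groupattr"], [])
                and member in attrs.get(cfg["groupmember"], [])):
            return True
    return False

def authenticate(directory, cfg, username, password):
    """Bind as the user, require allusers_group, return session attributes.
    Attributes are read with .get so a user lacking mail or cn yields None
    instead of raising KeyError (the failure noted under Recent Changes)."""
    dn = user_dn(cfg, username)
    if not simple_bind(directory, dn, password) or not is_member(directory, cfg, username):
        return None
    attrs = directory[dn][1]
    return {"name": attrs.get(cfg["name"], [None])[0],
            "email": attrs.get(cfg["email"], [None])[0]}
```

Running authenticate(DIRECTORY, CFG, "jdoe", "s3cret") yields the name and email the store would write to session_attribute, while "outsider" (valid password, not in tracusers) and an empty password both yield None. Feeding a login name such as "*)(uid=*" to user_filter shows the escaping at work: the filter stays a single equality match instead of becoming a wildcard. password_crosses_network_in_clear is the check to run against a real configuration before turning the plugin on.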

Recent Changes

14623 by rjollos on 2015-06-02 02:21:58
0.3.2dev: Add setup.cfg.
14622 by rjollos on 2015-06-02 02:21:15
0.3.2dev: Avoid KeyError when attributes can't be retrieved. Fixes #12157.

Patch by igoltz.

14584 by rjollos on 2015-05-13 02:59:19
0.3.1: Indentation and PEP-0008 changes.


Author: k0s
Maintainer: igoltz