A password store for the AccountManagerPlugin using LDAP
Description
The LdapAuthStorePlugin is a password store for the AccountManagerPlugin that provides authentication and group membership from an LDAP service.
Users are authenticated by performing an LDAP bind against the directory with their own credentials. The plugin also pulls the email address and username from the directory and populates the session_attribute table.
It works with current Trac (1.0.1) plus LdapPlugin and AccountManagerPlugin against OpenLDAP.
This plugin was started at the suggestion in comment:26:ticket:1147, where k0s posted the plugin from ticket:1147 as a standalone hack. Based on that work, ldap-auth-store.patch:ticket:1600 was merged with the session store parts of ldap_store.3.py:ticket:1147 and account-manager-ldap.4.patch:ticket:1147.
Bugs/Feature Requests
Existing bugs and feature requests for LdapAuthStorePlugin are here.
If you have any issues, create a new ticket.
Type | Tickets
---|---
defect | 5 / 6
enhancement | 1 / 1
Download
Download the zipped source from [download:ldapauthstoreplugin here].
Source
You can check out LdapAuthStorePlugin from here using Subversion, or browse the source with Trac.
Installation
The plugins AccountManagerPlugin and LdapPlugin must be installed first to use this plugin.
Follow the Trac documentation on how to install Trac plugins.
Configuration
Edit trac.ini for the following changes:
- Activate acct_mgr, ldapplugin, ldapauthstore in the [components] section.
- Define LDAP related config options in the LdapPlugin [ldap] config section.
This would amount to the following:
[trac]
...
permission_store = DefaultPermissionStore

[account-manager]
...
password_store = LdapAuthStore

[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
trac.web.auth.loginmodule = disabled
...
ldapplugin.* = enabled
ldapauthstore.* = enabled

[ldap]
# enable LDAP support for Trac
enable = true
# enable TLS support
use_tls = false
# LDAP directory host
host = localhost
# LDAP directory port (default port for LDAPS/TLS connections is 636)
port = 389
# BaseDN
basedn = dc=example,dc=com
# Relative DN for users (defaults to none)
user_rdn = ou=people
# Relative DN for group of names (defaults to none)
group_rdn = ou=groups
# objectclass for groups
groupname = groupOfNames
# dn entry in a groupname
groupmember = member
# attribute name for a group
groupattr = cn
# attribute name for a user
uidattr = uid
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = yes
# whether to perform an authenticated bind for permission store operations
store_bind = true
# user for authenticated connection to the LDAP directory
bind_user = cn=anonbind,dc=example,dc=com
# password for authenticated connection
bind_passwd = anonbind
# global permissions (vs. per-environment permissions)
global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
manage_groups = true
# whether a group member contains the full dn or a simple uid
groupmemberisdn = yes
...

#
# ldapauthstore settings
#
#--- from #1147, not present in #1600
# default: basedn_filter = objectClass=*
#basedn_filter = objectClass=inetOrgPerson
#---
# default: name = name
name = cn
# default: email = email
email = mail
#--- from #1600, not present in #1147
# users must be in this group to use trac
allusers_group = tracusers
#---
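As an added example (not code from the plugin or from trac-hacks), the script below reads a trac.ini with the sections shown above, derives the DN a login would bind as from uidattr, user_rdn and basedn (the naming scheme is assumed from the option descriptions; the RFC 4514 escaping is this example's own addition) and flags settings that weaken the LDAP login path: plain LDAP without TLS, a bind password kept in trac.ini, and a missing allusers_group.

```python
import configparser

# Constructed sample mirroring the trac.ini fragment above; not a real deployment.
SAMPLE_TRAC_INI = """
[account-manager]
password_store = LdapAuthStore
[ldap]
enable = true
use_tls = false
host = ldap.example.com
port = 389
basedn = dc=example,dc=com
user_rdn = ou=people
group_rdn = ou=groups
uidattr = uid
bind_passwd = anonbind
allusers_group = tracusers
"""

def load_config(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def escape_dn_value(value):
    """RFC 4514 escaping so a login name cannot alter the structure of the DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def user_dn(cfg, username):
    """DN assumed for the bind: <uidattr>=<user>,<user_rdn>,<basedn> (user_rdn optional)."""
    ldap = cfg["ldap"]
    rdn = f"{ldap.get('uidattr', 'uid')}={escape_dn_value(username)}"
    return ",".join(p for p in (rdn, ldap.get("user_rdn", ""), ldap["basedn"]) if p)

def audit(cfg):
    """Return findings for settings that weaken authentication through the LDAP store."""
    ldap, findings = cfg["ldap"], []
    if cfg.get("account-manager", "password_store", fallback="") != "LdapAuthStore":
        findings.append("password_store is not LdapAuthStore; the LDAP bind is never used")
    port = ldap.get("port", "389")
    if not ldap.getboolean("use_tls", fallback=False) and port != "636":
        findings.append(f"plain LDAP on port {port}: user passwords cross the network unencrypted")
    if ldap.get("bind_passwd"):
        findings.append("bind_passwd is stored in trac.ini; restrict the file's permissions")
    if not ldap.get("allusers_group"):
        findings.append("allusers_group unset: every directory account that can bind may log in")
    return findings
```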