[[PageOutline(2-5,Contents,pullout)]]

= A password store for the !AccountManagerPlugin using LDAP

== Description

The LdapAuthStorePlugin is a password store for the AccountManagerPlugin that provides authentication and group membership from an LDAP service. Users are authenticated by performing an LDAP bind against the directory with their own credentials. The plugin also pulls the email address and username from the directory and populates the `session_attribute` table.

It works with current Trac (1.0.1) + LdapPlugin + AccountManagerPlugin against OpenLDAP.

This plugin was started at the suggestion in comment:26:ticket:1147; k0s posted the plugin from ticket:1147 as a standalone hack. Based on that work, the patch [attachment:ldap-auth-store.patch:ticket:1600] merged in the session store parts of [attachment:ldap_store.3.py:ticket:1147] and [attachment:account-manager-ldap.4.patch:ticket:1147].

== Bugs/Feature Requests

Existing bugs and feature requests for LdapAuthStorePlugin are [report:9?COMPONENT=LdapAuthStorePlugin here].

If you have any issues, create a [http://trac-hacks.org/newticket?component=LdapAuthStorePlugin&owner=igoltz new ticket].

[[TicketQuery(component=LdapAuthStorePlugin,group=type,format=progress)]]

== Download

Download the zipped source from [download:ldapauthstoreplugin here].

== Source

You can check out LdapAuthStorePlugin from [http://trac-hacks.org/svn/ldapauthstoreplugin here] using Subversion, or [source:ldapauthstoreplugin browse the source] with Trac.

== Installation

The AccountManagerPlugin and LdapPlugin must be installed before this plugin can be used. Follow the Trac documentation on how [http://trac.edgewall.org/search?q=TracPlugins to install Trac plugins].

== Configuration

Edit `trac.ini` for the following changes:
 * Activate acct_mgr, ldapplugin, ldapauthstore in the [components] section.
 * Define LDAP related config options in the LdapPlugin [ldap] config section.
This would amount to the following:

{{{
#!ini
[trac]
...
permission_store = DefaultPermissionStore

[account-manager]
...
password_store = LdapAuthStore

[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
trac.web.auth.loginmodule = disabled
...
ldapplugin.* = enabled
ldapauthstore.* = enabled

[ldap]
# enable LDAP support for Trac
enable = true
# enable TLS support
use_tls = false
# LDAP directory host
host = localhost
# LDAP directory port (default port for LDAPS/TLS connections is 636)
port = 389
# BaseDN
basedn = dc=example,dc=com
# Relative DN for users (defaults to none)
user_rdn = ou=people
# Relative DN for group of names (defaults to none)
group_rdn = ou=groups
# objectclass for groups
groupname = groupOfNames
# dn entry in a groupname
groupmember = member
# attribute name for a group
groupattr = cn
# attribute name for a user
uidattr = uid
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = yes
# whether to perform an authenticated bind for permission store operations
store_bind = true
# user for authenticated connection to the LDAP directory
bind_user = cn=anonbind,dc=example,dc=com
# password for authenticated connection
bind_passwd = anonbind
# global permissions (vs. per-environment permissions)
global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
manage_groups = true
# whether a group member contains the full dn or a simple uid
groupmemberisdn = yes
...

#
# ldapauthstore settings
#
#--- from #1147, not present in #1600
# default: basedn_filter = objectClass=*
#basedn_filter = objectClass=inetOrgPerson
#---
# default: name = name
name = cn
# default: email = email
email = mail
#--- from #1600, not present in #1147
# users must be in this group to use trac
allusers_group = tracusers
#---
}}}

== Recent Changes

[[ChangeLog(ldapauthstoreplugin, 3)]]

== Author/Contributors

'''Author:''' [wiki:k0s] [[BR]]
'''Maintainer:''' [[Maintainer]][[BR]]
'''Contributors:'''
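The `[ldap]` settings in the Configuration section above determine how a bind-based password store derives the user's DN and checks `allusers_group` membership. The following is an added example, not the plugin's own code: it composes those values from a constructed `trac.ini` fragment, escapes user input per RFC 4514/4515, and refuses the empty-password bind that an LDAP directory would otherwise treat as unauthenticated. The `bind(dn, password)` callable is an assumed stand-in for the directory connection so the example runs offline.

```python
import configparser
# Constructed trac.ini fragment mirroring the [ldap] settings shown above.
TRAC_INI = """
[ldap]
basedn = dc=example,dc=com
user_rdn = ou=people
groupname = groupOfNames
groupmember = member
groupattr = cn
uidattr = uid
groupmemberisdn = yes
allusers_group = tracusers
"""

def load_ldap_config(ini_text):
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(cp["ldap"])

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot alter a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_dn(cfg, username):
    """DN the store binds as: uidattr=<user>,user_rdn,basedn."""
    parts = [f"{cfg['uidattr']}={escape_dn_value(username)}", cfg.get("user_rdn", ""), cfg["basedn"]]
    return ",".join(p for p in parts if p)

def allusers_filter(cfg, username):
    """Filter that matches allusers_group only if it lists the user as a member."""
    is_dn = cfg.get("groupmemberisdn", "no").lower() in ("yes", "true", "1")
    member = user_dn(cfg, username) if is_dn else username
    return (f"(&({cfg['groupattr']}={escape_filter_value(cfg['allusers_group'])})"
            f"(objectClass={cfg['groupname']})({cfg['groupmember']}={escape_filter_value(member)}))")

def check_password(cfg, username, password, bind):
    """bind(dn, password) -> bool stands in for the directory connection (assumed)."""
    # A simple bind with an empty password is an *unauthenticated* bind (RFC 4513
    # section 5.1.2) that many directories accept, so refuse it before binding.
    if not username or not password:
        return False
    return bind(user_dn(cfg, username), password)
```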