Changes between Version 65 and Version 66 of LdapPlugin
- Timestamp:
- Nov 7, 2015, 1:05:20 PM (8 years ago)
LdapPlugin
v65 v66 1 [[PageOutline(2- 4)]]1 [[PageOutline(2-5,Contents,pullout)]] 2 2 3 3 = LDAP extensions to grant group permissions … … 7 7 LDAP support with group management has been added as a Trac extension. This extension enables the use of existing LDAP groups to grant permissions rather than defining permissions for every single user on the system. 8 8 9 The latest release also permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the SQLbackend.9 The latest release also permits storage of permissions (both users and groups permissions) in the LDAP directory itself rather than in the database backend. 10 10 11 11 The original proposal for LDAP ACL is documented under ticket trac:#535 on the official web site. … … 13 13 This plugin uses the same license as Trac. 14 14 15 == Requirements15 === Requirements 16 16 17 17 This plugin works with the following versions: … … 33 33 1. You need to grab a recent version of Trac from the trunk to make the (optional) Ldap permission store extension work as expected. As the trunk API may vary without notice, the plugin may be broken if you run it with a different release. 34 34 35 == Bugs/Feature Requests 36 37 Existing bugs and feature requests for !LdapPlugin are [report:9?COMPONENT=LdapPlugin here]. 38 39 If you have any issues, create a [/newticket?component=LdapPlugin new ticket]. 40 41 [[TicketQuery(component=LdapPlugin&group=type,format=progress)]] 42 35 43 == Download 36 44 37 Download the zipped source from [ download:ldapplugin here].45 Download the zipped source from [export:ldapplugin here]. 38 46 39 47 == Source 40 48 41 You can check out LdapPlugin from [ http://trac-hacks.org/svn/ldapplugin here] using Subversion, or [source:ldapplugin browse the source] with Trac.49 You can check out LdapPlugin from [/svn/ldapplugin here] using Subversion, or [source:ldapplugin browse the source] with Trac. 
42 50 43 51 == Configuration 44 52 45 You must configure 3 differentplaces:53 You must configure this plugin in the following places: 46 54 1. Authentication (Apache configuration): Get access to the ldap server for reading out the groups. 47 55 1. Configure the plugin (section [ldap] in trac.ini): Get the groups by mapping the interesting part of the server's LDAP directory to this plugin. … … 63 71 Here is an example of a typical LDAP section of an Apache2.0 configuration file: 64 72 65 {{{ 66 #!apache 73 {{{#!apache 67 74 <Location /trac/project> 68 75 PythonOption TracEnv "/local/var/trac/project" … … 79 86 ==== Apache 2.2 80 87 81 Since the mod_auth_ldap module has been superseded by the mod_authnz_ldap module for Apache 2.2, the configuration also needs a little tweaking. The above example would now look like: 82 83 {{{ 84 #!apache 88 Since the mod_auth_ldap module has been superseded by the mod_authnz_ldap module for Apache 2.2, the configuration also needs tweaking. The above example would now look like: 89 90 {{{#!apache 85 91 <Location /trac/project> 86 92 PythonOption TracEnv "/local/var/trac/project" … … 109 115 To enable LdapPlugin you must add this line to the `[components]` section of `trac.ini`: 110 116 111 {{{ 112 #!ini 117 {{{#!ini 113 118 [components] 114 119 ldapplugin.* = enabled … … 117 122 The `[ldap]` section may contain the following options (presented here with their default values): 118 123 119 {{{ 120 #!ini 124 {{{#!ini 121 125 [ldap] 122 126 # enable LDAP support for Trac … … 172 176 A typical setup for group resolution would look like this: 173 177 174 {{{ 175 #!ini 178 {{{#!ini 176 179 [ldap] 177 180 enable = true … … 181 184 A typical setup for all LDAP support (group resolution and permission store) would look like this: 182 185 183 {{{ 184 #!ini 186 {{{#!ini 185 187 [ldap] 186 188 enable = true … … 196 198 197 199 If you get an error message like this: 198 {{{ 199 #!sh 200 {{{#!sh 200 201 File 
"build/bdist.linux-x86_64/egg/ldapplugin/api.py", line 106, in get_permission_groups 201 202 TypeError: __init__() keywords must be strings 202 203 }}} 203 you may have to patch the LdapPlugin source, see: 204 https://trac-hacks.org/ticket/6183 204 205 you may have to patch the LdapPlugin source, see #6183. 205 206 206 207 ===== Note about `group_rdn` and `user_rdn` 207 208 208 Starting from release '''v0.4.0''', `group_basedn` and `user_basedn` options have been superseeded with `group_rdn` and `user_rdn`.[[BR]] 209 Starting from release '''v0.4.0''', `group_basedn` and `user_basedn` options have been superseded with `group_rdn` and `user_rdn`. 210 209 211 The new settings define the relative DNs respectively for the group and the user subtree, based on the common `basedn` trunk. For example: 210 212 * `ou=people,dc=example,dc=org` would require the following settings: 211 {{{ 212 #!ini 213 {{{#!ini 213 214 basedn = dc=example,dc=org 214 215 user_rdn = ou=people 215 216 }}} 216 217 * `ou=groups,dc=example,dc=org` would require the following settings: 217 {{{ 218 #!ini 218 {{{#!ini 219 219 basedn = dc=example,dc=org 220 220 group_rdn = ou=groups … … 225 225 If the server requires an authenticated connection to retrieve group permissions, you want to set `group_bind = true` in the `[ldap]` section and define the credentials as follows: 226 226 227 {{{ 228 #!ini 227 {{{#!ini 229 228 [ldap] 230 229 group_bind = true … … 235 234 If the server requires an authenticated connection to modify group permissions, you want to set `store_bind = true` in the `[ldap]` section and define the credentials as follows: 236 235 237 {{{ 238 #!ini 236 {{{#!ini 239 237 [ldap] 240 238 store_bind = true … … 247 245 ==== Ldap permission store 248 246 249 If you wish to use the LDAP permission store feature, you need to tell Trac to use the LDAP extension rather than the internal default permission store which relies on the SQLdatabase.247 If you wish to use the LDAP permission store 
feature, you need to tell Trac to use the LDAP extension rather than the internal default permission store which relies on the database. 250 248 251 249 Note that if you decide to store Trac permissions as a ''new'' LDAP attribute, you will need LDAP schema management rights. Furthermore, some LDAP servers, eg Active Directory, might not allow the deletion of attribute definitions. … … 253 251 To achieve this setting, add the following line to the main `[trac]` section of your `trac.ini` configuration file: 254 252 255 {{{ 256 #!ini 253 {{{#!ini 257 254 [trac] 258 255 # ... … … 262 259 You also need to enable `LdapPermissionStore` for LdapPlugin by adding: 263 260 264 {{{ 265 #!ini 261 {{{#!ini 266 262 [components] 267 263 ldapplugin.* = enabled … … 279 275 tracperm: TICKET_ADMIN 280 276 }}} 281 and define user permission to LDAP entries such as 277 278 and define user permission to LDAP entries such as: 282 279 {{{ 283 280 dn: uid=courtney,dc=example,dc=org … … 291 288 It is worth noting that the '''dn''' used for groups and for users may be different, which should make things easier to add TracPermissions into your existing LDAP directory. 292 289 293 To differentiate a group name from a user name in `trac-admin`, prefix the group name with the `@` characters. This syntax has been borrowed from Sambaand many other software dealing with group management.290 To differentiate a group name from a user name in `trac-admin`, prefix the group name with the `@` characters. This syntax has been borrowed from [https://www.samba.org/ Samba] and many other software dealing with group management. 
294 291 295 292 One would grant the above permissions using the following `trac-admin` commands: 296 {{{ 297 #!sh 293 {{{#!sh 298 294 permission add @managers WIKI_ADMIN 299 295 permission add @managers TICKET_ADMIN … … 313 309 A LDAP group should start with the '`@`' character, such as: 314 310 315 {{{ 316 #!sh 311 {{{#!sh 317 312 Trac [/var/local/db/trac/public]> permission list 318 313 … … 336 331 You can obviously still use permissions for regular user such as ''eblot'' in the example above. 337 332 338 '''Note''': Please remember that ''anonymous'' and ''authenticated'' are special users but are considered by the permission backend just like any other regular user.[[BR]] 339 This means that you need to add both these special users in your LDAP directory if you wish to assign permission to these joker entries. 340 The directory configuration proposed in the test page may give you some hints about how to setup your LDAP directory. 333 '''Note''': Please remember that ''anonymous'' and ''authenticated'' are special users but are considered by the permission backend just like any other regular user. This means that you need to add both these special users in your LDAP directory if you wish to assign permission to these joker entries. The directory configuration proposed in the test page may give you some hints about how to setup your LDAP directory. 341 334 342 335 ===== Group of names … … 355 348 }}} 356 349 With such an environment, your [ldap] section would contain the following: 357 {{{ 358 #!ini 350 {{{#!ini 359 351 [ldap] 360 352 ... … … 375 367 }}} 376 368 With such an environment, your [ldap] section would contain the following: 377 {{{ 378 #!ini 369 {{{#!ini 379 370 [ldap] 380 371 ... … … 387 378 Beware, if you use this second scheme, you should have these lines in your apache configuration: 388 379 389 {{{ 390 #!apache 380 {{{#!apache 391 381 <Location /trac/project> 392 382 ... 
… … 415 405 416 406 It is still possible to use global permissions by setting in the `[ldap]` section of the environment configuration file: 417 {{{ 418 #!ini 407 {{{#!ini 419 408 global_perms = true 420 409 }}} … … 442 431 443 432 The following permission command: 444 {{{ 445 #!sh 433 {{{#!sh 446 434 permission add eblot @developers 447 435 }}} … … 490 478 The LdapPluginTests page gives some hints about how to test the Ldap extension for Trac. 491 479 492 == Bugs/Feature Requests493 494 Existing bugs and feature requests for !LdapPlugin are [report:9?COMPONENT=LdapPlugin here].495 496 If you have any issues, create a [/newticket?component=LdapPlugin new ticket].497 498 [[TicketQuery(component=LdapPlugin&group=type,format=progress)]]499 500 480 == History 501 481 … … 504 484 * includes a cache to dramatically reduce LDAP requests 505 485 * better handling of LDAP errors[[BR]]This extension works with Trac 0.9-pre1 and requires the setuptools, version 0.5a13 506 * '''v0.2''': This new release fixes up a couple of bugs and works with Trac 0.9-pre2. It requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.6+.[[BR]]It introduces support for LDAP permission store: TracPermissions can now be stored into the LDAP directory, rather than in the SQLbackend.[[BR]]Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent and can be enabled or disabled on demand.486 * '''v0.2''': This new release fixes up a couple of bugs and works with Trac 0.9-pre2. It requires the [http://peak.telecommunity.com/DevCenter/setuptools setuptools], version 0.6+.[[BR]]It introduces support for LDAP permission store: TracPermissions can now be stored into the LDAP directory, rather than in the database backend.[[BR]]Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent and can be enabled or disabled on demand. 
507 487 * '''v0.2.1''': Bug fixing 508 488 * '''v0.2.2''': Introduce support for disting DN for users and groups (implemented suggestion described in #75)
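Review bot: the `== Requirements` heading is demoted to `=== Requirements` in the hunk at lines 15/15 while its sibling sections (`== Download`, `== Source`, `== Configuration`, `== History`) stay at level 2, so Requirements now renders as a level-3 subsection with no level-2 parent, and the widened `[[PageOutline(2-5,Contents,pullout)]]` from the first hunk will show it nested under nothing. Keep `== Requirements` unless the whole section hierarchy is meant to be reorganized in the same change.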
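Review bot: the `group_bind = true` and `store_bind = true` hunks (lines 225-239 on the old side) only change the processor fence to `{{{#!ini`, but the surrounding text tells the reader to "define the credentials as follows" inside the `[ldap]` section of `trac.ini`, and nothing on the page says how to protect them. Since these lines are being touched anyway, add one sentence recommending that `trac.ini` be readable only by the account the web server runs as, and that the bind account be least-privilege: read-only on the group subtree for `group_bind`, and write access limited to the permission attribute for `store_bind`, which the "Ldap permission store" section already notes requires schema management rights.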
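Review bot: the rewritten sentence in the hunk at lines 293/290 (adding the `[https://www.samba.org/ Samba]` link) keeps two wording slips from the old text: "prefix the group name with the `@` characters" should be "the `@` character" (a single prefix character, as the `permission add @managers WIKI_ADMIN` example below shows), and "many other software dealing with group management" should read "many other programs that deal with group management".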
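Review bot: in the v0.2 history entry (hunk at lines 506/486), the edit replaces "SQLbackend" with "database backend" but leaves the agreement error in the same line: "Each feature (LDAP as a provider of group permissions, LDAP as a permission store) are independent" should be "is independent", or "Both features ... are independent".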