Contents

● group_rdn and user_rdn
● Authenticated LDAP connections
● Ldap permission store
  ● Permissions
  ● Group of names
  ● Global vs. Environment permissions
● Group management
  ● Activation
  ● Example
  ● Important notes
● Known limitations
● ToDo list
● Testing
● History
● Recent Changes
● Author/Contributors
Tickets:

| Ticket type | Count |
|---|---|
| defect | 12 / 38 |
| enhancement | 4 / 19 |
| task | 4 / 4 |
Apache performs the LDAP authentication itself; LdapPlugin only resolves groups and permissions for the user Apache has authenticated. With Apache 2.0 and mod_auth_ldap:

```apache
<Location /trac/project>
    PythonOption TracEnv "/local/var/trac/project"
    PythonOption TracUriRoot "/trac/project"
    AuthType Basic
    AuthName "Project"
    Order Allow,Deny
    Allow from All
    AuthLDAPURL "ldap://localhost:389/dc=example,dc=org?uid"
    Require group cn=tracusers,dc=example,dc=org
</Location>
```

With Apache 2.2 and mod_authnz_ldap:

```apache
<Location /trac/project>
    PythonOption TracEnv "/local/var/trac/project"
    PythonOption TracUriRoot "/trac/project"
    AuthType Basic
    AuthName "Project"
    AuthBasicProvider ldap
    Order Allow,Deny
    Allow from All
    AuthLDAPURL "ldap://localhost:389/dc=example,dc=org?uid"
    AuthzLDAPAuthoritative on
    Require ldap-group cn=tracusers,dc=example,dc=org
</Location>
```

Note that if you just use "Require valid-user" (to allow everybody with a valid LDAP login to access Trac) you must set "AuthzLDAPAuthoritative off" according to the Apache documentation.

Both examples use Basic authentication together with an unencrypted ldap:// URL, so user passwords cross the network in clear twice (browser to Apache, Apache to the directory). Outside a test setup, serve Trac over HTTPS and point AuthLDAPURL at ldaps:// (or use the STARTTLS mode of AuthLDAPURL).
Then edit the trac.ini file of your project:

1. Optionally add the path to your plugin directory.
2. Enable ldapplugin in the [components] section, so that the Trac engine loads and uses this extension.
3. Create a new section [ldap].
4. Configure the LDAP directives to fit your LDAP server configuration.

To enable LdapPlugin you must add this line to the [components] section of trac.ini:

```ini
[components]
ldapplugin.* = enabled
```

The [ldap] section may contain the following options (presented here with their default values):
```ini
[ldap]
# enable LDAP support for Trac
enable = false
# enable TLS support
use_tls = false
# LDAP directory host
host = localhost
# LDAP directory port (default port for LDAPS/TLS connections is 636)
port = 389
# BaseDN
basedn = dc=example,dc=com
# Relative DN for users (defaults to none)
user_rdn =
# Relative DN for group of names (defaults to none)
group_rdn =
# objectclass for groups
groupname = groupofnames
# dn entry in a groupname
groupmember = member
# attribute name for a group
groupattr = cn
# attribute name for a user
user_name_attr = uid
# objectclass for user ; customize to your needs
user_class = sambaSamAccount
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = false
# whether to perform an authenticated bind for permission store operations
store_bind = false
# user for authenticated connection to the LDAP directory
bind_user =
# password for authenticated connection
bind_passwd =
# global permissions (vs. per-environment permissions)
global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
manage_groups = true
# whether a group member contains the full dn or a simple uid
groupmemberisdn = true
```

You probably want to define at least enable = true and basedn. The meaning of the options is straightforward for LDAP administrators.

Three of them deserve a second look before going to production. With use_tls = false the plugin talks to the directory in clear, so set use_tls = true (and port = 636 for LDAPS) unless the directory is on the same host. bind_passwd is stored in clear text in trac.ini, so the file must only be readable by the account running Trac. Finally, group membership and permissions are served from the local cache for up to cache_ttl seconds: a membership or permission you revoke in the directory can stay effective until its cached entry expires, so lower cache_ttl if prompt revocation matters more than directory load.
A typical setup for group resolution would look like this:

```ini
[ldap]
enable = true
basedn = dc=example,dc=org
```

A typical setup for all LDAP support (group resolution and permission store) would look like this:

```ini
[ldap]
enable = true
basedn = dc=example,dc=org
user_rdn = ou=people
group_rdn = ou=groups
store_bind = true
bind_user = cn=tracadmin,dc=example,dc=org
bind_passwd = mypasswd
```

Note: If you get an error message like this:

```
File "build/bdist.linux-x86_64/egg/ldapplugin/api.py", line 106, in get_permission_groups
TypeError: __init__() keywords must be strings
```

you may have to patch the LdapPlugin source, see #6183.
group_rdn and user_rdn

The group_basedn and user_basedn options have been superseded by group_rdn and user_rdn.

The new settings define the relative DNs of the group and user subtrees respectively, based on the common basedn trunk. For example:

● ou=people,dc=example,dc=org would require the following settings:

```ini
basedn = dc=example,dc=org
user_rdn = ou=people
```

● ou=groups,dc=example,dc=org would require the following settings:

```ini
basedn = dc=example,dc=org
group_rdn = ou=groups
```
Authenticated LDAP connections

If the server requires an authenticated connection to resolve groups, set group_bind = true in the [ldap] section and define the credentials as follows:

```ini
[ldap]
group_bind = true
bind_user = joeuser
bind_passwd = joepassword
```

If the server requires an authenticated connection to modify group permissions, set store_bind = true in the [ldap] section and define the credentials as follows:

```ini
[ldap]
store_bind = true
bind_user = joeuser
bind_passwd = joepassword
```

Note: Most LDAP servers require an authenticated bind to perform any kind of modification. In any case, it would be a bad idea to allow modifications from anybody. Use a dedicated service account for bind_user whose write access is limited to what the plugin needs (the permattr attribute and, with manage_groups, the membership attribute of the group entries), and remember that whoever can read bind_passwd from trac.ini can grant any Trac permission through the directory.
Ldap permission store

To use the LDAP directory as the Trac permission store, set permission_store in the [trac] section of your trac.ini configuration file:

```ini
[trac]
# ...
permission_store = LdapPermissionStore
```

You also need to enable LdapPermissionStore for LdapPlugin by adding:

```ini
[components]
ldapplugin.* = enabled
```

Permissions

The extension differentiates group permissions from user permissions. This permits the use of distinct objectclasses in the LDAP directory to store permissions. For example, thanks to the groupattr and uidattr attributes, you can define group permissions on LDAP entries such as:

```ldif
dn: cn=managers,dc=example,dc=org
objectclass: groupofnames
objectclass: trac
member: uid=chandler,dc=example,dc=org
member: uid=joey,dc=example,dc=org
tracperm: WIKI_ADMIN
tracperm: TICKET_ADMIN
```

and define user permissions on LDAP entries such as:

```ldif
dn: uid=courtney,dc=example,dc=org
objectclass: user
objectclass: trac
tracperm: TICKET_VIEW
tracperm: REPORT_CREATE
tracperm: REPORT_VIEW
```

It is worth noting that the DNs used for groups and for users may be different, which should make it easier to add TracPermissions to your existing LDAP directory. To differentiate a group name from a user name in trac-admin, prefix the group name with the @ character. This syntax has been borrowed from Samba and many other software packages dealing with group management.

One would grant the above permissions using the following trac-admin commands:

```
permission add @managers WIKI_ADMIN
permission add @managers TICKET_ADMIN
permission add courtney TICKET_VIEW
permission add courtney REPORT_CREATE
permission add courtney REPORT_VIEW
```

Please note that the LDAP permission store never attempts to create a new entry in the LDAP directory. To grant (or revoke) permissions to/from the LDAP directory, the targeted LDAP entry must already exist in the directory, and the attribute defined by the permattr option must be writable for the user the plugin binds as (bind_user, with store_bind enabled). Keep that account's write access limited to permattr on the relevant subtrees: an account that can write permattr anywhere can grant TRAC_ADMIN to anyone.

Please have a look at the LdapPluginTests page to get an overview of the LDAP ACLs (access control lists) that govern LDAP operations on a directory.
Use WebAdmin or trac-admin as usual to define TracPermissions. However, you can now use the existing groups defined in your LDAP directory to assign permissions.

An LDAP group name should start with the @ character, such as:

```
Trac [/var/local/db/trac/public]> permission list
User             Action
-------------------------------
@administrators  TRAC_ADMIN
@betatesters     WIKI_CREATE
@betatesters     WIKI_MODIFY
eblot            TRAC_ADMIN
anonymous        BROWSER_VIEW
anonymous        CHANGESET_VIEW
anonymous        FILE_VIEW
anonymous        LOG_VIEW
anonymous        SEARCH_VIEW
anonymous        TIMELINE_VIEW
anonymous        WIKI_VIEW
```

Here, people who are declared in the 'administrators' LDAP group have the TRAC_ADMIN permission, and people who are declared in the 'betatesters' LDAP group have the WIKI_CREATE and WIKI_MODIFY permissions.

You can obviously still grant permissions to a regular user such as eblot in the example above.

Note: Please remember that anonymous and authenticated are special users but are treated by the permission backend just like any other regular user. This means that you need to add both these special users to your LDAP directory if you wish to assign permissions to these joker entries. The directory configuration proposed in the test page may give you some hints about how to set up your LDAP directory.
Group of names

A group entry can take either of two forms:

1. The group contains a list of member DNs:

```ldif
dn: cn=fakedoctors,ou=groups,dc=example,dc=org
cn: fakedoctors
objectClass: groupOfNames
objectClass: top
member: uid=meredith,ou=groups,dc=example,dc=org
member: uid=georges,ou=groups,dc=example,dc=org
member: uid=izzie,ou=groups,dc=example,dc=org
```

With such an environment, your [ldap] section would contain the following:

```ini
[ldap]
...
group_rdn = ou=groups
groupmemberisdn = true
groupname = groupofnames
groupmember = member
```

2. The group contains a list of simple uids:

```ldif
dn: cn=fakedoctors,ou=groups,dc=example,dc=org
cn: fakedoctors
objectClass: posixGroup
objectClass: top
memberUid: meredith
memberUid: georges
memberUid: izzie
```

With such an environment, your [ldap] section would contain the following:

```ini
[ldap]
...
group_rdn = ou=groups
groupmemberisdn = false
groupname = posixgroup
groupmember = memberUid
```

Beware, if you use this second scheme, you should have these lines in your Apache configuration:

```apache
<Location /trac/project>
    ...
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    ...
</Location>
```

With AuthLDAPGroupAttributeIsDN off, Apache compares the bare login name against the memberUid values, so those values must be plain uids (meredith), not uid=meredith.
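The following is an added example, not LdapPlugin code: it resolves a user's groups under both schemes above (groupOfNames with member DNs, posixGroup with bare memberUid values) against a small constructed in-memory directory, so it runs without an LDAP server. The option names mirror the [ldap] section, but the plugin's own search logic is not shown on this page, so the subtree scoping under group_rdn, the objectclass check and the member comparison are this example's reading of those options. The directory entries (fakedoctors, surgeons, an out-of-tree stale group) are constructed for the example.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory (not the LdapPluginTests data): DN -> attributes.
# Attribute names are stored lower-cased because LDAP treats them case-insensitively.
DIRECTORY: Dict[str, Entry] = {
    "cn=fakedoctors,ou=groups,dc=example,dc=org": {
        "objectclass": ["groupOfNames", "top"],
        "cn": ["fakedoctors"],
        "member": ["uid=meredith,ou=people,dc=example,dc=org",
                   "uid=georges,ou=people,dc=example,dc=org"],
    },
    "cn=surgeons,ou=groups,dc=example,dc=org": {
        "objectclass": ["posixGroup", "top"],
        "cn": ["surgeons"],
        "memberuid": ["meredith", "izzie"],      # bare login names, not DNs
    },
    # Same group name outside the ou=groups subtree: group_rdn must keep it out,
    # otherwise any writable corner of the tree could be used to claim membership.
    "cn=fakedoctors,ou=stale,dc=example,dc=org": {
        "objectclass": ["groupOfNames", "top"],
        "cn": ["fakedoctors"],
        "member": ["uid=izzie,ou=people,dc=example,dc=org"],
    },
}

# Option sets mirroring the two [ldap] fragments above.
GROUP_OF_NAMES = dict(basedn="dc=example,dc=org", user_rdn="ou=people",
                      group_rdn="ou=groups", groupname="groupofnames",
                      groupmember="member", groupattr="cn",
                      user_name_attr="uid", groupmemberisdn=True)
POSIX = dict(GROUP_OF_NAMES, groupname="posixgroup",
             groupmember="memberUid", groupmemberisdn=False)


def _norm_dn(dn: str) -> str:
    """Canonical DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _join(*rdns: str) -> str:
    """Join RDN fragments, skipping empty ones (user_rdn/group_rdn may be unset)."""
    return ",".join(r for r in rdns if r)


def resolve_groups(cfg: dict, uid: str, directory: Dict[str, Entry] = DIRECTORY) -> Set[str]:
    """Names of the groups `uid` belongs to, according to the scheme in `cfg`."""
    user_dn = _norm_dn(_join(f"{cfg['user_name_attr']}={uid}", cfg["user_rdn"], cfg["basedn"]))
    group_base = _norm_dn(_join(cfg["group_rdn"], cfg["basedn"]))
    member_attr = cfg["groupmember"].lower()
    groups: Set[str] = set()
    for dn, attrs in directory.items():
        ndn = _norm_dn(dn)
        if ndn != group_base and not ndn.endswith("," + group_base):
            continue  # outside the group subtree
        if cfg["groupname"].lower() not in (oc.lower() for oc in attrs.get("objectclass", [])):
            continue  # wrong objectclass for this scheme
        members = attrs.get(member_attr, [])
        if cfg["groupmemberisdn"]:
            hit = any(_norm_dn(m) == user_dn for m in members)   # compare full DNs
        else:
            hit = uid in members                                 # compare bare uids
        if hit:
            groups.update(attrs.get(cfg["groupattr"].lower(), []))
    return groups


def trac_groups(cfg: dict, uid: str) -> Set[str]:
    """The same membership in the @-prefixed form trac-admin uses for LDAP groups."""
    return {"@" + name for name in resolve_groups(cfg, uid)}


if __name__ == "__main__":
    print(trac_groups(GROUP_OF_NAMES, "meredith"))   # {'@fakedoctors'}
    print(trac_groups(POSIX, "izzie"))                # {'@surgeons'}
```

The stale entry shows why group_rdn is worth setting even on a small directory: without the subtree check, a groupOfNames named fakedoctors anywhere the bind user can read would grant the same Trac permissions as the real one.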
Global vs. Environment permissions

Permissions are no longer global (unless global_perms is set in the environment configuration file), but defined on a per-environment basis.

With environment-wide permissions, it is now possible to define distinct permissions for each Trac environment (as long as their names differ) even if they access the same LDAP directory.

The Trac LDAP permission attribute values are prefixed with the environment name. Using the previous example, assuming the environment is named "test", the permission attributes would become:

```ldif
dn: uid=courtney,dc=example,dc=org
objectclass: user
objectclass: trac
tracperm: test:TICKET_VIEW
tracperm: test:REPORT_CREATE
tracperm: test:REPORT_VIEW
```

It is still possible to use global permissions by setting, in the [ldap] section of the environment configuration file:

```ini
global_perms = true
```

When a directory contains global permission directives (values without an environment prefix), those permissions apply to every Trac environment accessing the LDAP directory, whatever the global_perms value of that environment. However, permissions are always created using the current environment's setting. In other words, a global TRAC_ADMIN granted from one environment with global_perms = true is honoured by every other environment on the same directory, even those that never enabled global_perms.

From the administrative point of view (trac-admin, WebAdmin, ...), there are no changes: permissions are defined and retrieved as usual.

Note: The environment name is derived from the root directory of the Trac environment. This means that if you use different environments with the same directory name, such as /var/local/trac/test and /var/db/test, they are both named "test" and share the same permissions. This is a known limitation of the current implementation.
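As an added example (not LdapPlugin code) of the rules in this section and of the @ naming convention from the Permissions section, the functions below combine environment-scoped and global tracperm values, derive the environment name from its path, and build the LDAP search filter for a trac-admin subject. The filter strings, the RFC 4515 escaping and the sample tracperm values for courtney are this example's own illustration of the groupattr, user_class and user_name_attr options; the plugin's actual filters are not on this page.

```python
import os
from typing import Iterable, Set, Tuple


def env_name(env_path: str) -> str:
    """Environment name used as the permission prefix: the last path component."""
    return os.path.basename(env_path.rstrip("/"))


def encode_permission(action: str, env: str, global_perms: bool) -> str:
    """Value written to the permattr attribute when a permission is granted."""
    return action if global_perms else f"{env}:{action}"


def effective_permissions(values: Iterable[str], env: str) -> Set[str]:
    """Actions that apply to `env`, from the raw permattr values of one entry.

    An unprefixed value is global and applies to every environment, whatever
    that environment's global_perms setting; a prefixed one applies only to the
    environment it names.
    """
    granted: Set[str] = set()
    for value in values:
        prefix, sep, action = value.partition(":")
        if not sep:
            granted.add(value)          # global directive
        elif prefix == env:
            granted.add(action)         # scoped to this environment
    return granted


def _escape(value: str) -> str:
    """RFC 4515 escaping, so a subject name cannot alter the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def subject_filter(subject: str, *, groupname: str = "groupofnames", groupattr: str = "cn",
                   user_class: str = "sambaSamAccount", user_name_attr: str = "uid") -> Tuple[str, str]:
    """(kind, LDAP search filter) for a trac-admin subject; '@name' denotes an LDAP group."""
    if subject.startswith("@"):
        return "group", f"(&(objectclass={groupname})({groupattr}={_escape(subject[1:])}))"
    return "user", f"(&(objectclass={user_class})({user_name_attr}={_escape(subject)}))"


# Constructed entry: courtney's tracperm values as a shared directory might hold them.
COURTNEY_TRACPERM = ["test:TICKET_VIEW", "test:REPORT_CREATE", "prod:TRAC_ADMIN", "WIKI_VIEW"]

if __name__ == "__main__":
    print(effective_permissions(COURTNEY_TRACPERM, "test"))   # {'TICKET_VIEW', 'REPORT_CREATE', 'WIKI_VIEW'}
    print(env_name("/var/local/trac/test") == env_name("/var/db/test"))   # True: same name, shared permissions
```

Two details are worth keeping in mind when reading a directory by hand: the unprefixed WIKI_VIEW shows up in every environment regardless of global_perms, and an environment name containing a colon would be split at the first colon and never match its own prefix.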
Group management

Activation

Group management is controlled by the manage_groups option (enabled by default).

Example

With the LDAP permission store, the command:

```
permission add eblot @developers
```

would lead to a modification in the LDAP directory.

1. The permission-based setting (manage_groups = false) would add a tracperm attribute to the user entry:

```ldif
# eblot, people, example.org
dn: uid=eblot,ou=people,dc=example,dc=org
objectClass: tracuser
tracperm: @developers
...
```

2. The LDAP group setting (manage_groups = true) would add a new member attribute to the group entry:

```ldif
# developers, groups, example.org
dn: cn=developers,ou=groups,dc=example,dc=org
objectClass: groupOfNames
objectClass: tracgroup
member: uid=eblot,ou=people,dc=example,dc=org
...
```
Important notes

Trac group aliases are not prefixed with the @ character. You can therefore mix aliases and LDAP directory groups:

● permission add eblot devteam: devteam is a group alias, managed as any Trac permission.
● permission add devteam @developers: @developers is managed as an LDAP directory group, if the manage_groups option is enabled.
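The following is an added example, not LdapPlugin code, covering the Example and Important notes above: it turns a `permission add` / `permission remove` of a group into the LDIF change record that ldapmodify would apply, for both the LDAP group setting (manage_groups = true, @-prefixed group) and the permission-based setting (manage_groups = false, or a plain Trac alias such as devteam). The DN layout follows the [ldap] options; the plugin's own modify calls are not shown on this page. It assumes global_perms (no environment prefix on tracperm values) to keep the records short, and rejects values LDIF could not carry on one line.

```python
from typing import Tuple


def _check_plain(value: str) -> str:
    """Reject values that would break a one-line LDIF record (LDIF needs
    base64 for control characters and leading/trailing spaces)."""
    if not value or value != value.strip() or any(ord(c) < 0x20 or ord(c) > 0x7e for c in value):
        raise ValueError(f"unsafe LDIF value: {value!r}")
    return value


def _dn(*rdns: str) -> str:
    """Join RDN fragments, skipping empty ones (user_rdn/group_rdn may be unset)."""
    return ",".join(r for r in rdns if r)


def plan_group_change(user: str, group: str, *, add: bool = True, manage_groups: bool = True,
                      basedn: str = "dc=example,dc=org", user_rdn: str = "ou=people",
                      group_rdn: str = "ou=groups", user_name_attr: str = "uid",
                      groupattr: str = "cn", groupmember: str = "member",
                      groupmemberisdn: bool = True, permattr: str = "tracperm") -> Tuple[str, str]:
    """Return (target DN, LDIF change record) for `permission add/remove user group`.

    With manage_groups and an @-prefixed group, the membership attribute of the
    group entry is edited; otherwise the group name is stored as a permission
    on the user's entry (which also covers plain Trac aliases such as devteam).
    No entry is ever created: the target must already exist and be writable
    for bind_user.
    """
    _check_plain(user)
    _check_plain(group)
    user_dn = _dn(f"{user_name_attr}={user}", user_rdn, basedn)
    if group.startswith("@") and manage_groups:
        target = _dn(f"{groupattr}={group[1:]}", group_rdn, basedn)
        attr = groupmember
        value = user_dn if groupmemberisdn else user    # full DN or bare uid
    else:
        target, attr, value = user_dn, permattr, group
    op = "add" if add else "delete"
    ldif = f"dn: {target}\nchangetype: modify\n{op}: {attr}\n{attr}: {value}\n-\n"
    return target, ldif


if __name__ == "__main__":
    print(plan_group_change("eblot", "@developers")[1])
    print(plan_group_change("eblot", "@developers", manage_groups=False)[1])
```

Seeing the two records side by side also makes the ACL requirement concrete: the first needs write access to member under ou=groups, the second to tracperm under ou=people, and a bind_user limited to exactly those two attributes can still do everything the plugin asks of it.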
Known limitations

● IUserDirectory (not before Trac 0.11 at best). A patch on #6268 implements this. It's a bit of a kludge, but it's been working without issue thus far.
● There's probably a lot of room for improvement and debugging.

ToDo list

● global_perms configuration parameter is set.
History

● v0.4.0: Major rewrite of the LdapPlugin to support Trac trunk 3419, including better support for groups (user DNs may be part of a different subtree than group DNs, such as ou=people vs. ou=groups), improved cache management, as well as many bug fixes and code clean-up.
● v0.4.1: Introduce a new feature: group management is done as additions to and removals from the LDAP groups of names. Instead of storing groups as Trac permissions (as the default permission store does), the plugin is now able to add and remove members of the LDAP group of names.
● v0.4.2: Fix an important issue with the management of the caches. The plugin has also been tested with the WebAdmin plugin.
● v0.4.3: Fix two issues with authentication (an invalid user identifier was sent to the LDAP server).
● v0.4.4: Enable support for POSIX groups (and group members without a distinguished name).
● v0.5.0: Add basic support for LDAPS/TLS connections.
● v0.5.1: Update the Egg configuration file and the author contact details.
● v0.6.0: Support for Trac 0.11, thanks to judok.
● v0.7.0: Support for Trac 0.12.