Hi Bruce
Thanks for the reply Bruce, but if I understand your reply correctly, it solves a different problem to mine. Are you describing a way of getting LDAP authentication working in Apache? Strangely enough, I am having no problem with that side of it: all my users can log in fine to both Subversion and Trac using 'AuthBasicProvider ldap' etc, and I have groups set up for Trac users and Subversion users, and use 'require ldap-group <blah>'. It doesn't seem to matter what OU the users are under for the Apache HTTP authentication to work, as long as they are members of the right group.

The problem I am trying to solve is getting the Trac LdapPlugin to assign Trac permissions to users based on their LDAP group memberships. I have permissions assigned (via trac-admin) to various groups (TracAdmin, TracUser, TracGuest etc); everything works as long as the users are in the OU I specify in user_rdn (in trac.ini). The trouble is I want to admit users in different OUs. When a user logs in to Trac who is in the right group but not in the right OU, Trac loads (ie Apache HTTP authentication works) but with no permissions set (empty menu bar, front page message '403 Forbidden (WIKI_VIEW privileges are required to perform this operation)'), ie LdapPlugin group permissions are broken.

My working theory for why Apache LDAP group authentication works and Trac LdapPlugin doesn't is that Apache LDAP looks for the user in the group's 'member' attributes. LdapPlugin looks at the user's 'memberOf' attributes to look up the groups the user belongs to, ie back to front compared to Apache. Apache only needs to know the CN of the group (which is supplied in 'require ldap-group'), whereas the LdapPlugin needs to know where the groups are AND where the users are, but will only look in <user_rdn>,<base_dn> for users; if a given user is not in this branch then the lookup will fail. A similar problem would exist if the groups themselves were in different OUs.
So it looks like I have 2 options:

1) some guru tells me how to set it up properly using the existing version
2) I patch the plugin to allow more than one user_rdn setting, perhaps using an array

Ideas, anyone?

Thanks again
Jim

________________________________
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Wilson, Bruce E.
Sent: 06 June 2007 19:58
To: [email protected]
Subject: [Trac] Re: LdapPlugin: user_rdn support for users in several OUs?

We're using LDAP as well. It's a bit of a hack, but what I've done is use an Include file that has a set of require user and require group directives. I've built a database table, and the list is generated from that table with a cron job. Doing it this way -- with the include file -- lets me use the same file in both the SubVersion section of the conf files and the Trac section. I'm actually managing three different SubVersion repositories and two related Trac instances.

============================================================
Bruce E. Wilson ([EMAIL PROTECTED])
Environmental Sciences Division
Oak Ridge National Laboratory

________________________________
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Page
Sent: Wednesday, June 06, 2007 3:41 AM
To: [email protected]
Subject: [Trac] LdapPlugin: user_rdn support for users in several OUs?

Morning All

My problem: I am using LdapPlugin to manage my Trac permissions, and it's great. However, our AD structure has users assigned to various different OUs: Technical, Sales, Management and so on. The groups I am using to assign permissions are in the Technical OU (which I set up in group_rdn), and all works fine as long as the users themselves are in the OU I set up in the 'user_rdn=' config entry. But there are several users in other OUs I would like to allow in, including (rather urgently) the Technical Manager (who is in OU=Management). Is this currently supported in any way?
Grasping at straws, I tried 'OU=*' in user_rdn :-) but it didn't work, of course. All help gratefully received.

In the event that this is not currently supported, I am considering the idea of patching LdapPlugin to allow an array of RDNs in user_rdn - anyone care to comment on that idea? Is it a desirable feature for anyone except me? Is there a better way to do this?

All the best
Jim

Jim Page
Chief Technical Architect
Email Systems Ltd
Telephone: +44 (0) 870 141 7070
Facsimile: +44 (0) 870 141 8080
www.emailsystems.com <http://www.emailsystems.com> - robust messaging technology
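As an added example (not code from LdapPlugin, Apache, or anyone on this thread), the toy directory below models the two lookup directions Jim describes: Apache searching the whole base for the user and then checking the group's 'member' attribute, versus LdapPlugin searching only under one user RDN and reading the user's 'memberOf', extended with the proposed list of RDNs. All DNs, OUs, logins and the TracUser group are constructed to mirror the thread.

```python
# Added example, not LdapPlugin or mod_authnz_ldap code: a toy directory
# modelling the two lookup directions Jim describes. All DNs, OUs, logins
# and the TracUser group are constructed to mirror the thread.
BASE_DN = "dc=example,dc=com"

# Constructed entries. Groups carry 'member' (what Apache's
# 'require ldap-group' checks); users carry 'memberOf' (what LdapPlugin reads).
DIRECTORY = {
    "cn=TracUser,ou=Technical,dc=example,dc=com": {
        "member": ["cn=alice,ou=Technical,dc=example,dc=com",
                   "cn=bob,ou=Management,dc=example,dc=com"]},
    "cn=alice,ou=Technical,dc=example,dc=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["cn=TracUser,ou=Technical,dc=example,dc=com"]},
    "cn=bob,ou=Management,dc=example,dc=com": {   # the Technical Manager
        "sAMAccountName": ["bob"],
        "memberOf": ["cn=TracUser,ou=Technical,dc=example,dc=com"]},
}

def search(base, attr, value, scope="sub"):
    """DNs under `base` whose `attr` contains `value`. scope='one' matches
    direct children only (LdapPlugin's <user_rdn>,<base_dn> lookup);
    scope='sub' searches the whole subtree (Apache's user search)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue                        # outside this branch
        if scope == "one" and "," in dn[:-len(base) - 1]:
            continue                        # deeper than one level
        if value in attrs.get(attr, []):
            hits.append(dn)
    return hits

def apache_ldap_group_allows(login, group_dn):
    """Apache direction: locate the user anywhere under BASE_DN, then test
    whether the group's 'member' attribute lists that user's DN."""
    users = search(BASE_DN, "sAMAccountName", login)
    return bool(users) and users[0] in DIRECTORY[group_dn]["member"]

def trac_ldap_groups(login, user_rdns):
    """LdapPlugin direction with Jim's proposed patch: try each configured
    user RDN in turn and return the group CNs from the user's 'memberOf'.
    A one-element list reproduces the current single user_rdn behaviour."""
    for rdn in user_rdns:
        users = search(rdn + "," + BASE_DN, "sAMAccountName", login, "one")
        if users:
            member_of = DIRECTORY[users[0]].get("memberOf", [])
            return [dn.split(",")[0].split("=")[1] for dn in member_of]
    return []   # not under any configured RDN: Trac sees no permissions
```

With user_rdns set to ["ou=Technical"] alone, bob is admitted by Apache but gets no Trac groups, which is the symptom in the thread; adding "ou=Management" to the list makes both lookups agree.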
