[Trac] Managing Trac Permissions in Active directory

Emmanuel Blot manu.blot at gmail.com
Wed May 31 10:05:39 CDT 2006


Hi,

Something important to remember is that with the default setup:
  * Apache (or another web server) manages the authentication
(user/passwd is valid)
  * Trac manages the permission (whether an authenticated user can
perform a kind of action)

You can use SSPI to authenticate users w/ Apache. Nevertheless, please
search for SSPI in Trac ticket database, as there are known issues
with Trac+SSPI+IE browsers which are yet to be solved, AFAICT.

An alternative authentication scheme can be used, see
http://trac-hacks.org/wiki/AuthFormPlugin. In such a case,
authentication is not performed by the web server anymore, but by the
Trac plugin, which may leverage the SSPI issue (to be checked, I think
the SSPI issue is partially due to the HTTP authentication scheme)

LdapPlugin does not perform authentication - although it is usually
combined with mod_auth_ldap, so that the same LDAP directory is used
by Apache to perform authentication -, only group resolution. It also
acts as a permission store, so that the permissions are stored
in the LDAP directory instead of the Trac DB, which is nice to share
permissions among several Trac projects, for example.

I don't know whether it is possible to add permissions through SSPI,
but it would require writing a dedicated plugin.

AFAIK, ActiveDirectory is some kind of LDAP directory, so it might be
possible to tweak the LdapPlugin to use it against an ActiveDirectory.

HTH,
Manu

On 5/31/06, Bhuvan <bpasham at gmail.com> wrote:
>
>
> I'm a novice user of Trac (Just started experimenting with trac
> implementation two weeks back).
>
> I'm using trac 0.9.5.
>
> I was going through the documentation of LDAP plugin
> (http://trac-hacks.org/wiki/LdapPlugin) and was curious
> whether we can achieve the same functionality with SSPI authentication using
> mod_auth_sspi.
>
> I would like to configure different permission levels for different active
> directory groups, like "Application Development" will be able to close
> tickets, valid_users can submit tickets, and so on ... this way I can apply
>
> Is there any way to do this?
>
>
> Thanks in advance ..
>
>
>
> Bhuvan
> _______________________________________________
> Trac mailing list
> Trac at lists.edgewall.com
> http://lists.edgewall.com/mailman/listinfo/trac
>
>
>


-- 
Manu
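
The split described in the reply above (web server authenticates, a directory resolves groups, a permission store decides), as an added example that is not part of the original message and is not Trac or LdapPlugin code. It is a standalone model: the user names, the group memberships and the mapping of "close tickets" to TICKET_MODIFY are assumptions constructed for illustration.

```python
# Standalone model of the split described above; it does not import Trac.
# All directory data and grants below are constructed for illustration.

# Group resolution: what a directory-backed group provider would return.
DIRECTORY_GROUPS = {
    "alice": {"Application Development", "valid_users"},
    "bob": {"valid_users"},
}

# Permission store: actions granted to subjects (users or groups).
# Assumption: "close tickets" is modelled as TICKET_MODIFY.
GRANTS = {
    "anonymous": {"TICKET_VIEW"},
    "valid_users": {"TICKET_CREATE"},
    "Application Development": {"TICKET_MODIFY"},
}


def subjects_for(remote_user):
    """Subjects to check for a request.

    remote_user is the name the web server authenticated (None if it did
    not); this code never sees a password.
    """
    subjects = {"anonymous"}
    if remote_user:
        subjects |= {remote_user, "authenticated"}
        # A user the directory does not know gets no extra groups.
        subjects |= DIRECTORY_GROUPS.get(remote_user, set())
    return subjects


def permissions_for(remote_user):
    """Union of the actions granted to the user and to each resolved group."""
    perms = set()
    for subject in subjects_for(remote_user):
        perms |= GRANTS.get(subject, set())
    return perms


def can(remote_user, action):
    """Authorization decision: deny unless some subject holds the action."""
    return action in permissions_for(remote_user)


if __name__ == "__main__":
    for user in (None, "bob", "alice", "mallory"):
        print(user, sorted(permissions_for(user)))
```

A user who passes web-server authentication but has no directory groups ("mallory" here) ends up with only the anonymous grants, which is the deny-by-default behaviour to check for when moving group resolution to a directory.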

