Edgewall Software

Changes between Version 32 and Version 33 of TracModWSGI


Timestamp:
Feb 27, 2011, 5:55:33 PM (13 years ago)
Author:
Christian Boos
Comment:

refreshing the #UsingLDAPAuthentication, adding some details found in trunk/doc/install/apacheauth.rst

  • TracModWSGI

    v32 v33  
    189189  AuthLDAPURL "ldap://127.0.0.1/dc=example,dc=co,dc=ke?uid?sub?(objectClass=inetOrgPerson)"
    190190  authzldapauthoritative Off
    191   require valid-user
     191  Require valid-user
    192192</Location>
    193193}}}
    194194
    195 Or the LDAP interface to a Microsoft Active Directory:
    196 
     195
     1963. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory:
     197
     198
     199Use the following as your LDAP URL:
     200{{{
     201    AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
     202}}}
     203
     204You will also need to provide an account for Apache to use when checking
     205credentials. As this password will be listed in plaintext in the
     206config, you should be sure to use an account specifically for this task:
     207{{{
     208    AuthLDAPBindDN ldap-auth-user@example.com
     209    AuthLDAPBindPassword "password"
     210}}}
     211
     212The whole section looks like:
    197213{{{
    198214<Location /trac/>
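Review bot: the added Active Directory block (lines 199-210) binds with `AuthLDAPBindDN` and `AuthLDAPBindPassword` over a plain `ldap://` URL, so the service account's password crosses the network in clear on every authentication check in addition to sitting in plaintext in the config file; suggest pointing the example at the TLS global catalog port (`ldaps://directory.example.com:3269/...`) or adding mod_ldap's `LDAPTrustedMode` directive, and adding one sentence about restricting read permission on the config file to the account Apache runs as. Minor: the literal `"password"` in `AuthLDAPBindPassword "password"` should be marked as a placeholder so it is not copied verbatim.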
     
    215231Note 1: This is the case where the LDAP search will get around the multiple OUs, conecting to Global Catalog Server portion of AD (Notice the port is 3268, not the normal LDAP 389). The GCS is basically a "flattened" tree which allows searching for a user without knowing to which OU they belong.
    216232
    217 Note 2: Active Directory requires an authenticating user/password to access records (AuthLDAPBindDN and AuthLDAPBindPassword).
    218 
    219 Note 3: The directive "require ldap-group ..."  specifies an AD group whose members are allowed access.
    220 
    221 
     233Note 2: You can also require the user be a member of a certain LDAP group, instead of
     234just having a valid login:
     235{{{
     236    Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com
     237}}}
     238
     239See also:
     240  - [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html mod_authnz_ldap], documentation for mod_authnz_ldap
     241   
     242 - [http://httpd.apache.org/docs/2.2/mod/mod_ldap.html mod_ldap], documentation for mod_ldap, which provides connection pooling and a shared cache.
     243 - [http://trac-hacks.org/wiki/LdapPlugin TracHacks:LdapPlugin] for storing TracPermissions in LDAP.
    222244
    223245=== Example: Apache/mod_wsgi with Basic Authentication, Trac being at the root of a virtual host
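Review bot: the new Note 2 (lines 233-237) says the group requirement applies "instead of" a valid login, but Apache 2.2 treats multiple `Require` lines as alternatives (any one that is satisfied grants access), so adding `Require ldap-group ...` beside an existing `Require valid-user` such as the one at line 191 would not narrow access at all; state explicitly that the ldap-group line replaces the valid-user line. Minor: "conecting" in Note 1 (line 231) should be "connecting", and the "See also" bullets at lines 240-243 use different indentation (two spaces for the first, one for the others), which the wiki renders as different list levels.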