[patch] Assign to mod: get valid users from specified Active Directory group(s)
Reported by: Morris
Owned by: Jonas Borgström
Severity: minor
Keywords: workflow ldap assignto
(I mentioned this on an existing ticket relating to Assign To functionality)
Summary: you're serving on Windows and want to get your list of assignable-to users from Active Directory groups that you specify.
- Windows-based Trac installation;
- Trac ≥0.11dev-r5883 (might work with lower revs, but this is what I built from);
- LDAP/Active Directory server available that has the groups w/users defined;
- pywin32 and active_directory modules installed
Several new [ticket] keys are used by this code:
{{{
[ticket]
## this is a variant of the trac default restrict_owner
## flag -- instead of restricting ticket assignments
## to people who have logged in, it restricts assignments
## to members of the LDAP groups specified in ldap_valid_owner_groups (below)
ldap_restrict_owner_by_groups = true

## this is the LDAP user object attribute to use in the
## drop-down list -- e.g., sAMAccountName, uid, etc.
ldap_show_user_attribute = sAMAccountName

## ldap_valid_owner_groups should be a comma-delimited
## list of group CNs from your LDAP/AD
ldap_valid_owner_groups = IT Apps Dev,IT Apps Support
}}}
Given the above configuration, the AssignTo dropdown on a ticket would now list the sAMAccountName of each user in each of those groups (where the users are UNIONed using sets, so there shouldn't be any dupes).
- the patch I've submitted adds imports for both active_directory and pythoncom (a pywin32 component) to /trac/ticket/default_workflow.py, with no error handling and no platform checking — this definitely needs to be added, but I wasn't sure if there were any conventions or what. Put another way, if you apply this patch and you don't have both active_directory and pywin32 installed, trac (in all likelihood) will not work at all
- I have not done extensive testing with this, so please give it a spin and either post any problems you have or upload a tweaked patch
NOTE: If your AD server requires authentication for read-only access (e.g., searching), then you will need to tweak your Windows Apache service to run as an authenticated user, not under the SYSTEM account (which is the default).
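The owner-list logic the ticket describes (split the comma-delimited group CNs, walk each group, collect one attribute per user, union with a set), written as an added example that is not the submitted patch and not Trac or active_directory code. It generalizes the description in two ways the ticket does not cover: the `active_directory` import is optional so the module can load on a host without pywin32 (the failure mode the reporter flags), and nested groups are followed with a cycle guard. The names `parse_groups`, `collect_owners`, `StubUser`, `StubGroup` and the sample directory are assumptions constructed for this example; the lookup is injected as a callable so the code runs offline, and wiring the real module in means supplying a `find_group(cn)` that returns objects of the same shape (`active_directory.find_group` is the likely starting point, but check your module version).

```python
"""Added example: AD-group-restricted owner list, runnable offline."""

# The real module exists only on Windows with pywin32 installed. Importing it
# unconditionally (as the patch does) breaks Trac everywhere else, so guard it.
try:
    import active_directory  # noqa: F401  (assumed name; unused offline)
except ImportError:
    active_directory = None


def parse_groups(value):
    """Split the ldap_valid_owner_groups value into CNs, trimming whitespace
    and dropping empty entries (e.g. a trailing comma)."""
    return [cn.strip() for cn in value.split(",") if cn.strip()]


def collect_owners(config, find_group):
    """Return a sorted list of unique attribute values for every user that is
    a (possibly nested) member of any configured group.

    config:     dict with the [ticket] keys from the ticket description
    find_group: callable cn -> group object or None; group objects expose
                .cn, .objectClass and .members(); user objects expose
                .objectClass and the attribute named by
                ldap_show_user_attribute. (Shape is an assumption of this
                example, not the active_directory API.)
    """
    attr = config.get("ldap_show_user_attribute", "sAMAccountName")
    owners = set()        # set gives the de-duplication the ticket describes
    seen_groups = set()   # guards against A-contains-B-contains-A cycles

    def walk(cn):
        if cn in seen_groups:
            return
        seen_groups.add(cn)
        group = find_group(cn)
        if group is None:
            return        # unknown CN: contribute nothing rather than fail
        for member in group.members():
            if "group" in member.objectClass:
                walk(member.cn)
            else:
                value = getattr(member, attr, None)
                if value:
                    owners.add(value)

    for cn in parse_groups(config.get("ldap_valid_owner_groups", "")):
        walk(cn)
    return sorted(owners)


# --- constructed stand-in for a directory (not real AD data) ---------------

class StubUser:
    objectClass = ("top", "person", "user")

    def __init__(self, sAMAccountName, uid):
        self.sAMAccountName = sAMAccountName
        self.uid = uid


class StubGroup:
    objectClass = ("top", "group")

    def __init__(self, cn, members):
        self.cn = cn
        self._members = list(members)

    def members(self):
        return list(self._members)


alice = StubUser("alice", "a.smith")
bob = StubUser("bob", "b.jones")
carol = StubUser("carol", "c.lee")
dave = StubUser("dave", "d.kim")

# bob is in two groups (dupe check); Support nests Ops, and Ops nests Support
# again (cycle check).
DIRECTORY = {}
DIRECTORY["IT Apps Dev"] = StubGroup("IT Apps Dev", [alice, bob])
DIRECTORY["IT Apps Ops"] = StubGroup("IT Apps Ops", [dave])
DIRECTORY["IT Apps Support"] = StubGroup(
    "IT Apps Support", [bob, carol, DIRECTORY["IT Apps Ops"]])
DIRECTORY["IT Apps Ops"]._members.append(DIRECTORY["IT Apps Support"])

# Same values as the trac.ini fragment in the ticket.
EXAMPLE_CONFIG = {
    "ldap_restrict_owner_by_groups": "true",
    "ldap_show_user_attribute": "sAMAccountName",
    "ldap_valid_owner_groups": "IT Apps Dev,IT Apps Support",
}

if __name__ == "__main__":
    print(collect_owners(EXAMPLE_CONFIG, DIRECTORY.get))
```

Because the lookup is injected, the same `collect_owners` can be unit-tested without a domain controller and then pointed at the real directory in production; the `ImportError` guard is the minimum platform handling the reporter says the patch still needs.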