Edgewall Software

Opened 17 years ago

Closed 17 years ago

#5858 closed enhancement (wontfix)

[patch] Assign to mod: get valid users from specified Active Directory group(s)

Reported by: Morris
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: ticket system
Version: devel
Severity: minor
Keywords: workflow ldap assignto
Cc: gt4329b@…
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

(I mentioned this on an existing ticket relating to Assign To functionality)

Summary: you're serving on Windows and want to get your list of assignable-to users from Active Directory groups that you specify.

Requires:

  • Windows-based Trac installation;
  • Trac ≥0.11dev-r5883 (might work with lower revs, but this is what I built from);
  • LDAP/Active Directory server available that has the groups w/users defined;
  • pywin32 and active_directory modules installed

Several new [ticket] keys are used by this code:

[ticket]
## this is a variant of the trac default restrict_owner 
##  flag -- instead of restricting ticket assignments 
##  to people who have logged in, it restricts assignments 
##  to members of the LDAP groups specified in ldap_valid_owner_groups (below)
ldap_restrict_owner_by_groups = true

## this is the LDAP user object attribute to use in the 
##  drop-down list -- e.g., sAMAccountName, uid, etc.
ldap_show_user_attribute = sAMAccountName

## ldap_valid_owner_groups should be a comma-delimited 
##  list of group CNs from your LDAP/AD 
ldap_valid_owner_groups = IT Apps Dev,IT Apps Support

Given the above configuration, the AssignTo dropdown on a ticket would now list the sAMAccountName of each user in each of those groups (where the users are UNIONed using sets, so there shouldn't be any dupes).

CAVEATS

  • the patch I've submitted adds imports for both active_directory and pythoncom (a pywin32 component) to /trac/ticket/default_workflow.py, with no error handling and no platform checking — this definitely needs to be added, but I wasn't sure if there were any conventions or what. Put another way, if you apply this patch and you don't have both active_directory and pywin32 installed, Trac (in all likelihood) will not work at all.
  • I have not done extensive testing with this, so please give it a spin and either post any problems you have or upload a tweaked patch.

NOTE: If your AD server requires authentication for read-only access (e.g., searching), then you will need to tweak your Windows Apache service to run as an authenticated user, not under the SYSTEM account (which is the default).

Attachments (1)

assignto_via_ldap.diff (3.1 KB ) - added by Morris 17 years ago.
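
The configuration keys and the import caveat from the description, as an added example (this is not the code in assignto_via_ldap.diff). It guards the Windows-only imports so their absence only disables the feature, then builds the owner list as a set union over the configured groups. `assignable_owners`, `sample_lookup`, `AD_AVAILABLE` and the sample data are hypothetical names and constructed values; a real resolver would query LDAP/AD.

```python
import configparser
import sys

# Guarded imports: a missing module disables the feature instead of breaking Trac.
try:
    if sys.platform != "win32":
        raise ImportError("pywin32 is Windows-only")
    import pythoncom          # pywin32 component named in the ticket
    import active_directory   # module named in the ticket
    AD_AVAILABLE = True
except ImportError:
    AD_AVAILABLE = False

# Constructed sample trac.ini fragment using the keys from the ticket.
SAMPLE_INI = """
[ticket]
ldap_restrict_owner_by_groups = true
ldap_show_user_attribute = sAMAccountName
ldap_valid_owner_groups = IT Apps Dev, IT Apps Support
"""

# Constructed directory data standing in for AD (group CN -> user records).
SAMPLE_DIRECTORY = {
    "IT Apps Dev": [{"sAMAccountName": "alice"}, {"sAMAccountName": "bob"}],
    "IT Apps Support": [{"sAMAccountName": "bob"}, {"sAMAccountName": "carol"}],
}

def sample_lookup(group_cn):
    """Hypothetical resolver; raises KeyError for an unknown group."""
    return SAMPLE_DIRECTORY[group_cn]

def assignable_owners(ini_text, lookup):
    """Return the sorted owner list, or None when the restriction is off."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    ticket = cfg["ticket"]
    if not ticket.getboolean("ldap_restrict_owner_by_groups", fallback=False):
        return None
    attr = ticket.get("ldap_show_user_attribute", fallback="sAMAccountName")
    raw = ticket.get("ldap_valid_owner_groups", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    owners = set()
    for cn in groups:
        try:
            members = lookup(cn)
        except KeyError:
            continue  # an unknown group contributes no owners (fails closed)
        owners |= {m[attr] for m in members if m.get(attr)}
    return sorted(owners)
```

An unknown or misspelled group name adds nobody to the list rather than widening it, so a configuration typo cannot make extra accounts assignable.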


Change History (12)

by Morris, 17 years ago

Attachment: assignto_via_ldap.diff added

comment:1 by Emmanuel Blot, 17 years ago

Note: at least the LDAP part should be implemented as a plugin, not in Trac core.

in reply to:  1 comment:2 by anonymous, 17 years ago

Replying to eblot:

Note: at least the LDAP part should be implemented as a plugin, not in Trac core.

Gotcha. After further reflection however, I'm thinking this functionality would be a more appropriate submission to trac-hacks. I'll stew on whether or not to rewrite this as a plugin or just stick it on trac-hacks (and see if anyone else on t.e.o has any other input in the meantime…)

comment:3 by Emmanuel Blot, 17 years ago

I think this feature is tied to IUserDirectory interface. Really need to implement this long lasting ticket…

in reply to:  3 comment:4 by Morris, 17 years ago

Replying to eblot:

I think this feature is tied to IUserDirectory interface. Really need to implement this long lasting ticket…

Absolutely. I read over all the IUserDirectory interface info I could find before spending much time on this work, hoping that there was something more to start with. Along those lines, I'm more than willing to help out in either a development and/or testing capacity with the IUserDirectory effort.

comment:5 by ThurnerRupert, 17 years ago

Does this also work on Unix, connecting to the Windows AD?

in reply to:  5 ; comment:6 by Morris, 17 years ago

Replying to ThurnerRupert:

Does this also work on Unix, connecting to the Windows AD?

Well, there's no reason that just connecting to a Windows AD shouldn't be able to be done from *nix …but this particular patch isn't *nix compatible, as it requires a Windows-only module, pywin32.

I'd love to be able to not have to depend on the active_directory module (and, transitively, the pywin32 module), but I'm an LDAP noob. Perhaps someone else can take this patch as a starting place and replace the Win32-dependent pieces with OS-independent code …or maybe when I'm less of an LDAP ignoramus I'll come back and do it.

in reply to:  6 comment:7 by Emmanuel Blot, 17 years ago

Replying to Morris:

I'd love to be able to not have to depend on the active_directory module (and, transitively, the pywin32 module), but I'm an LDAP noob. Perhaps someone else can take this patch as a starting place and replace the Win32-dependent pieces with OS-independent code …or maybe when I'm less of an LDAP ignoramus I'll come back and do it.

Have a look at the th:wiki:LdapPlugin if it can help.

comment:8 by Morris, 17 years ago

OK — I've revisited this concept. What I really needed was some generic way to allow specification of the users available in the "Assign To" dropdown — so I've created a plugin that does just that. The general idea is that after installing this plugin, which I'm calling FlexibleAssignTo, you write your own plugin that implements a getUsers() method that is called by FlexibleAssignTo. Your own getUsers() method can get a user list from wherever it needs to — in my case, that's LDAP/AD, but you could write your getUsers() to return users from wherever.

As luck would have it, trac-hacks is down — so until it's back up and I've got a proper plugin page in place, check out the FlexibleAssignTo thread on the trac-users list.

comment:9 by sid, 17 years ago

Good concept, and glad to see it go into a plugin. Did you ever get this on TracHacks? If so, can you provide a link here and then we'll close this ticket?

comment:10 by Morris, 17 years ago

Aye: http://trac-hacks.org/wiki/FlexibleAssignToPlugin

The plugin ended up being different than what I originally described here; namely, it allows you to write a (relatively) simple additional plugin component to provide access to the user data source of your choice — LDAP/AD or otherwise. The plugin comes with example code as well.

comment:11 by sid, 17 years ago

Resolution: wontfix
Status: new → closed

Thanks for the plugin link. Closing.
