Eu configurei a autenticação do kerberos com trac , que funciona bem. Agora eu quero usar grupos AD e usuários para trac permissões usando o trac plugin Configuração para LdapPlugin . Eu tenho seguido este guia, mas não está funcionando. Estou usando trac 0.10.4 .
No meu apache, tenho o seguinte:
<LocationMatch "/trac/[^/]+/login">
AuthType Kerberos
AuthName Trac
KrbServiceName HTTP/intranet.domain.com
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/httpd/conf/intranet.keytab
AuthzLDAPAuthoritative off
require valid-user
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
SetOutputFilter DEFLATE
</LocationMatch>
Minha configuração trac :
[root@hero plugins]# cat ../conf/trac.ini
[components]
ldapplugin.* = enabled
[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domain= domain.com
[ldap]
global_perms = true
enable = true
use_tls = false
host = echo
port = 389
basedn = dc=domain,dc=com
# Relative DN for users (defaults to none)
user_rdn = ou=TechSupport,ou=Woking,ou=Sites
# Relative DN for group of names (defaults to none)
group_rdn = cn=users
# objectclass for groups
#groupname = groupofnames
# dn entry in a groupname
#groupmember = member
# attribute name for a group
#groupattr = cn
# attribute name for a user
#user_name_attr = uid
# objectclass for user ; customize to your needs
#user_class = sambaSamAccount
# attribute name to store trac permission
#permattr = tracperm
# filter to search for dn with 'permattr' attributes
#permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
#cache_ttl = 900
# maximum number of entries in the cache
#cache_size = 100
# whether to perform an authenticated bind for group resolution
#group_bind = false
# whether to perform an authenticated bind for permision store operations
store_bind = true
# user for authenticated connection to the LDAP directory
bind_user = cn=administrator,cn=users,dc=domain,dc=com
# password for authenticated connection
bind_passwd = ********
# global permissions (vs. per-environment permissions)
#global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
#manage_groups = true
# whether a group member contains the full dn or a simple uid
#groupmemberisdn = true
[trac]
permission_store = LdapPermissionStore
Se eu alterar a configuração do httpd para ldap , recebo o seguinte erro:
[Mon Dec 02 14:13:33 2013] [warn] [client 172.16.0.85] [19659] auth_ldap authenticate: user sharifu authentication failed; URI /trac/paradox/login [ldap_search_ext_s() for user failed][Operations error], referer: http://intranet/trac/paradox/
<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName Trac
AuthBasicProvider ldap
Order allow,deny
Allow from all
AuthLDAPURL "ldap://echo:389/dc=domain,dc=com?uid"
AuthzLDAPAuthoritative on
require valid-user
# Options Indexes MultiViews FollowSymLinks
# AllowOverride All
# SetOutputFilter DEFLATE
</LocationMatch>
Acredito que estou fazendo algo errado no arquivo trac.ini se eu usar a autenticação Kerberos no apache.
Agora fiz o seguinte e consegui fazer a autenticação funcionar usando ldap no apache. Só preciso de ajuda para implementar isso em trac para usar a permissão em grupos do AD, etc.
<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName Trac
AuthBasicProvider ldap
Order allow,deny
Allow from all
AuthLDAPURL "ldap://echo.uk.domain.com akutan.usa.domain.com/ou=Sites,dc=domain,dc=com?sAMAccountName"
AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
AuthLDAPBindPassword **********
AuthzLDAPAuthoritative off
require valid-user
</LocationMatch>
[root@hero trac]# trac-admin paradox permission list
User Action
--------------------------------
@Administrators TRAC_ADMIN
anonymous CHANGESET_VIEW
anonymous FILE_VIEW
anonymous LOG_VIEW
anonymous MILESTONE_VIEW
anonymous REPORT_SQL_VIEW
anonymous REPORT_VIEW
anonymous ROADMAP_VIEW
anonymous SEARCH_VIEW
anonymous TICKET_VIEW
anonymous TIMELINE_VIEW
anonymous WIKI_VIEW
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW
Esqueci-me de ativar os plug-ins, no entanto, estou com problemas trac conversando com ldap . No log, recebo o seguinte:
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] DEBUG: Updating wiki page index
Configuração atual:
[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domains = domain.com
[ldap]
enable = true
host = echo
basedn = dc=domain,dc=com
user_rdn = ou=Sites,dc=domain,dc=com
group_rdn = cn=Users,dc=domain,dc=com
store_bind = true
bind_user = [email protected]
bind_passwd = ******
[trac]
permission_store = LdapPermissionStore
[logging]
#log_file = /var/log/trac.log
log_format = Trac[$(basename)s:$(module)s] $(levelname)s: $(message)s
#log_level = DEBUG
#log_type = file
[components]
webadmin.* = enabled
ldapplugin.* = enabled