Modify

Opened 19 years ago

Closed 19 years ago

#286 closed defect (fixed)

Revision 615 does not properly handle LDAP groups with a dash

Reported by: trac-ldapplugin@… Owned by: Emmanuel Blot
Priority: normal Component: LdapPlugin
Severity: major Keywords:
Cc: Trac Release: 0.10

Description

After following all of the steps required to install/configure the plugin for Trac 0.9.4 (rev 615 of the plugin) I found that groups with a dash in them will not work for permissions.

Apache 2.0.x does not have issues with this, just the plugin.

Example groups (ldif format):

description: Access to Trac Administration features
dn: cn=trac-admins,ou=groups,o=whyaskwhy
objectClass: posixGroup
objectClass: top
cn: trac-admins
gidNumber: 309
memberUid: uid=myuser,ou=people,o=whyaskwhy
description: Testing LDAP plugin for trac
dn: cn=testing,ou=groups,o=whyaskwhy
objectClass: posixGroup
objectClass: top
cn: testing
gidNumber: 310
memberUid: uid=myuser,ou=people,o=whyaskwhy

Here is the ldap section of my trac.ini file:

[components]
ldapplugin.* = enabled

# http://trac-hacks.org/wiki/LdapPlugin
[ldap]
# enable LDAP support for Trac
enable = true
# LDAP directory host
host = localhost
# LDAP directory port
port = 389
# BaseDN
basedn = o=whyaskwhy
# BaseDN for users (defaults to basedn)
user_basedn = ou=people,o=whyaskwhy
# BaseDN for group of names (defaults to basedn)
group_basedn = ou=groups,o=whyaskwhy
# objectclass for groups
groupname = posixGroup
# dn entry in a groupname 
groupmember = memberUid
# attribute name for a group
groupattr = cn
# attribute name for a user
uidattr = uid
# attribute name to store trac permission
permattr = tracperm
# filter to search for dn with 'permattr' attributes
permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
cache_ttl = 900
# maximum number of entries in the cache
cache_size = 100
# whether to perform an authenticated bind for group resolution
group_bind = true
# user for authenticated group bind
group_user = uid=trac.binduser,ou=bind-accounts
# password for authenticated group bind
group_passwd = PASSWORD
# whether to perform an authenticated bind for permision store operations
store_bind = false
# user for authenticated store bind
store_user =
# password for authenticated store bind
store_passwd =
# global permissions (vs. per-environment permissions)
global_perms = false

Here is the result of a search (via a page view after Apache has authenticated by user)

/var/log/slapd.log

Apr  4 22:00:09 foi slapd[11162]: conn=353 fd=23 ACCEPT from IP=127.0.0.1:34946 (IP=0.0.0.0:389)
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" method=128
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" mech=SIMPLE ssf=0
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=0 RESULT tag=97 err=0 text=
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 CMP dn="cn=trac,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11165]: conn=353 op=1 RESULT tag=111 err=32 text=
Apr  4 22:00:09 foi slapd[11164]: conn=353 op=2 UNBIND
Apr  4 22:00:09 foi slapd[11164]: conn=353 fd=23 closed
Apr  4 22:00:09 foi slapd[11162]: conn=354 fd=23 ACCEPT from IP=127.0.0.1:34947 (IP=0.0.0.0:389)
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" method=128
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 BIND dn="uid=trac.binduser,ou=bind-accounts,o=whyaskwhy" mech=SIMPLE ssf=0
Apr  4 22:00:09 foi slapd[11165]: conn=354 op=0 RESULT tag=97 err=0 text=
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 CMP dn="cn=testing,ou=groups,o=whyaskwhy" attr="memberUid"
Apr  4 22:00:09 foi slapd[11164]: conn=354 op=1 RESULT tag=111 err=6 text=
Apr  4 22:00:10 foi slapd[11162]: conn=355 fd=24 ACCEPT from IP=127.0.0.1:34948 (IP=0.0.0.0:389)
Apr  4 22:00:10 foi slapd[11165]: bind: invalid dn (trac.binduser,ou=bind-accounts,o=whyaskwhy,o=whyaskwhy)
Apr  4 22:00:10 foi slapd[11165]: conn=355 op=0 RESULT tag=97 err=34 text=invalid DN
Apr  4 22:00:10 foi slapd[11164]: conn=355 op=1 UNBIND
Apr  4 22:00:10 foi slapd[11164]: conn=355 fd=24 closed

I'll be glad to furnish other information upon request.

Thank you for your time.

Attachments (0)

Change History (1)

comment:1 Changed 19 years ago by Emmanuel Blot

Resolution: fixed
Status: newclosed
Trac Release: 0.90.10

Should be fixed in [905]

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Emmanuel Blot.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.