How to configure LDAP with trac


I have set up Kerberos authentication and trac works fine. Now I would like to use AD groups and users for trac permissions via the plugin. trac is configured with LdapPlugin as shown below. I followed this guide but it does not work. I am using trac 0.10.4.

My Apache has the following:

<LocationMatch "/trac/[^/]+/login">
    AuthType Kerberos
    AuthName Trac
    KrbServiceName HTTP/intranet.domain.com
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/httpd/conf/intranet.keytab
    AuthzLDAPAuthoritative off
    require valid-user
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    SetOutputFilter DEFLATE
</LocationMatch>

My trac configuration:

[root@hero plugins]# cat ../conf/trac.ini 
[components]
ldapplugin.* = enabled

[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domain= domain.com

[ldap]
global_perms = true
enable = true
use_tls = false
host = echo
port = 389
basedn = dc=domain,dc=com

# Relative DN for users (defaults to none)
user_rdn = ou=TechSupport,ou=Woking,ou=Sites

# Relative DN for group of names (defaults to none)
group_rdn = cn=users

# objectclass for groups
#groupname = groupofnames

# dn entry in a groupname 
#groupmember = member

# attribute name for a group
#groupattr = cn

# attribute name for a user
#user_name_attr = uid

# objectclass for user ; customize to your needs
#user_class = sambaSamAccount

# attribute name to store trac permission
#permattr = tracperm

# filter to search for dn with 'permattr' attributes
#permfilter = objectclass=*

# time, in seconds, before a cached entry is purged out of the local cache.
#cache_ttl = 900

# maximum number of entries in the cache
#cache_size = 100

# whether to perform an authenticated bind for group resolution
#group_bind = false

# whether to perform an authenticated bind for permision store operations
store_bind = true

# user for authenticated connection to the LDAP directory
bind_user = cn=administrator,cn=users,dc=domain,dc=com

# password for authenticated connection
bind_passwd = ********

# global permissions (vs. per-environment permissions)
#global_perms = false

# group permissions are managed as addition/removal to the LDAP directory groups
#manage_groups = true

# whether a group member contains the full dn or a simple uid
#groupmemberisdn = true

[trac]
permission_store = LdapPermissionStore

When I change the httpd configuration to the following (ldap), I get this error:

[Mon Dec 02 14:13:33 2013] [warn] [client 172.16.0.85] [19659] auth_ldap authenticate: user sharifu authentication failed; URI /trac/paradox/login [ldap_search_ext_s() for user failed][Operations error], referer: http://intranet/trac/paradox/

<LocationMatch "/trac/[^/]+/login">
    AuthType Basic
    AuthName Trac
    AuthBasicProvider ldap
    Order allow,deny
    Allow from all
    AuthLDAPURL "ldap://echo:389/dc=domain,dc=com?uid"
    AuthzLDAPAuthoritative on
    require valid-user
#     Options Indexes MultiViews FollowSymLinks
#     AllowOverride All
#     SetOutputFilter DEFLATE
</LocationMatch>

It seems there is a problem with the trac.ini file when using Kerberos authentication in Apache.

I have now done the following and can use ldap authentication in Apache. For trac permissions based on AD groups etc., help implementing that would be appreciated.

<LocationMatch "/trac/[^/]+/login">
    AuthType Basic
    AuthName Trac
    AuthBasicProvider ldap
    Order allow,deny
    Allow from all

    AuthLDAPURL "ldap://echo.uk.domain.com akutan.usa.domain.com/ou=Sites,dc=domain,dc=com?sAMAccountName"
    AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
    AuthLDAPBindPassword **********

    AuthzLDAPAuthoritative off
    require valid-user
</LocationMatch>

[root@hero trac]# trac-admin paradox permission list

User             Action         
--------------------------------
@Administrators  TRAC_ADMIN     
anonymous        CHANGESET_VIEW 
anonymous        FILE_VIEW      
anonymous        LOG_VIEW       
anonymous        MILESTONE_VIEW 
anonymous        REPORT_SQL_VIEW
anonymous        REPORT_VIEW    
anonymous        ROADMAP_VIEW   
anonymous        SEARCH_VIEW    
anonymous        TICKET_VIEW    
anonymous        TIMELINE_VIEW  
anonymous        WIKI_VIEW      

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
 TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
 WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW

I had forgotten to enable the ldap plugin; now I see the following in the trac log:

Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] DEBUG: Updating wiki page index

Current configuration:

[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domains = domain.com

[ldap]
enable = true
host = echo
basedn = dc=domain,dc=com
user_rdn = ou=Sites,dc=domain,dc=com
group_rdn = cn=Users,dc=domain,dc=com
store_bind = true
bind_user = [email protected]
bind_passwd = ******

[trac]
permission_store = LdapPermissionStore

[logging]
#log_file = /var/log/trac.log
log_format = Trac[$(basename)s:$(module)s] $(levelname)s: $(message)s
#log_level = DEBUG
#log_type = file

[components]
webadmin.* = enabled
ldapplugin.* = enabled
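As an added example (not code from the post or from LdapPlugin), the following script lints the [ldap] section of a trac.ini the way the plugin's own config comments describe it: user_rdn and group_rdn are documented as relative to basedn, group_bind defaults to false, and store_bind needs a bind_user. It assumes the plugin builds its search bases as "<rdn>,<basedn>"; the sample ini is constructed to mirror the second configuration above.

```python
# Added example, not part of the original post. Lints a trac.ini [ldap] section
# against what LdapPlugin's config comments state. Assumption: the plugin forms
# its search base as "<rdn>,<basedn>" because the rdn options are documented as
# relative DNs.
import configparser
import io

# Constructed sample mirroring the post's second trac.ini (bind_user is a placeholder).
SAMPLE_TRAC_INI = """
[ldap]
enable = true
host = echo
basedn = dc=domain,dc=com
user_rdn = ou=Sites,dc=domain,dc=com
group_rdn = cn=Users,dc=domain,dc=com
store_bind = true
bind_user = bind-account@domain.com
bind_passwd = placeholder
"""


def _norm(dn):
    """Normalise a DN for comparison: trim around commas, lowercase."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def effective_base(rdn, basedn):
    """Search base the plugin would use for a relative rdn (empty rdn -> basedn)."""
    return f"{rdn},{basedn}" if rdn else basedn


def lint_ldap_section(ini_text):
    """Return a list of findings that would break user/group lookups against AD."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#", ";"))
    cfg.read_file(io.StringIO(ini_text))
    ldap = cfg["ldap"]
    basedn = ldap.get("basedn", "")
    findings = []
    for key in ("user_rdn", "group_rdn"):
        rdn = ldap.get(key, "")
        # A full DN here gets basedn appended twice, which is not a valid base.
        if rdn and _norm(rdn).endswith(_norm(basedn)):
            findings.append(f"{key} already ends with basedn; effective search base "
                            f"would be '{effective_base(rdn, basedn)}'")
    if ldap.getboolean("store_bind", False) and not ldap.get("bind_user"):
        findings.append("store_bind is true but bind_user is empty")
    if not ldap.getboolean("group_bind", False):
        # Default is false per the plugin comment, so group lookups bind anonymously;
        # the Apache side of this post only worked once AuthLDAPBindDN was set.
        findings.append("group_bind is unset/false: group resolution uses an anonymous bind")
    return findings
```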
