How to configure LDAP and trac

I have set up Kerberos authentication and trac works great. Now I want to use AD groups and users for trac permissions through a plugin. trac is configured with LdapPlugin as follows. I followed this guide but it does not work. I am using trac 0.10.4.

In my Apache configuration I have the following:

<LocationMatch "/trac/[^/]+/login">
    AuthType Kerberos
    AuthName Trac
    KrbServiceName HTTP/intranet.domain.com
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms DOMAIN.COM
    Krb5KeyTab /etc/httpd/conf/intranet.keytab
    AuthzLDAPAuthoritative off
    require valid-user
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    SetOutputFilter DEFLATE
</LocationMatch>

trac configuration:

[root@hero plugins]# cat ../conf/trac.ini 
[components]
ldapplugin.* = enabled

[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domain= domain.com

[ldap]
global_perms = true
enable = true
use_tls = false
host = echo
port = 389
basedn = dc=domain,dc=com

# Relative DN for users (defaults to none)
user_rdn = ou=TechSupport,ou=Woking,ou=Sites

# Relative DN for group of names (defaults to none)
group_rdn = cn=users

# objectclass for groups
#groupname = groupofnames

# dn entry in a groupname 
#groupmember = member

# attribute name for a group
#groupattr = cn

# attribute name for a user
#user_name_attr = uid

# objectclass for user ; customize to your needs
#user_class = sambaSamAccount

# attribute name to store trac permission
#permattr = tracperm

# filter to search for dn with 'permattr' attributes
#permfilter = objectclass=*

# time, in seconds, before a cached entry is purged out of the local cache.
#cache_ttl = 900

# maximum number of entries in the cache
#cache_size = 100

# whether to perform an authenticated bind for group resolution
#group_bind = false

# whether to perform an authenticated bind for permission store operations
store_bind = true

# user for authenticated connection to the LDAP directory
bind_user = cn=administrator,cn=users,dc=domain,dc=com

# password for authenticated connection
bind_passwd = ********

# global permissions (vs. per-environment permissions)
#global_perms = false

# group permissions are managed as addition/removal to the LDAP directory groups
#manage_groups = true

# whether a group member contains the full dn or a simple uid
#groupmemberisdn = true

[trac]
permission_store = LdapPermissionStore

If I change the httpd configuration to the following ldap setup, I get this error:

[Mon Dec 02 14:13:33 2013] [warn] [client 172.16.0.85] [19659] auth_ldap authenticate: user sharifu authentication failed; URI /trac/paradox/login [ldap_search_ext_s() for user failed][Operations error], referer: http://intranet/trac/paradox/

<LocationMatch "/trac/[^/]+/login">
    AuthType Basic
    AuthName Trac
    AuthBasicProvider ldap
    Order allow,deny
    Allow from all
    AuthLDAPURL "ldap://echo:389/dc=domain,dc=com?uid"
    AuthzLDAPAuthoritative on
    require valid-user
#     Options Indexes MultiViews FollowSymLinks
#     AllowOverride All
#     SetOutputFilter DEFLATE
</LocationMatch>

It seems there is a problem with the trac.ini file when using Kerberos authentication in Apache.

I have now done the following and can use ldap authentication in Apache. I need help implementing the use of AD groups etc. for trac permissions.

<LocationMatch "/trac/[^/]+/login">
    AuthType Basic
    AuthName Trac
    AuthBasicProvider ldap
    Order allow,deny
    Allow from all

    AuthLDAPURL "ldap://echo.uk.domain.com akutan.usa.domain.com/ou=Sites,dc=domain,dc=com?sAMAccountName"
    AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
    AuthLDAPBindPassword **********

    AuthzLDAPAuthoritative off
    require valid-user
</LocationMatch>

[root@hero trac]# trac-admin paradox permission list

User             Action         
--------------------------------
@Administrators  TRAC_ADMIN     
anonymous        CHANGESET_VIEW 
anonymous        FILE_VIEW      
anonymous        LOG_VIEW       
anonymous        MILESTONE_VIEW 
anonymous        REPORT_SQL_VIEW
anonymous        REPORT_VIEW    
anonymous        ROADMAP_VIEW   
anonymous        SEARCH_VIEW    
anonymous        TICKET_VIEW    
anonymous        TIMELINE_VIEW  
anonymous        WIKI_VIEW      

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
 TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
 WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW

I had forgotten to enable the ldap plugin; the trac log now shows the following:

Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] DEBUG: Updating wiki page index

Current configuration:

[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domains = domain.com

[ldap]
enable = true
host = echo
basedn = dc=domain,dc=com
user_rdn = ou=Sites,dc=domain,dc=com
group_rdn = cn=Users,dc=domain,dc=com
store_bind = true
bind_user = [email protected]
bind_passwd = ******

[trac]
permission_store = LdapPermissionStore

[logging]
#log_file = /var/log/trac.log
log_format = Trac[$(basename)s:$(module)s] $(levelname)s: $(message)s
#log_level = DEBUG
#log_type = file

[components]
webadmin.* = enabled
ldapplugin.* = enabled
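As an added example (not code from the question or from the LdapPlugin project), the script below shows how the DN-related keys of the two [ldap] sections above are combined into search bases and how AD group membership becomes the "@Administrators"-style subjects that `trac-admin permission list` displays. It assumes the plugin joins user_rdn and group_rdn to basedn with a comma, as the "Relative DN" comments in the config suggest, and it goes beyond the question by also walking the second config, where user_rdn already contains the base DN; a constructed in-memory directory stands in for the domain controller so it runs offline.

```python
# Constructed in-memory directory standing in for AD: DN (lower-cased) -> attributes.
DIRECTORY = {
    "cn=sharifu,ou=techsupport,ou=woking,ou=sites,dc=domain,dc=com": {
        "objectclass": ["user"], "samaccountname": ["sharifu"]},
    "cn=administrators,cn=users,dc=domain,dc=com": {
        "objectclass": ["group"], "cn": ["Administrators"],
        "member": ["CN=sharifu,OU=TechSupport,OU=Woking,OU=Sites,DC=domain,DC=com"]},
    "cn=developers,cn=users,dc=domain,dc=com": {
        "objectclass": ["group"], "cn": ["Developers"], "member": []},
}


def search_base(rdn, basedn):
    """Join a *relative* DN with basedn by a comma (assumed plugin behaviour).
    Passing an absolute DN as rdn therefore yields a base that exists nowhere."""
    return f"{rdn},{basedn}" if rdn else basedn


def subtree_search(base, attr, value):
    """DNs at or below `base` whose `attr` holds `value`; DN and value matching
    are case-insensitive, as LDAP directories treat them."""
    base, value = base.lower(), value.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base))
            and value in (v.lower() for v in attrs.get(attr, []))]


def trac_subjects(conf, username):
    """Resolve a login name to the '@Group' subjects LdapPermissionStore checks."""
    users = subtree_search(search_base(conf.get("user_rdn", ""), conf["basedn"]),
                           conf.get("user_name_attr", "samaccountname"), username)
    if not users:
        return []          # not found under the composed user base: no groups
    member = users[0] if conf.get("groupmemberisdn", True) else username
    groups = subtree_search(search_base(conf.get("group_rdn", ""), conf["basedn"]),
                            conf.get("groupmember", "member"), member)
    return ["@" + DIRECTORY[g][conf.get("groupattr", "cn")][0] for g in groups]


# The two [ldap] sections from the question, reduced to their DN-related keys.
FIRST_CONF = {"basedn": "dc=domain,dc=com",
              "user_rdn": "ou=TechSupport,ou=Woking,ou=Sites", "group_rdn": "cn=users"}
SECOND_CONF = {"basedn": "dc=domain,dc=com",
               "user_rdn": "ou=Sites,dc=domain,dc=com",
               "group_rdn": "cn=Users,dc=domain,dc=com"}

if __name__ == "__main__":
    for name, conf in (("first", FIRST_CONF), ("second", SECOND_CONF)):
        print(name, search_base(conf["user_rdn"], conf["basedn"]),
              trac_subjects(conf, "sharifu"))
```

With the first config the user resolves to ["@Administrators"]; with the second the composed user base is "ou=Sites,dc=domain,dc=com,dc=domain,dc=com", nothing is found and no group subjects apply.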
