trac에 Kerberos 인증을 설정했는데 훌륭하게 작동합니다. 이제 플러그인을 사용하여 AD 그룹과 사용자로 trac 권한을 관리하고 싶습니다.
LdapPlugin을 다음과 같이 구성했습니다. 이 가이드를 따랐지만 작동하지 않습니다. trac 0.10.4를 사용하고 있습니다.
내 아파치에는 다음이 있습니다.
<LocationMatch "/trac/[^/]+/login">
AuthType Kerberos
AuthName Trac
KrbServiceName HTTP/intranet.domain.com
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/httpd/conf/intranet.keytab
AuthzLDAPAuthoritative off
require valid-user
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
SetOutputFilter DEFLATE
</LocationMatch>
내 trac 구성:
[root@hero plugins]# cat ../conf/trac.ini
[components]
ldapplugin.* = enabled
[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domain= domain.com
[ldap]
global_perms = true
enable = true
use_tls = false
host = echo
port = 389
basedn = dc=domain,dc=com
# Relative DN for users (defaults to none)
user_rdn = ou=TechSupport,ou=Woking,ou=Sites
# Relative DN for group of names (defaults to none)
group_rdn = cn=users
# objectclass for groups
#groupname = groupofnames
# dn entry in a groupname
#groupmember = member
# attribute name for a group
#groupattr = cn
# attribute name for a user
#user_name_attr = uid
# objectclass for user ; customize to your needs
#user_class = sambaSamAccount
# attribute name to store trac permission
#permattr = tracperm
# filter to search for dn with 'permattr' attributes
#permfilter = objectclass=*
# time, in seconds, before a cached entry is purged out of the local cache.
#cache_ttl = 900
# maximum number of entries in the cache
#cache_size = 100
# whether to perform an authenticated bind for group resolution
#group_bind = false
# whether to perform an authenticated bind for permission store operations
store_bind = true
# user for authenticated connection to the LDAP directory
bind_user = cn=administrator,cn=users,dc=domain,dc=com
# password for authenticated connection
bind_passwd = ********
# global permissions (vs. per-environment permissions)
#global_perms = false
# group permissions are managed as addition/removal to the LDAP directory groups
#manage_groups = true
# whether a group member contains the full dn or a simple uid
#groupmemberisdn = true
[trac]
permission_store = LdapPermissionStore
httpd 구성을 다음과 같이 ldap으로 변경하면 다음 오류가 발생합니다.
[Mon Dec 02 14:13:33 2013] [warn] [client 172.16.0.85] [19659] auth_ldap authenticate: user sharifu authentication failed; URI /trac/paradox/login [ldap_search_ext_s() for user failed][Operations error], referer: http://intranet/trac/paradox/
<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName Trac
AuthBasicProvider ldap
Order allow,deny
Allow from all
AuthLDAPURL "ldap://echo:389/dc=domain,dc=com?uid"
AuthzLDAPAuthoritative on
require valid-user
# Options Indexes MultiViews FollowSymLinks
# AllowOverride All
# SetOutputFilter DEFLATE
</LocationMatch>
Apache에서 Kerberos 인증을 사용하는 경우 trac.ini 파일에 문제가 있는 것 같습니다.
이제 다음과 같이 하여 Apache에서 ldap 인증을 사용할 수 있게 되었습니다.
trac 권한에 AD 그룹 등을 사용하려면 이를 구현하는 데 도움이 필요합니다.
<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName Trac
AuthBasicProvider ldap
Order allow,deny
Allow from all
AuthLDAPURL "ldap://echo.uk.domain.com akutan.usa.domain.com/ou=Sites,dc=domain,dc=com?sAMAccountName"
AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
AuthLDAPBindPassword **********
AuthzLDAPAuthoritative off
require valid-user
</LocationMatch>
[root@hero trac]# trac-admin paradox permission list
User Action
--------------------------------
@Administrators TRAC_ADMIN
anonymous CHANGESET_VIEW
anonymous FILE_VIEW
anonymous LOG_VIEW
anonymous MILESTONE_VIEW
anonymous REPORT_SQL_VIEW
anonymous REPORT_VIEW
anonymous ROADMAP_VIEW
anonymous SEARCH_VIEW
anonymous TICKET_VIEW
anonymous TIMELINE_VIEW
anonymous WIKI_VIEW
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW
ldap 플러그인을 활성화하는 것을 잊어버렸는데, trac 로그에 다음과 같은 내용이 표시됩니다.
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] ERROR: LDAP error: Operations error
Trac[paradox:api] DEBUG: Updating wiki page index
현재 구성:
[notification]
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc = [email protected]
smtp_default_domain = domain.com
smtp_enabled = true
smtp_from = [email protected]
smtp_password =
smtp_port = 25
smtp_replyto = [email protected]
smtp_server = hero.uk.domain.com
smtp_subject_prefix = __default__
smtp_user =
use_public_cc = false
use_short_addr = false
use_tls = false
#ignore_domains = domain.com
[ldap]
enable = true
host = echo
basedn = dc=domain,dc=com
user_rdn = ou=Sites,dc=domain,dc=com
group_rdn = cn=Users,dc=domain,dc=com
store_bind = true
bind_user = [email protected]
bind_passwd = ******
[trac]
permission_store = LdapPermissionStore
[logging]
#log_file = /var/log/trac.log
log_format = Trac[$(basename)s:$(module)s] $(levelname)s: $(message)s
#log_level = DEBUG
#log_type = file
[components]
webadmin.* = enabled
ldapplugin.* = enabled