yoheeb at gmail
Nov 5, 2009, 9:04 AM
Post #4 of 5
(441 views)
Permalink
|
On Nov 5, 10:47 am, Jake Stone <jake.the.st...@gmail.com> wrote:
> Olemis Lang wrote:
> > On Thu, Nov 5, 2009 at 3:38 AM, Kamin, Volker
> > <ka...@embedded.rwth-aachen.de> wrote:
>
> >> Hi!
>
> >> As LDAP didn’t seem to work I switched to SSPI which works just fine. There
> >> is however a little problem is still have regarding permissions:
>
> >> a) How can I use Windows user groups in Trac? When I checked our
> >> productive system (that was setup by my predecessor) I found out that
> >> everyone who can login to our domain can access the Trac system which only
> >> should be accessible to certain users. Do I need to manually replicate the
> >> Windows user groups in Trac or is it possible to use the Active Directory
> >> user groups? These groups are used in the VisualSVN server that Trac is
> >> connected to.
>
> > You could do one of two things :
>
> > - Use `mod_ldap` or similar ;o) group directives to make Apache
> > (assuming you'r using Apache ;o) apply the restrictions and check
> > groups against MS AD.
> > - Use Trac plugin for LDAP groups and assign permissions (AFAICR
> > LDAP groupos start with @ sign e.g. @power_rangers ;o). In Trac
> > group info and authentication are decoupled, so you should be able
> > to use LDAP groups with any auth mechanisms ... CMIIW anyway
>
> >> b) XMLRPC bugs me. When I assign myself TRAC_ADMIN permission and no
> >> one else any permissions I cannot use Mylin to access the Trac.
>
> > What does it return back to the client ?
>
> >> When I give
> >> the same permissions to anonymous
>
> > Suggestion : don't do that in a «real» environment
>
> >> I can login both anonymous and as myself.
> >> In our productive system (that is accessible via Mylin) anonymous doesn’t
> >> have any permissions at all. Here authenticated has all but administrative
> >> permissions.
>
> > Perhaps Mylin requires some admin or write permissions . Did u check out ?
>
> Incidentally, I switched to SSPI as well, and Trac doesn't correctly
> grab those groups, which is strange because the SSPI directive correctly
> limit by groups such as "<Require Group> DOMAIN/GROUP". Do I have to
> switch to a LDAP plugin? Since the groups work with Apache I'm confused.
I created a local user group on the server machine itself, and have
Apache require that group to address this issue. It was quick and
dirty, but it works. I use a separate one just for Subversion access,
which is restricted specifically to the developers for client actions,
I am using SSPI as well. Although I had issues with Mylin in the
past, simply because at the time it didn't support the custom
workflows, so this could be something else, more specific to Mylin/
xmlrpc, since as far as I can tell, when it comes to Apache, I am a
complete moron, and I managed to get SSPI going somehow.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users [at] googlegroups
To unsubscribe from this group, send email to trac-users+unsubscribe [at] googlegroups
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---
|
