[Moin-user] Moinmoin 1.7.0, LDAP (ActiveDirectory) and Group based acls

Krzysztof Stryjek wtp at wtp3.org
Mon Jun 30 17:35:29 EDT 2008


Hello,

I've been using moinmoin since version 1.6.1 on a FreeBSD box with LDAP
(ActiveDirectory) authentication. I also made a SomeGroup page to put
some logins into one administrative group. Everything worked correctly.

But the FreeBSD Team has just committed moinmoin-1.7.0 to the ports
collection, so I've upgraded moinmoin.

I had some problems, because LDAP authorization has changed. But this is
not the problem: I've read the module file and made a configuration with
failover (I've configured two Active Directory Controllers). That's
working correctly.

But now members of SomeGroup are not "recognized" correctly. On pages
where the acl is like:

#acl SomeGroup: read,write,admin All:

they are treated like "others" and cannot see or edit such pages.

In the Changelog I found that I should add such a line to wikiconfig:

auth_methods_trusted = [ ???, ??? ]

I've tried many methods: http, values set to the LDAPAuth.name attribute,
but the administrative logins are still not recognized.

So what am I doing wrong? Maybe I should import something more into the
wikiconfig file?

I don't want to paste my whole wikiconfig (it is long), so I'm pasting
the most important parts:

--------------------------- snip -------------------------------------
import logging
from MoinMoin.config.multiconfig import DefaultConfig
from MoinMoin.auth.ldap_login import LDAPAuth
try:
    import ldap
except ImportError, err:
    # python-ldap is required for LDAPAuth: log the reason and re-raise
    logging.error("Brakuje zainstalowanego modułu python-ldap (%s)." % str(err))
    raise

ldap_auth_dc03 = LDAPAuth(
    server_uri = 'ldap://dc03.domain.local',
    bind_dn = '%(username)s@domain.local',
    bind_pw = '%(password)s',
    base_dn = 'ou=People,dc=domain,dc=local',
    scope = ldap.SCOPE_SUBTREE,
    referrals = 0,
    search_filter = '(sAMAccountName=%(username)s)',
    givenname_attribute = 'givenName',
    surname_attribute = 'sn',
    aliasname_attribute = 'displayName',
    email_attribute = 'mail',
    email_callback = None,
    coding = 'utf-8',
    timeout = 10,
)
# We have to change the name, because name = 'ldap' by default, and with 2
# instances of the LDAPAuth class Moinmoin complains about duplicate name
# values.
# LDAPAuth.name is also what gets stored as the user's auth_method...
#
ldap_auth_dc03.name = 'dc03'

class Config(DefaultConfig):
    # [...]
    acl_rights_default = u"SomeGroup:admin,read,write,delete,revert All:read"
    acl_rights_before = u"jkowalski:admin,read,write,delete,revert +SomeGroup:admin"
    # [...]
    auth = [ ldap_auth_dc03, ]
    auth_methods_trusted = [ 'ldap_login', 'LDAPAuth', 'dc03', 'ldap', 'http' ]
    trusted_auth_methods = [ 'ldap_login', 'LDAPAuth', 'dc03', 'ldap', 'http' ]

--------------------------- snip -------------------------------------

Thanks a lot for your help. Please feel free to contact me if there is
not enough information included.

Greetings
-- 
/~\ The ASCII                  Krzysztof Stryjek
\ / Ribbon Campaign            wtp (at) wtp3.org
 X  Against HTML           http://fw.wtp3.org/~wtp/
/ \ Email!               GG: 3608113 JID:wtp at chrome.pl

High heels are a device invented by a woman
who was tired of being kissed on the forehead.
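As an added example (not from the original mail and not MoinMoin's own code), the following Python 3 snippet is a simplified re-implementation of how a MoinMoin-style ACL string is evaluated: entries are tried left to right, a bare entry that matches the user decides the outcome, `+`/`-` entries only grant or deny the rights they list and then fall through, `acl_rights_default` is consulted only when the page has no `#acl` line, and a group name is resolved through the members of that group page. The group map, the page ACL strings and the login names other than jkowalski are constructed for the example. What it makes visible is that membership is matched on the exact user-name string: a user the group entry does not match falls through to the empty `All:` entry and ends up with no rights at all.

```python
"""Simplified model of MoinMoin 1.x ACL evaluation (constructed example,
not MoinMoin's own implementation)."""

RIGHTS = ("read", "write", "delete", "revert", "admin")


def parse_acl(acl_string):
    """Turn 'SomeGroup:read,write All:' into [(modifier, entry, rights), ...].

    modifier is '', '+' or '-'; an entry with no rights ('All:') yields an
    empty set, which for a bare entry means "matched, but allowed nothing".
    """
    entries = []
    for token in acl_string.split():
        name, _, rights = token.partition(":")
        modifier = ""
        if name[:1] in ("+", "-"):
            modifier, name = name[0], name[1:]
        entries.append((modifier, name, {r for r in rights.split(",") if r}))
    return entries


def entry_matches(entry, username, groups, trusted):
    """Does this ACL entry apply to the user? Special names first, then
    group pages (by exact member name), then a literal user name."""
    if entry == "All":
        return True
    if entry == "Known":
        return username is not None
    if entry == "Trusted":
        return username is not None and trusted
    if entry in groups:
        return username in groups[entry]
    return entry == username


def may(username, right, page_acl, groups, before="", default="", after="",
        trusted=False):
    """Return True if `username` (None = anonymous) may exercise `right`.

    Lines are concatenated in MoinMoin order: acl_rights_before, the page's
    own #acl line (or acl_rights_default if the page has none), acl_rights_after.
    """
    lines = [before, page_acl if page_acl else default, after]
    for modifier, entry, rights in parse_acl(" ".join(lines)):
        if not entry_matches(entry, username, groups, trusted):
            continue
        if modifier == "+":          # grant listed rights, keep going otherwise
            if right in rights:
                return True
        elif modifier == "-":        # deny listed rights, keep going otherwise
            if right in rights:
                return False
        else:                        # bare entry: first match decides
            return right in rights
    return False                     # nothing matched: no rights


def effective_rights(username, page_acl, groups, before="", default="",
                     after="", trusted=False):
    """All rights the user ends up with on the page, for quick inspection."""
    return sorted(r for r in RIGHTS
                  if may(username, r, page_acl, groups, before, default, after, trusted))


# --- constructed sample configuration, mirroring the shape of the mail ---
GROUPS = {"SomeGroup": {"jkowalski", "anowak"}}   # members of the SomeGroup page
PAGE_ACL = "SomeGroup:read,write,admin All:"
BEFORE = "jkowalski:admin,read,write,delete,revert +SomeGroup:admin"
DEFAULT = "SomeGroup:admin,read,write,delete,revert All:read"

if __name__ == "__main__":
    for user in ("jkowalski", "anowak", "Anowak", "guest", None):
        print(user, effective_rights(user, PAGE_ACL, GROUPS, BEFORE, DEFAULT))
```

Running the block prints one line per sample user; `Anowak` (different case from the group page entry) gets an empty list on the restricted page, exactly like an anonymous visitor, while on a page without its own `#acl` line the `All:read` entry of `acl_rights_default` still applies to everyone.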
