Redmine - Feature #1113: Link LDAP groups with user accounts
Jean-Philippe Lang (jp_lang@yahoo.fr), 2008-04-26T12:19:34Z, https://www.redmine.org/issues/1113?journal_id=2456
<ul><li><strong>Target version</strong> deleted (<del><i>0.7</i></del>)</li></ul>
Rob Felix, 2008-05-19T09:07:08Z, https://www.redmine.org/issues/1113?journal_id=2817
<ul><li><strong>Target version</strong> set to <i>0.8</i></li></ul>
Alon Bar-Lev, 2008-05-31T14:56:27Z, https://www.redmine.org/issues/1113?journal_id=3067
<ul></ul><p>Together with Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Add support for alternate (non-LDAP) authentication (Closed)" href="https://www.redmine.org/issues/1131">#1131</a>, Apache and mod_auth_krb5, this should provide a complete authentication and authorization environment for an enterprise environment.</p>
<p>The authentication part is handled by the web server, the resulting user is put into an environment variable, and the application should accept this as-is.</p>
<p>Then the application should fetch user groups from LDAP and allow a simple transformation; for example, user@REALM should be converted to userPrincipalName=user@realm, then constructed into an LDAP query which returns the group DN. Each group DN should be linked to roles.</p>
<p>End result: No users are defined inside application. User permission is based on their LDAP group membership.</p>
<p>Also, more information may be fetched from LDAP, for example: full name, email.</p>
<p>For the email field, there can also be an option to construct it from the user name; for example, if the user name is user[@REALM], then the email is <a class="email" href="mailto:user@domain.org">user@domain.org</a>. This will enable a simple way to construct the address without LDAP support.</p>
<p>Thanks!</p>
Jean-Philippe Lang (jp_lang@yahoo.fr), 2008-11-11T09:38:13Z, https://www.redmine.org/issues/1113?journal_id=5542
<ul><li><strong>Target version</strong> deleted (<del><i>0.8</i></del>)</li></ul>
alten benelux, 2009-12-15T21:21:44Z, https://www.redmine.org/issues/1113?journal_id=12987
<ul></ul><p>This would be a very interesting feature to be implemented with the new 'User Groups' (in version 0.9, Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Group or company feature. (Closed)" href="https://www.redmine.org/issues/1018">#1018</a>).</p>
<p>Would this work ? :</p>
<ul>
<li>When a user logs in with ldap, the list of groups he is in is fetched from ldap.</li>
<li>For each of these groups, we check if a group with the same name already exists on the redmine site.</li>
<li>If it does, add the user to the group.</li>
<li>+Same for removals if he is no longer in the group</li>
</ul>
<p>I guess this could be quite slow and would maybe need some optimization...</p>
<p>Any idea on this ?</p>
alten benelux, 2009-12-17T23:10:40Z, https://www.redmine.org/issues/1113?journal_id=13041
<ul></ul><p>What about <a class="external" href="http://www.redmine.org/boards/1/topics/10008">http://www.redmine.org/boards/1/topics/10008</a> ?<br />If this could still be included in v0.9, with the Groups feature it would really be great...</p>
jacob briggs, 2009-12-17T23:32:53Z, https://www.redmine.org/issues/1113?journal_id=13042
<ul></ul><p>alten benelux wrote:</p>
<blockquote>
<p>This would be a very interesting feature to be implemented with the new 'User Groups' (in version 0.9, Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Group or company feature. (Closed)" href="https://www.redmine.org/issues/1018">#1018</a>).</p>
<p>Would this work ? :</p>
<ul>
<li>When a user logs in with ldap, the list of groups he is in is fetched from ldap.</li>
<li>For each of these groups, we check if a group with the same name already exists on the redmine site.</li>
<li>If it does, add the user to the group.</li>
<li>+Same for removals if he is no longer in the group</li>
</ul>
<p>I guess this could be quite slow and would maybe need some optimization...</p>
<p>Any idea on this ?</p>
</blockquote>
<p>This is almost exactly what I have done, except that if the</p>
<ul>
<li>When a user logs in with ldap, the list of groups he is in is fetched from ldap.</li>
<li>For each of these groups, we check if a group with the same name already exists on the redmine site.</li>
<li>If it doesn't, add the group</li>
<li>Check if the user belongs to this group in redmine</li>
<li>If they don't, then add the user to the group.</li>
</ul>
<p>The code doesn't do removals at the moment. I also don't know what would happen if there were 100 groups and 10000 users - I don't know how well it would scale. The code doesn't deal with groups on the users, if the list of groups is stored in multiple memberOf attributes of the user in LDAP (I think AD does it this way).</p>
Natalia Lebedeva, 2010-01-26T10:03:14Z, https://www.redmine.org/issues/1113?journal_id=13826
<ul><li><strong>File</strong> <a href="/attachments/3097">redmine_ldap_groups_import_0.9.0.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3097/redmine_ldap_groups_import_0.9.0.patch">redmine_ldap_groups_import_0.9.0.patch</a> added</li></ul><p>Here is a patch implementing the import of LDAP groups. The patch is based on <a class="external" href="http://www.redmine.org/boards/1/topics/10008">http://www.redmine.org/boards/1/topics/10008</a> but membership is detected using 'uniqueMember' LDAP attribute (not memberOf)</p>
Stefan Stefansson, 2010-01-28T00:19:15Z, https://www.redmine.org/issues/1113?journal_id=13864
<ul></ul><p>I would very much like to see this functionality in the trunk. We're currently using a hack that we would be more than happy to get rid of but would prefer if the solution came in the form of a patch applied to the trunk instead of applying it to the codebase ourselves.</p>
Eric Davis, 2010-02-10T02:02:49Z, https://www.redmine.org/issues/1113?journal_id=14168
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul><p>I'm starting to work on some LDAP features for a customer, including linking them to groups in Redmine. A few of the new features have been added to a plugin in the form of Rake tasks. Feel free to try it out but it's still under active development.</p>
<p><a class="external" href="http://github.com/edavis10/redmine_extra_ldap">http://github.com/edavis10/redmine_extra_ldap</a></p>
Glenn Gould, 2010-02-10T15:14:37Z, https://www.redmine.org/issues/1113?journal_id=14189
<ul></ul><p>You may also be interested in <a class="issue tracker-3 status-1 priority-4 priority-default" title="Patch: Create and maintain groups from LDAP attributes (New)" href="https://www.redmine.org/issues/4755">#4755</a>.</p>
Terence Mill, 2010-06-28T08:55:36Z, https://www.redmine.org/issues/1113?journal_id=17753
<ul></ul><p>We want to use Redmine in Enterprise Environment but we need to use the ldap groups, cause need of central user/group management. The groups are used also for other middleware developing infrastructure like Hudson, Nexus, etc.</p>
<p>The Patch seems to go deep into the base and I am afraid of getting into troubles using redmine too far away of the main stream, then getting update problems and problems with other plugins.</p>
<p>Will this feature be streamed into the trunk .. or why not? I couldn't find it on the roadmap.</p>
<p>Tx for information!</p>
Kiall Mac Innes, 2010-09-16T02:37:55Z, https://www.redmine.org/issues/1113?journal_id=20357
<ul></ul><p>I'd like to see this either A) included with core redmine.. or B) have all LDAP features extracted to a plugin so LDAP can be developed in a single place.</p>
<p>Anyway .. I'm about to try your extra_ldap plugin now..</p>
<p>Thanks</p>
Antoine Beaupré, 2010-09-24T14:59:50Z, https://www.redmine.org/issues/1113?journal_id=20676
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>30</i></li></ul><p>It would be nice to have the "uniqueMember" parameter a variable so that we can customize it to our schemas (we use memberUid), but otherwise this patch seems like a good fit for our needs. I don't see how the extra_ldap plugin resolves the issue however, maybe I'm missing something?</p>
Roy Sindre Norangshol, 2010-10-21T23:25:29Z, https://www.redmine.org/issues/1113?journal_id=21634
<ul></ul><p>Here's some modifications I've done from Natalia Lebedeva's patch.<br />Basically just made sure it pulled the user object only once pr. group, and made it pull all Redmine groups from the database and tries to remove you from every group in Redmine.</p>
<p>Since Natalia's patch already makes sure to create group and member group associations, I found this the easiest way to deal with removal. Problem is that this probably doesn't scale very well as already mentioned, as this happens on every user login.</p>
<p>My modified patch is available here: <a class="external" href="https://gist.github.com/25e3df445eff2ab6a460">https://gist.github.com/25e3df445eff2ab6a460</a> (rev c50cf3 at the time of writing). Note that I've changed the ldap filter lookup to "memberUid" as we use the nis.schema in our LDAP.</p>
I assume the solution for making this scale rather well, is to make this task a cronjob task:
<ul>
<li>Basically does the same as the patch</li>
<li>Just make sure the actions in the patch run as a transaction, so the user doesn't notice he "was" removed from all the groups and added again. If the user is requesting project A which requires group Y while the transaction is running, this will only turn into a "tiny" longer waiting time (page load) than usual I think.</li>
</ul>
There's "two" problems with the cronjob deal:
<ul>
<li>LDAP changes won't reflect right away, but just on every "sync" when the cronjob is doing its tasks.</li>
<li>Setting up the cronjob is not out of the box as simply deploying Redmine, you actually need to set up the cronjob (but imo, if you're dealing with deploying Redmine &amp; LDAP - you probably should know how to set up a cronjob..)</li>
</ul>
Terence Mill, 2010-10-22T06:56:08Z, https://www.redmine.org/issues/1113?journal_id=21641
<ul></ul><p>We use Novell edirectory which has beyond "normal" groups a kind of <a href="http://support.novell.com/techcenter/articles/ana20020405.html" class="external">dynamic/virtual groups</a>.<br /><pre>...
Dynamic groups let you specify the members of a group using a search filter. The members of a dynamic group are computed dynamically by the eDirectory server(s) whenever the groups are accessed or evaluated. This makes it easier for a user to group objects together because membership can be based on a certain criterion, without having to manually add each member to the Group object..
</pre></p>
<p>As I understood this group type there is no membership attribute at the member defined, but a group definition referencing all members via search filter query. So it would need to join the query result with the member(s) in redmine to evaluate if it's a member or not.</p>
<p>Will this patch also work with this kind of groups?</p>
Tom Kuther, 2010-11-25T13:38:29Z, https://www.redmine.org/issues/1113?journal_id=22696
<ul><li><strong>File</strong> <a href="/attachments/4902">redmine-1.0.3_ldap_autogroups.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/4902/redmine-1.0.3_ldap_autogroups.patch">redmine-1.0.3_ldap_autogroups.patch</a> added</li></ul><p>Hello,</p>
<p>I desperately need this feature. Redmine would be a no-go for the company here, otherwise.<br />Tried to use the plugin, but I couldn't figure out what it does, if it does anything.</p>
<p>Attached is a modified version of Roy Sindre Norangshol's patch, with following changes:</p>
<ul>
<li>Well, I removed the deletion part, feel free to re-add it from Roy's patch, if needed/wanted.</li>
<li>shorten the group CN if it's longer than 30 chars (braindead lastname.length limitation)</li>
<li>check if the user exists already, as it would fail with on-the-fly registration (user gets created after authenticate(login, password) somehow).</li>
<li>AD style: search for "member:" attribute containing user's DN, not memberUID. Should still be made configurable.</li>
</ul>
<p>Now with this and on-the-fly registration turned on, it works, but users have to login twice.</p>
Terence Mill, 2011-02-22T00:23:23Z, https://www.redmine.org/issues/1113?journal_id=25442
<ul></ul><p>+1</p>
Stéphane Duchesneau, 2011-03-24T14:34:36Z, https://www.redmine.org/issues/1113?journal_id=27068
<ul></ul><p>+1 !</p>
Joshua Villagomez, 2011-04-20T20:18:22Z, https://www.redmine.org/issues/1113?journal_id=28199
<ul></ul><p>+1</p>
Terence Mill, 2011-07-15T07:11:26Z, https://www.redmine.org/issues/1113?journal_id=30757
<ul></ul><p>There is a new plugin for <a href="https://github.com/thorin/redmine_ldap_sync/blob/master/README.md" class="external">ldap sync</a></p>
Jérôme BATAILLE, 2012-01-19T09:41:43Z, https://www.redmine.org/issues/1113?journal_id=35458
<ul></ul><p>You can check :<br /><a class="external" href="https://github.com/Utopism/redmine_ldap_sync">https://github.com/Utopism/redmine_ldap_sync</a></p>
<p>a fork of the ldap_sync plugin with enhancements.</p>
Terence Mill, 2012-01-19T23:54:21Z, https://www.redmine.org/issues/1113?journal_id=35466
<ul></ul><p>Why a cache?<br />Dynamic groups?</p>
<p>Jérôme BATAILLE wrote:</p>
<blockquote>
<p>You can check :<br /><a class="external" href="https://github.com/Utopism/redmine_ldap_sync">https://github.com/Utopism/redmine_ldap_sync</a></p>
<p>a fork of the ldap_sync plugin with enhancements.</p>
</blockquote>
Anonymous, 2017-03-21T21:09:42Z, https://www.redmine.org/issues/1113?journal_id=77408
<ul></ul><a name="Redmine-Plugin-Add-LDAP-Users-to-Group"></a>
<h2 >Redmine Plugin : Add LDAP Users to Group<a href="#Redmine-Plugin-Add-LDAP-Users-to-Group" class="wiki-anchor">¶</a></h2>
<p>I just made some plugin that could help people with Redmine ~3.2</p>
<blockquote>
<p>Redmine plugin that automatically adds newly logged-in LDAP users to specific group that is configurated in plugin's settings.</p>
</blockquote>
<p><a class="external" href="https://github.com/savoirfairelinux/redmine-add-ldap-user-to-group">https://github.com/savoirfairelinux/redmine-add-ldap-user-to-group</a></p>
Toshi MARUYAMA, 2017-04-19T15:44:31Z, https://www.redmine.org/issues/1113?journal_id=78105
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-1 priority-4 priority-default" href="/issues/6202">Feature #6202</a>: On-the-fly group addition based on LDAP sources</i> added</li></ul>
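<p>The login-time synchronisation discussed in this thread (look up the user's LDAP groups with a configurable membership attribute, add missing memberships, remove stale ones), sketched as an added example that is not part of the thread, of Redmine, or of any attached patch. The function names, the <code>managed</code> list of LDAP-sourced groups and the sample data are assumptions made for illustration.</p>

```ruby
require 'set'

# Added example; every name below is hypothetical, not Redmine's API.

# Escape a value for an LDAP search filter (RFC 4515), so a login or DN
# containing * ( ) \ or NUL cannot change the structure of the filter.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Build the group lookup filter. The membership attribute is configurable
# (uniqueMember, memberUid and member are all used in the thread).
def membership_filter(attribute, value)
  unless attribute.match?(/\A[A-Za-z][A-Za-z0-9-]*\z/)
    raise ArgumentError, "invalid attribute name: #{attribute.inspect}"
  end
  "(#{attribute}=#{escape_filter_value(value)})"
end

# Decide which memberships to add and remove for one user.
#   ldap_groups    - group names the directory returned for the user
#   redmine_groups - group names that exist in Redmine
#   current        - groups the user belongs to in Redmine now
#   managed        - groups whose membership comes from LDAP (assumption);
#                    groups outside this list are never removed by the sync
def plan_group_sync(ldap_groups:, redmine_groups:, current:, managed:)
  # A failed lookup is not the same as "user is in no groups".
  raise ArgumentError, 'LDAP lookup failed, refusing to sync' if ldap_groups.nil?

  # Only groups that already exist in Redmine are considered.
  wanted = Set.new(ldap_groups) & Set.new(redmine_groups)
  have   = Set.new(current)
  { add: (wanted - have).sort,
    remove: ((have & Set.new(managed)) - wanted).sort }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  puts membership_filter('memberUid', 'jdoe')
  p plan_group_sync(
    ldap_groups: %w[dev qa ops],
    redmine_groups: %w[dev qa admins local-reviewers],
    current: %w[admins dev local-reviewers],
    managed: %w[dev qa admins]
  )
end
```

<p>The returned plan can be applied inside a single database transaction, whether it is computed at login or by a scheduled job.</p>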