Patch #30757
open
LDAP Contextless login in Active Directory
0%
Description
I created a very quick and dirty 4-line patch to allow contextless login authentication in Active Directory on LDAP module. I.e. without the need to have a search specific user nor allowing anonymous search in the directory server.
It uses the same login and password entered in the login screen and computes domain from a regex sub from the base_dn to avoid the need to create additional configuration fields (binds samaccountname=login@domain).
I know that it might not be needed for most AD ldap scenarios, when you should be able to create a specific user just to bind and search on your Active Directory, but I thought it might come in handy for other people.
Files
Updated by Guilherme Chehab about 5 years ago
Well it broke automatic user creation and getting add user from LDAP server for, in both cases, auth_source_ldap.rb tries to bind again with anonymous binds, instead of the current user's dn and password...
Have to review the code with a more elegant solution, I will review the patch and submit it again.
Updated by Guilherme Chehab about 5 years ago
- File auth_source_ldap.rb.diff auth_source_ldap.rb.diff added
- Status changed from New to Resolved
Fixed on the fly automatic user creation.
Fixed add new user searching using AD, but administrator user must been logged using Active Directory credentials
Updated by Holger Just about 5 years ago
- Status changed from Resolved to New
I'm not sure if this is documented anywhere, but you can set the LDAP Account to $login (literally that string starting with a dollar character) and leave the Password field empty, Redmine will use the username and password provided by the user as they login to get the user details from the LDAP server.
The only significant difference to your patch appears to be that Redmine doesn't automatically append the domain. If this is necessary to login your users, they should/need to always append the domain to their username when logging in.
Does this already solve your requirement? In that case, we should just document this feature.