Feature #4124
open
Added by Lluís Vilanova about 15 years ago.
Updated about 2 years ago.
Description
I have most users in my redmine system authenticated through LDAP, but I've seen that changes in the redmine DDBB are not synced with LDAP. Namely:
- password: option not available in "non-native" users
- mail: changes in redmine do not reflect in LDAP (neither the other way around, but that's not so problematic for me)
- first name: not aproblem, as it cannot be changed in the LDAP
- last name: idem
Thanks,
Lluis
I've been searching a correct fix for this.
In our company we are enforcing LDAP settings so users are not allowed to change logins, names and emails.
Since some dedicated individuals started to had fun, I applied a fast fix:
/app/controllers/my_controller.rb comment out line 50 @user.attributes = params[:user]
This has a side effect on users not able to change language (minor issue)
The patch #4977 fixes only the UI part, so it would be pretty simple to forge the request.
+1 on better integration
There should be a keyfield to tie in to the LDAP record, since many properly configured LDAPs do allow all the "real-world" data to change - people do change last name frequently, and even first name occasionally. Email can and will obviously change, particularly in non-corporate environments.
Updates from the LDAP side could be handled by a pull via cronjob.
If you wanted Redmine updates to get sync'd up to the LDAP, I think things get more difficult, and I believe such use cases are rare - IMO LDAP should be "master" and changes to LDAP-controlled fields are blocked. I suppose Admin could do an edit knowing it'll get over-written at the next sync, OK for temporary quick-and-dirty situations when change requests to the LDAP admin might take time to get done.
A workaround-kludge solution for this would be to accommodate LDIF imports to update existing match records, but the keyfield requirement is a must in any case.
Changes from ldap side should be synced to redmine of course, the other way isn't wished in our case. If someone use ldap its why many application use this common user base. There should be a central registartion and change process for ldap adn even an own apllication doing user managment. I doesn't make sense in that common szenario that every consumer of that trusted user base can chnage this trusted data. Every application which can change user data makes the whole thing less trustable and open security issues.
It would be nice to have option to block changes of user attributes that redmine get from
LDAP. Plus sync attributes every login.
Because of LDAP used to manage users and it's information in one place, and
if you have another place(redmine) where user can/should change their information,
this cause a troubles to IT and users.
Do we have any solution for that? Now I have a problem with Married employe name change. I can mot change the name because it is blocked by LDAP authentication and it's not updating new data from LDAP.
Also available in: Atom
PDF