Project

General

Profile

Actions

Feature #7532

closed

LDAP groups with Redmine

Added by Jor Dano almost 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
LDAP
Target version:
-
Start date:
2011-02-03
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid

Description

Hello everyone,

Is it possible to configure or access to our LDAP groups from Redmine. I explain I configure LDAP authentication to Redmine, but I do not want all the world to go access to Redmine, only 2 groups.
(For example for a school, access for teachers, even if all students are part of LDAP).
So I repeat myself a bit but is it possible to configure Redmine to give access only to certain specific groups throughout our LDAP.

I think of another solution if this is not possible. My solution is:
Configure LDAP for my Redmine, but then, when people connect to Redmine for the first time, the administrator must validate before it can connect. In the same way that a record except that it authenticates directly with their account.

I watched a different forum on the internet already opened, but nothing recent. So if you can help me to be very nice. ;)

If you have any solution or another login system given me ideas.

Thank you in advance

Jordano

Actions #1

Updated by Etienne Massip almost 14 years ago

  • Subject changed from Groupes LDAP su Redmine to LDAP groups with Redmine
  • Category set to LDAP

Thanks. I believe this is related to #5742.

Actions #2

Updated by Jor Dano almost 14 years ago

Hi Etienne Massip,

Thanks for you answer, but I've watched these pages and there isn't a answer for me.

Have you a solution or not ?
What are the best solutions for me ?

Excuse me for my English...

Actions #4

Updated by Jor Dano almost 14 years ago

Ok, I see this topic, I test and if I have a bugs I waved tomorrow.

Thanks very much for your answer, because I must succeed for tomorrow.

good evening

Actions #5

Updated by Etienne Massip almost 14 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

This is kinda more of a post for the Help forum, sorry but I will have to close it too, hope you found your answer, if not, ask forum.

Actions #6

Updated by Olivier SMEDTS over 13 years ago

Why close it ? The help forum has a patch, but the feature could be added in Redmine to restrict LDAP auth to a specified LDAPĀ group.

Actions #7

Updated by Etienne Massip over 13 years ago

Isn't this feature already explained in #5742 and related ?

Actions #8

Updated by Olivier SMEDTS over 13 years ago

This one only restricts authentication (and Redmine users creation, if on-the-fly import from LDAPĀ is activated) based on a group, a feature often present in web-based products which support LDAP auth. #5742 is a lot more intrusive in Redmine's code : it's about implementing Redmine groups, and associating Redmine roles to users based on their LDAP groups, not about authentication. We're only speaking here of adding an input in LDAP auth configuration, like we're already able to restrict authentication with a base DN.

Actions #9

Updated by Etienne Massip over 13 years ago

What kind of input could be needed in addition to the base DN ? LDAP attributes ?

Anyway, the issue description is more a question, hence its actual state ; opening a new feature, if needed, would be more clear.

Actions #10

Updated by Olivier SMEDTS over 13 years ago

An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).

Actions #11

Updated by Terence Mill over 13 years ago

You mean a group DN and group search ldap filter. Futhermore and attribute for ldap users and groups which can map the role in redmine.

My approach for a full ldap group support in redmine is minimal invasive:

First step: Admin selects potential groups in ldap, that get known in redmine
Redmine should do an "on the fly" lookup if admin enters group search string. The admin can select groups from query result for setup in redmine. In Redmine group view, Groups which still exists in ldap get marked so you can distinguish them to "internal only" redmine groups or groups that has been deleted in ldap.

Second step: The admin assigns projects and roles to that groups

Third step: User authentification and "on tfe fly" project/role assigment via ldap group on login

If users logs into redmine, user gets authenticated agaist ldap and if valid redmine retrieves all ldap groups for that user - but only for configured group DN. Then redmine filters alls groups that exists in ldap and corresponding ones in redmine with same name.
Groups don't get deleted in redmine if no longer exists in ldap on next check (on login or group configuration in admin gui), but get marked so that it is visualized it is no ldap any longer. Also if ldap group(s) no longer exists (can be made optional by checkbox, so internal groups can be used also) group(s) won't get used for project-role authorization.
This approach checks user group memberships in ldap and group existence in ldap on the fly and don't imports and synronizes all ldap groups all the time.

Actions #12

Updated by Etienne Massip over 13 years ago

Olivier SMEDTS wrote:

An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).

Agreed. There's already a feature request for this, btw : #5702.

Actions

Also available in: Atom PDF