Feature #7532
closed
Added by Jor Dano almost 14 years ago.
Updated over 13 years ago.
Description
Hello everyone,
Is it possible to configure or access our LDAP groups from Redmine? Let me explain: I configure LDAP authentication for Redmine, but I do not want everyone to have access to Redmine, only 2 groups.
(For example for a school, access for teachers, even if all students are part of LDAP).
So I am repeating myself a bit, but is it possible to configure Redmine to give access only to certain specific groups in our LDAP?
I think of another solution if this is not possible. My solution is:
Configure LDAP for my Redmine, but then, when people connect to Redmine for the first time, the administrator must validate them before they can connect. In the same way as a registration, except that they authenticate directly with their account.
I looked at different forum threads already opened on the internet, but found nothing recent. So if you can help me, that would be very nice. ;)
If you have any solution or another login system, give me ideas.
Thank you in advance
Jordano
- Subject changed from Groupes LDAP su Redmine to LDAP groups with Redmine
- Category set to LDAP
Thanks. I believe this is related to #5742.
Hi Etienne Massip,
Thanks for your answer, but I've looked at these pages and there isn't an answer for me.
Do you have a solution or not?
What are the best solutions for me ?
Excuse me for my English...
Ok, I see this topic. I will test, and if I have bugs I will let you know tomorrow.
Thanks very much for your answer, because I must succeed for tomorrow.
Good evening
- Status changed from New to Closed
- Resolution set to Invalid
This is kinda more of a post for the Help forum, sorry but I will have to close it too, hope you found your answer, if not, ask forum.
Why close it? The help forum has a patch, but the feature could be added in Redmine to restrict LDAP auth to a specified LDAP group.
Isn't this feature already explained in #5742 and related?
This one only restricts authentication (and Redmine users creation, if on-the-fly import from LDAP is activated) based on a group, a feature often present in web-based products which support LDAP auth. #5742 is a lot more intrusive in Redmine's code: it's about implementing Redmine groups, and associating Redmine roles to users based on their LDAP groups, not about authentication. We're only speaking here of adding an input in LDAP auth configuration, like we're already able to restrict authentication with a base DN.
What kind of input could be needed in addition to the base DN? LDAP attributes?
Anyway, the issue description is more a question, hence its actual state; opening a new feature, if needed, would be more clear.
An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).
You mean a group DN and group search ldap filter. Furthermore, an attribute for ldap users and groups which can map the role in redmine.
My approach for full ldap group support in redmine is minimally invasive:
First step: Admin selects potential groups in ldap, that get known in redmine
Redmine should do an "on the fly" lookup if the admin enters a group search string. The admin can select groups from the query result for setup in redmine. In the Redmine group view, groups which still exist in ldap get marked so you can distinguish them from "internal only" redmine groups or groups that have been deleted in ldap.
Second step: The admin assigns projects and roles to those groups
Third step: User authentication and "on the fly" project/role assignment via ldap group on login
If a user logs into redmine, the user gets authenticated against ldap and, if valid, redmine retrieves all ldap groups for that user - but only for the configured group DN. Then redmine filters all groups that exist in ldap and the corresponding ones in redmine with the same name.
Groups don't get deleted in redmine if they no longer exist in ldap on the next check (on login or group configuration in the admin gui), but get marked so that it is visible that they are no longer ldap groups. Also, if ldap group(s) no longer exist (can be made optional by a checkbox, so internal groups can be used also), the group(s) won't get used for project-role authorization.
This approach checks user group memberships in ldap and group existence in ldap on the fly and doesn't import and synchronize all ldap groups all the time.
Olivier SMEDTS wrote:
An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).
Agreed. There's already a feature request for this, btw: #5702.
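
The "LDAP filter" input discussed in this thread, sketched as an added example (not Redmine's code and not from any participant): the login search filter is ANDed with an allow-list of group DNs so that only members of those groups can authenticate. The function names, the memberOf attribute (which assumes the directory exposes group membership on user entries, as Active Directory does) and the example.org DNs are assumptions made for illustration.

```ruby
# Added example (not Redmine code). Function names and DNs are constructed.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(', ')' and NUL become \XX hex pairs, so a login
# typed by a user is always treated as a literal value.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Build "(&(login_attr=login)(|(memberOf=dn1)(memberOf=dn2)))".
# login_attr and member_attr come from admin configuration, not user input.
# member_attr defaults to memberOf, which is an assumption about the directory.
def group_restricted_filter(login_attr, login, group_dns, member_attr: 'memberOf')
  # Fail closed: an empty allow-list must not degrade to "any LDAP user".
  raise ArgumentError, 'at least one group DN is required' if group_dns.empty?

  user_clause = "(#{login_attr}=#{escape_filter_value(login)})"
  group_clauses = group_dns.map { |dn| "(#{member_attr}=#{escape_filter_value(dn)})" }
  group_clause = group_clauses.size == 1 ? group_clauses.first : "(|#{group_clauses.join})"
  "(&#{user_clause}#{group_clause})"
end

# Constructed sample allow-list (the school case from the description:
# teachers and staff may log in, students may not).
ALLOWED_GROUPS = [
  'cn=teachers,ou=groups,dc=example,dc=org',
  'cn=staff,ou=groups,dc=example,dc=org'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts group_restricted_filter('uid', 'jdoe', ALLOWED_GROUPS)
end
```

A search with this filter under the configured base DN returns no entry for a user outside the listed groups, so the bind step is never reached for them.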