- password: option not available in "non-native" users
- mail: changes in redmine do not reflect in LDAP (neither the other way around, but that's not so problematic for me)
- first name: not aproblem, as it cannot be changed in the LDAP
- last name: idem
#2 Updated by Roman E. over 7 years ago
I've been searching a correct fix for this.
In our company we are enforcing LDAP settings so users are not allowed to change logins, names and emails.
Since some dedicated individuals started to had fun, I applied a fast fix:
/app/controllers/my_controller.rb comment out line 50 @user.attributes = params[:user]
This has a side effect on users not able to change language (minor issue)
The patch #4977 fixes only the UI part, so it would be pretty simple to forge the request.
#3 Updated by Hans Bangkok over 7 years ago
+1 on better integration
There should be a keyfield to tie in to the LDAP record, since many properly configured LDAPs do allow all the "real-world" data to change - people do change last name frequently, and even first name occasionally. Email can and will obviously change, particularly in non-corporate environments.
Updates from the LDAP side could be handled by a pull via cronjob.
If you wanted Redmine updates to get sync'd up to the LDAP, I think things get more difficult, and I believe such use cases are rare - IMO LDAP should be "master" and changes to LDAP-controlled fields are blocked. I suppose Admin could do an edit knowing it'll get over-written at the next sync, OK for temporary quick-and-dirty situations when change requests to the LDAP admin might take time to get done.
A workaround-kludge solution for this would be to accommodate LDIF imports to update existing match records, but the keyfield requirement is a must in any case.
#4 Updated by Terence Mill over 7 years ago
Changes from ldap side should be synced to redmine of course, the other way isn't wished in our case. If someone use ldap its why many application use this common user base. There should be a central registartion and change process for ldap adn even an own apllication doing user managment. I doesn't make sense in that common szenario that every consumer of that trusted user base can chnage this trusted data. Every application which can change user data makes the whole thing less trustable and open security issues.
#5 Updated by Evgeniy Dushistov over 2 years ago
It would be nice to have option to block changes of user attributes that redmine get from
LDAP. Plus sync attributes every login.
Because of LDAP used to manage users and it's information in one place, and
if you have another place(redmine) where user can/should change their information,
this cause a troubles to IT and users.