Feature #4124

LDAP integration

Added by Lluís Vilanova almost 8 years ago. Updated over 1 year ago.

Status: New
Start date: 2009-10-27
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: LDAP
Target version: -
Resolution:

Description

I have most users in my redmine system authenticated through LDAP, but I've seen that changes in the redmine DDBB are not synced with LDAP. Namely:
  • password: option not available in "non-native" users
  • mail: changes in redmine do not reflect in LDAP (neither the other way around, but that's not so problematic for me)
  • first name: not a problem, as it cannot be changed in the LDAP
  • last name: idem

Thanks,
Lluis


Related issues

Related to Redmine - Patch #4977: LDAP user cant change username and email New 2010-03-03

History

#1 Updated by Jean-Philippe Lang almost 8 years ago

  • Category set to LDAP

#2 Updated by Roman E. over 6 years ago

I've been searching for a correct fix for this.

In our company we are enforcing LDAP settings so users are not allowed to change logins, names and emails.
Since some dedicated individuals started to have fun, I applied a fast fix:
/app/controllers/my_controller.rb: comment out line 50, @user.attributes = params[:user]
This has a side effect: users are not able to change language (minor issue)

The patch #4977 fixes only the UI part, so it would be pretty simple to forge the request.
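
Added example (not part of the comment above and not Redmine's own code): a server-side allowlist that drops directory-managed fields for LDAP-backed accounts while still accepting the language setting, so the check does not depend on the UI. The `User` struct, the field names, `auth_source_id` and the sample request are assumptions constructed for illustration.

```ruby
require 'set'

# Assumed field names; adjust to the attributes your directory actually owns.
LDAP_MANAGED_FIELDS  = Set['login', 'firstname', 'lastname', 'mail'].freeze
SELF_EDITABLE_FIELDS = Set['login', 'firstname', 'lastname', 'mail', 'language'].freeze

# Minimal stand-in for the application's user record (hypothetical).
User = Struct.new(:login, :firstname, :lastname, :mail, :language,
                  :admin, :auth_source_id) do
  # An account is directory-backed when it points at an external auth source.
  def ldap_backed?
    !auth_source_id.nil?
  end
end

# Split submitted parameters into [accepted, rejected].
# Anything outside the allowlist is rejected, including privileged
# attributes such as "admin" that a hand-crafted request could add.
def filter_profile_params(user, params)
  allowed = SELF_EDITABLE_FIELDS
  allowed -= LDAP_MANAGED_FIELDS if user.ldap_backed?
  accepted = {}
  rejected = []
  params.each do |key, value|
    name = key.to_s
    if allowed.include?(name)
      accepted[name] = value
    else
      rejected << name
    end
  end
  [accepted, rejected]
end

# Apply only the accepted attributes; return the rejected names so the
# caller can log them as a signal of a tampered request.
def update_profile(user, params)
  accepted, rejected = filter_profile_params(user, params)
  accepted.each { |name, value| user[name] = value }
  rejected
end

# Constructed sample: a request body with fields the form never offered.
FORGED_PARAMS = {
  'mail' => 'other@example.org', 'language' => 'de',
  'login' => 'someone-else', 'admin' => true
}.freeze
```

With this in place the language preference keeps working for LDAP users, which the comment-out workaround above gives up.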

#3 Updated by Hans Bangkok over 6 years ago

+1 on better integration

There should be a keyfield to tie in to the LDAP record, since many properly configured LDAPs do allow all the "real-world" data to change - people do change last name frequently, and even first name occasionally. Email can and will obviously change, particularly in non-corporate environments.

Updates from the LDAP side could be handled by a pull via cronjob.

If you wanted Redmine updates to get sync'd up to the LDAP, I think things get more difficult, and I believe such use cases are rare - IMO LDAP should be "master" and changes to LDAP-controlled fields are blocked. I suppose Admin could do an edit knowing it'll get over-written at the next sync, OK for temporary quick-and-dirty situations when change requests to the LDAP admin might take time to get done.

A workaround-kludge solution for this would be to accommodate LDIF imports to update existing match records, but the keyfield requirement is a must in any case.

#4 Updated by Terence Mill over 6 years ago

Changes from the LDAP side should be synced to Redmine of course; the other way isn't wished in our case. If someone uses LDAP, it's because many applications use this common user base. There should be a central registration and change process for LDAP and even its own application doing user management. It doesn't make sense in that common scenario that every consumer of that trusted user base can change this trusted data. Every application which can change user data makes the whole thing less trustworthy and opens security issues.

#5 Updated by Evgeniy Dushistov over 1 year ago

It would be nice to have an option to block changes of user attributes that Redmine gets from LDAP. Plus sync attributes on every login.

Because LDAP is used to manage users and their information in one place, if you have another place (Redmine) where users can/should change their information, this causes trouble for IT and users.
