<p><strong>Redmine - Defect #4283: LDAP attributes should be read as user</strong> (https://www.redmine.org/issues/4283)</p>
<p><strong>Felix Schäfer</strong>, 2009-11-30T22:01:04Z (https://www.redmine.org/issues/4283?journal_id=12597):</p>
<ul><li><strong>File</strong> <a href="/attachments/2858">lookup_LDAP_attributes_as_user.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2858/lookup_LDAP_attributes_as_user.patch">lookup_LDAP_attributes_as_user.patch</a> added</li></ul><p>I had a quick shot at this one and came up with the attached patch against current git (8b8c24e61f37cee0904ad8d44184da58a2f8ca43). I couldn't do extensive testing, because my dev Redmine doesn't have access to an LDAP server, but the attribute-fetching query gave the expected results in irb, so that should work.</p>
<p><strong>Joe Heck</strong>, 2009-12-28T17:53:48Z (https://www.redmine.org/issues/4283?journal_id=13333):</p>
<p>I tried the patch against 0.87 released code - I'm afraid the patch didn't apply cleanly.</p>
<p>I also read through the patch though, and it still requires you to authenticate/bind with a userid/password from the configuration prior to attempting to authenticate/bind with the user's provided account and credentials. I tried a variation on the theme, but found I needed to prefix the domain to the login to authenticate/bind to AD over LDAPS.</p>
<p><strong>Felix Schäfer</strong>, 2010-01-04T09:18:13Z (https://www.redmine.org/issues/4283?journal_id=13413):</p>
<p>Hello Joe,</p>
<p>I whipped up the patch on trunk, so I'm not too surprised it didn't work on stable. Regarding usernames with AD: yeah, AD is a little picky, but you'd have to prefix the login with the domain either way, even with the stock LDAP implementation, but I think it's mentioned in the guide (I've never worked with AD though, so that's all hearsay more than evidence).</p>
<p>Regarding the need to connect to the LDAP server with the "global" credentials upfront:</p>
<blockquote>
<p>To avoid this, it is good practice in the LDAP world to use the "application" LDAP user to look up the DN corresponding to a username, and then look up additional attributes when connected as the user itself, not as the "application" user.</p>
</blockquote>
<p>Basically, most LDAP servers will only let you connect using a DN; you can't just use the "login" Redmine uses, so the authentication scheme first must find the DN corresponding to the login name using the "redmine" DN, and can then connect to the LDAP server with the user DN. Currently, all operations are done through the redmine DN, which forces you to have a user in LDAP that has read rights on the names and mail addresses of everyone. With the approach of first looking up the DN corresponding to the login, you only need the redmine user to have search rights on the login attribute in LDAP.</p>
<p>I'm sorry if that's not very clear, but English is "only" the third language I learned. Tell me if there still are any understanding problems so I can try to be clearer.</p>
<p><strong>Daniel Felix</strong>, 2013-01-14T10:19:38Z (https://www.redmine.org/issues/4283?journal_id=44288):</p>
<p>Any news on this suggestion? I'm sure the patch won't work with the current trunk. But the basic idea behind it sounds good.</p>
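<p>The two-step scheme Felix describes above (resolve the login to a DN with the application account, then bind as the user and read the attributes under the user's own rights), as an added Ruby example that is not the attached patch or Redmine's code. <code>FakeLdap</code> is a constructed in-memory directory standing in for an LDAP server so the flow runs offline, and <code>redmine_ldap_authenticate</code> is a hypothetical name; a real deployment would talk to the server through Net::LDAP.</p>

```ruby
# Constructed stand-in for an LDAP server with per-identity read rights,
# so the flow runs offline; a real deployment would use Net::LDAP instead.
class FakeLdap
  APP_DN = "cn=redmine,ou=apps,dc=example,dc=com"   # the "redmine" DN
  APP_PW = "app-pw"
  ENTRIES = {
    "uid=jdoe,ou=people,dc=example,dc=com" =>
      { password: "s3cret", uid: "jdoe", cn: "Jane Doe", mail: "jdoe@example.com" },
    "uid=asmith,ou=people,dc=example,dc=com" =>
      { password: "pa55", uid: "asmith", cn: "Al Smith", mail: "asmith@example.com" },
  }

  def initialize
    @bound = nil
  end

  # Simple bind: succeeds only for a known DN presenting the right password.
  def bind(dn, password)
    expected = dn == APP_DN ? APP_PW : ENTRIES.dig(dn, :password)
    @bound = (expected && expected == password) ? dn : nil
    !@bound.nil?
  end

  # Access control: the application DN may only see the login attribute
  # (uid); a user may read every attribute of its own entry, nothing else.
  def search(filter_attr, value, attrs)
    raise "not bound" unless @bound
    ENTRIES.select { |_, e| e[filter_attr] == value }.map do |dn, e|
      visible = attrs.select { |a| @bound == dn || (@bound == APP_DN && a == :uid) }
      [dn, e.slice(*visible)]
    end
  end
end

# The scheme from the comment: 1. bind as the application DN, 2. resolve the
# login to a DN (search rights on uid suffice), 3. bind as the user with the
# supplied password, 4. read the user's attributes under the user's own rights.
def redmine_ldap_authenticate(ldap, login, password)
  return nil unless ldap.bind(FakeLdap::APP_DN, FakeLdap::APP_PW)
  dn, _ = ldap.search(:uid, login, [:uid]).first
  return nil unless dn                        # unknown login
  return nil unless ldap.bind(dn, password)   # wrong password
  _, attrs = ldap.search(:uid, login, [:cn, :mail]).first
  { dn: dn, cn: attrs[:cn], mail: attrs[:mail] }
end
```

<p>Because the application DN is only granted visibility of <code>uid</code>, an attribute lookup made with it returns nothing, which is exactly why the names and mail addresses have to be fetched after the user's own bind.</p>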