Feature #7532

closed

LDAP groups with Redmine

Added by Jor Dano about 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: LDAP
Target version: -
Start date: 2011-02-03
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid

Description

Hello everyone,

Is it possible to configure or access our LDAP groups from Redmine? To explain: I configured LDAP authentication for Redmine, but I do not want everyone to have access to Redmine, only 2 groups.
(For example for a school, access for teachers, even if all students are part of LDAP).
So I repeat myself a bit, but is it possible to configure Redmine to give access only to certain specific groups throughout our LDAP?

I think of another solution if this is not possible. My solution is:
Configure LDAP for my Redmine, but then, when people connect to Redmine for the first time, the administrator must validate before it can connect. In the same way that a record except that it authenticates directly with their account.

I looked at different forum threads already opened on the internet, but found nothing recent. So if you can help me, that would be very nice. ;)

If you have any solution or another login system, give me ideas.

Thank you in advance

Jordano

Actions #1

Updated by Etienne Massip about 13 years ago

  • Subject changed from Groupes LDAP su Redmine to LDAP groups with Redmine
  • Category set to LDAP

Thanks. I believe this is related to #5742.

Actions #2

Updated by Jor Dano about 13 years ago

Hi Etienne Massip,

Thanks for your answer, but I've looked at these pages and there isn't an answer for me.

Have you a solution or not ?
What are the best solutions for me ?

Excuse me for my English...

Actions #4

Updated by Jor Dano about 13 years ago

Ok, I see this topic, I test and if I have bugs I waved tomorrow.

Thanks very much for your answer, because I must succeed for tomorrow.

good evening

Actions #5

Updated by Etienne Massip about 13 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

This is kinda more of a post for the Help forum, sorry but I will have to close it too, hope you found your answer, if not, ask forum.

Actions #6

Updated by Olivier SMEDTS about 13 years ago

Why close it ? The help forum has a patch, but the feature could be added in Redmine to restrict LDAP auth to a specified LDAP group.

Actions #7

Updated by Etienne Massip about 13 years ago

Isn't this feature already explained in #5742 and related ?

Actions #8

Updated by Olivier SMEDTS about 13 years ago

This one only restricts authentication (and Redmine users creation, if on-the-fly import from LDAP is activated) based on a group, a feature often present in web-based products which support LDAP auth. #5742 is a lot more intrusive in Redmine's code : it's about implementing Redmine groups, and associating Redmine roles to users based on their LDAP groups, not about authentication. We're only speaking here of adding an input in LDAP auth configuration, like we're already able to restrict authentication with a base DN.

Actions #9

Updated by Etienne Massip about 13 years ago

What kind of input could be needed in addition to the base DN ? LDAP attributes ?

Anyway, the issue description is more a question, hence its actual state ; opening a new feature, if needed, would be more clear.

Actions #10

Updated by Olivier SMEDTS about 13 years ago

An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).

Actions #11

Updated by Terence Mill about 13 years ago

You mean a group DN and group search ldap filter. Furthermore, an attribute for ldap users and groups which can map the role in redmine.

My approach for a full ldap group support in redmine is minimal invasive:

First step: Admin selects potential groups in ldap, that get known in redmine
Redmine should do an "on the fly" lookup if admin enters group search string. The admin can select groups from query result for setup in redmine. In Redmine group view, groups which still exist in ldap get marked so you can distinguish them from "internal only" redmine groups or groups that have been deleted in ldap.

Second step: The admin assigns projects and roles to that groups

Third step: User authentication and "on the fly" project/role assignment via ldap group on login

If a user logs into redmine, the user gets authenticated against ldap and if valid redmine retrieves all ldap groups for that user - but only for configured group DN. Then redmine filters all groups that exist in ldap and corresponding ones in redmine with same name.
Groups don't get deleted in redmine if no longer exists in ldap on next check (on login or group configuration in admin gui), but get marked so that it is visualized it is no ldap any longer. Also if ldap group(s) no longer exists (can be made optional by checkbox, so internal groups can be used also) group(s) won't get used for project-role authorization.
This approach checks user group memberships in ldap and group existence in ldap on the fly and doesn't import and synchronize all ldap groups all the time.

Actions #12

Updated by Etienne Massip about 13 years ago

Olivier SMEDTS wrote:

An "LDAP filter" input would be very useful and could be used to restrict Redmine users to LDAP groups or more (custom attributes).

Agreed. There's already a feature request for this, btw : #5702.
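The "LDAP filter" input discussed in this thread, sketched as an added example that is not part of the original thread or of Redmine's code: the administrator's restriction filter is ANDed with the per-login filter, and the login value is escaped per RFC 4515 so it cannot rewrite the filter. The helper names, the `uid` login attribute, the sample group DN and the availability of a `memberOf` attribute in the directory are assumptions.

```ruby
# Added example (hypothetical helper names): build the per-login search filter
# and AND it with an administrator-supplied restriction filter.

# Characters that must be escaped inside a filter value (RFC 4515).
FILTER_ESCAPES = {
  "\\" => '\5c', "*" => '\2a', "(" => '\28', ")" => '\29', "\x00" => '\00'
}.freeze

# Constructed sample restriction; assumes the directory exposes memberOf.
TEACHERS_FILTER = "(memberOf=cn=teachers,ou=groups,dc=example,dc=edu)"

def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| FILTER_ESCAPES[c] }
end

# True only for one balanced, fully parenthesised filter expression.
def valid_filter?(filter)
  return false unless filter.start_with?("(") && filter.end_with?(")")
  depth = 0
  filter.each_char.with_index do |c, i|
    depth += 1 if c == "("
    depth -= 1 if c == ")"
    # Closing the outer group before the last character means trailing junk.
    return false if depth.zero? && i < filter.length - 1
  end
  depth.zero?
end

def login_filter(login_attr, login, restriction = nil)
  unless login_attr.match?(/\A[A-Za-z][A-Za-z0-9-]*\z/)
    raise ArgumentError, "bad attribute name"
  end
  user = "(#{login_attr}=#{escape_filter_value(login)})"
  restriction = restriction.to_s.strip
  return user if restriction.empty?
  raise ArgumentError, "malformed restriction filter" unless valid_filter?(restriction)
  "(&#{user}#{restriction})"
end

if __FILE__ == $PROGRAM_NAME
  puts login_filter("uid", "jdoe", TEACHERS_FILTER)
  # A login crafted to widen the search stays a literal value after escaping.
  puts login_filter("uid", "*)(uid=*", TEACHERS_FILTER)
end
```

A user outside the group then produces an empty search result, so authentication and on-the-fly account creation both stop before any bind as that user is attempted.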
