Defect #932

LDAP / Active Directory user login

Added by Mikhail Yakshin over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Resolution:
Start date: 2008-03-26
Due date:
% Done: 100%
Affected version:

Description

When trying to use Active Directory authentication with on-the-fly user addition, this procedure requires that the user:

  • must have at least "first name", "last name" and "email" fields in LDAP,
  • must have "email" field in valid format.

In fact, in some AD/LDAP installations, some or all of these fields may be omitted. For example, in my AD, users were created only with "displayName", i.e. without "givenName" (=first name), "sn" (=last name) and email entries. I can solve the first problem by setting up a fake field mapping (for example, set everything to "displayName"), but I can't pass e-mail validation with these emails. I had to patch RedMine sources to

Last, but not least, saving on-the-fly created user uses .save, not .save!, and thus fails silently with very strange error message "Invalid user or password" in flash notice and even more misleading

Authenticating 'xxx' against 'My Directory'
DN found for xxx: CN=xxx,CN=Users,DC=domain,DC=zone
Authentication successful for 'xxx'

I've only dug down to the real problem after inserting lots of debug and using the .save! method to produce an exception.
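The failure mode the report describes, as an added example that is not Redmine's code: a user record is assembled from an LDAP entry through a field mapping, validated, and then either created loudly (the .save! behaviour, which raises with the validation errors) or silently (the .save behaviour, which just returns nothing). The LDAP entries, the attribute-mapping hashes and the e-mail regex are constructed for the example; a real auth-source mapping and ActiveRecord's validations are assumed to behave similarly.

```ruby
# Added example, not Redmine's own code: models the on-the-fly LDAP user
# creation path so that a missing or malformed directory attribute yields a
# specific error instead of a generic "Invalid user or password".

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

class OnTheFlyUserError < StandardError; end

# Constructed sample LDAP entries, keyed by attribute name. SPARSE_ENTRY mirrors
# the directory in the report: only displayName is populated.
FULL_ENTRY   = { 'displayName' => 'Jane Doe', 'givenName' => 'Jane',
                 'sn' => 'Doe', 'mail' => 'jane.doe@example.test' }
SPARSE_ENTRY = { 'displayName' => 'xxx' }

# Hypothetical attribute mappings in the shape of an auth-source configuration
# (Redmine field => LDAP attribute). FAKE_MAPPING is the workaround from the
# report: every field pointed at displayName.
DEFAULT_MAPPING = { firstname: 'givenName',   lastname: 'sn',          mail: 'mail' }
FAKE_MAPPING    = { firstname: 'displayName', lastname: 'displayName', mail: 'displayName' }

# Pull the mapped attributes out of an LDAP entry; absent attributes become nil.
def user_attrs_from_ldap(login, entry, mapping)
  attrs = { login: login }
  mapping.each { |field, ldap_attr| attrs[field] = entry[ldap_attr] }
  attrs
end

# ActiveRecord-style validation: returns an array of "field problem" messages,
# empty when the attributes would save.
def validate_user(attrs)
  errors = []
  %i[firstname lastname].each do |field|
    value = attrs[field]
    errors << "#{field} can't be blank" if value.nil? || value.strip.empty?
  end
  mail = attrs[:mail]
  if mail.nil? || mail.strip.empty?
    errors << "mail can't be blank"
  elsif mail !~ EMAIL_RE
    errors << "mail is invalid (#{mail.inspect})"
  end
  errors
end

# strict: true behaves like save!  -> raise, carrying the validation errors.
# strict: false behaves like save  -> return nil and explain nothing.
def create_user_on_the_fly(login, entry, mapping, strict: true)
  attrs  = user_attrs_from_ldap(login, entry, mapping)
  errors = validate_user(attrs)
  return attrs if errors.empty?

  if strict
    raise OnTheFlyUserError,
          "on-the-fly user creation for '#{login}' failed: #{errors.join('; ')}"
  end
  nil
end

if __FILE__ == $0
  p create_user_on_the_fly('jane', FULL_ENTRY, DEFAULT_MAPPING)
  # The silent path: nothing tells the administrator what went wrong.
  p create_user_on_the_fly('xxx', SPARSE_ENTRY, DEFAULT_MAPPING, strict: false)
  # The loud path: each missing or invalid attribute is named in the log.
  [DEFAULT_MAPPING, FAKE_MAPPING].each do |mapping|
    begin
      create_user_on_the_fly('xxx', SPARSE_ENTRY, mapping)
    rescue OnTheFlyUserError => e
      warn e.message
    end
  end
end
```

With the default mapping the sparse entry fails on all three fields; with the displayName workaround it still fails, now only on the e-mail format, which is exactly the point the report makes: the mapping trick cannot manufacture a valid address, and only the raising variant makes that visible in the log.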

Associated revisions

Revision 1345
Added by Jean-Philippe Lang over 9 years ago

Better error message and AR errors in log for failed LDAP on-the-fly user creation (closes #932, #1042).

History

#1 Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Applied in changeset r1345.
