Feature #1113
Link LDAP groups with user accounts
| Status: | New | Start: | 2008-04-25 |
| Priority: | High | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | Accounts | | |
| Target version: | 0.8 | | |
| Resolution: | | | |
Description
It would be a great feature for corporate-wide use of Redmine to be able to link users according to LDAP groups.
For example, when a user logs into the tool, and he is part of group A, then he should get "Member" permissions. When another user, not part of group A, logs into the tool, he should automatically get "Non-Member" permissions for example.
My reasoning behind this request is that currently, when using LDAP authentication, you set up Redmine to be accessible by anyone in the company who has an LDAP account. However, you would like to break that superset down into a subset of people who can, for example, see files & repositories for all projects, using LDAP groups.
Yes, the above is possible if you add the user to every single project; however, with 100+ projects, it would be painful to add a new user.
Hopefully this is possible!
History
2008-05-31 16:56 - Alon Bar-Lev
Together with Feature #1131, Apache and mod_auth_krb5, this should provide a complete authentication and authorization environment for enterprise environments.
The authentication part is handled by the web server; the resulting user is put into an environment variable, and the application should accept this as-is.
Then the application should fetch user groups from LDAP and allow a simple transformation; for example, user@REALM should be converted to userPrincipalName=user@realm, then constructed into an LDAP query which returns the group DNs. Each group DN should be linked to roles.
End result: No users are defined inside application. User permission is based on their LDAP group membership.
Also, more information may be fetched from LDAP, for example: full name, email.
For the email field, there can also be an option to construct it from the user name; for example, if the user name is user[@REALM], then the email is user@domain.org. This will enable a simple way to construct the address without LDAP support.
Thanks!
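The flow sketched in the comment above (web server authenticates, application maps the principal to an LDAP lookup, group DNs map to roles, email falls back to user@domain) as an added Ruby example. This is not code from the issue, from Alon Bar-Lev, or from Redmine itself. It assumes an Active Directory style userPrincipalName attribute, two hypothetical group DNs under dc=example,dc=org, a fallback mail domain of example.org, and replaces the LDAP server with a constructed in-memory directory so it runs offline. The one point the comment does not mention, and that an implementation must not skip, is escaping the principal before it is placed in the filter; the example includes that step.

```ruby
# Added example (not Redmine code): take the principal the web server placed
# in REMOTE_USER, look the user up in LDAP, derive Redmine roles from group
# DNs, and build a fallback email address. The LDAP server is replaced by a
# constructed in-memory directory so the example runs offline.

# RFC 4515 escaping for a value embedded in a search filter: characters with
# filter-syntax meaning become \XX. REMOTE_USER comes from the web server,
# not directly from the client, but escaping it anyway means a principal such
# as "x*)(memberOf=*" cannot rewrite the query.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| '\\%02x' % c.ord }
end

# user@REALM -> (userPrincipalName=user@realm): the realm is lower-cased and
# the login part is left as-is. The attribute name is an assumption.
def principal_to_filter(principal, attr: 'userPrincipalName')
  user, realm = principal.split('@', 2)
  if user.nil? || user.empty? || realm.nil? || realm.empty?
    raise ArgumentError, "expected user@REALM, got #{principal.inspect}"
  end
  "(#{attr}=#{ldap_filter_escape("#{user}@#{realm.downcase}")})"
end

# Hypothetical group DN -> role table. DNs are compared case-insensitively
# with whitespace around RDNs removed; a real implementation should use a DN
# parser, since this split ignores escaped commas inside an RDN value.
ROLE_MAP = {
  'cn=redmine-admins,ou=groups,dc=example,dc=org'  => 'Administrator',
  'cn=redmine-members,ou=groups,dc=example,dc=org' => 'Member'
}.freeze
DEFAULT_ROLE = 'Non-Member'.freeze

def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Constructed stand-in for the directory: UPN -> attributes. bob has no mail
# attribute and belongs to no mapped group; carol does not exist at all.
DIRECTORY = {
  'alice@example.org' => {
    'memberOf' => ['CN=Redmine-Members,OU=Groups,DC=example,DC=org'],
    'mail'     => 'alice.smith@example.org'
  },
  'bob@example.org' => {
    'memberOf' => ['CN=Staff,OU=Groups,DC=example,DC=org'],
    'mail'     => nil
  }
}.freeze

# Stand-in for the LDAP search: evaluates the single equality filter built
# above against DIRECTORY, undoing the \XX escaping first.
def ldap_search(directory, filter)
  m = filter.match(/\A\(userPrincipalName=(.*)\)\z/)
  return nil unless m
  upn = m[1].gsub(/\\([0-9a-f]{2})/i) { $1.hex.chr }
  directory[upn]
end

# Full flow for one request. mail_domain is the hypothetical fallback domain
# used when the entry has no mail attribute or the user is not found.
def resolve_user(remote_user, directory: DIRECTORY, mail_domain: 'example.org')
  filter = principal_to_filter(remote_user)
  entry  = ldap_search(directory, filter)
  login  = remote_user.split('@', 2).first
  roles  = (entry ? entry.fetch('memberOf', []) : [])
             .map { |dn| ROLE_MAP[normalize_dn(dn)] }.compact.uniq
  roles  = [DEFAULT_ROLE] if roles.empty?
  email  = (entry && entry['mail']) || "#{login}@#{mail_domain}"
  { login: login, filter: filter, roles: roles, email: email }
end

if __FILE__ == $PROGRAM_NAME
  %w[alice@EXAMPLE.ORG bob@EXAMPLE.ORG carol@EXAMPLE.ORG].each do |principal|
    puts resolve_user(principal).inspect
  end
  puts principal_to_filter('x*)(memberOf=*@EXAMPLE.ORG')
end
```

In a real deployment the application must read the principal only from the variable the web server sets after Kerberos authentication, never from a client-supplied header with a similar name, and the group-to-role table should be the only place where authorization decisions are configured, so that an account absent from every mapped group lands on the default role rather than on a project membership created by hand.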