Patch #30757

LDAP Contextless login in Active Directory

Added by Guilherme Chehab 16 days ago. Updated 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date: -
Due date: -
% Done: 0%

Description

I created a very quick and dirty 4-line patch to allow contextless login authentication in Active Directory in the LDAP module, i.e. without the need for a dedicated search user or for allowing anonymous search on the directory server.

It uses the same login and password entered in the login screen and computes domain from a regex sub from the base_dn to avoid the need to create additional configuration fields (binds samaccountname=login@domain).

I know that it might not be needed for most AD ldap scenarios, when you should be able to create a specific user just to bind and search on your Active Directory, but I thought it might come in handy for other people.

auth_source_ldap.rb.diff (689 Bytes) Guilherme Chehab, 2019-02-06 16:01

auth_source_ldap.rb.diff - Fix for contextless active directory login, on the fly user creation and new user search (1.11 KB) Guilherme Chehab, 2019-02-11 15:04

History

#1 Updated by Guilherme Chehab 15 days ago

Well, it broke automatic user creation and adding users from the LDAP server, because in both cases auth_source_ldap.rb tries to bind again with an anonymous bind instead of the current user's DN and password...
I have to review the code for a more elegant solution; I will review the patch and submit it again.

#2 Updated by Guilherme Chehab 11 days ago

Fixed on the fly automatic user creation.
Fixed adding new users by searching AD, but the administrator user must be logged in using Active Directory credentials.

#3 Updated by Holger Just 8 days ago

  • Status changed from Resolved to New

I'm not sure if this is documented anywhere, but you can set the LDAP Account to $login (literally that string, starting with a dollar character) and leave the Password field empty; Redmine will then use the username and password provided by the user as they log in to get the user details from the LDAP server.

The only significant difference to your patch appears to be that Redmine doesn't automatically append the domain. If this is necessary to login your users, they should/need to always append the domain to their username when logging in.

Does this already solve your requirement? In that case, we should just document this feature.
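The two approaches discussed in this thread, shown side by side as an added Ruby illustration (this is not Redmine's code and not the attached patch, whose diff is not reproduced here): the patch's idea of deriving the AD domain from the configured base_dn and binding as `login@domain`, and the existing `$login` behaviour described in comment #3, where the user's own input is used verbatim and no domain is appended. The DN parsing, the `domain_from_base_dn`, `contextless_bind_name` and `account_for_bind` names, and the sAMAccountName character filter are assumptions made for the example; the actual patch uses a regex sub whose exact form is not shown on the page.

```ruby
# Added illustration for the Redmine issue thread; not the project's code nor
# the attached patch. Demonstrates deriving an AD domain from an LDAP base DN
# and the two ways of binding with the logging-in user's own credentials.

# Split a DN into its RDN components, honouring backslash-escaped commas
# (e.g. "CN=Doe\, John,DC=example,DC=com").
def dn_components(dn)
  dn.split(/(?<!\\),/).map(&:strip)
end

# Collect the DC= parts of a base DN into a DNS domain name, e.g.
# "OU=Staff,DC=corp,DC=example,DC=com" -> "corp.example.com".
# Non-DC components (OU, CN, ...) are ignored; returns nil when the DN
# carries no DC components at all.
def domain_from_base_dn(base_dn)
  dcs = dn_components(base_dn).filter_map do |rdn|
    m = rdn.match(/\A\s*dc\s*=\s*(.+)\z/i)
    m && m[1].strip
  end
  dcs.empty? ? nil : dcs.join('.')
end

# Patch-style approach (assumed shape): bind as <login>@<domain from base_dn>.
# A login that already carries a domain, or that contains characters which are
# not valid in a sAMAccountName, is rejected instead of being rewritten, so the
# bind name is always exactly one bare account name plus the derived domain.
SAM_ACCOUNT_NAME = /\A[^@\s\\\/\[\]:;|=,+*?<>"]+\z/

def contextless_bind_name(login, base_dn)
  raise ArgumentError, 'login must be a bare sAMAccountName' unless login =~ SAM_ACCOUNT_NAME
  domain = domain_from_base_dn(base_dn)
  raise ArgumentError, 'base_dn has no DC components' if domain.nil?
  "#{login}@#{domain}"
end

# Existing behaviour as described in comment #3 (modelled here, not Redmine's
# implementation): an LDAP Account of "$login" with an empty password means
# "bind with whatever the user typed at the login screen". Nothing is appended,
# so users must enter user@domain themselves if their AD requires it.
def account_for_bind(configured_account, configured_password, login, password)
  if configured_account == '$login' && configured_password.to_s.empty?
    [login, password]
  else
    [configured_account, configured_password]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, not taken from any real directory.
  base_dn = 'OU=Staff,DC=corp,DC=example,DC=com'
  puts contextless_bind_name('jdoe', base_dn)
  puts account_for_bind('$login', '', 'jdoe@corp.example.com', 'pw').first
end
```

With the `$login` approach, the bind runs with the user's own password and nothing secret is stored in the auth source configuration, which is the same property the patch aims for; the only difference on the page is who supplies the `@domain` suffix.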
