Feature #4124

open

LDAP integration

Added by Lluís Vilanova over 14 years ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: LDAP
Target version: -
Start date: 2009-10-27
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

I have most users in my redmine system authenticated through LDAP, but I've seen that changes in the redmine DDBB are not synced with LDAP. Namely:
  • password: option not available in "non-native" users
  • mail: changes in redmine do not reflect in LDAP (neither the other way around, but that's not so problematic for me)
  • first name: not a problem, as it cannot be changed in the LDAP
  • last name: idem

Thanks,
Lluis


Related issues

Related to Redmine - Patch #4977: LDAP user cant change username and email (New, 2010-03-03)

Actions #1

Updated by Jean-Philippe Lang over 14 years ago

  • Category set to LDAP
Actions #2

Updated by Roman E. about 13 years ago

I've been searching for a correct fix for this.

In our company we are enforcing LDAP settings so users are not allowed to change logins, names and emails.
Since some dedicated individuals started to have fun, I applied a fast fix:
/app/controllers/my_controller.rb: comment out line 50, @user.attributes = params[:user]
This has the side effect of users not being able to change language (minor issue)

The patch #4977 fixes only the UI part, so it would be pretty simple to forge the request.
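
The comment above notes that a UI-only change leaves the request forgeable and that commenting out the assignment also blocks the language setting. An added example of a server-side allowlist that handles both, not part of the thread and not Redmine's code; the User struct, the attribute lists and the function names are hypothetical:

```ruby
# Added illustration, not Redmine source. All names below are hypothetical.
require 'set'

# Fields the directory owns for LDAP-backed accounts (assumed, from this thread).
LDAP_MANAGED = Set['login', 'firstname', 'lastname', 'mail'].freeze
# Fields a user may normally edit on their own profile (assumed).
SELF_EDITABLE = Set['login', 'firstname', 'lastname', 'mail', 'language'].freeze

User = Struct.new(:login, :firstname, :lastname, :mail, :language, :auth_source_id) do
  # An account is LDAP-backed when it references an external auth source.
  def ldap_backed?
    !auth_source_id.nil?
  end
end

# Server-side allowlist: returns [accepted, rejected_keys].
# Keys outside the allowlist are dropped no matter what the form displayed.
def filter_profile_params(user, params)
  allowed = user.ldap_backed? ? SELF_EDITABLE - LDAP_MANAGED : SELF_EDITABLE
  submitted = params.transform_keys(&:to_s)
  accepted = submitted.select { |key, _| allowed.include?(key) }
  [accepted, submitted.keys - accepted.keys]
end

# Applies only the accepted fields and returns the rejected keys for logging.
def update_profile(user, params)
  accepted, rejected = filter_profile_params(user, params)
  accepted.each { |key, value| user[key] = value }
  rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an LDAP-backed user submits mail and language together.
  user = User.new('jdoe', 'John', 'Doe', 'jdoe@example.org', 'en', 1)
  dropped = update_profile(user, 'mail' => 'other@example.net', 'language' => 'fr')
  puts "dropped=#{dropped.inspect} mail=#{user.mail} language=#{user.language}"
end
```

Logging the rejected keys gives administrators a record of attempts to change directory-owned fields.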

Actions #3

Updated by Hans Bangkok about 13 years ago

+1 on better integration

There should be a keyfield to tie in to the LDAP record, since many properly configured LDAPs do allow all the "real-world" data to change - people do change last name frequently, and even first name occasionally. Email can and will obviously change, particularly in non-corporate environments.

Updates from the LDAP side could be handled by a pull via cronjob.

If you wanted Redmine updates to get sync'd up to the LDAP, I think things get more difficult, and I believe such use cases are rare - IMO LDAP should be "master" and changes to LDAP-controlled fields are blocked. I suppose Admin could do an edit knowing it'll get over-written at the next sync, OK for temporary quick-and-dirty situations when change requests to the LDAP admin might take time to get done.

A workaround-kludge solution for this would be to accommodate LDIF imports to update existing match records, but the keyfield requirement is a must in any case.

Actions #4

Updated by Terence Mill about 13 years ago

Changes from ldap side should be synced to redmine of course, the other way isn't wished in our case. If someone uses ldap, it's because many applications use this common user base. There should be a central registration and change process for ldap and even its own application doing user management. It doesn't make sense in that common scenario that every consumer of that trusted user base can change this trusted data. Every application which can change user data makes the whole thing less trustable and opens security issues.

Actions #5

Updated by Evgeniy Dushistov about 8 years ago

It would be nice to have an option to block changes of user attributes that redmine gets from LDAP. Plus sync attributes on every login.

Because LDAP is used to manage users and their information in one place, if you have another place (redmine) where users can/should change their information, this causes trouble for IT and users.

Actions #6

Updated by Akihiro YAMAKAWA over 4 years ago

+1

Actions #7

Updated by Bartłomiej Perz over 1 year ago

Do we have any solution for that? Now I have a problem with a married employee's name change. I cannot change the name because it is blocked by LDAP authentication and it's not updating new data from LDAP.