When you add an "OU", you really add a search base from your AD/LDAP directory. What that means is that, when Redmine performs the authentication for a user, it really only "looks" in that particular partition of your directory. For example, a typical LDAP structure could look like this:

Now, if you configure an authentication provider in Redmine, you specify the so-called "search base" for that authentication provider as well. Of course, if you specify "ou=sales,o=" as the search base from our example above, Redmine will find the user with uid "john.doe" - but not the user "jane.doe" (because she is under a different search base).

Now, the area of groups is something totally different, because users typically are not (and should not be) "physically" located underneath a group; they are still in the directory only once, underneath the organizational unit (ou) that they belong to. When you add a user to a group (or even a group to a group (or even an ou to a group (not sure if this is possible, I am not an expert with AD and cannot verify that right now))), the search that Redmine performs will not yield any result, because it does not "ask" the directory for a group membership of a particular user, but only if a user is physically located under a particular search base, such as ou=sales,o=

In order for a group membership to work, the query that Redmine performs needs to be different (this is called the LDAP search filter): it needs to specifically ask the directory server (AD in your case) if a user belongs to (or is a "member of") a particular group.

Now, why even do all this search base vs. group membership thing? This is for two reasons: to limit the search scope (performance, load on server) to a particular subset (many directories are organized by region as opposed to functional groups), but also to limit the search (and result, of course) to a particular subset of the directory population (e.g. everybody from ou=germany,o=, or ou=sales,o=).

Now, for your solution: you could try to specify "o=" as the search scope in Redmine; then all users in that directory can be found and will be authenticated by Redmine. The only issue is that they seem to have at least read privileges for all configured projects - that is something we should try to change in the Redmine authorization system, though.

For now, an ugly hack in order to get it to work for your situation could be to modify the file "/app/models/auth_source_ldap.rb" and replace the line

That would require a more sophisticated LDAP subsystem implementation - probably a couple of days' worth of effort including testing (in order to accommodate the major LDAP servers, like AD, openLDAP, SUN One, Novell eDirectory, etc.).
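To make the search-base vs. group-membership distinction concrete, here is an added Ruby example (my own, not Redmine's auth_source_ldap.rb) that runs both kinds of lookup against a small constructed in-memory directory. It assumes "o=example" as the organization, "uid" as the login attribute, an AD-style "memberOf" attribute on the user entry, and a group named cn=redmine-users; it also shows the RFC 4515 escaping that any login value needs before it is interpolated into a filter.

```ruby
# Constructed toy directory: each user lives exactly once under its ou;
# the group only references users through memberOf, nobody sits "under" it.
# "o=example", the ou names and the group DN are assumptions for this example.
DIRECTORY = [
  { dn: 'uid=john.doe,ou=sales,o=example',   uid: 'john.doe',
    memberOf: ['cn=redmine-users,ou=groups,o=example'] },
  { dn: 'uid=jane.doe,ou=germany,o=example', uid: 'jane.doe',
    memberOf: ['cn=redmine-users,ou=groups,o=example'] },
  { dn: 'uid=bob.roe,ou=sales,o=example',    uid: 'bob.roe',
    memberOf: [] },
].freeze

# RFC 4515 escaping: a login typed into the Redmine form is untrusted input,
# so backslash, '*', '(', ')' and NUL are hex-escaped before interpolation.
def ldap_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Filter for the plain search-base lookup: "is there a uid=<login> under base?"
def base_only_filter(login)
  "(uid=#{ldap_escape(login)})"
end

# Filter that additionally asks the server whether the user is a member
# of the given group, which is what a group-restricted login needs.
def membership_filter(login, group_dn)
  "(&(uid=#{ldap_escape(login)})(memberOf=#{ldap_escape(group_dn)}))"
end

# Tiny stand-in for the directory server: subtree scope under base_dn,
# match on uid, and (only when group_dn is given) require membership.
# Returns the DNs of matching entries.
def search(base_dn, login, group_dn: nil)
  DIRECTORY.select do |e|
    e[:dn].end_with?(",#{base_dn}") &&
      e[:uid] == login &&
      (group_dn.nil? || e[:memberOf].include?(group_dn))
  end.map { |e| e[:dn] }
end
```

With base "ou=sales,o=example", john.doe is found and jane.doe is not; with base "o=example" both are found, and only the membership filter keeps bob.roe out.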