
Redmine Ldap Sync

This plugin extends Redmine's LDAP authentication to perform group synchronization. In addition, it provides a rake task to perform a full user and group synchronization.

Features:

  • Detects and disables users that have been removed from LDAP.
  • Detects and disables users that have been marked as disabled on Active Directory (see MS KB Article 305144 for more details).
  • Can detect and include nested groups. Upon login, the nested groups are retrieved from a disk cache; this cache is only updated by running the rake task, so changes to group nesting are not seen at login until the next run.

Remarks:

  • The plugin has only been tested with Active Directory and OpenLDAP but should work with other directories.
  • A user will only be removed from groups that exist on LDAP. This means that LDAP and non-LDAP groups can coexist.
  • Groups deleted on LDAP will not be deleted on Redmine.

Installation & Upgrade

For both upgrade and installation please follow the plugin installation procedure described at http://www.redmine.org/wiki/redmine/Plugins

Usage

Configuration

Open Administration > Plugins; on the plugin configuration page you'll be able to set the following for each LDAP authentication.

LDAP settings:

  • Active - Enable/Disable user/group synchronization for this LDAP authentication.
  • Group base DN - The path under which the groups are located. Eg, ou=people,dc=smokeyjoe,dc=com.
  • Group name attribute (group) - The ldap attribute from where to fetch the group's name. Eg, sAMAccountName.
  • Group membership - Specifies how to determine the user's group membership. The possible values are:
    • On the group class: membership determined from the list of users contained on the group.
    • On the user class: membership determined from the list of groups contained on the user.
  • Members attribute (group) - The ldap attribute from where to fetch the group's members. Visible if the group membership is on the group class. Eg, member.
  • Memberid attribute (user) - The ldap attribute from where to fetch the user's memberid. This attribute must match with the members attribute. Visible if the group membership is on the group class. Eg, dn.
  • Groups attribute (user) - The ldap attribute from where to fetch the user's groups. Visible if the group membership is on the user class. Eg, memberof.
  • Groupid attribute (group) - The ldap attribute from where to fetch the group's groupid. This attribute must match with the groups attribute. Visible if the group membership is on the user class. Eg, distinguishedName.
  • Groups objectclass - The groups object class.
  • Users objectclass - The users object class.
  • Group name pattern - (optional) A RegExp that must match the names of the groups to be imported; groups whose name does not match are ignored. Eg, \.team$.
  • Group search filter - (optional) An LDAP search filter applied whenever searching for groups.
  • Enable nested groups - Enables and specifies how to identify the groups nesting. When enabled the plugin will look for the groups' parent groups, and so on, and add those groups to the users.
    • Membership on the parent class - group membership determined from the list of groups contained on the parent group.
    • Membership on the member class - group membership determined from the list of groups contained on the member group.
  • Member groups attribute (group) - The ldap attribute from where to fetch the group's member groups. Visible if the nested groups membership is on the parent class. Eg, member.
  • Parent groups attribute (group) - The ldap attribute from where to fetch the group's parent groups. Visible if the nested groups membership is on the member class. Eg, memberOf.
  • Memberid attribute (group) - The ldap attribute from where to fetch the member group's memberid. This attribute must match with the member groups attribute. Eg, distinguishedName.
  • Parentid attribute (group) - The ldap attribute from where to fetch the parent group's id. This attribute must match with the parent groups attribute. Eg, distinguishedName.
  • Account flags (user) - The ldap attribute containing the account disabled flag. Eg., userAccountControl.
  • Account disabled test - A Ruby boolean expression that evaluates the account's flags (available as the variable flags) and returns true if the account is disabled. Eg., flags.to_i & 2 != 0 or flags.include? 'D'. Note that the value of the account flags attribute arrives as a string, which is why the first example converts it with to_i before the bit test. The expression is evaluated as Ruby code inside Redmine with the application's privileges, so keep it to a simple test on flags; anything else an administrator types here will run too.
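The group membership and nested-group settings above describe a lookup that is easier to see in code. The following is an added example, not code from redmine_ldap_sync: it resolves a user's groups from a constructed in-memory directory (the DIRECTORY hash, its DNs and names are made up for this example) using the Active Directory settings with membership on the group class (Members attribute = member, Memberid attribute (user) = dn) and nested groups with membership on the parent class (Member groups attribute = member, Memberid attribute (group) = distinguishedName). It deliberately includes a nesting loop between two groups, because directories allow them and a naive recursive walk never terminates on one.

```ruby
# Added example (not code from redmine_ldap_sync). An in-memory stand-in for the
# directory: DN => attributes. Entries, DNs and names are constructed for this example.
DIRECTORY = {
  "CN=alice,OU=people,DC=example,DC=com" => { objectClass: "user", sAMAccountName: "alice" },
  "CN=bob,OU=people,DC=example,DC=com"   => { objectClass: "user", sAMAccountName: "bob" },
  "CN=dev.team,OU=groups,DC=example,DC=com" => {
    objectClass: "group", sAMAccountName: "dev.team",
    member: ["CN=alice,OU=people,DC=example,DC=com"],
  },
  "CN=eng.team,OU=groups,DC=example,DC=com" => {
    objectClass: "group", sAMAccountName: "eng.team",
    # a nested group, a user, and a loop back to all-staff (nesting loops do occur)
    member: ["CN=dev.team,OU=groups,DC=example,DC=com",
             "CN=bob,OU=people,DC=example,DC=com",
             "CN=all-staff,OU=groups,DC=example,DC=com"],
  },
  "CN=all-staff,OU=groups,DC=example,DC=com" => {
    objectClass: "group", sAMAccountName: "all-staff",
    member: ["CN=eng.team,OU=groups,DC=example,DC=com"],
  },
  "CN=Domain Admins,OU=groups,DC=example,DC=com" => {
    objectClass: "group", sAMAccountName: "Domain Admins",
    member: ["CN=bob,OU=people,DC=example,DC=com"],
  },
}

# The Active Directory settings from the README (group-class variant) as a hash.
AD_SETTINGS = {
  group_base_dn:        "OU=groups,DC=example,DC=com",
  groups_objectclass:   "group",
  group_name_attribute: :sAMAccountName,
  members_attribute:    :member,   # Members attribute (group) and Member groups attribute (group)
  group_name_pattern:   /\.team$/, # Group name pattern
}

# Candidate groups: entries under the group base DN with the groups objectclass
# (the optional Group search filter is left empty here).
def group_entries(settings)
  DIRECTORY.select do |dn, attrs|
    dn.end_with?("," + settings[:group_base_dn]) &&
      attrs[:objectClass] == settings[:groups_objectclass]
  end
end

# "On the group class": the user's memberid (its dn) appears in the group's members attribute.
def direct_groups(user_dn, settings)
  group_entries(settings)
    .select { |_dn, attrs| Array(attrs[settings[:members_attribute]]).include?(user_dn) }
    .keys
end

# "Membership on the parent class": a parent is any group whose member groups attribute
# lists this group's memberid (its distinguishedName). Breadth-first with a visited list,
# so the eng.team <-> all-staff loop above terminates instead of recursing forever.
def with_parent_groups(group_dns, settings)
  groups = group_entries(settings)
  seen  = []
  queue = group_dns.dup
  until queue.empty?
    dn = queue.shift
    next if seen.include?(dn)
    seen << dn
    parents = groups.select { |_p, attrs| Array(attrs[settings[:members_attribute]]).include?(dn) }.keys
    queue.concat(parents)
  end
  seen
end

# Group names the user would be added to in Redmine: direct groups plus nested parents,
# reduced to those matching the Group name pattern. The pattern acts as an allow-list:
# "Domain Admins" is a real membership of bob's but is never imported with this pattern.
def redmine_groups_for(user_dn, settings)
  dns   = with_parent_groups(direct_groups(user_dn, settings), settings)
  names = dns.map { |dn| DIRECTORY[dn][settings[:group_name_attribute]] }
  names.select { |name| settings[:group_name_pattern].match?(name) }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts redmine_groups_for("CN=alice,OU=people,DC=example,DC=com", AD_SETTINGS).inspect
end
```

Two things worth checking against your own directory with this kind of walk: that a nesting loop cannot hang the sync, and that the Group name pattern really excludes the groups you do not want mirrored into Redmine, since every matching group becomes a Redmine group that project permissions can be attached to. Remember also that the plugin computes the nested parents only when the rake task runs and reads them from the disk cache at login, so a user moved out of a parent group keeps that nested membership in Redmine until the next run.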

Synchronization Actions:

  • Users must be members of - (optional) A group to which the users must belong in order to have access to Redmine enabled.
  • Add users to group - (optional) A group to which all the users created from this LDAP authentication will be added upon creation. The group should not exist on LDAP.
  • Create new groups - If enabled, groups that don't already exist on Redmine will be created.
  • Create new users - If enabled, users that don't already exist on Redmine will be created when running the rake task.
  • Sync users attributes - If enabled, the selected attributes will be synchronized both by the rake task and after every login.
  • Attributes to be synced - The attributes to be synchronized: "First name", "Last name" and/or "Email"

Full user/group synchronization with rake

To do the full user synchronization execute the following:

rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production

An alternative is to run it periodically from a cron task. Note that the redirections in the example below close stdout and stderr, so a failing sync goes unreported; redirect to a log file instead if you want to notice failures:

# Synchronize users with ldap @ every 60 minutes
35 *            * * *   root /usr/bin/rake -f /opt/redmine/Rakefile --silent redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production 2>&- 1>&-

LDAP Configuration Examples

Active Directory

Where two values are given separated by "|", the first applies with group membership on the group class and the value in braces applies with membership on the user class; the same convention is used for the two nested groups alternatives.

  • Group membership = on the group class | {on the user class}
  • Group name attribute (group) = sAMAccountName
  • Members attribute (group) = member
  • Memberid attribute (user) = dn
  • Account flags (user) = userAccountControl
  • Account disabled test = flags.to_i & 2 != 0
  • Groups attribute (user) = --- | {memberof}
  • Groupid attribute (group) = --- | {distinguishedName}
  • Groups objectclass = group
  • Users objectclass = user
  • Nested groups = membership on the parent class | {membership on the member class}
  • Member groups attribute (group) = member
  • Memberid attribute (group) = distinguishedName
  • Parent groups attribute (group) = --- | {memberof}
  • Parentid attribute (group) = --- | {distinguishedName}

OpenDS

  • Group name attribute (group) = cn
  • Group membership = on the user class
  • Groups attribute (user) = isMemberOf
  • Memberid attribute (user) = entryDN
  • Groups objectclass = groupOfUniqueNames
  • Users objectclass = person
  • Nested groups = disabled

Lotus Notes LDAP (tested against Lotus Notes 8.5.2)

  • Group membership = on the group class
  • Group name attribute (group) = cn
  • Members attribute (group) = member
  • Memberid attribute (user) = dn
  • Groups objectclass = dominoGroup
  • Users objectclass = dominoPerson
  • Nested groups = disabled

Open LDAP (with posixGroups)

  • Group membership = on the group class
  • Group name attribute = cn
  • Members attribute = member
  • Groups objectclass = posixGroup
  • Users objectclass = person
  • Nested groups = disabled

Samba LDAP

  • Group membership = on the group class
  • Group name attribute (group) = cn
  • Members attribute (group) = member
  • Memberid attribute (user) = dn
  • Account flags (user) = sambaAcctFlags
  • Account disabled test = flags.include? 'D'
  • Groups objectclass = sambaGroupMapping
  • Users objectclass = sambaSamAccount
  • Nested groups = disabled
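The Active Directory and Samba examples above each carry an Account disabled test. The following added example, which is not the plugin's code, applies such an expression to raw attribute values the way the setting describes: a Ruby boolean expression with the attribute value bound to the variable flags. Evaluating the expression with eval against a binding that holds flags is this example's assumption about how the plugin does it; the sample attribute values are constructed. It also shows why the userAccountControl test needs to_i: the attribute value is a string, and a bit test written for an Integer raises on it instead of quietly returning false.

```ruby
# Added example, not code from redmine_ldap_sync.
# Bit 2 (0x0002) of userAccountControl is ACCOUNTDISABLE (MS KB 305144);
# 512 is NORMAL_ACCOUNT and 65536 is DONT_EXPIRE_PASSWORD.
AD_TEST    = "flags.to_i & 2 != 0"
SAMBA_TEST = "flags.include? 'D'"

# Evaluate an "Account disabled test" expression with the attribute value bound
# to `flags` (assumed to mirror the plugin's behaviour). This is arbitrary Ruby run
# with the application's privileges, which is why the setting is administrator-only.
def account_disabled?(test_expression, flags)
  eval(test_expression, binding) ? true : false
end

# Constructed attribute values, as strings: that is how LDAP attribute values arrive.
AD_SAMPLES = {
  "512"   => false, # NORMAL_ACCOUNT
  "514"   => true,  # NORMAL_ACCOUNT | ACCOUNTDISABLE
  "66048" => false, # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
  "66050" => true,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
}
SAMBA_SAMPLES = {
  "[U          ]" => false, # normal user account
  "[UD         ]" => true,  # user account, disabled
  "[DU         ]" => true,  # flag order is not significant
}

# Sample values whose result does not match the expected one (empty means the test is right).
def mismatches(test_expression, samples)
  samples.reject { |flags, expected| account_disabled?(test_expression, flags) == expected }.keys
end

# The exception class an expression raises on a given value, or nil if it evaluates cleanly.
# "flags & 2 != 0" on the string "514" raises NoMethodError: String has no `&`.
def evaluation_error(test_expression, flags)
  account_disabled?(test_expression, flags)
  nil
rescue StandardError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "AD mismatches:    #{mismatches(AD_TEST, AD_SAMPLES).inspect}"
  puts "Samba mismatches: #{mismatches(SAMBA_TEST, SAMBA_SAMPLES).inspect}"
  puts "without to_i:     #{evaluation_error('flags & 2 != 0', '514').inspect}"
end
```

Before relying on a new disabled test, run it over a handful of known-enabled and known-disabled accounts the way mismatches does above: a test that raises or that is wrong in the enabled direction leaves disabled directory accounts able to log in to Redmine until the next successful synchronization.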

License

This plugin is released under the GPL v3 license. See LICENSE for more information.

Contributors

thorin, goetas, xavier-calland
