This plugin extends Redmine's LDAP authentication to perform group synchronization. In addition it provides a rake task to perform a full user/group synchronization.
Features:
- Detects and disables users that have been removed from LDAP.
- Detects and disables users that have been marked as disabled on Active Directory (see MS KB Article 305144 for more details).
- Can detect and include nested groups. Upon login the nested groups are retrieved from a disk cache. This cache is only updated by running the rake task.
Remarks:
- The plugin has only been tested with Active Directory and OpenLDAP but should work with other directories.
- A user will only be removed from groups that exist on LDAP. This means that both LDAP and non-LDAP groups can coexist.
- Deleted groups on LDAP will not be deleted on redmine.
For both upgrade and installation please follow the plugin installation procedure described at http://www.redmine.org/wiki/redmine/Plugins
Open Administration > Plugins; on the plugin's configuration page you'll be able to set the following for each LDAP authentication.
LDAP settings:
- Active - Enable/Disable user/group synchronization for this LDAP authentication.
- Group base DN - The path where the groups are located. Eg, `ou=people,dc=smokeyjoe,dc=com`.
- Group name attribute (group) - The ldap attribute from where to fetch the group's name. Eg, `sAMAccountName`.
- Group membership - Specifies how to determine the user's group membership. The possible values are:
  - On the group class: membership determined from the list of users contained on the group.
  - On the user class: membership determined from the list of groups contained on the user.
- Members attribute (group) - The ldap attribute from where to fetch the group's members. Visible if the group membership is on the group class. Eg, `member`.
- Memberid attribute (user) - The ldap attribute from where to fetch the user's memberid. This attribute must match the members attribute. Visible if the group membership is on the group class. Eg, `dn`.
- Groups attribute (user) - The ldap attribute from where to fetch the user's groups. Visible if the group membership is on the user class. Eg, `memberof`.
- Groupid attribute (group) - The ldap attribute from where to fetch the group's groupid. This attribute must match the groups attribute. Visible if the group membership is on the user class. Eg, `distinguishedName`.
- Groups objectclass - The groups object class.
- Users objectclass - The users object class.
- Group name pattern - (optional) A RegExp that must match the names of the groups that should be imported. Eg, `\.team$`.
- Group search filter - (optional) An LDAP search filter to be applied whenever searching for groups.
- Enable nested groups - Enables and specifies how to identify the groups' nesting. When enabled the plugin will look for the groups' parent groups, and so on, and add those groups to the users.
  - Membership on the parent class: group membership determined from the list of groups contained on the parent group.
  - Membership on the member class: group membership determined from the list of groups contained on the member group.
- Member groups attribute (group) - The ldap attribute from where to fetch the group's member groups. Visible if the nested groups membership is on the parent class. Eg, `member`.
- Parent groups attribute (group) - The ldap attribute from where to fetch the group's parent groups. Visible if the nested groups membership is on the member class. Eg, `memberOf`.
- Memberid attribute (group) - The ldap attribute from where to fetch the member group's memberid. This attribute must match the member groups attribute. Eg, `distinguishedName`.
- Parentid attribute (group) - The ldap attribute from where to fetch the parent group's id. This attribute must match the parent groups attribute. Eg, `distinguishedName`.
- Account flags (user) - The ldap attribute containing the account disabled flag. Eg, `userAccountControl`.
- Account disabled test - A ruby boolean expression that evaluates an account's flags (available in the variable `flags`) and returns true if the account is disabled. Eg, `flags.to_i & 2 != 0` or `flags.include? 'D'`.
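The following is an added example, not the plugin's own code, showing how the settings above combine to resolve a user's groups: membership on the user class, nested groups on the member class, and the group name pattern. The directory contents, DNs and setting names are constructed for the example.

```ruby
require 'set'

# Constructed sample directory (not real data): entry DN => attributes, using
# Active Directory style names. Groups list their parent groups in memberOf,
# and dev.team/eng.team reference each other to show that cycles terminate.
DIRECTORY = {
  'cn=jdoe,ou=people,dc=smokeyjoe,dc=com' => {
    'objectClass' => ['user'],
    'memberOf' => ['cn=dev.team,ou=groups,dc=smokeyjoe,dc=com'] },
  'cn=dev.team,ou=groups,dc=smokeyjoe,dc=com' => {
    'objectClass' => ['group'], 'sAMAccountName' => ['dev.team'],
    'memberOf' => ['cn=eng.team,ou=groups,dc=smokeyjoe,dc=com'] },
  'cn=eng.team,ou=groups,dc=smokeyjoe,dc=com' => {
    'objectClass' => ['group'], 'sAMAccountName' => ['eng.team'],
    'memberOf' => ['cn=dev.team,ou=groups,dc=smokeyjoe,dc=com',
                   'cn=staff,ou=groups,dc=smokeyjoe,dc=com'] },
  'cn=staff,ou=groups,dc=smokeyjoe,dc=com' => {
    'objectClass' => ['group'], 'sAMAccountName' => ['staff'], 'memberOf' => [] }
}.freeze

# Assumed setting names mirroring the plugin options (groupid/parentid = entry DN).
SETTINGS = {
  groups_attr: 'memberOf',         # Groups attribute (user)
  parent_groups_attr: 'memberOf',  # Parent groups attribute (group)
  group_name_attr: 'sAMAccountName',
  group_name_pattern: /\.team$/,   # Group name pattern
  nested: true                     # Enable nested groups (member class)
}.freeze

# Transitively collect the DNs of a user's groups; the visited set stops cycles.
def resolve_group_dns(user_dn, dir = DIRECTORY, s = SETTINGS)
  seen = Set.new
  queue = dir.fetch(user_dn).fetch(s[:groups_attr], []).dup
  until queue.empty?
    dn = queue.shift
    next if seen.include?(dn) || !dir.key?(dn)   # unknown or seen DN: skip
    seen << dn
    queue.concat(dir[dn].fetch(s[:parent_groups_attr], [])) if s[:nested]
  end
  seen.to_a
end

# Group names the user would be synced into, filtered by the group name pattern.
def user_groups(user_dn, dir = DIRECTORY, s = SETTINGS)
  resolve_group_dns(user_dn, dir, s)
    .map { |dn| dir[dn][s[:group_name_attr]].first }
    .select { |name| s[:group_name_pattern].nil? || name =~ s[:group_name_pattern] }
    .sort
end
```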
Synchronization Actions:
- Users must be members of - (optional) A group to which the users must belong in order to have access to redmine.
- Add users to group - (optional) A group to which all the users created from this LDAP authentication will be added upon creation. The group should not exist on LDAP.
- Create new groups - If enabled, groups that don't already exist on redmine will be created.
- Create new users - If enabled, users that don't already exist on redmine will be created when running the rake task.
- Sync users attributes - If enabled, the selected attributes will be synchronized both on the rake task and after every login.
- Attributes to be synced - The attributes to be synchronized: "First name", "Last name" and/or "Email".
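As an added example (not the plugin's code), the synchronization rules above and the group coexistence remark expressed as two small functions; the account disabled tests are the two expressions from the LDAP settings, and all sample values are constructed.

```ruby
# Account disabled tests as written in the settings above; each receives the
# raw value of the account flags attribute as `flags`.
AD_DISABLED    = ->(flags) { flags.to_i & 2 != 0 }   # userAccountControl bit 0x2
SAMBA_DISABLED = ->(flags) { flags.include?('D') }   # sambaAcctFlags, eg "[UD         ]"

# Decide whether a Redmine account stays active after a sync.
# ldap_entry is nil when the user no longer exists in LDAP; ldap_groups are the
# group names resolved for the user; required_group is "Users must be members of".
def account_active?(ldap_entry, ldap_groups, disabled_test:, required_group: nil)
  return false if ldap_entry.nil?                          # removed from LDAP
  return false if disabled_test.call(ldap_entry[:flags])   # disabled in the directory
  return false if required_group && !ldap_groups.include?(required_group)
  true
end

# New Redmine group list for a user: memberships in groups that exist on LDAP are
# replaced by the current LDAP groups; groups unknown to LDAP (such as the
# "Add users to group" group) are left untouched, so both kinds coexist.
def synced_groups(current_groups, ldap_groups, all_ldap_groups)
  current_groups.reject { |g| all_ldap_groups.include?(g) } | ldap_groups
end
```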
To do the full user synchronization execute the following:
rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production
An alternative is to do it periodically with a cron task:
# Synchronize users with ldap @ every 60 minutes
35 * * * * root /usr/bin/rake -f /opt/redmine/Rakefile --silent redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production 2>&- 1>&-
Example settings for Active Directory (where two values are given as `a | {b}`, the braced values belong together and apply when the group membership is on the user class and the nesting on the member class):
- Group membership = on the group class | {on the user class}
- Group name attribute (group) = sAMAccountName
- Members attribute (group) = member
- Memberid attribute (user) = dn
- Account control flags (user) = userAccountControl
- Account disabled test = flags & 2 != 0
- Groups attribute (user) = --- | {memberof}
- Groupid attribute (group) = --- | {distinguishedName}
- Groups objectclass = group
- Users objectclass = user
- Nested groups = membership on the parent class | {membership on the member class}
- Member groups attribute (group) = member
- Memberid attribute (group) = distinguishedName
- Parent groups attribute (group) = --- | {memberof}
- Parentid attribute (group) = --- | {distinguishedName}

Example settings for a directory that exposes the isMemberOf and entryDN attributes:
- Group name attribute (group) = cn
- Group membership = on the user class
- Groups attribute (user) = isMemberOf
- Memberid attribute (user) = entryDN
- Groups objectclass = groupOfUniqueNames
- Users objectclass = person
- Nested groups = disabled

Example settings for Domino:
- Group membership = on the group class
- Group name attribute (group) = cn
- Members attribute (group) = member
- Memberid attribute (user) = dn
- Groups objectclass = dominoGroup
- Users objectclass = dominoPerson
- Nested groups = disabled

Example settings for posixGroup-based directories:
- Group membership = on the group class
- Group name attribute (group) = cn
- Members attribute (group) = member
- Groups objectclass = posixGroup
- Users objectclass = person
- Nested groups = disabled

Example settings for Samba:
- Group membership = on the group class
- Group name attribute (group) = cn
- Members attribute (group) = member
- Memberid attribute (user) = dn
- Account control flags (user) = sambaAcctFlags
- Account disabled test = flags.include? 'D'
- Groups objectclass = sambaGroupMapping
- Users objectclass = sambaSamAccount
- Nested groups = disabled
This plugin is released under the GPL v3 license. See LICENSE for more information.