Announcement

Collapse
No announcement yet.

LDAP integration - can't add LDAP users to Teams?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • LDAP integration - can't add LDAP users to Teams?

    Hi,

    The LDAP integration is a great addition to the product.

    What I'm trying to do is have uberSVN managed Teams and have the user information come from LDAP. It seems like this feature is currently unavailable? Are there plans to implement this?

    Thanks!

    -K

  • #2
    Hi K,

    Just so I can be clear what you're looking for, is it the ability to define an LDAP search query which populates the uberSVN portal membership, so as well as being able to login via Apache, users can also login to the uberSVN portal with their LDAP credentials? I'd also assume if that's the case you'd want a way to pre-populate users into uberSVN via an LDAP query?

    Both features are planned but add a surprising amount of complexity. It would be great to know exactly what you need so we can prioritise building exactly that.

    Best Wishes,

    Ian

    Comment


    • #3
      Hello Ian,

      Thank you for the quick response.

      To clarify, here's what I'm looking for:
      1. Ability to define an LDAP query to fetch users from an LDAP server.
      2. Ability to add LDAP users from [1] to Teams, make them Repository admins, etc.
      3. Ability for users from [1] to login to uberSVN (as well as Apache of course) with their LDAP credentials if/when they choose.

      I'm not necessarily looking for a way to pre-populate uberSVN with an entire LDAP directory full of users. I'm looking more for the ability for uberSVN to delegate authentication to LDAP and worry about authorization within the confines of uberSVN. i.e. "LDAP user X is an admin of Repository Q and belongs to uberSVN Teams A and B" regardless of what LDAP groups s/he may belong to. As a side note, it might be another nice addition to be able to map LDAP groups to uberSVN Teams as well.

      So, in essence, I'm looking for uberSVN to manage Teams and Repositories while passing the user-profiley passwordy stuff to LDAP.

      Too bad this is not an open-source project. I would have loved to contribute.

      -K

      Comment


      • #4
        That's a great answer - Thanks very much.

        Would you expect [2] to be performed inside the uberSVN product, or would you want it to be a factor of an LDAP group membership or other LDAP attribute that these rights could be set in LDAP and be automatically recognised by uber?

        Also, what would your expectation be about users removed from LDAP groups - Should uber automatically remove them from itself if the query no longer returns the user?

        This potentially gets quite messy and complex and needs careful consideration before we build it, but certainly it is something we've spoken about and plan to do at some point. Your input into this is much appreciated.

        Best Wishes,

        Ian

        Comment


        • #5
          Ian,

          Yes, I would expect uberSVN to handle user-to-Team membership. Simplest would be to have the user textfield in Team Players widget in Teams tab and Repositories/Permissions tab fetch/filter the usernames from LDAP.

          I don't expect to have uberSVN fetch all users in LDAP and create accounts for them (nightmare for large LDAP directories); but it would be nice to automatically create an uberSVN user when a user logs in to uberSVN with their correct LDAP credentials (and are available in the resultset of the query in [1] above). It would be a good fallback option for when LDAP is down. (This way also allows me to have "local" users, defined only in uberSVN, as well. A quick bind to LDAP would solve the "what if the user's removed" question. See below.)

          The way humble ole' me would build it would be to cache the LDAP users using [1] in uberSVN (refreshing it periodically, marking differences until someone looks at them; if no admin logs in within a day shoot an email off inviting them back in while asking them what kind of an admin they are leaving the system all alone, etc..)

          The LDAP group membership or other LDAP attribute would then just be a part of [1]. This would also solve the case when users are removed from LDAP or LDAP Groups. For one thing, if the user is removed from LDAP altogether, the authentication would fail. I don't think it's a good idea to have uberSVN to automagically remove the users from Teams/Repositories. What would be better, I think, would be to mark them in the UI somehow for the curious administrator to investigate and resolve.

          This functionality could be architected as a modular chain, because I'm sure someone's about to ask "Well, what about a database to fetch these or part of these from?"..

          -K

          Comment


          • #6
            Ping... Any update on this?

            Comment


            • #7
              Hi Kutsal,

              Sorry for not coming back before. I appreciated the detail in your suggestion. The feature request is noted and it's something we certainly plan to provide, however as far as timescales go I'm not sure when we'll be able to get this into the uberSVN workstack. This level of integration with LDAP won't be a feature we can add overnight (there are complexities) but I will do my best to keep you updated on progress with this one.

              Best Wishes,

              Ian

              Comment


              • #8
                Excellent suggestions

                It would be nice to be able to configure ubersvn groups to match LDAP groups.

                As far as users deactivated in LDAP, is there an inactive user status in ubersvn? Sort of a purgatory that a user could be placed in where a ubersvn admin could at some point decide to set their status back to active if desired.

                Comment

                Working...
                X