author: Frederic Guillot <fred@kanboard.net> 2016-04-30 20:38:16 -0400
committer: Frederic Guillot <fred@kanboard.net> 2016-04-30 20:38:16 -0400
commit: 3872dee261779a3263155935a578173205aae533
tree: c1dfd082d6ae82e8607533ed8697ef546e27430a /doc
parent: 2afd7ee834d8064c6cfefd09a11d08d05a0dfdf1
Added support for LDAP Posix Groups (OpenLDAP with memberUid)
Diffstat (limited to 'doc')
-rw-r--r-- doc/config.markdown 5
-rw-r--r-- doc/ldap-authentication.markdown 4
-rw-r--r-- doc/ldap-group-sync.markdown 28
-rw-r--r-- doc/ldap-parameters.markdown 1
4 files changed, 32 insertions, 6 deletions
diff --git a/doc/config.markdown b/doc/config.markdown
index 150cb6dc..c1f08b99 100644
--- a/doc/config.markdown
+++ b/doc/config.markdown
@@ -170,6 +170,11 @@ define('LDAP_GROUP_BASE_DN', '');
// Example for ActiveDirectory: (&(objectClass=group)(sAMAccountName=%s*))
define('LDAP_GROUP_FILTER', '');
+// LDAP user group filter
+// If this filter is configured, Kanboard will search user groups in LDAP_GROUP_BASE_DN
+// Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s))
+define('LDAP_GROUP_USER_FILTER', '');
+
// LDAP attribute for the group name
define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
```
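Review bot: The added comment for `LDAP_GROUP_USER_FILTER` does not say what `%s` is replaced with, nor that `LDAP_GROUP_BASE_DN` has to be set for this search to work. Since the example matches on `memberUid`, please state which user value is substituted for `%s`, and say what happens when the filter is defined but `LDAP_GROUP_BASE_DN` is left at the `''` default shown just above, because the result of this search decides which groups a user is considered a member of.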
diff --git a/doc/ldap-authentication.markdown b/doc/ldap-authentication.markdown
index cacfb523..e994c149 100644
--- a/doc/ldap-authentication.markdown
+++ b/doc/ldap-authentication.markdown
@@ -167,8 +167,8 @@ Just change the value of `LDAP_ACCOUNT_CREATION` to `false`:
define('LDAP_ACCOUNT_CREATION', false);
```
-Troubleshootings
-----------------
+Troubleshooting
+---------------
### SELinux restrictions
diff --git a/doc/ldap-group-sync.markdown b/doc/ldap-group-sync.markdown
index 69678a8a..b519146b 100644
--- a/doc/ldap-group-sync.markdown
+++ b/doc/ldap-group-sync.markdown
@@ -5,7 +5,7 @@ Requirements
------------
- Have LDAP authentication properly configured
-- Use a LDAP server that supports `memberOf`
+- Use a LDAP server that supports `memberOf` or `memberUid` (PosixGroups)
Define automatically user roles based on LDAP groups
----------------------------------------------------
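Review bot: The changed requirement line writes "(PosixGroups)", while the rest of this patch uses "Posix Groups" in headings, `posixGroup` in the filters and "posixGroups" in the parameter table; pick one spelling, ideally the object class name `posixGroup`. While the line is being touched, "a LDAP server" should read "an LDAP server", and it would help to mention here that the `memberUid` case also requires `LDAP_GROUP_USER_FILTER`, so the extra requirement is visible before the reader reaches the example.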
@@ -15,7 +15,7 @@ Use these constants in your config file:
- `LDAP_GROUP_ADMIN_DN`: Distinguished names for application administrators
- `LDAP_GROUP_MANAGER_DN`: Distinguished names for application managers
-Example:
+### Example for Active Directory:
```php
define('LDAP_GROUP_ADMIN_DN', 'CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local');
@@ -26,6 +26,18 @@ define('LDAP_GROUP_MANAGER_DN', 'CN=Kanboard Managers,CN=Users,DC=kanboard,DC=lo
- People member of "Kanboard Managers" will have the role "Managers"
- Everybody else will have the role "User"
+### Example for OpenLDAP with Posix Groups:
+
+```php
+define('LDAP_GROUP_BASE_DN', 'ou=Groups,dc=kanboard,dc=local');
+define('LDAP_GROUP_USER_FILTER', '(&(objectClass=posixGroup)(memberUid=%s))');
+define('LDAP_GROUP_ADMIN_DN', 'cn=Kanboard Admins,ou=Groups,dc=kanboard,dc=local');
+define('LDAP_GROUP_MANAGER_DN', 'cn=Kanboard Managers,ou=Groups,dc=kanboard,dc=local');
+```
+
+You **must define the parameter** `LDAP_GROUP_USER_FILTER` if your LDAP server use `memberUid` instead of `memberOf`.
+All parameters of this example are mandatory.
+
Automatically load LDAP groups for project permissions
------------------------------------------------------
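Review bot: The added OpenLDAP section ends with "All parameters of this example are mandatory." but never states the resulting roles, and the "People member of ..." bullets now sit under the Active Directory heading only. Because `LDAP_GROUP_ADMIN_DN` and `LDAP_GROUP_MANAGER_DN` decide who gets elevated roles, please repeat or move the role bullets so they clearly cover both examples, and say how the groups found by `LDAP_GROUP_USER_FILTER` are compared with those two DNs. Grammar in the same paragraph: "if your LDAP server use" should be "uses".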
@@ -41,7 +53,7 @@ If the group doesn't exist in the local database, it will be automatically synce
- `LDAP_GROUP_FILTER`: LDAP filter used to perform the query
- `LDAP_GROUP_ATTRIBUTE_NAME`: LDAP attribute used to fetch the group name
-Example:
+### Example for Active Directory:
```php
define('LDAP_GROUP_PROVIDER', true);
@@ -52,7 +64,15 @@ define('LDAP_GROUP_FILTER', '(&(objectClass=group)(sAMAccountName=%s*))');
With the filter given as example above, Kanboard will search for groups that match the query.
If the end-user enter the text "My group" in the auto-complete box, Kanboard will return all groups that match the pattern: `(&(objectClass=group)(sAMAccountName=My group*))`.
-- Note 1: The special characters `*` is important here, otherwise an exact match will be done.
+- Note 1: The special characters `*` is important here, **otherwise an exact match will be done**.
- Note 2: This feature is only compatible with LDAP authentication configured in "proxy" or "anonymous" mode
[More examples of LDAP filters for Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
+
+### Example for OpenLDAP with Posix Groups:
+
+```php
+define('LDAP_GROUP_PROVIDER', true);
+define('LDAP_GROUP_BASE_DN', 'ou=Groups,dc=kanboard,dc=local');
+define('LDAP_GROUP_FILTER', '(&(objectClass=posixGroup)(cn=%s*))');
+```
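Review bot: The new OpenLDAP example is appended after Note 1, Note 2 and the Active Directory link, so it is unclear whether the notes about the trailing `*` and the "proxy" or "anonymous" mode requirement also apply to `(&(objectClass=posixGroup)(cn=%s*))`. Suggest placing the example before the notes, or restating them under the new heading. The surrounding text says the text typed in the auto-complete box is substituted into the filter, so the doc should also state whether characters such as `*`, `(`, `)` and `\` in that input are escaped. The Note 1 line is modified here but still reads "The special characters `*` is"; "The special character `*` is" would fix it in the same change.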
diff --git a/doc/ldap-parameters.markdown b/doc/ldap-parameters.markdown
index bd02baf2..c7202641 100644
--- a/doc/ldap-parameters.markdown
+++ b/doc/ldap-parameters.markdown
@@ -26,6 +26,7 @@ Here is the list of available LDAP parameters:
| `LDAP_GROUP_PROVIDER` | false | Enable LDAP group provider for project permissions |
| `LDAP_GROUP_BASE_DN` | Empty | LDAP Base DN for groups |
| `LDAP_GROUP_FILTER` | Empty | LDAP group filter (Example: "(&(objectClass=group)(sAMAccountName=%s*))") |
+| `LDAP_GROUP_USER_FILTER` | Empty | If defined, Kanboard will search user groups in LDAP_GROUP_BASE_DN with this filter, it's useful only for posixGroups (Example: `(&(objectClass=posixGroup)(memberUid=%s))`) |
| `LDAP_GROUP_ATTRIBUTE_NAME` | cn | LDAP attribute for the group name |
Notes:
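Review bot: The new `LDAP_GROUP_USER_FILTER` row says the parameter is "useful only for posixGroups", which is weaker than the group-sync doc in this same patch, where it is a must for servers using `memberUid`; the description is also a comma splice. Suggest splitting it into two sentences and stating that it is required for `memberUid` setups together with `LDAP_GROUP_BASE_DN`. For consistency with the `LDAP_GROUP_FILTER` row above, which quotes its example in double quotes, use one quoting style for the example filters and put `LDAP_GROUP_BASE_DN` in backticks inside the description.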