author Frederic Guillot <fred@kanboard.net> 2015-09-06 18:07:30 -0400
committer Frederic Guillot <fred@kanboard.net> 2015-09-06 18:07:30 -0400
commit 41c334bf2986c890f3d6032002d83e37f0f79df8 (patch)
tree 4e29c2a2fb208bb5a3a2464a8e84048fea5b0b0d /doc
parent b0994ba68e7cbaa077d81006fb0f25bcbd049353 (diff)
Add LDAP group sync
Diffstat (limited to 'doc')
-rw-r--r-- doc/config.markdown 11
-rw-r--r-- doc/index.markdown 1
-rw-r--r-- doc/ldap-authentication.markdown 11
-rw-r--r-- doc/ldap-group-sync.markdown 36
4 files changed, 59 insertions, 0 deletions
diff --git a/doc/config.markdown b/doc/config.markdown
index b5c3ce0d..5473ef9b 100644
--- a/doc/config.markdown
+++ b/doc/config.markdown
@@ -132,6 +132,17 @@ define('LDAP_ACCOUNT_EMAIL', 'mail');
// Example for OpenLDAP: 'uid'
define('LDAP_ACCOUNT_ID', 'samaccountname');
+// LDAP Attribute for group membership
+define('LDAP_ACCOUNT_MEMBEROF', 'memberof');
+
+// DN for administrators
+// Example: CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_ADMIN_DN', '');
+
+// DN for project administrators
+// Example: CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_PROJECT_ADMIN_DN', '');
+
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
// Set to true if you want to preserve the case
define('LDAP_USERNAME_CASE_SENSITIVE', false);
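Review bot: The comments above `LDAP_GROUP_ADMIN_DN` and `LDAP_GROUP_PROJECT_ADMIN_DN` do not say what the empty default `''` means, and these two constants decide who becomes an administrator. Suggest one more comment line stating what happens when the value is left empty (for example that no LDAP group is mapped to that role, if that is the behaviour). Minor: the attribute is spelled `memberof` here and `memberOf` in doc/ldap-group-sync.markdown; use one spelling across the docs.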
diff --git a/doc/index.markdown b/doc/index.markdown
index 0c33bfaa..bc3cc23c 100644
--- a/doc/index.markdown
+++ b/doc/index.markdown
@@ -120,6 +120,7 @@ Technical details
### Authentication
- [LDAP authentication](ldap-authentication.markdown)
+- [LDAP group sync](ldap-group-sync.markdown)
- [Google authentication](google-authentication.markdown)
- [Github authentication](github-authentication.markdown)
- [Gitlab authentication](gitlab-authentication.markdown)
diff --git a/doc/ldap-authentication.markdown b/doc/ldap-authentication.markdown
index 53b3d012..136aa9ac 100644
--- a/doc/ldap-authentication.markdown
+++ b/doc/ldap-authentication.markdown
@@ -225,6 +225,17 @@ define('LDAP_ACCOUNT_EMAIL', 'mail');
// Example for OpenLDAP: 'uid'
define('LDAP_ACCOUNT_ID', 'samaccountname');
+// LDAP Attribute for group membership
+define('LDAP_ACCOUNT_MEMBEROF', 'memberof');
+
+// DN for administrators
+// Example: CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_ADMIN_DN', '');
+
+// DN for project administrators
+// Example: CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local
+define('LDAP_GROUP_PROJECT_ADMIN_DN', '');
+
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
// Set to true if you want to preserve the case
define('LDAP_USERNAME_CASE_SENSITIVE', false);
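Review bot: The three constants added after `LDAP_ACCOUNT_ID` are a verbatim copy of the block added to doc/config.markdown and carry no pointer to the new doc/ldap-group-sync.markdown page, so a reader of the authentication guide sees role-granting settings without the explanation of how they are applied. Suggest adding a comment or a sentence that links to ldap-group-sync.markdown, and keeping the wording in one place so the two copies cannot drift apart.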
diff --git a/doc/ldap-group-sync.markdown b/doc/ldap-group-sync.markdown
new file mode 100644
index 00000000..355a1cde
--- /dev/null
+++ b/doc/ldap-group-sync.markdown
@@ -0,0 +1,36 @@
+LDAP Group Synchronization
+==========================
+
+Requirements
+------------
+
+- Have LDAP authentication properly configured
+- Use a LDAP server that supports `memberOf`
+
+Automatically define Kanboard groups based on LDAP groups
+---------------------------------------------------------
+
+In your config file, define the constants `LDAP_GROUP_ADMIN_DN` and `LDAP_GROUP_PROJECT_ADMIN_DN`. Here an example, replace the values according to your own LDAP configuration:
+
+```php
+define('LDAP_GROUP_ADMIN_DN', 'CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local');
+define('LDAP_GROUP_PROJECT_ADMIN_DN', 'CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local');
+```
+
+- People member of "Kanboard Admins" will be "Kanboard Administrators"
+- People member of "Kanboard Project Admins" will be "Kanboard Project Administrators"
+- Everybody else will be Kanboard Standard Users
+
+Note: At the moment, that works only at account creation.
+
+Filter Kanboard access based on the LDAP group
+----------------------------------------------
+
+To allow only some users to use Kanboard, use the existing `LDAP_USER_PATTERN` constant:
+
+```php
+define('LDAP_USER_PATTERN', '(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=Kanboard Users,CN=Users,DC=kanboard,DC=local))');
+```
+
+This example allow only people member of the group "Kanboard Users" to connect to Kanboard.
+
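Review bot: The line "Note: At the moment, that works only at account creation." needs to spell out what it implies for revocation. As worded, a user removed from the group named in `LDAP_GROUP_ADMIN_DN` after their account exists would keep the administrator role, and a user added to the group later would not gain it. Suggest stating this explicitly and telling administrators to adjust roles by hand in Kanboard in those cases. The bullet list also never says that the roles are taken from the `LDAP_ACCOUNT_MEMBEROF` attribute, which is the only reason `memberOf` appears under Requirements. Minor wording: "Here an example" should be "Here is an example", and "This example allow" should be "allows".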