Add LDAP group sync
@@ -132,6 +132,17 @@ define('LDAP_ACCOUNT_EMAIL', 'mail');
|
||||
// Example for OpenLDAP: 'uid'
|
||||
define('LDAP_ACCOUNT_ID', 'samaccountname');
|
||||
|
||||
// LDAP Attribute for group membership
|
||||
define('LDAP_ACCOUNT_MEMBEROF', 'memberof');
|
||||
|
||||
// DN for administrators
|
||||
// Example: CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_ADMIN_DN', '');
|
||||
|
||||
// DN for project administrators
|
||||
// Example: CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_PROJECT_ADMIN_DN', '');
|
||||
|
||||
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
|
||||
// Set to true if you want to preserve the case
|
||||
define('LDAP_USERNAME_CASE_SENSITIVE', false);
|
||||
|
||||
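Review bot: `define('LDAP_GROUP_ADMIN_DN', '');` and `define('LDAP_GROUP_PROJECT_ADMIN_DN', '');` ship with an empty default, but the comments above them do not say what an empty value means. These two constants decide who becomes an administrator, so the comment should state outright that an empty string disables the mapping (if that is the intent) rather than leaving the reader to infer it. It would also help to say how the configured DN is compared with the values of the `memberof` attribute (exact match, case-sensitive or not), since the example DN is mixed-case.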
@@ -120,6 +120,7 @@ Technical details
|
||||
### Authentication
|
||||
|
||||
- [LDAP authentication](ldap-authentication.markdown)
|
||||
- [LDAP group sync](ldap-group-sync.markdown)
|
||||
- [Google authentication](google-authentication.markdown)
|
||||
- [Github authentication](github-authentication.markdown)
|
||||
- [Gitlab authentication](gitlab-authentication.markdown)
|
||||
|
||||
@@ -225,6 +225,17 @@ define('LDAP_ACCOUNT_EMAIL', 'mail');
|
||||
// Example for OpenLDAP: 'uid'
|
||||
define('LDAP_ACCOUNT_ID', 'samaccountname');
|
||||
|
||||
// LDAP Attribute for group membership
|
||||
define('LDAP_ACCOUNT_MEMBEROF', 'memberof');
|
||||
|
||||
// DN for administrators
|
||||
// Example: CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_ADMIN_DN', '');
|
||||
|
||||
// DN for project administrators
|
||||
// Example: CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local
|
||||
define('LDAP_GROUP_PROJECT_ADMIN_DN', '');
|
||||
|
||||
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
|
||||
// Set to true if you want to preserve the case
|
||||
define('LDAP_USERNAME_CASE_SENSITIVE', false);
|
||||
|
||||
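Review bot: The attribute name in `define('LDAP_ACCOUNT_MEMBEROF', 'memberof');` is written in lowercase here, while the new ldap-group-sync page in this same commit spells it `memberOf`. Please add a one-line comment saying whether the case of this value matters, or use one spelling throughout, so that someone copying from the doc page does not end up with a setting that silently matches nothing. This block is also a second copy of the constants added in the first hunk, so any wording change made there needs to be mirrored here.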
36
doc/ldap-group-sync.markdown
Normal file
@@ -0,0 +1,36 @@
|
||||
LDAP Group Synchronization
|
||||
==========================
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
- Have LDAP authentication properly configured
|
||||
- Use a LDAP server that supports `memberOf`
|
||||
|
||||
Automatically define Kanboard groups based on LDAP groups
|
||||
---------------------------------------------------------
|
||||
|
||||
In your config file, define the constants `LDAP_GROUP_ADMIN_DN` and `LDAP_GROUP_PROJECT_ADMIN_DN`. Here an example, replace the values according to your own LDAP configuration:
|
||||
|
||||
```php
|
||||
define('LDAP_GROUP_ADMIN_DN', 'CN=Kanboard Admins,CN=Users,DC=kanboard,DC=local');
|
||||
define('LDAP_GROUP_PROJECT_ADMIN_DN', 'CN=Kanboard Project Admins,CN=Users,DC=kanboard,DC=local');
|
||||
```
|
||||
|
||||
- People member of "Kanboard Admins" will be "Kanboard Administrators"
|
||||
- People member of "Kanboard Project Admins" will be "Kanboard Project Administrators"
|
||||
- Everybody else will be Kanboard Standard Users
|
||||
|
||||
Note: At the moment, that works only at account creation.
|
||||
|
||||
Filter Kanboard access based on the LDAP group
|
||||
----------------------------------------------
|
||||
|
||||
To allow only some users to use Kanboard, use the existing `LDAP_USER_PATTERN` constant:
|
||||
|
||||
```php
|
||||
define('LDAP_USER_PATTERN', '(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=Kanboard Users,CN=Users,DC=kanboard,DC=local))');
|
||||
```
|
||||
|
||||
This example allow only people member of the group "Kanboard Users" to connect to Kanboard.
|
||||
|
||||
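Review bot: The line "Note: At the moment, that works only at account creation." understates a consequence that this page should spell out. As written, it means later changes in LDAP are not picked up: a user removed from "Kanboard Admins" after their first login keeps the Kanboard role they were created with until someone changes it by hand, and a user added to the group later is not promoted. I would state both cases explicitly under that note so operators do not treat LDAP group removal as revocation. In the filter section, it is also worth one sentence saying that the `memberOf=` clause in `LDAP_USER_PATTERN` matches only groups listed on the user's own entry, so members of a group nested inside "Kanboard Users" may be refused. Wording nits: "Here an example" should be "Here is an example", and "This example allow only people member of" should be "This example allows only members of".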