This repository has been archived by the owner on Feb 14, 2019. It is now read-only.

UserAccountControl flags on openLDAP #14

Closed
disels opened this issue Sep 12, 2011 · 15 comments
Comments

@disels

disels commented Sep 12, 2011

Can you add to the plug-in settings the ability to disable locking the account on the basis of UserAccountControl?
These flags are only available in Microsoft AD and are not supported in OpenLDAP.
And tell me, how can I turn off this feature in the current release?
Thank you.

@thorin
Owner

thorin commented Sep 13, 2011

Disels, on the current version it's not possible to disable automatic user lock.

Since I have yet to test it with OpenLDAP, can you tell me if it is working ok for you with OpenLDAP?
It's supposed not to lock the user if the directory is not a Microsoft AD.

@disels
Author

disels commented Sep 13, 2011

With OpenLDAP the plugin does not work correctly.
When you sync, the plugin does not find the UserAccountControl parameter and blocks accounts. Otherwise, synchronization is successful.
I'm using slapd 2.4.25-1.1 and GOsa 2.17 for control.

@thorin
Owner

thorin commented Sep 13, 2011

Thank you for the feedback. I'll surely have a look at it later.

In the meantime, you can make it work for you if you comment out lines 92, 93, 94, and 96 of the file lib/redmine_ldap_sync/redmine_ext/auth_source_ldap_patch.rb.
It should look like this:

#if entry[attr_enabled] && entry[attr_enabled][0].to_i & 2 != 0
#  users[:disabled] << entry[self.attr_login][0]
#else
  users[:enabled] << entry[self.attr_login][0]
#end

@disels
Author

disels commented Sep 13, 2011

You may be surprised, but it is not working.
That's what the array turns out to be after the changes to the code:

disabled
enabled disel dmitry sergey

Are there still places where checks are performed?

@thorin
Owner

thorin commented Sep 13, 2011

Indeed surprised. That's the only place where the checks are performed.

Disels, I don't understand the results you sent.
Did the synchronization disable the users disel, dmitry, sergey?
I mean, they were enabled before the sync and after the sync they ended up disabled.

@ghost ghost assigned thorin Sep 13, 2011
@disels
Author

disels commented Sep 13, 2011

Sorry.
Yes, synchronization disabled the users disel, dmitry, sergey.
I was referring to the following:
if I remove the code

# if entry[attr_enabled] && entry[attr_enabled][0].to_i & 2 != 0
#   users[:disabled] << entry[self.attr_login][0]
# else
    users[:enabled] << entry[self.attr_login][0]
# end

accounts are still marked as locked.

@thorin
Owner

thorin commented Sep 13, 2011

Ok, just to make two things clear:

  1. The plugin doesn't re-enable accounts. Accounts that were previously locked won't be unlocked by the synchronization if they are found unlocked on the ldap.
  2. The idea was not to remove those 5 lines but to leave only one line uncommented:
    the line users[:enabled] << entry[self.attr_login][0].
    The whole file should look like this: http://pastebin.com/50DT5ddK

@disels
Author

disels commented Sep 13, 2011

I understand what you tried to explain.
I manually unlock an account, then run the synchronization;
unfortunately the accounts are still blocked.
And I was surprised.

@thorin
Owner

thorin commented Sep 13, 2011

=) ok.
Sorry I wasn't able to help. Later I'll have a better look at this and see how I can fix it.

@mfulz

mfulz commented Oct 12, 2011

Hi,

I think I know what the problem is (not 100% sure if this is the same issue I have, but I want to reply before opening a new one):

I've defined a group under "user must be member of" so that not all users can log in.
If a user is not inside this group during a sync, it will be created as locked in redmine, which is fine.
But if I now add this user to the above group in LDAP, the membership will be synced correctly to redmine. But the user is still locked.

I think this should be easy to fix by doing something like this
(pseudocode):

while syncing users do
  if user is in the "user must be member of" group
    unlock user
  else
    lock user
  end
done

I would add this check on my own, but I'm not familiar with RoR, nor with redmine development.

I hope the stuff is understandable.

@thorin
Owner

thorin commented Oct 12, 2011

Hi mfulz, thank you for your feedback.

That makes sense, it should be unlocking those users.

A side effect will be that you won't be able to lock the access of a user that is not disabled on ldap.

What I'll do is that a user will only be unlocked whenever a "user must be member of" group is defined.

@mfulz

mfulz commented Oct 12, 2011

Hi thorin,

you're right, I didn't think of this side effect. But in my opinion, most people normally use AD/LDAP etc. as a single point of administration, so I think that's the smaller issue.

Perhaps (don't know how complicated this is in redmine/RoR) you could add a check for selection?

E.g.: Something like "Administer user in LDAP" (that means that you cannot lock users in redmine; instead you need to remove them from the "user must be member of" group).

With this everyone could decide on their own what they would like to use.

What do you think about it? Further, I would really appreciate it if you post a note here when you have done any of these implementations; I would like to test them.

BTW: Thanks for your work.

@thorin
Owner

thorin commented Oct 12, 2011

I've just committed the change.

The main idea behind the "users must be members of" group was to provide a way to control on ldap which users should have access to redmine.
As such, I think it might not be an issue to unlock the users only when that group is defined.

If it shows up as needed I'll add the option to "Administer the users in LDAP". It's not difficult.
For now I'll try to keep configuration simple.

What do you think?
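The lock/unlock decision discussed in this thread (the userAccountControl bit check from the commented-out lines above, plus the "user must be member of" rule from the committed change), as an added example in Ruby that is not the plugin's own code; the method names, attribute names and sample entries are constructed for illustration:

```ruby
# Added example (not redmine_ldap_sync's own code): models the lock/unlock
# decision debated in this issue. Names and sample entries are constructed.

# Bit 0x2 of Active Directory's userAccountControl is ACCOUNTDISABLE.
AD_ACCOUNTDISABLE = 0x2

# Decide what a sync should do with one directory entry.
#   entry          - LDAP attributes, values as arrays (net-ldap style)
#   attr_login     - attribute holding the login (e.g. 'uid')
#   attr_enabled   - attribute holding the AD flags, or nil for a directory
#                    such as OpenLDAP that has no userAccountControl
#   required_group - logins in the "user must be member of" group, or nil
#                    when no such group is configured
# Returns :lock, :unlock or :keep (leave the Redmine account as it is).
def sync_action(entry, attr_login, attr_enabled, required_group)
  login = entry[attr_login][0]
  flags = attr_enabled && entry[attr_enabled] && entry[attr_enabled][0].to_i
  # AD: ACCOUNTDISABLE set means lock, the same test as the original check.
  # `&` binds tighter than `!=` in Ruby, so no extra parentheses are needed.
  return :lock if flags && flags & AD_ACCOUNTDISABLE != 0
  # Membership drives the state only when a required group is configured;
  # this is also the only path that unlocks (the change thorin describes).
  return required_group.include?(login) ? :unlock : :lock if required_group
  # No flag and no group: the plugin does not re-enable accounts on its own.
  :keep
end

# Run the decision over a set of entries and return login => action.
def sync_plan(entries, attr_login, attr_enabled, required_group)
  entries.each_with_object({}) do |e, plan|
    plan[e[attr_login][0]] = sync_action(e, attr_login, attr_enabled, required_group)
  end
end

# Constructed sample data: an AD-style directory with userAccountControl ...
AD_ENTRIES = [
  { 'sAMAccountName' => ['alice'], 'userAccountControl' => ['512'] },
  { 'sAMAccountName' => ['bob'],   'userAccountControl' => ['514'] }, # 512 | 2
]
# ... and an OpenLDAP-style one with no such attribute, as in disels' setup.
OPENLDAP_ENTRIES = [
  { 'uid' => ['disel'] }, { 'uid' => ['dmitry'] }, { 'uid' => ['sergey'] },
]

if __FILE__ == $0
  p sync_plan(AD_ENTRIES, 'sAMAccountName', 'userAccountControl', nil)
  p sync_plan(OPENLDAP_ENTRIES, 'uid', nil, %w[disel dmitry])
end
```

With no required group and no flag attribute (disels' OpenLDAP case) every entry yields :keep, which is why commenting out the check alone cannot unlock an account that was locked earlier.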

@mfulz

mfulz commented Oct 13, 2011

For me personally the way is good to go.

Btw. I've tested the updated plugin and it is working perfectly now for me, thanks a lot!

@thorin
Owner

thorin commented Oct 20, 2011

Disels, I'm closing this issue.
If you still have the problem feel free to reopen it.

@thorin thorin closed this as completed Oct 20, 2011