This plugin extends Redmine's LDAP authentication to perform group synchronization. In addition, it provides a rake task to perform full user group synchronization.
The following should be noted:
- The plugin has only been tested with Active Directory but should work with other directories.
- It detects and disables users that have been marked as disabled on LDAP (see MS KB Article 305144 for more details).
- A user will only be removed from groups that exist on LDAP. This means that both LDAP and non-LDAP groups can coexist.
- Deleted groups on LDAP will not be deleted on redmine.
Follow the plugin installation procedure described at http://www.redmine.org/wiki/redmine/Plugins
Open Administration > Plugins. On the plugin configuration page you'll be able to set the following for each LDAP authentication.
LDAP settings:
- Active - Enable/Disable user/group synchronization for this LDAP authentication.
- Group base DN - The path to where the groups are located. Eg, `ou=people,dc=smokeyjoe,dc=com`.
- Group name attribute - The LDAP attribute from which to fetch the group's name. Eg, `sAMAccountName`.
- Members attribute - The LDAP attribute from which to fetch the group's members. Eg, `member`.
- Groups objectclass - The groups object class.
- Users objectclass - The users object class.
- Group name pattern - (optional) A RegExp that should match the names of the groups that should be imported. Eg, `\.team$`.
- Group search filter - (optional) An LDAP search filter to be applied whenever searching for groups.
Synchronization Actions:
- Users must be members of - (optional) A group to which the users must belong in order to have access to Redmine enabled.
- Add users to group - (optional) A group to which all the users created from this LDAP authentication will be added upon creation. The group should not exist on LDAP.
- Create new groups - If enabled, groups that don't already exist on redmine will be created.
- Create new users - If enabled, users that don't already exist on redmine will be created when running the rake task.
- Sync users attributes - If enabled, the selected attributes will be synchronized both by the rake task and after every login.
- Attributes to be synced - The attributes to be synchronized: "First name", "Last name" and/or "Email"
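
The membership rules described above (disabled accounts, the group name pattern, the required group, and removal only from groups that exist on LDAP), sketched in Ruby as an added example. It is not the plugin's code: `plan_sync`, `ldap_disabled?` and the sample data are hypothetical, and it assumes the disabled state is read from the Active Directory `userAccountControl` ACCOUNTDISABLE flag (0x0002) listed in KB 305144.

```ruby
require 'set'

# ACCOUNTDISABLE bit of userAccountControl, as listed in MS KB 305144.
ACCOUNTDISABLE = 0x0002

# True when the userAccountControl value marks the account as disabled.
def ldap_disabled?(user_account_control)
  (user_account_control.to_i & ACCOUNTDISABLE) != 0
end

# Hypothetical helper: plans the sync of one user from plain name lists.
#   all_ldap_groups  - every group found under the group base DN
#   user_ldap_groups - groups whose members attribute lists the user
#   redmine_groups   - groups the user currently has in Redmine
def plan_sync(all_ldap_groups:, user_ldap_groups:, redmine_groups:, uac:,
              name_pattern: nil, required_group: nil)
  wanted  = ->(name) { name_pattern.nil? || name.match?(name_pattern) }
  known   = all_ldap_groups.select(&wanted).to_set
  member  = user_ldap_groups.select(&wanted).to_set
  current = redmine_groups.to_set

  # Assumption: the required group is checked against the unfiltered list.
  missing_required = !required_group.nil? &&
                     !user_ldap_groups.include?(required_group)
  {
    lock:   ldap_disabled?(uac) || missing_required,
    add:    (member - current).sort,
    # Only groups that exist on LDAP can be removed, so groups that live
    # only in Redmine stay untouched.
    remove: ((current & known) - member).sort
  }
end

# Constructed sample data, not taken from a real directory.
SAMPLE = {
  all_ldap_groups:  ['dev.team', 'ops.team', 'Domain Users', 'redmine-users'],
  user_ldap_groups: ['dev.team', 'Domain Users', 'redmine-users'],
  redmine_groups:   ['ops.team', 'Local reviewers'],
  name_pattern:     /\.team$/,
  required_group:   'redmine-users'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p plan_sync(**SAMPLE, uac: 512)  # enabled account (NORMAL_ACCOUNT)
  p plan_sync(**SAMPLE, uac: 514)  # same account with ACCOUNTDISABLE set
end
```

In the sample, the Redmine-only group "Local reviewers" is never a removal candidate, and "Domain Users" is ignored because it does not match the name pattern.
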
To do the full user synchronization execute the following:
    rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production
An alternative is to do it periodically with a cron task:
    # Synchronize users with ldap @ every 60 minutes
    35 * * * * root /usr/bin/rake -f /opt/redmine/Rakefile --silent redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production
Settings for Active Directory:
- Group name attribute = sAMAccountName
- Members attribute = member
- Groups objectclass = group
- Users objectclass = user

Settings for a directory that uses groupOfNames groups:
- Group name attribute = cn / ??
- Members attribute = member
- Groups objectclass = groupOfNames
- Users objectclass = person / organizationalPerson
This plugin is released under the GPL v3 license. See LICENSE for more information.