FS#1487 : LDAP(Active Directory) Authentication

Quick Actions

View Dependency Graph

Status Planned
Percent Complete
40%
Task Type Feature Request
Category Backend/Core → Authentication
Assigned To No-one
Operating System All
Severity Low
Priority Very Low
Reported Version 0.9.9.5 devel
Due in Version 1.1 devel
Due Date Undecided
Votes
11
- Jugaru Gabi (15.10.2016)
- Artur Kanczugowski (09.10.2016)
- Plamen (28.03.2015)
- Jérôme Martin (23.03.2015)
- Evgeniy P. (21.01.2014)
- Sebastian Struß (06.01.2014)
- Phil (21.08.2013)
- Ethan Zonca (25.07.2013)
- BafS (12.02.2013)
- ms (11.07.2012)
- Pgl (12.01.2009)
Private

Attached to Project: Flyspray - The bug killer!
Opened by simon Whittaker - 21.05.2008
Last edited by Psychokiller1888 - 04.09.2019

FS#1487 - LDAP(Active Directory) Authentication

I have done a very quick bit of work to bring ldap (through active directory) authentication to flyspray for our implementation in the office. I hope it will be of use to others. There is a readme.txt inside talking through the process and the patch to apply. My plan is to expand on this and make it part of the setup process but this will take a bit longer.

AD authentication.zip (50.9 KiB)

This task has the following sub-task
ID	Project	Summary	Priority	Severity	Assigned To	Progress
2209	Flyspray - The bug killer!	FS#2209 - TLS support for LDAP	Very Low	Medium		0%

Tomasz Broniewski commented on 20.05.2011 13:02

simon, Great job!!!

Regards
Bronek

Sebastian Struß commented on 06.01.2014 11:21

is there a port for the current master? seems there has been some refactoring in the code...

Sebastian Struß commented on 06.01.2014 11:59

just did it, 3 of 4 chunks reject, but if you manually apply it, it works great (i am using 009e01aba031eafacde1ece6d5173a86d63e9fd4)

Ethan Zonca commented on 18.08.2014 15:02

I manually applied the patch against 0.9.9.7 and created a new patch from the result. The patchcan be found in the tarball below (apply with -p3):
https://aur.archlinux.org/packages/fl/flyspray-ldap/flyspray-ldap.tar.gz

If you use Arch Linux, I created an AUR package that installs patched version of Flyspray with LDAP support.
The PKGBUILD is a bit rough right now and configuration is still in class.flyspray.php, but it works.

https://aur.archlinux.org/packages/flyspray-ldap/

Psychokiller1888 commented on 07.03.2015 11:13

That's definitly a must, will be implemented!

Soltanici Ilie commented on 19.03.2015 13:39

Today i tested the long awaited alpha version 1.0 - and Active Directory authentication are not included, add it please...

Psychokiller1888 commented on 19.03.2015 13:43

As marked in this feature request, it's planned for 2.0. Will maybe be available for 1.1, but not for 1.0 for sure.

peterdd commented on 20.03.2015 05:58

Mmh, it seems that patch for 0.9.9.7 only uses php builtin ldap functions, so no need for extra adodb-ldap-inc.php loading here???

Added some code to github for further dev.

Dat Nguyen commented on 27.09.2016 04:37

Sorry but I do not understand this step "2/ apply the ldapauth.patch to your includes/fclass.flyspray.php and set the variables accordingly"
Pls give more details of this step
Tks

peterdd commented on 04.09.2019 09:59

With coming Flyspray 1.0-rc10 LDAP is configurable by flyspray.conf.php and builtin. So the attachments of this task are obsolete.

In the general section of flyspray.conf.php add

auth_method = "ldap"

and add the ldap section.

Example:

[general]
auth_method = "ldap"
 
[ldap]
uri="ldap://example.com:389"
base_dn="ou=users,dc=example,dc=com"
search_user="cn=admin,dc=example,dc=com"
search_pass="password"
filter="uid=%USERNAME%"

There is now also a vagrant example I used for testing connect to slapd on same host: https://github.com/Flyspray/flyspray-vagrant/tree/master/ldap

Things to take care: A mixed userbase installation with

LDAP company employees
customers with native Flyspray login
customers with OAuth2 Flyspray login (Google, Github, ..)

requires some extra hardening settings.

Example

Employee alice is an ldap user account, but who never used Flyspray, so the username alice does not exists in Flyspray installation.

Now a new user alice (e.g. a customer) registers as alice in Flyspray. Flyspray does not know that there is an LDAP alice yet.

Now employee alice is assigned a task by her boss and told to login with her credential stored in ldap. Now she is in the Flyspray account of the customer alice
and the customer still could login as same user alice with credentials stored in Flyspray database.

( Currently there is a fallback: When LDAP login username/password fails it tries the password stored in Flyspray database. )

So until this mixed stuff is cleaned, mixed LDAP+native+Oauth2 should be prevented by

disable OAuth2 if was configured
disable new user registration

For existing user accounts it must make sure foreign (non-company) user account names are no valid internal ldap usernames too. As an LDAP database may change over time (employees come and go) and Flyspray does not control that, some conflict preventing must be done.

I try to add some checks before releasing Flyspray 1.0-rc10 , but I am not an LDAP user and some best practice by people who are familiar with ldap maintainance and managing big user bases in mixed environments could help.

	Tasks related to this task (1)
	FS#2551 - LDAP/AD integration

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + l Login Dialog / Logout
Alt + a Add new task
Alt + m My searches
Alt + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + e ↵ Enter Edit this task
Alt + w watch task
Alt + y Close Task

Task Editing

Alt + s save task