1491: LDAP group support
- Confirmed
- Review Board
psar****@gmai***** (Google Code)
What version are you running?
1.1alpha2

Describe the enhancement and the motivation for it.
It'd be nice to have LDAP group support so we could just use the groups defined in LDAP rather than having to re-create them in ReviewBoard. This would be useful both for auth and for review groups.
This is pretty specific to certain setups and is certainly not something we'd want to make default. If we do this, I'd propose a tool or management command for running the synchronization. We probably couldn't just keep it always in sync within Review Board, so it'd have to be run manually or in a crontab.
-
+ Component-Accounts + Component-Reviews
To me at least, it feels like not wanting this is specific to certain setups (or small shops that don't have LDAP set up properly yet). Managing everything through a single point is a lot easier than having to deal with multiple points, and sync processes are annoying. If LDAP is so broken that group stuff doesn't work, neither does login and you have bigger issues. Can you please provide a bit more about why you think it's specific to certain setups and why a sync process would be better than just calling LDAP in the same way user login does?
You may want groups for permission purposes, or for review groups, or neither. Some places map review groups to mailman lists, and not anything in LDAP.
Right. I was thinking that each part of this would be optional (i.e. turn on LDAP group support for auth OR review). That'd allow organizations to turn on the parts they want to use LDAP support for and leave the rest as internal groups (if they use the group functionality at all).
I'm running 1.5.5. Has there been any progress on this issue -- either a management tool to sync LDAP/RB groups or something else?
Any progress on this? It's been "New" for a long time. This would be extremely handy.
Yes, please! Has anyone solved this on their own? I am contemplating a hack in the current ldap auth code to do the group membership check first. If anybody else has done this already, I'd love to know. Thanks.
What I believe would fit the requirements for my company would be the ability to add group DNs as members to both permission and review groups. E.g. adding "CN=svn_x_product,OU=Project,OU=Development Center,DC=example,DC=com" as a member of a (review/permission/auth) group would implicitly add all of this group's members as well. This would of course require that, every time an enumeration of this group's members is asked for, an LDAP search be performed if that group references LDAP groups (though I don't believe that should be a problem, and it could be cached for some time).
Just another ++ for this feature. In an LDAP-auth-based environment with a lot of different systems, assigning permissions per group in LDAP is way more efficient and easier to manage than in every single system on its own. It could be done by simply mapping reviewboard groups to LDAP ones (requires same name). User membership would then need to be checked per group on login. No cron jobs would be needed to import groups and users from LDAP.
Another ++ for this feature. Use case:
- 1000 users in LDAP
- Users are part of LDAP groups based on their teams, etc.
- LDAP groups can be nested.
- Members of the LDAP groups have access to certain systems, repos, etc.

It is one thing to go into reviewboard and say anyone in this LDAP group has access to this repo. It is a maintenance nightmare if I also have to go in and manually configure the group memberships in reviewboard. LDAP is the center of the world; why should I have to duplicate the configuration of who belongs to which group? Group membership can change over time, thus I should not have to go and update all connected systems. Thanks.
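The resolution discussed in the comments above (a group DN listed as a member implicitly adds that group's members, groups may be nested, and results are cached for some time), shown as an added example that is not Review Board or Power Pack code. `GroupResolver`, its `lookup` callable, the `contractors` group and the user DNs are assumptions; a constructed in-memory dict stands in for the LDAP search.

```python
import time

# Constructed sample data standing in for an LDAP directory:
# group DN -> direct member DNs. Only the svn_x_product DN is from the thread.
BASE = "OU=Project,OU=Development Center,DC=example,DC=com"
PRODUCT = "CN=svn_x_product," + BASE
CONTRACTORS = "CN=contractors," + BASE
ALICE = "UID=alice,OU=People,DC=example,DC=com"
BOB = "UID=bob,OU=People,DC=example,DC=com"
CAROL = "UID=carol,OU=People,DC=example,DC=com"
DIRECTORY = {
    PRODUCT: [ALICE, CONTRACTORS],   # nested group
    CONTRACTORS: [BOB, PRODUCT],     # cycle back to the parent group
}

class GroupResolver:
    """Expand a member list that mixes user DNs and group DNs into user DNs."""

    def __init__(self, lookup, ttl=300, clock=time.monotonic):
        # lookup(dn) returns the direct members of a group, or None if dn
        # is not a group; a deployment would back it with an LDAP search.
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.cache = {}      # dn -> (expiry time, lookup result)
        self.searches = 0    # number of directory lookups actually made

    def _direct(self, dn):
        hit = self.cache.get(dn)
        if hit and hit[0] > self.clock():
            return hit[1]
        self.searches += 1
        result = self.lookup(dn)
        # A removed member keeps its access for up to ttl seconds, so the
        # TTL is also the worst-case delay before a revocation takes effect.
        self.cache[dn] = (self.clock() + self.ttl, result)
        return result

    def expand(self, members):
        users, seen, stack = set(), set(), list(members)
        while stack:
            dn = stack.pop()
            if dn in seen:       # guards against cyclic nesting
                continue
            seen.add(dn)
            children = self._direct(dn)
            if children is None:
                users.add(dn)
            else:
                stack.extend(children)
        return users
```
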
We're looking into adding this functionality as part of Power Pack. We don't yet have an ETA, as we're working on a few other high-priority features, but it's one of the next big ones we're hoping to get to.
-
+ Confirmed
Exactly the same situation (different company) as #10 above. For us LDAP is the authoritative mechanism for source code access and is used in the filesystem and mercurial repositories for access control. We need to be able to control initial authentication to ReviewBoard by LDAP group membership and map review group membership 1:1 to an existing LDAP group.
We're adding support for user and group sync as part of Power Pack 2.0, which will be out in a couple of months. We'll announce this release on our announcements list.