1491: LDAP group support

psar****@gmai***** (Google Code)
What version are you running?

1.1alpha2

Describe the enhancement and the motivation for it.

It'd be nice to have LDAP group support so we could just use the groups 
defined in LDAP rather than having to re-create them in ReviewBoard. This 
would be useful both for auth and for review groups.
#1 chipx86
This is pretty specific to certain setups and is certainly not something we'd want to
make default. If we do this, I'd propose a tool or management command for running the
synchronization. We probably couldn't just keep it always in sync within Review
Board, so it'd have to be run manually or in a crontab.
  • +Component-Accounts
  • +Component-Reviews
#2 psar****@gmai***** (Google Code)
To me at least, it feels like not wanting this is specific to certain setups (or 
small shops that don't have LDAP set up properly yet). Managing everything through a 
single point is a lot easier than having to deal with multiple points and sync 
processes are annoying.

If LDAP is so broken group stuff doesn't work, neither does login and you have bigger 
issues. Can you please provide a bit more about why you think it's specific to 
certain setups and why a sync process would be better than just calling LDAP in the 
same way user login does?
#3 chipx86
You may want groups for permission purposes, or for review groups, or neither. Some
places map review groups to mailman lists, and not anything in LDAP.
#4 lonesom********@gmai***** (Google Code)
Right. I was thinking that each part of this would be optional (i.e. turn on LDAP 
group support for auth OR review). That'd allow organizations to turn on the parts 
they want to use LDAP support for and leave the rest as internal groups (if they use 
the group functionality at all).
#5 shol****@gmai***** (Google Code)
I'm running 1.5.5.  Has there been any progress on this issue -- either a management tool to sync LDAP/RB groups or something else?
#6 liam.r******@gmai***** (Google Code)
Any progress on this? It's been "New" for a long time. This would be extremely handy.
#7 rge****@gmai***** (Google Code)
Yes, please!
Has anyone solved this on their own? I am contemplating a hack in the current ldap auth code to do the group membership check first. If anybody else has done this already, I'd love to know. Thanks.
#8 mortis.********@gmai***** (Google Code)
What I believe would fit the requirements for my company would be the ability to add group DNs as members to both permission and review groups.

E.g. adding "CN=svn_x_product,OU=Project,OU=Development Center,DC=example,DC=com" as a member of a (review/permission/auth) group would implicitly add all of this group's members as well. This would of course require that an LDAP search be performed every time this group's members are enumerated, if that group references LDAP groups (though I don't believe that should be a problem, and the result could be cached for some time).
#9 rtfm.******@gmai***** (Google Code)
Just another ++ for this feature.

In an LDAP auth based environment with a lot of different systems, assigning permissions per group in LDAP is way more efficient and easy to manage than in every single system on its own. 
It could be done by simply mapping Review Board groups to LDAP ones (requires the same name). User membership would then need to be checked per group on login. No cron jobs would be needed to import groups and users from LDAP.
#10 msunde
Another ++ for this feature.

Use case:
- 1000 users in LDAP
- Users are part of LDAP groups based on their teams, etc.
- LDAP groups can be nested.
- Members of the LDAP groups have access to certain systems, repos, etc.

It is one thing to go into reviewboard and say anyone in this LDAP group has access to this repo. 
It is a maintenance nightmare if I also have to go in and manually configure the group memberships in Review Board. LDAP is the center of the world, so why should I have to duplicate the configuration of who belongs to which group? Group membership can change over time, so I should not have to go and update all connected systems.

Thanks.
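The three proposals above (#8: attach an LDAP group DN to a Review Board group and expand it on enumeration, with caching; #9: check membership per group at login instead of syncing; #10: groups that nest) can be illustrated with one resolver. The following is an added example written for this page, not Review Board or Power Pack code. It assumes a `groupOfNames`-style schema (`member` / `uniqueMember` attributes, users identified by `uid`), and the LDAP server is replaced by a constructed in-memory directory so the example runs offline; the `search` callable is the only seam a real deployment would swap for a base-scope `search_s` against the directory.

```python
"""Resolve Review Board-style group membership against nested LDAP groups.

Hypothetical illustration written for this thread; not Review Board code.
The directory below is constructed sample data standing in for an LDAP server.
"""
import time
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]
# A search function takes a DN and returns that entry's attributes, or None.
# With python-ldap this would wrap conn.search_s(dn, ldap.SCOPE_BASE, ...);
# here it is backed by the in-memory dictionary so the example runs offline.
SearchFn = Callable[[str], Optional[Entry]]

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}
MEMBER_ATTRS = ("member", "uniqueMember")


def _norm(dn: str) -> str:
    """DNs are case-insensitive; normalise before comparing or caching."""
    return ",".join(part.strip().lower() for part in dn.split(","))


BASE = "dc=example,dc=com"
PEOPLE = f"ou=People,{BASE}"
PROJECTS = f"ou=Project,ou=Development Center,{BASE}"

# Constructed sample directory (assumed schema: inetOrgPerson users, groupOfNames groups).
_RAW_DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    f"uid=carol,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
    f"CN=svn_x_product,{PROJECTS}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=alice,{PEOPLE}", f"CN=x_product_leads,{PROJECTS}"],
    },
    f"CN=x_product_leads,{PROJECTS}": {
        "objectClass": ["groupOfNames"],
        # Refers back to its parent (a cycle) and to a DN that does not exist:
        # both are things a resolver over real directories has to tolerate.
        "member": [f"uid=bob,{PEOPLE}", f"CN=svn_x_product,{PROJECTS}", f"uid=ghost,{PEOPLE}"],
    },
}
SAMPLE_DIRECTORY: Dict[str, Entry] = {_norm(dn): attrs for dn, attrs in _RAW_DIRECTORY.items()}


def dict_search(dn: str) -> Optional[Entry]:
    """Base-scope lookup against the constructed directory."""
    return SAMPLE_DIRECTORY.get(_norm(dn))


class LdapGroupResolver:
    """Expands (nested) LDAP groups to usernames, caching each group for `ttl` seconds."""

    def __init__(self, search: SearchFn, ttl: float = 300.0, clock=time.monotonic):
        self._search = search
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}

    @staticmethod
    def _is_group(entry: Entry) -> bool:
        return bool({c.lower() for c in entry.get("objectClass", [])} & GROUP_CLASSES)

    def _expand(self, group_dn: str, max_depth: int = 10) -> Set[str]:
        """Transitive closure of membership, as usernames; cycles and depth are bounded."""
        users: Set[str] = set()
        seen: Set[str] = set()
        stack = [(_norm(group_dn), 0)]
        while stack:
            dn, depth = stack.pop()
            if dn in seen or depth > max_depth:
                continue  # cycle, or nesting deeper than we are willing to follow
            seen.add(dn)
            entry = self._search(dn)
            if entry is None:
                continue  # dangling member DN: skip it rather than fail the whole group
            if self._is_group(entry):
                for attr in MEMBER_ATTRS:
                    for member in entry.get(attr, []):
                        stack.append((_norm(member), depth + 1))
            else:
                users.update(entry.get("uid", []))
        return users

    def members(self, group_dn: str) -> Set[str]:
        key = _norm(group_dn)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and hit[0] > now:
            return set(hit[1])
        users = self._expand(key)
        self._cache[key] = (now + self._ttl, frozenset(users))
        return users

    def is_member(self, username: str, group_dn: str) -> bool:
        return username in self.members(group_dn)


class ReviewGroup:
    """A review or permission group: local members plus any attached LDAP group DNs (#8)."""

    def __init__(self, name: str, local_users=(), ldap_group_dns=()):
        self.name = name
        self.local_users = set(local_users)
        self.ldap_group_dns = list(ldap_group_dns)

    def members(self, resolver: LdapGroupResolver) -> Set[str]:
        users = set(self.local_users)
        for dn in self.ldap_group_dns:
            users |= resolver.members(dn)
        return users


def login_allowed(username: str, required_group_dns: List[str], resolver: LdapGroupResolver) -> bool:
    """Login-time gate (#9, #12): with no required groups anyone authenticated gets in."""
    if not required_group_dns:
        return True
    return any(resolver.is_member(username, dn) for dn in required_group_dns)


if __name__ == "__main__":
    resolver = LdapGroupResolver(dict_search)
    group = ReviewGroup("x-product-reviewers", local_users={"dave"},
                        ldap_group_dns=[f"CN=svn_x_product,{PROJECTS}"])
    print(sorted(group.members(resolver)))
    print(login_allowed("carol", [f"CN=svn_x_product,{PROJECTS}"], resolver))
```

The TTL cache is what makes the per-enumeration search cheap enough to run on every page load, but it also bounds how quickly a removal in LDAP takes effect: a user dropped from the directory group keeps access until the cached entry expires, so pick the TTL with that revocation delay in mind.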
#11 chipx86
We're looking into adding this functionality as part of Power Pack. We don't yet have an ETA, as we're working on a few other high-priority features, but it's one of the next big ones we're hoping to get to.
  • +Confirmed
#12 darrenmoffat

Exactly the same situation (different company) as #10 above. For us LDAP is the authoritative mechanism for source code access and is used in the filesystem and mercurial repositories for access control. We need to be able to control initial authentication to ReviewBoard by LDAP group membership and map review group membership 1:1 to an existing LDAP group.

#13 chipx86

We're adding support for user and group sync as part of Power Pack 2.0, which will be out in a couple of months. We'll announce this release on our announcements list.