On Tue, Mar 21, 2017 at 12:29 AM, Long Vu <[email protected]> wrote:
Hi,

I previously used the internal authentication.

I now would like to enable LDAP.

Upon enabling LDAP, I have the error below in the logs.  It looks like
Kallithea does not allow the same user from both authentication
mechanisms?

Correct. Each user has one authentication mechanism.

Each known user has an entry in the "users" table in the database. Internally, Kallithea references users by the internal primary key "user_id". "username" is a secondary but unique key. Entries are either created locally or created on demand from external sources like LDAP. "extern_type" determines where the user came from and how it should be authenticated.

How can this user migrate to use LDAP authentication now?

The "extern_type" field is not open for edit in the UI. It is not something admins should change - that would probably break something. And if changing it, it should probably not be done manually.

For a database migration like this, I suggest modifying the database directly. For all the ldap users, change extern_type from internal to ldap. extern_name is currently not really used and will be populated on demand.

I also notice if I disable internal authentication, the admin user
(which is a local user not in LDAP) no longer works, which means I am
forced to keep internal auth together with ldap auth?

Yes, you probably want to keep internal auth enabled and have at least one internal admin so you also can access the system and reconfigure ldap if you should have to.

Let's say LDAP works.  It will only provide the users.  I still have
to manually assign those users coming from LDAP to a local group?

You might not have to, but it might be convenient to have user groups.

There is kallithea/bin/ldap_sync.py which should be able to sync LDAP groups. I haven't used it and it might have bitrotted. It would be nice if someone could use it and contribute documentation.

On 03/21/2017 05:01 PM, Long Vu wrote:
Looks like the answer is no.  Same username can not exist in both
internal and LDAP.

I had to rename my existing username in the internal auth to something
else and LDAP can now create a user with that username.

Now I have lvu-local (internal user) and lvu (user from LDAP).

lvu-local has a bunch of comments, pull requests, repos belonging to
him.  In addition to being in various groups.

How can I batch transfer all comment/pr/repos ownership and group
membership from lvu-local to lvu?

This information is referencing the user_id of the original (local) user. The user_id field is the primary key and immutable. I would suggest modifying the old local user with the essential info from the ldap user - primarily the username and extern_type, just like hinted when I mentioned database migration above.

/Mads
_______________________________________________
kallithea-general mailing list
[email protected]
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
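
An added example, not part of the original thread or of Kallithea's code: the database change suggested in the reply above (keep the old row and its user_id, change username and extern_type), sketched in Python against a constructed SQLite stand-in for the "users" table. The `admin` column, the "-dup" parking name and the function names are assumptions of this example.

```python
import sqlite3

def convert_to_ldap(conn, old_name, new_name=None):
    """Point an existing internal account at LDAP, keeping its user_id.

    If new_name is given, the row is also renamed; a row already holding
    new_name (e.g. one LDAP created on first login) is parked under a
    hypothetical "<name>-dup" username first, because username is unique.
    """
    new_name = new_name or old_name
    with conn:  # one transaction: commit on success, roll back on error
        row = conn.execute(
            "SELECT user_id, extern_type FROM users WHERE username = ?",
            (old_name,)).fetchone()
        if row is None or row[1] != "internal":
            raise ValueError(f"{old_name!r} is not an internal user")
        user_id = row[0]
        if new_name != old_name:
            conn.execute(
                "UPDATE users SET username = username || '-dup' "
                "WHERE username = ?", (new_name,))
        conn.execute(
            "UPDATE users SET username = ?, extern_type = 'ldap' "
            "WHERE user_id = ?", (new_name, user_id))
        # Keep a way in if LDAP breaks: one internal admin must remain.
        left = conn.execute(
            "SELECT COUNT(*) FROM users "
            "WHERE admin = 1 AND extern_type = 'internal'").fetchone()[0]
        if left == 0:
            raise RuntimeError("no internal admin would remain")
    return user_id

def demo():
    # Constructed stand-in for "users"; the "admin" column is assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, extern_type TEXT, extern_name TEXT, "
                 "admin INTEGER DEFAULT 0)")
    conn.executemany(
        "INSERT INTO users (user_id, username, extern_type, admin) "
        "VALUES (?, ?, ?, ?)",
        [(1, "admin", "internal", 1), (2, "lvu-local", "internal", 0),
         (7, "lvu", "ldap", 0)])
    conn.commit()
    kept_id = convert_to_ldap(conn, "lvu-local", "lvu")
    rows = conn.execute(
        "SELECT user_id, username, extern_type FROM users ORDER BY user_id"
    ).fetchall()
    return conn, kept_id, rows
```

Because the row with user_id 2 is kept, everything that references that user_id stays attached to the account that now logs in through LDAP as lvu.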
