subject:"Is there a way to only allow some LDAP users to authenticate\?"

Re: Is there a way to only allow some LDAP users to authenticate?

2014-08-21 Thread Ian

On Tuesday, August 19, 2014 4:39:04 AM UTC-7, Stephen Gallagher wrote:

 On 08/19/2014 03:52 AM, Ian wrote: 
  I really don't want my entire organization to be able to log into my 
  Review Board server, I only want to allow a few LDAP groups to connect. 
   Is there any way to set up Review Board to do that?  The Custom LDAP 
  User Search Filter: looks like a possibility, or maybe there's some 
  magic to be done in the LDAP Base DN? 
  

 Restricting access by LDAP group is a complicated topic (and something 
 that's not yet implemented in Review Board). There may be some shortcuts 
 depending on how your LDAP environment is implemented, though. (For 
 example, with Active Directory or FreeIPA, users have 
 automatically-added attributes that can be used to determine whether 
 they are members of a particular group). For a purely generic LDAP 
 environment, this would require significant coding effort to accomplish. 

 If you are using AD or FreeIPA as your LDAP environment, I can help you 
 figure out what to put in the Custom LDAP User Search Filter. If you're 
 using a custom environment, your better bet is to ask your LDAP admin to 
 add a new attribute on the users that are allowed to access ReviewBoard 
 which you can key off of. 

 Of course, the other question is whether denying access completely is 
 worthwhile vs allowing anyone to log in but using Review Board's own 
 authorization system to determine who can see individual repo reviews. 
 But IIRC that means managing the groups separately on the Review Board 
 side (since right now it can't automatically retrieve LDAP groups). 

 
The main motivation is that search doesn't work if you use review-groups 
thing in Review Board.  But also it's a pain to keep my review groups on 
Review Board in sync with the LDAP groups.  I believe our organization uses 
OpenLDAP?

-- 
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
---
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
---
Happy user? Let us know at http://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
reviewboard group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Is there a way to only allow some LDAP users to authenticate?

2014-08-19 Thread Stephen Gallagher

On 08/19/2014 03:52 AM, Ian wrote:
 I really don't want my entire organization to be able to log into my
 Review Board server, I only want to allow a few LDAP groups to connect.
  Is there any way to set up Review Board to do that?  The Custom LDAP
 User Search Filter: looks like a possibility, or maybe there's some
 magic to be done in the LDAP Base DN?
 

Restricting access by LDAP group is a complicated topic (and something
that's not yet implemented in Review Board). There may be some shortcuts
depending on how your LDAP environment is implemented, though. (For
example, with Active Directory or FreeIPA, users have
automatically-added attributes that can be used to determine whether
they are members of a particular group). For a purely generic LDAP
environment, this would require significant coding effort to accomplish.

If you are using AD or FreeIPA as your LDAP environment, I can help you
figure out what to put in the Custom LDAP User Search Filter. If you're
using a custom environment, your better bet is to ask your LDAP admin to
add a new attribute on the users that are allowed to access ReviewBoard
which you can key off of.

Of course, the other question is whether denying access completely is
worthwhile vs allowing anyone to log in but using Review Board's own
authorization system to determine who can see individual repo reviews.
But IIRC that means managing the groups separately on the Review Board
side (since right now it can't automatically retrieve LDAP groups).

-- 
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
---
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
---
Happy user? Let us know at http://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
reviewboard group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Is there a way to only allow some LDAP users to authenticate?

Re: Is there a way to only allow some LDAP users to authenticate?

2 matches

Site Navigation

Mail list logo

Footer information