Enforcing groups from LDAP

Mads Kiilerich mads at kiilerich.com
Fri Apr 10 12:21:45 EDT 2015

On 04/10/2015 11:23 AM, Jean-Francois Beaumont wrote:
> Hi,
> I've been searching for a way so Kallithea preserves the groups from 
> LDAP and didn't find how to achieve this from the configuration alone. 
> However, I see all the code that is necessary to achieve that is there 
> and all lib/auth_modules/auth_ldap.py needs to do is to add a 'groups' 
> to user_attrs so this would be done.
> So I've written some code to expose this in Kallithea but it looks so 
> easy that I'm wondering if the feature is not actually implemented and 
> I've simply overlooked something in the documentation.
> Otherwise, if people are interested, I would be glad to contribute a 
> patch.

I think you are right; it hasn't been implemented upstream.

One problem with this (and other use of external sources for user 
information) is to figure out which source is authoritative and/or how 
to synchronize. For group memberships, it is nice to be able to see in 
the Kallithea web interface exactly who has access through a group. 
That problem could probably be mitigated by making sure to synchronize 
all user memberships when the user logs in ... and when looking at a 
user group ... and when looking at permissions for a repo where a group 
has access. But how to handle the case where users were given access 
through LDAP but were removed from the group again? Or when the user has 
been granted access in Kallithea instead of in LDAP?

A good solution would require redefining the problem somewhat ... or at 
least make it clear which trade-off you make. (From your description it 
seems like you define the problem differently than I did here and accept 
that the Kallithea UI doesn't give the full answer. That might be ok.)

I look forward to seeing how you have solved the problem!
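
One way to make the trade-off discussed above explicit, as an added example that is not part of the original message or of Kallithea's code: record which source granted each membership, so that a login-time sync revokes only what LDAP granted and leaves grants made in the web interface alone. The `Memberships` class, its methods and the `ldap`/`local` labels are hypothetical, and the users and groups are constructed.

```python
from collections import defaultdict

LDAP, LOCAL = "ldap", "local"  # hypothetical provenance labels


class Memberships:
    """group name -> user name -> set of sources granting the membership."""

    def __init__(self):
        self._groups = defaultdict(dict)

    def grant_local(self, user, group):
        """Membership granted by an admin in the web interface."""
        self._groups[group].setdefault(user, set()).add(LOCAL)

    def sync_on_login(self, user, ldap_groups):
        """Reconcile one user's LDAP-sourced memberships.

        Returns (added, revoked): groups the user newly joined and groups
        the user lost because no source grants the membership any more.
        """
        ldap_groups = set(ldap_groups)
        added, revoked = [], []
        for group in ldap_groups:
            sources = self._groups[group].setdefault(user, set())
            if not sources:
                added.append(group)
            sources.add(LDAP)
        for group, members in self._groups.items():
            if group in ldap_groups or LDAP not in members.get(user, ()):
                continue
            members[user].discard(LDAP)   # LDAP no longer lists this group
            if not members[user]:         # no local grant left: access ends
                del members[user]
                revoked.append(group)
        return sorted(added), sorted(revoked)

    def members(self, group):
        """What a group page could show: each member and why they are in."""
        return {u: sorted(s) for u, s in self._groups.get(group, {}).items()}


if __name__ == "__main__":
    m = Memberships()
    m.grant_local("alice", "release-managers")            # constructed data
    print(m.sync_on_login("alice", ["developers", "release-managers"]))
    print(m.sync_on_login("alice", []))                   # removed in LDAP
    print(m.members("release-managers"))
```

Because the sync runs only at login, a user removed from an LDAP group keeps the stored membership until their next login, so a group page built from this data can still overstate who has access.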

