What is the least obtrusive means of migrating a large number of users to Kallithea when using LDAP and/or Crowd external authentication?

[Mads Kiilerich]

On 05/03/2015 03:41 PM, Todd Morgan wrote:
> Hi everyone,
>     I'm trying to setup a new Kallithea (0.2.1) installation on 
> Win2k12, which is working OK using a vanilla installation as detailed 
> previously.
>
> My problem is that now I need to bring on approximately 200+ users to 
> this system but I need to do it in the least obtrusive fashion, as 
> this server will be replacing an existing system.
>
> I have all of my users stored within CROWD and also available within 
> LDAP. Having each of my users manually register is not a suitable 
> option as this is supposed to be a seamless transition. Can anyone 
> please advise how this may be achieved other than manually entering 
> all the accounts :- )
>
>   * How can I automate the process of onboarding my users?
>       o ie they simply login to the application (if they need to) and
>         it works? and/or merely continue using the old repository URL
>         (now moved to Kallithea) using the existing credentials and
>         their clones just get updated as required.
>   * I saw two promising settings in the admin/permissions with items for:
>           + registration ' allow with automatic account activation"
>           + external auth account activation 'automatic activation of
>             external account'
>       o The second seems most useful. ie I add my external
>         authentication mechanism - crowd for example - and anyone
>         contained within crowd should be able to just login to
>         continue working.
>
> In my attempts I found that even though I enabled the CROWD plugin 
> (restarted afterwards), I was still forced to create a local account 
> within Kallithea and then I was still forced to input a local password 
> (what is the point of external authentication then??). Then when I 
> attempted to login it was using the local auth and not the crowd 
> authentication. ie the local auth was taking precedence. It could be a 
> PEBKAC but from the doco that I could find it looks like the accounts 
> are lazy loaded so the entire LDAP tree doesn't get input into 
> Kallithea. I am reasonably certain that the CROWD integration was 
> working as the account was given admin rights as it's group membership 
> was listed explicitly on the "admin groups" within the crowd plugin 
> and I didn't check it within the normal admin ui for users.
>
> If there is means of achieving this through configuration perhaps 
> there's a script that can be used?
>

"forced to create a local account" - forced how? If you create a local 
user, I expect it to use local authentication.

I don't know crowd - it is probably not widely used and there might be 
bugs in the auth module. Max Roman <max at choloclos.se> contributed a fix 
half a year ago so I assume it works for him. He might be able to give 
some advice.

LDAP is more widely used - you can perhaps give that a try and either 
learn from it or use it. I don't know what advantages it would have to 
use crowd directly instead of through ldap - you can perhaps help 
improve the documentation when you know more.

/Mads
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20150503/2ba4036d/attachment.html>