migrating or onboarding existing users using LDAP and groups based ACLs
Thomas De Schampheleire
patrickdepinguin at gmail.com
Wed May 27 09:41:39 EDT 2015
On Wed, May 27, 2015 at 3:21 PM, Todd Morgan <toddlmorgan at gmail.com> wrote:
> Hi everyone,
> I'm not having much luck in migrating my existing Hg repositories and
> uerss to Kallithea. My final final stumbling block is making the transition
> seamless to my users. We have LDAP/CROWD based authentication for all of the
> infrastructure and this needs to be used for Kallithea.
> I can authenticate my users using LDAP - with the account being
> created/linked in Kallithea at the point in time at which a user logs in for
> the first time.
> The problem is there are a large number of repositories which we are
> currently managed by groups. Groups are not imported.
> I have tried to use the LDAP group modification as detailed here
> but it didn't work with my LDAP - I tried contacting the original author (no
> response) and this mailing list ...
> So I wrote my own manual sync using the REST API (as per another suggestion
> from this mailing list)... at which point I discovered that wouldn't help me
> I can't create accounts ahead of time that are authenticated using LDAP -
> they are all marked as "internal" - so they are in addition to the LDAP
> credentials - not merely delegating to them.
> I can't create all the required user groups in advance and associate the
> existing accounts from the LDAP. Ie pre-create the user groups as the users
> can't be added as they don't exist in advance (ie so that the users are
> automatically associated with the correct group based access when their LDAP
> account is eventually added).
> So is there something else I can consider to try and make this process
> transparent and automagic to my users? I considered having a regular
> scheduled manual sync process occurring such that every hour (or whenever)
> I'd query the LDAP for all of the existing users in Kallithea and add the
> associated user groups to Kallithea and add the user to them ... but that
> won't enable users to transparently cut-over on day-one with their existing
> repos ... they'd have to first fail to get access to their repository.
> How have others approached this situation?
While it isn't really an answer to your question: following note from
my instance: we had a number of users that created explicit accounts
originally (internal). Later we enabed LDAP.
The mere enabling of LDAP would cause new users to be able to login
transparently, but existing users would still be internal.
What we did was manually edit the database to change the extern_type
field from 'internal' to 'ldap'. After this change, all existing users
(except those we did not change the extern_type for, like an admin
user) would use LDAP for authentication.
This strategy would allow you to precreate the users with LDAP type.
It does nothing for the groups though.
More information about the kallithea-general