Can the same user exist for both LDAP and internal authentication

Mads Kiilerich mads at kiilerich.com
Mon Mar 27 22:58:36 UTC 2017


> On Tue, Mar 21, 2017 at 12:29 AM, Long Vu <long.vu at intelerad.com> wrote:
>> Hi,
>>
>> I previously used the internal authentication.
>>
>> I now would like to enable LDAP.
>>
>> Upon enabling LDAP, I have the error below in the logs.  It looks like
>> Kallithea does not allow the same user from both authentication
>> mechanisms?

Correct. Each user has one authentication mechanism.

Each known user has an entry in the "users" table in the database. 
Internally, Kallithea references users by the internal primary key 
"user_id". "username" is a secondary but unique key. Entries are either 
created locally or created on demand from external sources like LDAP. 
"extern_type" determines where the user came from and how it should be 
authenticated.

>> How can this user migrate to use LDAP authentication now?

The "extern_type" field is not open for edit in the UI. It is not 
something admins should change - that would probably break something. 
And if changing it, it should probably not be done manually.

For a database migration like this, I suggest modifying the database 
directly. For all the ldap users, change extern_type from internal to 
ldap. extern_name is currently not really used and will be populated on 
demand.

>> I also notice if I disable internal authentication, the admin user
>> (which is a local user not in LDAP) no longer works, which means I am
>> forced to keep internal auth together with ldap auth?

Yes, you probably want to keep internal auth enabled and have at least
one internal admin so you can also access the system and reconfigure
ldap if you should have to.

>> Let's say LDAP works.  It will only provide the users.  I still have
>> to manually assign those users coming from LDAP to a local group?

You might not have to, but it might be convenient to have user groups.

There is kallithea/bin/ldap_sync.py which should be able to sync LDAP 
groups. I haven't used it and it might have bitrotted. It would be nice 
if someone could use it and contribute documentation.

On 03/21/2017 05:01 PM, Long Vu wrote:
> Looks like the answer is no.  Same username cannot exist in both
> internal and LDAP.
>
> I had to rename my existing username in the internal auth to something
> else and LDAP can now create a user with that username.
>
> Now I have lvu-local (internal user) and lvu (user from LDAP).
>
> lvu-local has a bunch of comments, pull requests, repos belonging to
> him.  In addition to being in various groups.
>
> How can I batch transfer all comment/pr/repos ownership and group
> membership from lvu-local to lvu?

This information is referencing the user_id of the original (local)
user. The user_id field is the primary key and immutable. I would
suggest modifying the old local user with the essential info from the
ldap user - primarily the username and extern_type, just like hinted
when I mentioned database migration above.
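The two database edits Mads describes above (flipping extern_type from internal to ldap for a set of users, and folding an LDAP-created duplicate back into the original local user so that everything referencing the old user_id keeps working) can be worked through on a throwaway copy before touching a real instance. The script below is an added illustration written for this thread, not code from Kallithea or from Mads: it uses a constructed, minimal stand-in for the "users" table with only the columns the thread names (user_id, username, extern_type, extern_name) plus one constructed table that references users by user_id, and it runs in an in-memory SQLite database. The refusal to merge when the LDAP-created duplicate already owns something is an assumption added here as a safety check, not a rule from the thread.

```python
import sqlite3

# Constructed stand-in schema for this example. Only the columns the thread
# mentions are modelled; Kallithea's real tables have many more.
SCHEMA = """
CREATE TABLE users (
    user_id     INTEGER PRIMARY KEY,
    username    TEXT NOT NULL UNIQUE,   -- secondary but unique key
    extern_type TEXT NOT NULL,          -- 'internal' or 'ldap'
    extern_name TEXT                    -- populated on demand, left alone here
);
CREATE TABLE repositories (
    repo_id   INTEGER PRIMARY KEY,
    repo_name TEXT NOT NULL,
    user_id   INTEGER NOT NULL REFERENCES users(user_id)
);
"""


def make_sample_db():
    """Build the situation from the thread: an admin, the renamed local user
    'lvu-local' who owns two repos, and the LDAP-created 'lvu' (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "internal", None),
        (2, "lvu-local", "internal", None),
        (3, "lvu", "ldap", None),
    ])
    conn.executemany("INSERT INTO repositories VALUES (?, ?, ?)", [
        (10, "project-a", 2),
        (11, "project-b", 2),
    ])
    conn.commit()
    return conn


def mark_users_as_ldap(conn, usernames):
    """First migration from the thread: switch the given internal users to
    LDAP authentication. Returns the number of rows changed. Users that are
    not 'internal' are left untouched."""
    with conn:  # commit on success, roll back on any exception
        cur = conn.executemany(
            "UPDATE users SET extern_type = 'ldap' "
            "WHERE username = ? AND extern_type = 'internal'",
            [(u,) for u in usernames],
        )
        return cur.rowcount


def merge_ldap_duplicate_into_local(conn, local_username, ldap_username):
    """Second migration from the thread: keep the old local row (and so its
    immutable user_id, which all comments/PRs/repos reference) and give it
    the LDAP user's username and extern_type. Because username is unique,
    the LDAP-created duplicate has to go first; refusing to do so when it
    already owns data is an assumption added in this example."""
    with conn:
        row = conn.execute(
            "SELECT user_id, extern_type FROM users WHERE username = ?",
            (local_username,),
        ).fetchone()
        if row is None or row[1] != "internal":
            raise ValueError(f"{local_username!r} is not an internal user")
        local_id = row[0]

        dup = conn.execute(
            "SELECT user_id FROM users WHERE username = ? AND extern_type = 'ldap'",
            (ldap_username,),
        ).fetchone()
        if dup is not None:
            if owned_repo_count(conn, dup[0]):
                raise ValueError("LDAP-created user already owns repos; merge them first")
            conn.execute("DELETE FROM users WHERE user_id = ?", (dup[0],))

        conn.execute(
            "UPDATE users SET username = ?, extern_type = 'ldap' WHERE user_id = ?",
            (ldap_username, local_id),
        )
        return local_id


def owned_repo_count(conn, user_id):
    """How many repositories still point at this user_id."""
    return conn.execute(
        "SELECT COUNT(*) FROM repositories WHERE user_id = ?", (user_id,)
    ).fetchone()[0]


def user_record(conn, username):
    """(user_id, extern_type) for a username, or None."""
    return conn.execute(
        "SELECT user_id, extern_type FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    db = make_sample_db()
    kept_id = merge_ldap_duplicate_into_local(db, "lvu-local", "lvu")
    print("lvu ->", user_record(db, "lvu"), "repos:", owned_repo_count(db, kept_id))
```

Run it against a copy of the real database before the production one, and take a backup first either way; the transaction wrapper only protects against a half-applied change, not against a wrong one.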

/Mads

