      request #11620 Add the ability to exclude user groups from being removed by LDAP sync
    Infos
    #11620
    Jonathan Palm (palm)
    2018-08-06 14:03
    2018-06-14 08:17
    11962
    Details
    Add the ability to exclude user groups from being removed by LDAP sync
    As a project admin I want to be able to mark groups as 'always preserved' (or 'exclude from sync') so that they remain untouched by LDAP sync
    Project admin
    10.1
    CentOS 6
    • [ ] enhancement
    • [ ] internal improvement
    Patricia Carrasco (pcar), Stephan Bill (stephanbill), Kristofer Sandlund (krisan)
    Stage
    New

    Follow-ups

    Jonathan told me that you had discussed this further on the slack channel and that there's resistance against adding a group attribute or similar and that your suggestion was instead to "do not touch users that are not in LDAP". That partially defeats the purpose, since a user that leaves the company and is subsequently removed from LDAP then will not be removed from the project with the auto-sync.
    What we are trying to solve is that we have functional accounts that do not have email addresses and cannot be added to LDAP groups (company policies) while still having the nightly sync removing users that are no longer with the company and a neat way of doing that would be to mark the functional accounts with some special property or put them in a special group and then make sure that such users do not get removed.

    A slightly less nice option would be to have an option "do not remove users that do not have an email address", which would solve the issue for us, but it sounds a bit too adapted to our deployment, so I prefer the possibility to make a specific group excluded from the removal during the sync.
    Jonathan Palm (palm) 2018-07-24 09:22
    Let's say you have a project with project members joining and leaving frequently. Now, we want to remove them when they leave the LDAP group associated with the project. Syncing without preserve members works great in this case, assuming all project members can be in LDAP. However, syncing without preserve members does not work very well when some project members cannot be in an Active Directory, as they'd be kicked out after every sync.

    Thus, marking a Tuleap group within the project as 'excluded from sync' would allow the 'preserve members' function to be disabled even when not all users can be found within the Directory.
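    A small model of the sync behaviour described in this request, added here as an illustration (it is not Tuleap code): it reconciles a project's member list against the bound LDAP group under 'preserve members' on, off, and off with the requested 'excluded from sync' group. Member names, the svc_build functional account and the assumption that the sync also adds missing LDAP members are constructed for the example.

```python
"""Model of the LDAP group sync discussed in request #11620 (illustration only,
not Tuleap code). Member names below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample state. carol has left the company and is gone from LDAP;
# svc_build is a functional account that cannot exist in the LDAP group.
PROJECT_MEMBERS = {"alice", "bob", "carol", "svc_build"}
LDAP_GROUP_MEMBERS = {"alice", "bob", "dave"}
EXCLUDED_GROUP = {"svc_build"}  # the requested 'exclude from sync' group


@dataclass
class SyncPlan:
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    kept: set = field(default_factory=set)


def plan_sync(project_members, ldap_members, preserve_members,
              excluded_members=frozenset()):
    """Decide which project members a sync run would keep or remove.

    preserve_members: the existing option; when on, nobody is ever removed.
    excluded_members: members of the requested 'excluded from sync' group;
                      they are kept even when preserve_members is off.
    Adding LDAP members missing from the project is an assumption here.
    """
    plan = SyncPlan(added=set(ldap_members) - set(project_members))
    for user in project_members:
        if user in ldap_members or preserve_members or user in excluded_members:
            plan.kept.add(user)
        else:
            plan.removed.add(user)
    return plan


def compare_modes():
    """Run the three modes on the sample state; returns {mode: removed set}."""
    return {
        "preserve_members": plan_sync(PROJECT_MEMBERS, LDAP_GROUP_MEMBERS, True).removed,
        "no_preserve": plan_sync(PROJECT_MEMBERS, LDAP_GROUP_MEMBERS, False).removed,
        "no_preserve_with_exclusion": plan_sync(
            PROJECT_MEMBERS, LDAP_GROUP_MEMBERS, False, EXCLUDED_GROUP).removed,
    }


if __name__ == "__main__":
    for mode, removed in compare_modes().items():
        print(f"{mode:28s} removes: {sorted(removed) or 'nobody'}")
```

With 'preserve members' on, the leaver carol is never removed; with it off, the functional account is removed on every run; only the exclusion mode removes carol while keeping svc_build.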

    I'm not sure I get the difference with the 'Preserve members' option, actually. Could you clarify?

    Jonathan Palm (palm) 2018-07-05 13:00
    This is mainly useful since there might be some user accounts which cannot be synced to an LDAP user at all. Having this feature would make LDAP sync without 'Preserve Members' useful even when not all users can be linked to an LDAP account.