LDAP inside Docker

[MrDiba]

I know there is a different LDAP topic open at this moment, but as that one is more focused on AD I'm opening this new one.

I'm trying to get LDAP authentication working using the Docker container but I'm not getting anywhere.

The docker-compose configuration is as follow:

~# cat docker-compose.yml 
version: '3.3'

services:
  leantime_db:
    image: mysql:8.0
    container_name: mysql_leantime
    networks:
      - db
    ports:
      - 127.0.0.1:3306:3306
    volumes:
      - db_data:/var/lib/mysql
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: '321.qwerty'
      MYSQL_DATABASE: 'leantime'
      MYSQL_USER: 'admin'
      MYSQL_PASSWORD: '321.qwerty'
    command: --character-set-server=utf8 --collation-server=utf8_unicode_ci

  leantime:
    image: leantime/leantime:latest
    container_name: leantime
    restart: unless-stopped
    networks:
      - proxy
      - db
    environment:
      # LEAN_APP_URL: 'https://domain.com/leantime'                     # Only needed for subdirectory setup; protocol (http or https) and base URL , trailing slash not needed
      LEAN_SITENAME: 'Leantime'                                         # Name of your site, can be changed later
      LEAN_DB_HOST: 'mysql_leantime'                                    # Database host, derived from container_name in leantime_db container
      LEAN_DB_USER: 'admin'
      LEAN_DB_PASSWORD: '321.qwerty'
      LEAN_DB_DATABASE: 'leantime'
      LEAN_DEFAULT_TIMEZONE: 'Europe/Amsterdam'                         # Set default server timezone
      LEAN_SESSION_PASSWORD: 'password'         # Salting sessions. Replace with a strong password
      LEAN_SESSION_EXPIRATION: 28800                                    # How many seconds after inactivity should we logout? 28800seconds = 8hours
      LEAN_DEBUG: "true"
      LEAN_LDAP_USE_LDAP: "true"
      LEAN_LDAP_HOST: "ldap.example.com"
      LEAN_LDAP_BASE_DN: "dc=example,dc=local"
      LEAN_LDAP_DN: "ou=Users,dc=example,dc=local"
      LEAN_LDAP_USER_DOMAIN: "@example.com"
    extra_hosts:
      - ldap.example.com:192.168.1.2

    volumes:
      - public_userfiles:/var/www/html/public/userfiles
      - userfiles:/var/www/html/userfiles
#    ports:
#      - "8080:80"                                                       # The port to expose and access Leantime
    depends_on:
      - leantime_db                                                     # Don't start Leantime unles leantime_db is running

volumes:
  db_data:
  userfiles:
  public_userfiles:

networks:
  proxy:
    external: true
  db:

The proxy network is there for a reverse proxy, but this is out of scope as I can login using a local user without a problem.

I tried to enable debugging to get some more information using LEAN_DEBUG: "true" but I can't get any more information. I do not know where the debug information should show? The container logs are only showing:

leantime       | 127.0.0.1 -  12/Oct/2022:12:23:59 +0000 "GET /index.php" 200
leantime       | 127.0.0.1 -  12/Oct/2022:12:23:59 +0000 "PATCH /index.php" 200
leantime       | 127.0.0.1 -  12/Oct/2022:12:25:16 +0000 "POST /index.php" 303
leantime       | 127.0.0.1 -  12/Oct/2022:12:25:16 +0000 "GET /index.php" 200
leantime       | 127.0.0.1 -  12/Oct/2022:12:25:16 +0000 "GET /index.php" 200
leantime       | 127.0.0.1 -  12/Oct/2022:12:25:16 +0000 "PATCH /index.php" 303
leantime       | 127.0.0.1 -  12/Oct/2022:12:25:16 +0000 "GET /index.php" 200

The docker host can connect to the LDAP server so I assume this is not the problem.

[marcelfolaron]

Hi, Logs for Leantime can be found in the container under resources/logs/error.log Now taking a look at your config. Not sure if this is a typo but if you host is ldap.example.com the baseDN should be dc=ldap,dc=example,dc=com Same in the user ldapDN: ou=Users,dc=ldap,dc=… Do the ldapKeys align with your ldap directory structure? https://docs.leantime.io/#/installation/configuration?id=ldap-configuration-beta

…

On Wed, Oct 12, 2022 at 8:45 AM MrDiba ***@***.***> wrote: I know there is a different LDAP topic open at this moment, but as that one is more focused on AD I'm opening this new one. I'm trying to get LDAP authentication working using the Docker container but I'm not getting anywhere. The docker-compose configuration is as follow: ~# cat docker-compose.yml version: '3.3' services: leantime_db: image: mysql:8.0 container_name: mysql_leantime networks: - db ports: - 127.0.0.1:3306:3306 volumes: - db_data:/var/lib/mysql restart: unless-stopped environment: MYSQL_ROOT_PASSWORD: '321.qwerty' MYSQL_DATABASE: 'leantime' MYSQL_USER: 'admin' MYSQL_PASSWORD: '321.qwerty' command: --character-set-server=utf8 --collation-server=utf8_unicode_ci leantime: image: leantime/leantime:latest container_name: leantime restart: unless-stopped networks: - proxy - db environment: # LEAN_APP_URL: 'https://domain.com/leantime' # Only needed for subdirectory setup; protocol (http or https) and base URL , trailing slash not needed LEAN_SITENAME: 'Leantime' # Name of your site, can be changed later LEAN_DB_HOST: 'mysql_leantime' # Database host, derived from container_name in leantime_db container LEAN_DB_USER: 'admin' LEAN_DB_PASSWORD: '321.qwerty' LEAN_DB_DATABASE: 'leantime' LEAN_DEFAULT_TIMEZONE: 'Europe/Amsterdam' # Set default server timezone LEAN_SESSION_PASSWORD: 'password' # Salting sessions. Replace with a strong password LEAN_SESSION_EXPIRATION: 28800 # How many seconds after inactivity should we logout? 28800seconds = 8hours LEAN_DEBUG: "true" LEAN_LDAP_USE_LDAP: "true" LEAN_LDAP_HOST: "ldap.example.com" LEAN_LDAP_BASE_DN: "dc=example,dc=local" LEAN_LDAP_DN: "ou=Users,dc=example,dc=local" LEAN_LDAP_USER_DOMAIN: ***@***.***" extra_hosts: - ldap.example.com:192.168.1.2 volumes: - public_userfiles:/var/www/html/public/userfiles - userfiles:/var/www/html/userfiles # ports: # - "8080:80" # The port to expose and access Leantime depends_on: - leantime_db # Don't start Leantime unles leantime_db is running volumes: db_data: userfiles: public_userfiles: networks: proxy: external: true db: The proxy network is there for a reverse proxy, but this is out of scope as I can login using a local user without a problem. I tried to enable debugging to get some more information using LEAN_DEBUG: "true" but I can't get any more information. I do not know where the debug information should show? The container logs are only showing: leantime | 127.0.0.1 - 12/Oct/2022:12:23:59 +0000 "GET /index.php" 200 leantime | 127.0.0.1 - 12/Oct/2022:12:23:59 +0000 "PATCH /index.php" 200 leantime | 127.0.0.1 - 12/Oct/2022:12:25:16 +0000 "POST /index.php" 303 leantime | 127.0.0.1 - 12/Oct/2022:12:25:16 +0000 "GET /index.php" 200 leantime | 127.0.0.1 - 12/Oct/2022:12:25:16 +0000 "GET /index.php" 200 leantime | 127.0.0.1 - 12/Oct/2022:12:25:16 +0000 "PATCH /index.php" 303 leantime | 127.0.0.1 - 12/Oct/2022:12:25:16 +0000 "GET /index.php" 200 The docker host can connect to the LDAP server so I assume this is not the problem. — Reply to this email directly, view it on GitHub <#1023>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFSIYZENL3B2I6KP4NLWC2XFPANCNFSM6AAAAAARDIDWBU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[MrDiba]

Unfortunately the error.log is empty.

The baseDN is actually not a typo, our ldap server is configured to have ldap.example.com as hostname but dc=example,dc=local as baseDN. (Not my choice but something legacy ;) )

Taking the defaults from https://github.com/Leantime/leantime/blob/master/config/configuration.sample.php :

    public $ldapKeys = '{ 
        "username":"uid",
        "groups":"memberof",
        "email":"mail",
        "firstname":"displayname",
        "lastname":"",
        "phonenumber":""
        }';

And cross referencing to my ldap server I see that there are some fields missing in my LDAP server. I do not have a memberof and mail field for some users.

I assume that memberof is not required if I would not use the "auto group" feature. But as you login with the e-mail address I can assume that the mail field is something that is required? Or is the login created with the uid in combination with the user_domain?

[MrDiba]

I have updated to v2.2.8 and that fixed the issue for some reason. I saw that the previous version (v2.2.7) did not communicated with the LDAP server all when checking the LDAP logs.

For future references here the updated (And working) environment variables.

environment:
  # LEAN_APP_URL: 'https://domain.com/leantime'                     # Only needed for subdirectory setup; protocol (http or https) and base URL , trailing slash not needed
  LEAN_SITENAME: 'Leantime'                                         # Name of your site, can be changed later
  LEAN_DB_HOST: 'mysql_leantime'                                    # Database host, derived from container_name in leantime_db container
  LEAN_DB_USER: 'admin'
  LEAN_DB_PASSWORD: '321.qwerty'
  LEAN_DB_DATABASE: 'leantime'
  LEAN_DEFAULT_TIMEZONE: 'Europe/Amsterdam'                         # Set default server timezone
  LEAN_SESSION_PASSWORD: 'password'         # Salting sessions. Replace with a strong password
  LEAN_SESSION_EXPIRATION: 28800                                    # How many seconds after inactivity should we logout?  28800seconds = 8hours
  LEAN_DEBUG: "true"
  LEAN_LDAP_USE_LDAP: "true"
  LEAN_LDAP_HOST: "192.168.1.2"
  LEAN_LDAP_BASE_DN: "dc=example,dc=local"
  LEAN_LDAP_DN: "ou=Users,dc=example,dc=local"
  LEAN_LDAP_USER_DOMAIN: "@example.com"
  LEAN_LDAP_KEYS: '{"username":"uid","groups":"","email":"mail","firstname":"givenname","lastname":"sn"}'

I do notice that a regular database user logs in using [email protected] whilst an LDAP user just logs in with there username.

[gloriafolaron]

I believe Marcel found some additional things that ended up being patched with the LDAP in the newest version. Glad to see that this corrected for you. Thanks for updating!

[adocampo]

Hi there, I'm trying to authenticate users from my Active Directory and this configuration seems not working here.

      #      LEAN_DEBUG: "true"
      LEAN_LDAP_USE_LDAP: "true"
      LEAN_LDAP_HOST: "192.168.10.10"
      LEAN_LDAP_BASE_DN: "dc=company,dc=lan"
      LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=organization,DC=company,DC=lan"
      LEAN_LDAP_USER_DOMAIN: "@company.com"  ## Tried also with "@company.lan", also failed
      LEAN_LDAP_KEYS: '{"username":"sAMAccountName","groups":"","email":"mail","firstname":"givenname","lastname":"sn"}'

OTOH, I need to comment LEAN_DEBUG or I else I receive this error and site won't even load

Fatal error: Uncaught TypeError: Cannot assign string to property leantime\core\environment::$debug of type int in /var/www/html/app/core/class.environment.php:116 Stack trace: #0 /var/www/html/app/core/class.environment.php(13): leantime\core\environment->__construct() #1 /var/www/html/public/index.php(10): leantime\core\environment::getInstance() #2 {main} thrown in /var/www/html/app/core/class.environment.php on line 116

[adocampo]

On other applications, a bind_dn and password are needed, is Leantime using the current user and password credentials or does it needs a bind_dn user to make the connection?

[marcelfolaron]

It's using the user that is trying to connect. LEAN_DEBUG needs to be either true or 1 (no quotes) With that said you don't have a value for groups in your LDAP_Keys definition. That field is needed to determine where Leantime should look for group definitions. For AD that is usually: "memberOf"

…

On Mon, Apr 24, 2023 at 8:51 AM Angel Docampo ***@***.***> wrote: On other applications, a bind_dn and password are needed, is Leantime using the current user and password credentials or does it needs a bind_dn user to make the connection? — Reply to this email directly, view it on GitHub <#1023 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFV5U6UASWU4SELGLIDXCZZOVANCNFSM6AAAAAARDIDWBU> . You are receiving this because you commented.Message ID: ***@***.***>

[adocampo]

LEAN_DEBUG: true produces the same error I said before, but LEAN_DEBUG: 1 seems to work, at least, now when I introduce my credentials, the page shows this:

Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/app/domain/ldap/services/class.ldap.php on line 115

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/app/domain/ldap/services/class.ldap.php:115) in /var/www/html/app/core/class.frontcontroller.php on line 305

I took a look into sample.env and now my docker-compose.yml is like this.

      LEAN_DEBUG: 1
      LEAN_LDAP_USE_LDAP: true
      LEAN_LDAP_LDAP_TYPE: 'AD'
      LEAN_LDAP_HOST: "192.168.10.10"
      LEAN_LDAP_PORT: 389
      LEAN_LDAP_BASE_DN: "dc=company,dc=lan"
      LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=organization,DC=company,DC=lan"
      LEAN_LDAP_USER_DOMAIN: "@company.com" 
      LEAN_LDAP_KEYS: '{"username":"sAMAccountName","groups":"memberOf","email":"mail","firstname":"givenname","lastname":"sn"}'

[marcelfolaron]

Good. So it is connecting successfully but your credentials are wrong. Which could be for several reasons: - username: you should try logging in with the exact username (try with and without domain name) - groups: the user you are trying to use is not in the group(s) defined in ldap dn - groups are case sensitive, please make sure they are correct in your definition. - group is not allowed to use ldap as credentials. Some ad groups prevent users from logging in. Please check the directory and make sure your users are allowed to sign in externally.

…

On Mon, Apr 24, 2023 at 10:44 AM Angel Docampo ***@***.***> wrote: LEAN_DEBUG: true produces the same error I said before, but LEAN_DEBUG: 1 seems to work, at least, now when I introduce my credentials, the page shows this: Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/app/domain/ldap/services/class.ldap.php on line 115 Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/app/domain/ldap/services/class.ldap.php:115) in /var/www/html/app/core/class.frontcontroller.php on line 305 I took a look into sample.env and now my docker-compose.yml is like this. LEAN_DEBUG: 1 LEAN_LDAP_USE_LDAP: true LEAN_LDAP_LDAP_TYPE: 'AD' LEAN_LDAP_HOST: "192.168.10.10" LEAN_LDAP_PORT: 389 LEAN_LDAP_BASE_DN: "dc=company,dc=lan" LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=organization,DC=company,DC=lan" LEAN_LDAP_USER_DOMAIN: ***@***.***" LEAN_LDAP_KEYS: '{"username":"sAMAccountName","groups":"memberOf","email":"mail","firstname":"givenname","lastname":"sn"}' — Reply to this email directly, view it on GitHub <#1023 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFRTPFVTCBGY2MSNCCDXC2GVRANCNFSM6AAAAAARDIDWBU> . You are receiving this because you commented.Message ID: ***@***.***>

[adocampo]

username: you should try logging in with the exact username (try with and without domain name)

Despite the sample.env file, which states "username":"cn", on AD shold be "username":"sAMAccountName". I've tried with cn, yet cn on AD it's like this, and obviously fails as well.

So, I've tried the username forms name.surname which is the correct one (the one matching sAMAccountName), [email protected] and DOMAIN\name.surname, all with the error aforementioned.
If I try [email protected] (not .com, but .lan), the error is this one

Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 165

Warning: Undefined array key "memberOf" in /var/www/html/app/domain/ldap/services/class.ldap.php on line 180

Warning: foreach() argument must be of type array|object, null given in /var/www/html/app/domain/ldap/services/class.ldap.php on line 180

Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 195

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/app/domain/ldap/services/class.ldap.php:165) in /var/www/html/app/core/class.frontcontroller.php on line 305

groups: the user you are trying to use is not in the group(s) defined in ldap dn

You mean this?

LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=organization,DC=company,DC=lan"

Then, yet, it belongs to this Organizational Unit, I've copied the distinguishedName of my user and just removed the CN. Or the blank spaces or capital letters are a problem, or this is correct.

groups are case sensitive, please make sure they are correct in your definition.

I don't know what are you referring about, to which groups?

group is not allowed to use ldap as credentials. Some ad groups prevent users from logging in. Please check the directory and make sure your users are allowed to sign in externally.

I don't have any restriction, and I'm using my AD to authenticate to a lot of 3rd party software without any issue, so I don't think I have any restrinction.

[marcelfolaron]

"username":"sAMAccountName" seems to be correct. From what the error messages above indicate the login is successful but leantome can't pull the user information after the login. So continue using (If I try ***@***.***' (not .com, but .lan), the error is this one). Now it still seems to be related to the groups issue. "memberOf" is indeed not an attribute you have in your directory. Can you try "member"? I don't see the full list of attributes in your screenshot, but you are getting close.

…

On Mon, Apr 24, 2023 at 11:11 AM Angel Docampo ***@***.***> wrote: username: you should try logging in with the exact username (try with and without domain name) Despite the sample.env file, which states "username":"cn", on AD shold be "username":"sAMAccountName". I've tried with cn, yet cn on AD it's like this, and obviously fails as well. [image: image] <https://user-images.githubusercontent.com/2266612/234034262-eec0cc13-1c01-46de-8ee1-09cf68295bd0.png> So, I've tried the username forms name.surname which is the correct one (the one matching sAMAccountName), ***@***.*** and DOMAIN\name.surname, all with the error aforementioned. If I try ***@***.***' (not .com, but .lan), the error is this one Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 165 Warning: Undefined array key "memberOf" in /var/www/html/app/domain/ldap/services/class.ldap.php on line 180 Warning: foreach() argument must be of type array|object, null given in /var/www/html/app/domain/ldap/services/class.ldap.php on line 180 Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 195 Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/app/domain/ldap/services/class.ldap.php:165) in /var/www/html/app/core/class.frontcontroller.php on line 305 groups: the user you are trying to use is not in the group(s) defined in ldap dn You mean this? LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=organization,DC=company,DC=lan" Then, yet, it belongs to this Organizational Unit, I've copied the distinguishedName of my user and just removed the CN. Or the blank spaces or capital letters are a problem, or this is correct. groups are case sensitive, please make sure they are correct in your definition. I don't know what are you referring about, to which groups? group is not allowed to use ldap as credentials. Some ad groups prevent users from logging in. Please check the directory and make sure your users are allowed to sign in externally. I don't have any restriction, and I'm using my AD to authenticate to a lot of 3rd party software without any issue, so I don't think I have any restrinction. — Reply to this email directly, view it on GitHub <#1023 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFR4P4W5CAXNK2RRFATXC2J2VANCNFSM6AAAAAARDIDWBU> . You are receiving this because you commented.Message ID: ***@***.***>

[adocampo]

No, nor member or memberof exists as attributes on Active Directory,

but a user belongs to groups and they can be show in ldapsearch command with a memberof... speaking of which, if I use "memberof" instead of "memberOf", the error now changes to this

Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 165

Warning: Undefined property: stdClass::$phonenumber in /var/www/html/app/domain/ldap/services/class.ldap.php on line 195

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/app/domain/ldap/services/class.ldap.php:165) in /var/www/html/app/core/class.frontcontroller.php on line 305

[adocampo]

Well, I'd added phonenumber:"" to my LEAN_LDAP_KEYS array, and now I can log in. 👍🏻

But I see no items on the left pane

On the other hand, it's a bit weird to make users log in with the format [email protected] when this format has never been used anywhere... is there any way to make them use just the format name.username or their email instead?

[adocampo]

Ok, following the same logic as on "memberof", I've changed from "givenName" to "givenname", and now my name appears

I would like to note, correct attribute on AD are cameCase, not lowercase.

[marcelfolaron]

Yes, it should be possible to use username only and I am still investigating best options. This is also one items that can be set via ldap settings. You don't see anything on the left because you don't have a project. I am glad it seems to work now. If you create project you will see the project navigation.

…

On Mon, Apr 24, 2023 at 12:00 PM Angel Docampo ***@***.***> wrote: Well, I'd added phonenumber:"" to my LEAN_LDAP_KEYS array, and now I can log in. 👍🏻 But I see no items on the left pane [image: image] <https://user-images.githubusercontent.com/2266612/234051597-4f3fce4e-c14a-40ac-97ba-c7faf5236f52.png> On the other hand, it's a bit weird to make users log in with the format ***@***.*** when this format has never been used anywhere... is there any way to make them use just the format name.username or their email instead? — Reply to this email directly, view it on GitHub <#1023 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFQS3YFGFYOBXFXJWX3XC2PSZANCNFSM6AAAAAARDIDWBU> . You are receiving this because you commented.Message ID: ***@***.***>

[adocampo]

This is also one items that can be set via ldap settings.

Is it possible to configure right now, or we should wait for a final action from your side?

You don't see anything on the left because you don't have a project. ... If you create project you will see the project navigation.

If I want some user to be an administrator? I've set LEAN_LDAP_DEFAULT_ROLE_KEY: 50 to see if my user would become an admin, but no, and now I cannot login with the local user "admin"... is there a way to fallback to local users when the login doesn't match an LDAP credentials, or at least, how can I specify wich users or grops (IT deparment, for instance) can be administrators?

[adocampo]

Ok, I've changed LEAN_LDAP_USE_LDAP: true to LEAN_LDAP_USE_LDAP: false and I was able to login with the local admin, then I saw the LDAP user and gave administrator persmissions and access to several projects. Now my username has the proper rights and I can safely leave LEAN_LDAP_USE_LDAP: true

Not ideal, but easily manageable :)

Well, I guess this is all what I need to start playing with Leantime.

Thank you very much for your support and time @marcelfolaron !!

[marcelfolaron]

Thank you. You can set the default group for each new ldap user in your config file as well. Glad it is working now. Let me know if you have any questions or feedback

…

On Mon, Apr 24, 2023 at 12:20 PM Angel Docampo ***@***.***> wrote: Ok, I've changed LEAN_LDAP_USE_LDAP: true to LEAN_LDAP_USE_LDAP: false and I was able to login with the local admin, then I saw the LDAP user and gave administrator persmissions and access to several projects. Now my username has the proper rights and I can safely leave LEAN_LDAP_USE_LDAP: true [image: image] <https://user-images.githubusercontent.com/2266612/234056525-ec4839a7-84ca-43d2-b2bd-6e03e2f2ed3d.png> Not ideal, but easily manageable :) Well, I guess this is all what I need to start playing with Leantime. Thank you very much for your support and time @marcelfolaron <https://github.com/marcelfolaron> !! — Reply to this email directly, view it on GitHub <#1023 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALG4EFW6BVJ5FQPUZDTFB4DXC2R45ANCNFSM6AAAAAARDIDWBU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[adocampo]

Well, if you accept some feedback, here my very very first impressions regarding LDAP support.

• Let the users log in with the sAMAccountName and not the userPrincipalName which is how it is doing right now.
  
• Let the admin filter by group. Currently just one OU can log in into the system. So I can let everybody log in or just one OU. Usually, in a company there are several OU (one for each department), and many administrators create the "Users" OU inside the "Department" OU... so now I can let everyone log in with LEAN_LDAP_DN: "DC=domain,DC=lan" or a single OU with LEAN_LDAP_DN: "OU=Users,OU=IT Department,OU=Barcelona,DC=domain,DC=lan". The first is too lax as I don't want everyone to use the tool, and the other too restrictive, as it would leave other OUs out. An LDAP filter would be great, something like (memberof=CN=Leantime,OU=Security Groups,OU=Barcelona,DC=company,DC=lan), so anyone belonging to the group "Leantime" should be able to connect.

I've just rummaged with this like 3 minutes, but as far as I saw, I can see users once they have log in, which is fine, but it would be great to see all the LDAP users, so managers could assign new employees to projects and so on before they log in. So,

• Let Leantime to sync LDAP users and groups, so a read-only bind_user is needed and a cron taks (or manually triggered action) in order to sync all LDAP users.
• In order to automate this, let the system assign LDAP Groups to Leantime Groups. And let autoassign projects to a group.

So for instance, if an LDAP user belongs to the group Design (and to the Security Group "Leantime"), then Leantime would autosync that user by creatint it on the Leantime DB, assign that user to the Leantime Design group and as that group has access to the project "Covers", when that user would login into Leantime for the very first time, he or she automatically would see all the related stuff without manual itervention.