diff --git a/docs/development/concepts/secure-coding/README.md b/docs/development/concepts/secure-coding/README.md index fa936f3fb046..f19c86da6f1e 100644 --- a/docs/development/concepts/secure-coding/README.md +++ b/docs/development/concepts/secure-coding/README.md 
@@ -64,7 +64,7 @@ OpenProject recommends these authentication mechanisms: - For any external connection (Database, LDAP, etc.), OpenProject uses openssl library for the host or container's openssl certificate store. Use your distribution's mechanisms to add verified certificate or certificate chains. For more information, see the [Ruby OpenSSL X509 Store documentation](https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/X509/Store.html). - For smaller to medium organizations with no centralized authentication mechanism, use the internal username / password authentication mechanism for secure storing of your user's credentials using BCrypt salted cryptographic hash function. -- For organizations with a centralized and accessible LDAP server, [OpenProject provides LDAP userbind authentication](../../../system-admin-guide/authentication/ldap-authentication/) to forward the authentication request to your LDAP server. Use TLS or LDAPS encrypted connections to the LDAP server to ensure transport level security. Optionally, synchronize roles and permissions using the [LDAP Group sync functionality](../../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/). +- For organizations with a centralized and accessible LDAP server, [OpenProject provides LDAP userbind authentication](../../../system-admin-guide/authentication/ldap-connections/) to forward the authentication request to your LDAP server. Use TLS or LDAPS encrypted connections to the LDAP server to ensure transport level security. Optionally, synchronize roles and permissions using the [LDAP Group sync functionality](../../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/). 
- If your organization operates a central authentication services, it is very likely it supports one of the standard remote authentication mechanisms for single sign-on, such as [OpenID connect](../../../system-admin-guide/authentication/openid-providers/), [SAML](../../../system-admin-guide/authentication/saml/), or [Kerberos](../../../system-admin-guide/authentication/kerberos/). Use these mechanisms to ensure a standardized and secure authentication of users without requiring the storage of any credentials at OpenProject while providing a high level of usability due to centralized logins. **References** diff --git a/docs/development/ldap/README.md b/docs/development/ldap/README.md index ae87ae53ae07..52738bbc8600 100644 --- a/docs/development/ldap/README.md +++ b/docs/development/ldap/README.md @@ -6,7 +6,7 @@ sidebar_navigation: # Set up a development LDAP server -**Note:** This guide is targeted only at development with OpenProject. For the LDAP configuration guide, please see this [here](../../system-admin-guide/authentication/ldap-authentication/) +**Note:** This guide is targeted only at development with OpenProject. For the LDAP configuration guide, please see this [here](../../system-admin-guide/authentication/ldap-connections/) OpenProject comes with a built-in LDAP server for development purposes. This server uses [ladle gem](https://github.com/NUBIC/ladle) to run an underlying apacheDS server. diff --git a/docs/enterprise-guide/enterprise-cloud-guide/enterprise-cloud-faq/README.md b/docs/enterprise-guide/enterprise-cloud-guide/enterprise-cloud-faq/README.md index c51cdf7742ed..917533859bc1 100644 --- a/docs/enterprise-guide/enterprise-cloud-guide/enterprise-cloud-faq/README.md +++ b/docs/enterprise-guide/enterprise-cloud-guide/enterprise-cloud-faq/README.md 
@@ -82,7 +82,7 @@ Access to the database (including the PostgreSQL tables) is restricted for the E ## Can I use LDAP authentication in my Enterprise cloud environment? -You can use [LDAP authentication](../../../system-admin-guide/authentication/ldap-authentication/) in your cloud environment. **However**, usually LDAP servers will _not_ be exposed to the internet, which they have to be for this to work. +You can use [LDAP authentication](../../../system-admin-guide/authentication/ldap-connections/) in your cloud environment. **However**, usually LDAP servers will _not_ be exposed to the internet, which they have to be for this to work. Whitelisting IPs is no option since the OpenProject servers' IPs are not permanent and can change without notice. Moreover we do not have a mechanism to list all IP addresses currently in use. diff --git a/docs/faq/README.md b/docs/faq/README.md index 044cf285fa2e..1be25c58fe3d 100644 --- a/docs/faq/README.md +++ b/docs/faq/README.md 
@@ -84,7 +84,7 @@ However, if you're still using an old OpenProject subscription there may be limi ### What is the difference between Enterprise on-premises and Community edition regarding LDAP? -In the Community edition and in the Enterprise on-premises edition you can use the standard LDAP authentication. However, the Enterprise on-premises edition also includes LDAP group synchronization. This allows you to synchronize group members from LDAP with groups in OpenProject. The respective documentation can be found [here](../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). +In the Community edition and in the Enterprise on-premises edition you can use the standard LDAP authentication. However, the Enterprise on-premises edition also includes LDAP group synchronization. This allows you to synchronize group members from LDAP with groups in OpenProject. The respective documentation can be found [here](../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). ## How to ... in OpenProject diff --git a/docs/glossary/README.md b/docs/glossary/README.md index b7543a7c1a42..555e3187cae6 100644 --- a/docs/glossary/README.md +++ b/docs/glossary/README.md 
@@ -56,7 +56,7 @@ In OpenProject, authentication is an important element to guarantee a data prote - [See answers to frequently asked questions (FAQ) for authentication](../system-admin-guide/authentication/authentication-faq/) - [See our blog post on multi-factor authentication to improve data security](https://www.openproject.org/blog/multi-factor-authentication-for-data-security/) - [Read more about Two-factor authentication (2FA) in OpenProject](../system-admin-guide/authentication/two-factor-authentication/) -- [Read more about LDAP Authentication in OpenProject](../system-admin-guide/authentication/ldap-authentication/) +- [Read more about LDAP Authentication in OpenProject](../system-admin-guide/authentication/ldap-connections/) ## B diff --git a/docs/installation-and-operations/installation/README.md b/docs/installation-and-operations/installation/README.md index 5f3b5be6d3b0..26e3702d8054 100644 --- a/docs/installation-and-operations/installation/README.md +++ b/docs/installation-and-operations/installation/README.md @@ -22,5 +22,5 @@ OpenProject can be setup in three different ways: ### Do you have a step-by-step guide to installing OpenProject Enterprise on-premises under Active Directory? -We have a guide on [how to use OpenProject with your Active Directory](../../system-admin-guide/authentication/ldap-authentication/). -In addition, with the Enterprise on-premises edition it is also possible to [link LDAP groups with groups in OpenProject](../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/). +We have a guide on [how to use OpenProject with your Active Directory](../../system-admin-guide/authentication/ldap-connections/). +In addition, with the Enterprise on-premises edition it is also possible to [link LDAP groups with groups in OpenProject](../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/). 
diff --git a/docs/security-and-privacy/processing-of-personal-data/README.md b/docs/security-and-privacy/processing-of-personal-data/README.md index 70cb7e6724c7..c3ed7cbcd19b 100644 --- a/docs/security-and-privacy/processing-of-personal-data/README.md +++ b/docs/security-and-privacy/processing-of-personal-data/README.md @@ -330,7 +330,7 @@ flowchart LR * Centralized identity and access management * Single sign on and single sign out ([OIDC](../../system-admin-guide/authentication/openid-providers/), [SAML](../../system-admin-guide/authentication/saml/)) -* [Syncing LDAP groups with OpenProject groups](../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/) +* [Syncing LDAP groups with OpenProject groups](../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/) #### Processed data diff --git a/docs/system-admin-guide/api-and-webhooks/README.md b/docs/system-admin-guide/api-and-webhooks/README.md index 4041f05a84c3..ac4b49af8ea8 100644 --- a/docs/system-admin-guide/api-and-webhooks/README.md +++ b/docs/system-admin-guide/api-and-webhooks/README.md 
@@ -15,7 +15,7 @@ Navigate to **Administration → API and webhooks**. ![API settings in OpenProject administration](openproject_system_admin_guide_api.png) -Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*. +Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. This setting allows users to access the OpenProject API using an API token created from the users "My account" page. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*. ### Documentation diff --git a/docs/system-admin-guide/authentication/README.md b/docs/system-admin-guide/authentication/README.md index 5cb37a60d20b..420cce675335 100644 --- a/docs/system-admin-guide/authentication/README.md +++ b/docs/system-admin-guide/authentication/README.md 
@@ -9,7 +9,7 @@ keywords: authentication Configure **authentication** settings and authentication providers in OpenProject. To adapt these authentication settings, navigate to your user name and select -> *Administration* -> *Authentication*. -![Sys-admin-authentication](Sys-admin-authentication-1579787715984.png) +![Authentication settings in OpenProject system administration](openproject_system_guide_authentication_settings.png) ## Overview @@ -20,5 +20,5 @@ Configure **authentication** settings and authentication providers in OpenProjec | [OpenID providers](openid-providers) | How to configure OpenID providers in OpenProject. | | [Two-factor authentication](two-factor-authentication) | Set up and manage two-factor authentication (2FA) in OpenProject. | | [reCAPTCHA](recaptcha) | How to activate reCAPTCHA in OpenProject. | -| [LDAP authentication](ldap-authentication) | How to set up LDAP authentication in OpenProject. | -| [LDAP group synchronization](ldap-authentication/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on) | +| [LDAP authentication](ldap-connections) | How to set up LDAP authentication in OpenProject. | +| [LDAP group synchronization](ldap-connections/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on) | diff --git a/docs/system-admin-guide/authentication/Sys-admin-authentication-1579787715984.png b/docs/system-admin-guide/authentication/Sys-admin-authentication-1579787715984.png deleted file mode 100644 index 12f6d5758c5c..000000000000 Binary files a/docs/system-admin-guide/authentication/Sys-admin-authentication-1579787715984.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/authentication-faq/README.md b/docs/system-admin-guide/authentication/authentication-faq/README.md index d3a010a9b7d7..451636ac081e 100644 --- a/docs/system-admin-guide/authentication/authentication-faq/README.md 
+++ b/docs/system-admin-guide/authentication/authentication-faq/README.md @@ -41,7 +41,7 @@ Yes, for Enterprise on-premises and Community edition there is a [configuration We support all authentication providers that support the SAML and OpenID Connect (OIDC) standards, such as Microsoft Entra ID, ADFS, CAS (with the OpenID connect overlay), Azure, Keycloak, Okta. -> [Note] +> [!NOTE] > Please note that single sign-on is an Enterprise add-on and can only be activated for Enterprise cloud and Enterprise on-premises. ## Is it possible to use a custom SSO provider (e.g. Keycloak) with the Enterprise cloud edition? @@ -51,7 +51,7 @@ For context: The connection of custom SSO providers is also described [here](../ ## I want to connect AD and LDAP to OpenProject. Which attribute for authentication sources does OpenProject use? -You can freely define the attributes that are taken from LDAP sources [in the LDAP auth source configuration screen](../ldap-authentication/). +You can freely define the attributes that are taken from LDAP sources [in the LDAP auth source configuration screen](../ldap-connections/). For group synchronization, OpenProject supports the AD/LDAP standard for groups via "member / memberOf". The attribute cannot be configured at this time. ## Is there an option to mass-create users in OpenProject via the LDAP? 
@@ -60,6 +60,6 @@ There's no such option at the moment. However, you can activate the on-the-fly u ## I would like to assign work packages to users from different authentication sources (AD and OpenLDAP). Is this possible without the admin creating groups manually? -OpenProject supports creating groups and staffing them with users based on information found in an LDAP (or AD). This is called [LDAP group synchronization](../ldap-authentication/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). The groups are created based on the name. So theoretically, it should be possible to have a single group that gets staffed by the information found in multiple LDAPs. This scenario has not been tested yet. Therefore, we cannot promise that it will work for sure. There is currently no other option. +OpenProject supports creating groups and staffing them with users based on information found in an LDAP (or AD). This is called [LDAP group synchronization](../ldap-connections/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). The groups are created based on the name. So theoretically, it should be possible to have a single group that gets staffed by the information found in multiple LDAPs. This scenario has not been tested yet. Therefore, we cannot promise that it will work for sure. There is currently no other option. Assigning work packages to multiple assignees is expected to be implemented in 2021. Once it is implemented, the source the user is defined in is no longer relevant. diff --git a/docs/system-admin-guide/authentication/authentication-settings/README.md b/docs/system-admin-guide/authentication/authentication-settings/README.md index 37dcc9444d48..f1b0e40f83f8 100644 --- a/docs/system-admin-guide/authentication/authentication-settings/README.md +++ b/docs/system-admin-guide/authentication/authentication-settings/README.md 
@@ -7,7 +7,7 @@ keywords: authentication settings --- # Authentication settings -To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Settings*. +To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Authentication Settings*. You can adapt the following under the authentication settings: @@ -15,7 +15,8 @@ You can adapt the following under the authentication settings: 1. Select if the **authentication is required** to access OpenProject. For versions 13.1 and higher of OpenProject, this setting will be checked by default - **Important note**: If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public). +> [!IMPORTANT] +> If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public). 2. Select an option for **self-registration**. Self-registration can either be **disabled**, or it can be allowed with the following criteria: 
@@ -25,22 +26,23 @@ You can adapt the following under the authentication settings: c) **Automatic account activation** means that a newly registered user will automatically be active. - **Note:** By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation. +> [!NOTE] +> By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation. 3. Define if the **email address should be used as login** name. 4. Define after how many days the **activation email sent to new users will expire**. Afterwards, you will have the possibility to [re-send the activation email](../../users-permissions/users/#resend-user-invitation-via-email) via the user settings. -![Sys-admin-authentication-settings](Sys-admin-authentication-settings.png) +![Authentication settings in OpenProject system administration](openproject_system_admin_guide_authentication_settings.png) ## Define a registration footer for registration emails -You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Settings*. +You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Authentication Settings*. 1. Choose for which **language** you want to define the registration footer. 2. Enter a **text for the registration footer**. 
-![Sys-admin-authentication-registration-footer](Sys-admin-authentication-registration-footer.png) +![Define registration footer for registration emails in OpenProject administration](openproject_system_admin_guide_authentication_settings_registration_footer.png) ## Configure password settings @@ -53,7 +55,7 @@ You can change various settings to configure password preferences in OpenProject 5. Define the **number of the most recently used passwords that a user should not be allowed to reuse**. 6. Activate the **Forgot your password.** This way a user will be able to reset the own password via email. -![Sys-admin-authentication-passwords](Sys-admin-authentication-passwords-1579791010597.png) +![Password settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_passwords.png) ## Other authentication settings @@ -64,7 +66,6 @@ There can be defined a number of other authentication settings. 3. Enable or disable the **autologin option**. This allows a user to remain logged in, even if he/she leaves the site. If this option is activated, the “Stay signed in” option will appear on the login screen to be selected. 4. Activate the **session expiration option**. If you select this option, an additional field will open, where you will be able to define the **inactivity time duration before the session expiry**. 5. Define to **log user login, name, and mail address for all requests**. -6. **Enable REST web service**. This setting allows users to access the OpenProject API using an API token created from the users "My account" page. 7. Do not forget to **save** your changes. -![Sys-admin-authentication-other-settings](Sys-admin-authentication-other-settings.png) +![Additional authentication settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_other.png) 
diff --git a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-other-settings.png b/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-other-settings.png deleted file mode 100644 index 76c6dcd75299..000000000000 Binary files a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-other-settings.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-passwords-1579791010597.png b/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-passwords-1579791010597.png deleted file mode 100644 index f48ac2d36851..000000000000 Binary files a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-passwords-1579791010597.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-registration-footer.png b/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-registration-footer.png deleted file mode 100644 index 530b4c8c5145..000000000000 Binary files a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-registration-footer.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-settings.png b/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-settings.png deleted file mode 100644 index c0a698f31830..000000000000 Binary files a/docs/system-admin-guide/authentication/authentication-settings/Sys-admin-authentication-settings.png and /dev/null differ 
diff --git a/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings.png b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings.png new file mode 100644 index 000000000000..27d1166c060e Binary files /dev/null and b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings.png differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_other.png b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_other.png new file mode 100644 index 000000000000..6248a00b856e Binary files /dev/null and b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_other.png differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_passwords.png b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_passwords.png new file mode 100644 index 000000000000..0fffcc9c589c Binary files /dev/null and b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_passwords.png differ diff --git a/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_registration_footer.png b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_registration_footer.png new file mode 100644 index 000000000000..c72ce7c33c2d Binary files /dev/null and b/docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings_registration_footer.png differ 
diff --git a/docs/system-admin-guide/authentication/kerberos/README.md b/docs/system-admin-guide/authentication/kerberos/README.md index 4513ae82b5d8..f83d1da864d4 100644 --- a/docs/system-admin-guide/authentication/kerberos/README.md +++ b/docs/system-admin-guide/authentication/kerberos/README.md @@ -1,7 +1,7 @@ --- sidebar_navigation: title: Kerberos - priority: 800 + priority: 200 description: How to set up integration of Kerberos for authentication with OpenProject. keywords: Kerberos, authentication @@ -10,7 +10,9 @@ keywords: Kerberos, authentication # Kerberos integration -> **Note**: This documentation is valid for the OpenProject Enterprise edition only. +> [!NOTE] +> This documentation is valid for the OpenProject Enterprise edition only. + [Kerberos](https://web.mit.edu/kerberos/) allows you to authenticate user requests to a service within a computer network. You can integrate it with OpenProject with the use of [GSSAPI Apache module](https://github.com/gssapi/mod_auth_gssapi/) (`mod_auth_gssapi`) plugging into the OpenProject packaged installation using Apache web server. This guide will also apply for Docker-based installation, if you have an outer proxying server such as Apache2 that you can configure to use Kerberos. This guide however focuses on the packaged installation of OpenProject. 
@@ -49,7 +51,8 @@ You will then need to add the generated keytab to be used for the OpenProject in We are going to create a new file `/etc/openproject/addons/apache2/custom/vhost/kerberos.conf` with the following contents. -> **Please note**: The following kerberos configuration is only an example. We cannot provide any support or help with regards to the Kerberos side of configuration. OpenProject will simply handle the incoming header containing the logged in user. +> [!NOTE] +> The following kerberos configuration is only an example. We cannot provide any support or help with regards to the Kerberos side of configuration. OpenProject will simply handle the incoming header containing the logged in user. ```apache @@ -119,7 +122,7 @@ Once the configuration is completed, restart your OpenProject and Apache2 server From there on, you will be forced to the Kerberos login flow whenever accessing OpenProject. For existing users that will be found by their login attribute provided in the `X-Authenticated-User`, they will be automatically logged in. -For non-existing users, if you have an LDAP configured with automatic user registration activated (check out our [LDAP authentication guide](../../../system-admin-guide/authentication/ldap-authentication/) for that), users will be created automatically with the attributes retrieved from the LDAP. +For non-existing users, if you have an LDAP configured with automatic user registration activated (check out our [LDAP authentication guide](../../../system-admin-guide/authentication/ldap-connections/) for that), users will be created automatically with the attributes retrieved from the LDAP. ## Known issues 
@@ -127,7 +130,8 @@ For non-existing users, if you have an LDAP configured with automatic user regis As Kerberos provides its own Basic Auth challenges if configured as shown above, it will prevent you from using the OpenProject API using an Authorization header such as API key authentication or OAuth2. -**Note:** A precondition to use this workaround is to run OpenProject under its own path (server prefix) such as `https://YOUR DOMAIN/openproject/`. If you are not using this, you need to first reconfigure the wizard with `openproject reconfigure` to use such a path prefix. Alternatively, you might have success by using a separate domain or subdomain, but this is untested. +> [!NOTE] +> A precondition to use this workaround is to run OpenProject under its own path (server prefix) such as `https://YOUR DOMAIN/openproject/`. If you are not using this, you need to first reconfigure the wizard with `openproject reconfigure` to use such a path prefix. Alternatively, you might have success by using a separate domain or subdomain, but this is untested. To work around this, you will have to configure a separate route to access the API, bypassing the Kerberos configuration. You can do that by modifying the `/etc/openproject/addons/apache2/custom/vhost/kerberos.conf`as follows: diff --git a/docs/system-admin-guide/authentication/ldap-authentication/README.md b/docs/system-admin-guide/authentication/ldap-connections/README.md similarity index 87% rename from docs/system-admin-guide/authentication/ldap-authentication/README.md rename to docs/system-admin-guide/authentication/ldap-connections/README.md index abe7497a632b..84fec7d83731 100644 --- a/docs/system-admin-guide/authentication/ldap-authentication/README.md +++ b/docs/system-admin-guide/authentication/ldap-connections/README.md @@ -1,6 +1,6 @@ --- sidebar_navigation: - title: LDAP authentication + title: LDAP connections priority: 500 description: Manage LDAP Authentication in OpenProject. keywords: ldap authentication 
@@ -8,7 +8,8 @@ keywords: ldap authentication # Manage LDAP connections -> **Note**: In order to be able to access the administration panel and manage LDAP authentication you need to be a system admin. +> [!NOTE] +> In order to be able to access the administration panel and manage LDAP authentication you need to be a system admin. To see the list of all available LDAP (Lightweight Directory Access Protocol) authentications navigate to - > *Administration* and select *-> Authentication* -> *LDAP connections* from the menu on the left. You will see the list of all available connections already created. @@ -16,7 +17,7 @@ To see the list of all available LDAP (Lightweight Directory Access Protocol) a To create a new LDAP connection, click on the respective icon. -![Sys-admin_ldap-authentication](Sys-admin_ldap-authentication.png) +![LDAP connections in OpenProject administration](openproject_system_guide_ldap_connections.png) You will then be able to specify the LDAP configuration. This can be any directory service compatible with the LDAPv3 standard, such as Microsoft Active Directory or openLDAP. The configuration depends on the specific database/applications, through which the authentication with OpenProject is intended. @@ -24,7 +25,7 @@ The following screenshots contain an exemplary configuration for a new LDAP aut ### LDAP connection details and security -![Adding a new LDAP authentication server](ldap-host-and-security.png) +![Adding a new LDAP authentication server in OpenProject administration](openproject_system_guide_ldap_connections_new_host_security.png) In the upper section, you have to specify the connection details of your LDAP server as well as the connection encryption to use. 
@@ -45,7 +46,7 @@ In the upper section, you have to specify the connection details of your LDAP se ### LDAP system user credentials -![Defining the system user of the connection](ldap-system-user.png) +![Defining the system user of the LDAP connection in OpenProject administration](openproject_system_guide_ldap_connections_new_system_account_credentials.png) Next, you will need to enter a system user that has READ access to the users for identification and synchronization purposes. Note that most operations to the LDAP during authentication will not be using these credentials, but the user-provided credentials in the login form in order to perform a regular user bind to the LDAP. @@ -54,7 +55,7 @@ Next, you will need to enter a system user that has READ access to the users for ### LDAP details -![Defining the details of the connection](ldap-details.png) +![Defining the details of the LDAP connection in OpenProject administration](openproject_system_guide_ldap_connections_new_system_ldap_details.png) Next you can define what sections OpenProject will look for in the LDAP and also if users should be created automatically in OpenProject when they are accessing it. Let's look at the available options: @@ -70,7 +71,7 @@ Next you can define what sections OpenProject will look for in the LDAP and also ### Attribute mapping -![Defining the attribute map for users](ldap-attribute-mapping.png) +![Defining the attribute map for users in OpenProject administration](openproject_system_guide_ldap_connections_new_attribute_mapping.png) The attribute mapping is used to identify attributes of OpenProject with attributes of the LDAP directory. At least the *login* attribute is required to create DNs from the login credentials. 
@@ -80,9 +81,9 @@ The attribute mapping is used to identify attributes of OpenProject with attribu - **Email:** The attribute name in the LDAP that maps to the user’s mail address. This will usually be *mail.* If left empty, user will be prompted to enter upon registration if **automatic user creation** is true. - **Admin:** Specify an attribute that if it has a truthy value, results in the user in OpenProject becoming an admin account. Leave empty to never set admin status from LDAP attributes. -Lastly, click on *Create* to save the LDAP authentication mode. You will be redirected to the index page with the created authentication mode. Click the *test* button to create a test connection using the system user’s bind credentials. +Lastly, click on *Create* to save the LDAP authentication mode. You will be redirected to the index page with the created LDAP connection. Click the *test* button to create a test connection using the system user’s bind credentials. -![LDAP authentication mode created](ldap-index-page.png) +![New LDAP connection created in OpenProject administration](openproject_system_guide_ldap_connections_new_created.png) With the [OpenProject Enterprise edition](https://www.openproject.org/enterprise-edition/) it is possible to [synchronize LDAP and OpenProject groups](./ldap-group-synchronization). diff --git a/docs/system-admin-guide/authentication/ldap-authentication/Sys-admin_ldap-authentication.png b/docs/system-admin-guide/authentication/ldap-connections/Sys-admin_ldap-authentication.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/Sys-admin_ldap-authentication.png rename to docs/system-admin-guide/authentication/ldap-connections/Sys-admin_ldap-authentication.png 
diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-attribute-mapping.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-attribute-mapping.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-attribute-mapping.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-attribute-mapping.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-details.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-details.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-details.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-details.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/README.md b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/README.md similarity index 92% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/README.md rename to docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/README.md index be22ba16c968..4ba6589c08fb 100644 --- a/docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/README.md +++ b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/README.md 
@@ -13,10 +13,11 @@ Note: This feature is available for the Enterprise on-premises only, for OpenPro In OpenProject Enterprise on-premises, you can synchronize LDAP group memberships defined through the [groupOfNames](https://tools.ietf.org/html/rfc4519#section-3.5) LDAP object class. This guide assumes that you: - have at least one group defined in OpenProject (See the “[Managing groups](../../../users-permissions/groups/)” guide for more information on how to create and edit groups), -- have set up your LDAP authentication source (See the “[Manage LDAP authentication](../../ldap-authentication/)” guide) +- have set up your LDAP authentication source (See the “[Manage LDAP authentication](../../ldap-connections/)” guide) - have at least one LDAP entry with a *groupOfNames* object class and members of that group to contain the *`memberOf: `* attribute to determine the members of a group entry. Right now we do not support LDAP instances that only have *member* attributes, but not the inverse *memberOf* property. -> **Please note**: OpenProject does not support other attributes other than the `memberOf` property to define groups. Please make sure that user objects have the `memberOf` property for the synchronization to work. +> [!NOTE] +> OpenProject does not support other attributes other than the `memberOf` property to define groups. Please make sure that user objects have the `memberOf` property for the synchronization to work. For the sake of simplicity, we assume that in this guide, your LDAP structure looks like the following: 
@@ -38,7 +39,7 @@ Instead of manually synchronizing groups from a given DN, you can also create fi When the synchronization task is executed, the filter is being queried against the LDAP and resulting group objects will be created as synchronized groups *and* as OpenProject groups. -![LDAP synchronized filter form](ldap-groups-filter.png) +![LDAP synchronized filter form in OpenProject administration](openproject_system_guide_add_ldap_filter.png) ### Create a synchronized filter @@ -53,7 +54,8 @@ To create a new synchronized filter, use the button on the top right of the inde Click on *Create* to finish the creation of the synchronized filter. This filter is being executed hourly as part of the background job before the actual group synchronization runs. -**Note:** If you manually create a synchronized group that is also found by a filter, its properties (such as the *Sync users* setting) is being overridden by the filter setting. +> [!NOTE] +> If you manually create a synchronized group that is also found by a filter, its properties (such as the *Sync users* setting) is being overridden by the filter setting. ## Configure synchronized LDAP groups @@ -63,7 +65,7 @@ In order to get to the LDAP group sync administration pane, expand the LDAP auth In order for the LDAP groups plugin to locate your group entries, you first need to set the *group key* to **cn** (the identifying attribute of the group entries) and *group base* to **ou=groups,ou=example,ou=com** as shown in the following screenshot. -![LDAP group synchronization settings](ldap-group-form.png) +![LDAP group synchronization settings in OpenProject administration](openproject_system_guide_add_ldap_group.png) ### Create a synchronized group 
diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-group-form.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-group-form.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-group-form.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-group-form.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-groups-1-900x363@2x.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-groups-1-900x363@2x.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-groups-1-900x363@2x.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-groups-1-900x363@2x.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-groups-filter.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-groups-filter.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/ldap-groups-filter.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/ldap-groups-filter.png diff --git a/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_filter.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_filter.png new file mode 100644 index 000000000000..7d46fe3fae45 Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_filter.png differ 
diff --git a/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_group.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_group.png new file mode 100644 index 000000000000..49d4038fcfe0 Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/openproject_system_guide_add_ldap_group.png differ diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-host-and-security.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-host-and-security.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-host-and-security.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-host-and-security.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-index-page.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-index-page.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-index-page.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-index-page.png diff --git a/docs/system-admin-guide/authentication/ldap-authentication/ldap-system-user.png b/docs/system-admin-guide/authentication/ldap-connections/ldap-system-user.png similarity index 100% rename from docs/system-admin-guide/authentication/ldap-authentication/ldap-system-user.png rename to docs/system-admin-guide/authentication/ldap-connections/ldap-system-user.png 
diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections.png new file mode 100644 index 000000000000..0b71cec862e5 Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections.png differ diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_attribute_mapping.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_attribute_mapping.png new file mode 100644 index 000000000000..4ad7544054a7 Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_attribute_mapping.png differ diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_created.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_created.png new file mode 100644 index 000000000000..f40eeb17eccc Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_created.png differ diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_host_security.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_host_security.png new file mode 100644 index 000000000000..4d10af687f7d Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_host_security.png differ 
diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_account_credentials.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_account_credentials.png new file mode 100644 index 000000000000..6e911113085b Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_account_credentials.png differ diff --git a/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_ldap_details.png b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_ldap_details.png new file mode 100644 index 000000000000..bb664b920689 Binary files /dev/null and b/docs/system-admin-guide/authentication/ldap-connections/openproject_system_guide_ldap_connections_new_system_ldap_details.png differ diff --git a/docs/system-admin-guide/authentication/oauth-applications/README.md b/docs/system-admin-guide/authentication/oauth-applications/README.md index 34a8214bfc7b..85ab9b25dde3 100644 --- a/docs/system-admin-guide/authentication/oauth-applications/README.md +++ b/docs/system-admin-guide/authentication/oauth-applications/README.md 
@@ -7,14 +7,13 @@ keywords: OAuth application settings --- # OAuth applications -To configure OpenProject to act as a server to an -OAuth client applications, please navigate to *Administration* -> *Authentication* -> *OAuth applications*. +To configure OpenProject to act as a server to an OAuth client applications, please navigate to *Administration* -> *Authentication* -> *OAuth applications*. ## Add a new authentication application for OAuth -To add a new OAuth application, click the green **+ Add** button. +To add a new OAuth application, click the green **+ OAuth application** button. -![Sys-admin-authentication-OAuth-applications](Sys-admin-authentication-oauth-applications.png) +![OAuth applications in OpenProject system administration](openproject_system_admin_guide_oauth_application_button.png) You can configure the following options to add your OAuth application: @@ -40,9 +39,10 @@ You can configure the following options to add your OAuth application: user on whose behalf requests will be performed. 6. Press **Create** to add your OAuth application. -![add-new-oauth-application](add-new-oauth-application.png) +![Add a new OAuth application in OpenProject administration](openproject_system_admin_guide_oauth_application_new.png) -Don't forget to note down your `Client ID` and your `Client secret` +> [!TIP] +> Don't forget to note down your `Client ID` and your `Client secret` in a safe space. You will need them later. ## OAuth endpoints diff --git a/docs/system-admin-guide/authentication/oauth-applications/Sys-admin-authentication-oauth-applications.png b/docs/system-admin-guide/authentication/oauth-applications/Sys-admin-authentication-oauth-applications.png deleted file mode 100644 index f8e2656d5f06..000000000000 Binary files a/docs/system-admin-guide/authentication/oauth-applications/Sys-admin-authentication-oauth-applications.png and /dev/null differ 
diff --git a/docs/system-admin-guide/authentication/oauth-applications/add-new-oauth-application.png b/docs/system-admin-guide/authentication/oauth-applications/add-new-oauth-application.png deleted file mode 100644 index 25bc79525a53..000000000000 Binary files a/docs/system-admin-guide/authentication/oauth-applications/add-new-oauth-application.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_button.png b/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_button.png new file mode 100644 index 000000000000..ed2c1da00df9 Binary files /dev/null and b/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_button.png differ diff --git a/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_new.png b/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_new.png new file mode 100644 index 000000000000..2fed0a9f1310 Binary files /dev/null and b/docs/system-admin-guide/authentication/oauth-applications/openproject_system_admin_guide_oauth_application_new.png differ diff --git a/docs/system-admin-guide/authentication/openid-providers/README.md b/docs/system-admin-guide/authentication/openid-providers/README.md index 9ae25ce42c81..e8120fe018a1 100644 --- a/docs/system-admin-guide/authentication/openid-providers/README.md +++ b/docs/system-admin-guide/authentication/openid-providers/README.md 
@@ -20,17 +20,26 @@ To activate and configure OpenID providers in OpenProject, navigate to *Administ To add a new OpenID provider, click the green **+ OpenID provider** button. -![Sys-admin-authentication-openid-provider](Sys-admin-authentication-openid-provider.png) +![OpenID providers in OpenProject administration](openproject_system-admin-guide_authentication_openid_provider.png) You can configure the following options. 1. Choose **Google** or **Azure** to add as an OpenID provider to OpenProject. + 2. Optionally enter a **display name**. + 3. Enter the **Identifier**. + 4. Enter the **Secret**. + 5. Optionally, if you want to honor the system-wide self-registration setting, enable "Limit self registration". -When checked, users will be created according to the [self-registration setting](../authentication-settings). -6. Press the **create** button. + When checked, users will be created according to the [self-registration setting](../authentication-settings). + +6. Set the **tenant** of your Azure endpoint. This will control who gets access to the OpenProject instance. For more information, please see [our user guide on Azure OpenID connect](#azure-active-directory) + +7. Press the **create** button. + + ![Add a new OpenID provider in OpenProject administration](openproject_system-admin-guide_authentication_openid_provider_new.png) ## Google Workspace 
@@ -87,13 +96,14 @@ After pressing **CREATE** you will get a pop-up window like the following 2. **Display Name** (e.g. **EXAMPLE.COM SSO**) 3. **Identifier** (**Client ID** from step 2) 4. **Secret** (**Client Secret** from step 2) + 5. Enable **Limit self registration** option 3. Press **Create** -![g6-add-new-openid-provider-google](g6-add-new-openid-provider-google.png) +![Add a new OpenID Gogole provider in OpenProject administration](openproject_system-admin-guide_authentication_openid_provider_new_google.png) 4. The following green notification **Successful creation** should appear -![g7-successful-creation-google](g7-successful-creation-google.png) +![Successful OpenID creation message in OpenProject administration](openproject_system-admin-guide_authentication_openid_provider_new_google_successful_message.png) ## Azure Active Directory diff --git a/docs/system-admin-guide/authentication/openid-providers/Sys-admin-authentication-openid-provider.png b/docs/system-admin-guide/authentication/openid-providers/Sys-admin-authentication-openid-provider.png deleted file mode 100644 index 0bd47c91613e..000000000000 Binary files a/docs/system-admin-guide/authentication/openid-providers/Sys-admin-authentication-openid-provider.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/openid-providers/g6-add-new-openid-provider-google.png b/docs/system-admin-guide/authentication/openid-providers/g6-add-new-openid-provider-google.png deleted file mode 100644 index afc77a295065..000000000000 Binary files a/docs/system-admin-guide/authentication/openid-providers/g6-add-new-openid-provider-google.png and /dev/null differ 
diff --git a/docs/system-admin-guide/authentication/openid-providers/g7-successful-creation-google.png b/docs/system-admin-guide/authentication/openid-providers/g7-successful-creation-google.png deleted file mode 100644 index 50c66b847a91..000000000000 Binary files a/docs/system-admin-guide/authentication/openid-providers/g7-successful-creation-google.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider.png b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider.png new file mode 100644 index 000000000000..89399fea1931 Binary files /dev/null and b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider.png differ diff --git a/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new.png b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new.png new file mode 100644 index 000000000000..850d89ee8490 Binary files /dev/null and b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new.png differ diff --git a/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google.png b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google.png new file mode 100644 index 000000000000..36301c3ff739 Binary files /dev/null and b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google.png differ 
diff --git a/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google_successful_message.png b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google_successful_message.png new file mode 100644 index 000000000000..3ac418daf544 Binary files /dev/null and b/docs/system-admin-guide/authentication/openid-providers/openproject_system-admin-guide_authentication_openid_provider_new_google_successful_message.png differ diff --git a/docs/system-admin-guide/authentication/openproject_system_guide_authentication_settings.png b/docs/system-admin-guide/authentication/openproject_system_guide_authentication_settings.png new file mode 100644 index 000000000000..b00b73dd2d41 Binary files /dev/null and b/docs/system-admin-guide/authentication/openproject_system_guide_authentication_settings.png differ diff --git a/docs/system-admin-guide/authentication/recaptcha/README.md b/docs/system-admin-guide/authentication/recaptcha/README.md index 76708460a263..72c26e6e3299 100644 --- a/docs/system-admin-guide/authentication/recaptcha/README.md +++ b/docs/system-admin-guide/authentication/recaptcha/README.md @@ -7,7 +7,7 @@ keywords: reCAPTCHA --- # reCAPTCHA configuration -To activate and **configure reCAPTCHA** for OpenProject, navigate to *Administration* -> *Authentication* and choose -> reCAPTCHA. +To activate and **configure reCAPTCHA** for OpenProject, navigate to *Administration* -> *Authentication* and choose -> *reCAPTCHA.* If enabled, a captcha form will be rendered upon login for all users that have not verified a captcha yet. Please see the following link for more details on reCAPTCHA and their versions, and how to create the website and secret keys: [https://www.google.com/recaptcha](https://www.google.com/recaptcha). 
@@ -16,9 +16,10 @@ You can configure the following options: 1. Activate reCAPTCHA for OpenProject. You can choose between reCAPTCHA v2 and reCAPTCHA v3. 2. Insert the **website key**. 3. Insert the **secret key**. -4. Press the **Apply** button to save your changes. +4. Enter the **response limit for HCaptcha**. +5. Press the **Apply** button to save your changes. -![Sysadmin authentication reCAPTCHA](Sys-admin-authentication-recaptcha.png) +![reCAPTCHA authentication settings in OpenProject administration](openproject_system_admin_guide_recaptcha.png) # Cloudflare Turnstile configuration diff --git a/docs/system-admin-guide/authentication/recaptcha/openproject_system_admin_guide_recaptcha.png b/docs/system-admin-guide/authentication/recaptcha/openproject_system_admin_guide_recaptcha.png new file mode 100644 index 000000000000..deba4d6c3a83 Binary files /dev/null and b/docs/system-admin-guide/authentication/recaptcha/openproject_system_admin_guide_recaptcha.png differ diff --git a/docs/system-admin-guide/authentication/saml/README.md b/docs/system-admin-guide/authentication/saml/README.md index 67d3e33962dc..005c4a952cfd 100644 --- a/docs/system-admin-guide/authentication/saml/README.md +++ b/docs/system-admin-guide/authentication/saml/README.md 
@@ -1,21 +1,22 @@ --- sidebar_navigation: title: SAML single sign-on - priority: 800 + priority: 100 description: How to set up SAML integration for SSO with OpenProject. keywords: SAML, SSO, single sign-on, authentication --- # SAML -> **NOTE**: This documentation is valid for the OpenProject Enterprise edition only. +> [!NOTE] +> This documentation is valid for the OpenProject Enterprise edition only. You can integrate your active directory or other SAML compliant identity provider in your OpenProject Enterprise edition. ## Enterprise cloud For the moment in the Enterprise cloud OpenProject DevOps team has to apply the configuration for you. The configuration has to be provided in a support ticket, e.g. as an ENV environment file. -Experience shows that configuring this can be tricky, though. So it may take a bit until the correct configuration is finished with your SAML provider. -If you have the chance to test the SAML configuration on an Enterprise on-premises installation this might speed things up. But we can make it work either way. +Experience shows that configuring this can be tricky. So it may require some time until the correct configuration is finished with your SAML provider. +If you have the chance to test the SAML configuration on an Enterprise on-premises installation this might speed up the process. But we can make it work either way. ## Enterprise on-premises @@ -156,7 +157,8 @@ Setting.plugin_openproject_auth_saml = Hash(Setting.plugin_openproject_auth_saml #### 1.3 config/configuration.yml file -> **NOTE**: ONLY for OpenProject version 11 and older +> [!IMPORTANT] +> ONLY for OpenProject version 11 and older In your OpenProject packaged installation, you can modify the `/opt/openproject/config/configuration.yml` file. Edit the file in your favorite editor 
@@ -266,7 +268,8 @@ Setting.plugin_openproject_auth_saml = Hash(Setting.plugin_openproject_auth_saml **b) Attribute mapping example for configuration.yml** -> **NOTE**: ONLY for OpenProject version 11 and older +> [!IMPORTANT] +> ONLY for OpenProject version 11 and older ```yaml default: @@ -292,7 +295,8 @@ That means the response should contain attribute names 'mail', etc. as configure If you have URN or OID attribute identifiers, you can modify the request as follows: -> **NOTE**: Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration +> [!IMPORTANT] +> Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration ```yaml default: @@ -327,7 +331,8 @@ Your identity provider may optionally encrypt the assertion response, however no To configure assertion encryption, you need to provide the certificate to send in the request and private key to decrypt the response: -> **NOTE**: Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration +> [!IMPORTANT] +> Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration ```yaml default: @@ -342,7 +347,8 @@ Request signing means that the service provider (OpenProject in this case) uses To enable request signing, enable the following flag: -> **NOTE**: Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration +> [!IMPORTANT] +> Example is ONLY for OpenProject version 11 and older and needs to be redesigned for ENV configuration ```yaml default: diff --git a/docs/system-admin-guide/authentication/two-factor-authentication/README.md b/docs/system-admin-guide/authentication/two-factor-authentication/README.md index 708fc0ce2c75..ba1e881bf49a 100644 --- a/docs/system-admin-guide/authentication/two-factor-authentication/README.md +++ b/docs/system-admin-guide/authentication/two-factor-authentication/README.md 
@@ -17,7 +17,7 @@ From the GUI you are able to configure the following options: 2. **Remember 2FA login** for a given number of days, e.g. 30 days. 3. Press the **Apply** button to save your changes. -![Sys-admin-authentication-two-factor-authentication](Sys-admin-authentication-two-factor-authentication.png) +![Two factor authentication in OpenProject administration](openproject_system_admin_guide_two_factor_authentication.png) > [!NOTE] > These options will not be shown in the administration if 2FA settings are configured through [environment variables](../../../installation-and-operations/configuration/environment/). diff --git a/docs/system-admin-guide/authentication/two-factor-authentication/Sys-admin-authentication-two-factor-authentication.png b/docs/system-admin-guide/authentication/two-factor-authentication/Sys-admin-authentication-two-factor-authentication.png deleted file mode 100644 index 2725ec9607f4..000000000000 Binary files a/docs/system-admin-guide/authentication/two-factor-authentication/Sys-admin-authentication-two-factor-authentication.png and /dev/null differ diff --git a/docs/system-admin-guide/authentication/two-factor-authentication/openproject_system_admin_guide_two_factor_authentication.png b/docs/system-admin-guide/authentication/two-factor-authentication/openproject_system_admin_guide_two_factor_authentication.png new file mode 100644 index 000000000000..86e97b8127a7 Binary files /dev/null and b/docs/system-admin-guide/authentication/two-factor-authentication/openproject_system_admin_guide_two_factor_authentication.png differ diff --git a/docs/system-admin-guide/manage-work-packages/README.md b/docs/system-admin-guide/manage-work-packages/README.md index eb5eba3a9afa..168c7271043c 100644 --- a/docs/system-admin-guide/manage-work-packages/README.md +++ b/docs/system-admin-guide/manage-work-packages/README.md 
@@ -17,4 +17,5 @@ Manage work packages in OpenProject. | [Types](work-package-types) | Create and manage work package types. | | [Status](work-package-status) | Create and manage work package status. | | [Workflows](work-package-workflows) | Create and manage workflows for work packages in OpenProject. | -| [Custom actions](custom-actions) | Create custom actions for work packages (Enterprise add-on) | +| [Custom actions](custom-actions) | Create custom actions for work packages (Enterprise add-on). | +| [FAQs](work-packages-faq) | Frequently asked questions about work packages in OpenProject. | diff --git a/docs/system-admin-guide/users-permissions/placeholder-users/README.md b/docs/system-admin-guide/users-permissions/placeholder-users/README.md index dc72d10baa6c..17e07fb8cf01 100644 --- a/docs/system-admin-guide/users-permissions/placeholder-users/README.md +++ b/docs/system-admin-guide/users-permissions/placeholder-users/README.md @@ -44,7 +44,7 @@ You will then be asked to type in the placeholder user name to confirm the delet ![Delete a placeholder user in OpenProject administration](openproject_system_guide_delete_placeholder_user.png) -> [!NOTE] +> [!CAUTION] > Deleting a placeholder user account is an irreversible action and cannot be revoked. The previous activities from this user will still be displayed in the system but reassigned to **Deleted user**. ## Create placeholder users diff --git a/docs/system-admin-guide/users-permissions/roles-permissions/README.md b/docs/system-admin-guide/users-permissions/roles-permissions/README.md index e81950332ccb..e18045341af9 100644 --- a/docs/system-admin-guide/users-permissions/roles-permissions/README.md +++ b/docs/system-admin-guide/users-permissions/roles-permissions/README.md 
@@ -64,7 +64,8 @@ A user can have one or more roles which grant permissions on different levels. **A project role** is a set of **permissions** that can be assigned to any project member. Multiple roles can be assigned to the same project member.
-**Note:** If a module is not enabled in a project it is not shown to a user despite having a permission for it. +>[!NOTE] +>If a module is not enabled in a project it is not shown to a user despite having a permission for it. | Scope of the role | Permission examples | Customization options | | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | @@ -74,7 +75,8 @@ A user can have one or more roles which grant permissions on different levels. **Non member** is the default role of users of your OpenProject instance who have not been added to a project. This only applies if the project has been set as [public](../../../user-guide/projects/#set-a-project-to-public) in the project settings.
-**Note:** The *Non-member* role cannot be deleted. +>[!NOTE] +The *Non-member* role cannot be deleted. | Scope of the role | Permission examples | Customization options | | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | @@ -84,7 +86,8 @@ A user can have one or more roles which grant permissions on different levels. OpenProject allows to share project information with **anonymous** users which are not logged in. This is helpful to communicate projects goals and activities with a public community.
-**Note**: This only applies if you disabled the need for authentication for your instance and if the project is set as **public**. The *Anonymous* role cannot be deleted. +>[!NOTE] +> This only applies if you disabled the need for authentication for your instance and if the project is set as **public**. The *Anonymous* role cannot be deleted. | Scope of the role | Permission examples | Customization options | | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | @@ -117,7 +120,8 @@ Administrators can create new global roles in *Administration* > *Users and perm - [Create projects](../../../getting-started/projects/#create-a-new-project) - > **Note:** To create a subproject for an existing project it requires also the project permission "Create subprojects". +> [!TIP] +> To create a subproject for an existing project it also requires the project permission "Create subprojects". - [Create backups](../../backup/) 
@@ -125,11 +129,13 @@ Administrators can create new global roles in *Administration* > *Users and perm - [Edit users](../users/) - > **Note:** This allows the *Administrator* to delegate the administration of users to other people that should not have full control of the entire OpenProject installation (Administrator). These users can edit attributes of any users, except administrators. This means they are able to impersonate another user by changing email address to match theirs. This is a security risk and should be considered with caution. +> [!NOTE] +> This allows the *Administrator* to delegate the administration of users to other people that should not have full control of the entire OpenProject installation (Administrator). These users can edit attributes of any users, except administrators. This means they are able to impersonate another user by changing email address to match theirs. This is a security risk and should be considered with caution. - [Create, edit, and delete placeholder users](../placeholder-users/) - > **Note**: Users with this global permission cannot automatically see and edit all placeholder user in all projects. It is restricted to the placeholder users in projects in which the user has the respective permission to see or edit project member. +> [!NOTE] +> Users with this global permission cannot automatically see and edit all placeholder user in all projects. It is restricted to the placeholder users in projects in which the user has the respective permission to see or edit project member. ### Edit and delete roles @@ -137,7 +143,8 @@ To edit an existing role, click on the role name in the roles overview table. Ma To delete an existing role click on the **delete icon** next to a role in the list. -> **Note:** Roles that are assigned to a user cannot be deleted. +> [!IMPORTANT] +> Roles that are assigned to a user cannot be deleted. ## FAQ for roles and permissions
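Review bot: In the roles-permissions hunk at `@@ -74,7 +75,8 @@`, the added body line `+The *Non-member* role cannot be deleted.` has no leading `>`, so it only joins the alert through lazy continuation, unlike every other alert in this patch. Prefix it with `> `. The hunks at `-64`, `-74` and `-84` also write `>[!NOTE]` without a space while the later hunks use `> [!NOTE]`; pick one form so the alerts render the same under every Markdown renderer the docs go through.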
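Review bot: In the roles-permissions hunk at `@@ -117,7 +120,8 @@`, the added `> [!TIP]` lines appear to start at column 0 where the removed `> **Note:**` line was indented under the "Create projects" bullet, so the alert now sits between list items instead of inside one. Since the text no longer hangs off its bullet, name the permission in the sentence itself, for example "To create a subproject, the *Create projects* global permission is not enough: the project permission "Create subprojects" is also required." Also consider whether a requirement that blocks the action belongs in `[!TIP]` rather than `[!NOTE]` or `[!IMPORTANT]`.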
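Review bot: In the roles-permissions hunk at `@@ -125,11 +129,13 @@`, the "Edit users" alert is tagged `[!NOTE]` although its text says holders of the permission "are able to impersonate another user by changing email address to match theirs" and calls this "a security risk". The same patch raises the placeholder-user deletion note to `[!CAUTION]` and the role deletion note to `[!IMPORTANT]`, so an account-takeover path should not be the lowest-severity callout here; use `[!WARNING]` or `[!CAUTION]`. The sentence opens with "This allows", which loses its referent now that the alert is no longer indented under the bullet, so start it with "The *Edit users* permission allows". In the second alert of the hunk, "all placeholder user" and "project member" should be plural.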