forked from ACCORD5/TrellisDesk
LDAP Status
lewellyn edited this page Nov 17, 2012 · 1 revision
NOTE: This is a copy of the page that is in our internal wiki. If it looks like this page doesn't reflect reality, please let me (lewellyn) know and I'll update it with the latest information. Thanks!
- Only Active Directory is supported (using adLDAP). Switching to a different library is probably not so difficult, but we only have a way to test Active Directory. It's better to implement what's testable.
- Currently working fully for users.
- Administrative users can log into the ACP, however `no_perm` permeates the experience for now. Fixing at least some of this is a high priority.
- There is a bit of a stub toward ACP having an LDAP checkbox for users.
- There is no page to configure LDAP in the guided setup, though the preferences are in `config.php.dist`.
- Groups have only had minimal testing so far.
- Currently there are a lot of `no_perm`. This will be fixed at a later date. (However, vital functionality will likely be fixed sooner.) If others can help, it is welcome. Users can pretty much just log into the ACP for now.
- The user add/edit LDAP checkbox will be coming soon.
- Checking the box once implemented will only set a well-known (invalid) password for the user.
- For the checkbox to be persistent, the database schema must be extended. A schema extension is also necessary for anything other than ensuring the user can only log in via LDAP. As there is no such functionality yet, no extension has been done. (Nor are we likely to until we know whether ACCORD5 has abandoned their GitHub project.)
- User password changes outside the ACP will be accepted even after the LDAP checkbox arrives, per the above. This will, of course, not change the user's LDAP password, but rather the password stored in the database. The user can only use this password if the LDAP server is down, so this may currently be considered an "undocumented feature".
- A future enhancement may be to have a toggle in the ACP to get the user's email address from LDAP. This would disable the user's "Change Email" button.
- The exact implementation details will be up for discussion before that feature arrives.
includes/classes/class_session.php lines 320-323
includes/classes/class_asession.php lines 252-255
Unsure if logging mechanism is correct for these. We don't want to spew the exception to the browser; we want login to fail so the user sees the "contact an Administrator" message and the admin will hopefully check the logs. Unfortunately, I'm not entirely sure where this function logs... It's a first stab; it can be fixed later. 🏄
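
One way to get the behaviour described above (login fails, the user sees only the "contact an Administrator" message, the detail lands in the server log), as an added example that is not TrellisDesk's code. `ldap_login()`, `DirectoryUnavailable` and the injected `$bind` callable are hypothetical stand-ins for the real library call, PHP 7+ is assumed, and `error_log()` writes to wherever PHP's `error_log` ini setting points.

```php
<?php
// Added example, not TrellisDesk code. All names below are hypothetical.

// Stand-in for the exception an LDAP library throws on connection/bind trouble.
class DirectoryUnavailable extends Exception {}

/**
 * Try an LDAP bind via $bind (a callable wrapping the real library call).
 * Returns ['ok' => bool, 'message' => string shown to the user].
 * Exception detail goes only to the server log, never into 'message'.
 */
function ldap_login(callable $bind, string $user, string $pass): array
{
    // An empty password can become an unauthenticated bind on some servers; refuse it.
    if ($user === '' || $pass === '') {
        return ['ok' => false, 'message' => 'Invalid username or password.'];
    }
    try {
        $ok = (bool) $bind($user, $pass);
    } catch (Exception $e) {
        // Short random reference so the admin can match a user's report to the log line.
        $ref = bin2hex(random_bytes(4));
        // Strip CR/LF so a crafted username cannot forge extra log lines.
        $safeUser = preg_replace('/[\r\n]+/', ' ', $user);
        error_log(sprintf('LDAP login error ref=%s user="%s" %s: %s',
            $ref, $safeUser, get_class($e), $e->getMessage()));
        return ['ok' => false,
                'message' => "Login is unavailable. Please contact an Administrator (ref $ref)."];
    }
    return $ok
        ? ['ok' => true,  'message' => '']
        : ['ok' => false, 'message' => 'Invalid username or password.'];
}

// Constructed demo inputs: one bind that fails like an unreachable server, one that works.
$down = function ($u, $p) { throw new DirectoryUnavailable('connect to dc01.example.test:636 failed'); };
$good = function ($u, $p) { return $u === 'alice' && $p === 'correct horse'; };

var_dump(ldap_login($down, 'alice', 'x'));              // directory unreachable
var_dump(ldap_login($good, 'alice', 'correct horse'));  // valid credentials
var_dump(ldap_login($good, 'alice', ''));               // empty password, bind never attempted
```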