Extend LDAP auth plugin to also handle group memberships

Description

One of our customers wants to handle the DATAGERRY group membership with LDAP groups (or Active Directory groups) when using LDAP authentication.

Currently, if a user logs in for the first time using LDAP auth, a user object in DATAGERRY will be created. This user object will be part of a statically defined user group, which can be changed manually by editing this user object.

On every login using the LDAP auth plugin, the LDAP user groups (a user could be part of multiple groups in LDAP) should be read out of LDAP with a configured group filter. A mapping between LDAP groups and DATAGERRY groups (one group per user) should be defined.

Activity

Michael Batz
January 19, 2021, 7:55 AM

tested again, looks good to me:

 

Testcase 1:

  • group mapping disabled

  • default group

  • login of a new user

  • should be moved to default group
    => OK

Testcase 2:

  • group mapping disabled

  • login of an existing user which is in a different group than the default group

  • should stay in its group
    => OK

Testcase 3:

  • group mapping enabled

  • group mapping defined for one LDAP group

  • test user is part of that defined LDAP group

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to new group
    => OK

Testcase 4:

  • group mapping enabled

  • group mapping defined for one LDAP group

  • test user is not part of that defined LDAP group

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to default group
    => OK

Testcase 5:

  • group mapping enabled

  • group mapping defined for two LDAP groups

  • test user is part of both defined LDAP groups

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to first defined group in mapping
    => OK
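The group resolution that the five test cases above exercise, written out as an added example; it is not part of the ticket or of DATAGERRY's code. The function name, the ordered list-of-pairs mapping, the case-insensitive DN comparison and the sample DNs and group ids are assumptions made for illustration.

```python
from typing import Iterable, Optional, Sequence, Tuple

# Hypothetical type: an ordered list of (LDAP group DN, DATAGERRY group id).
GroupMapping = Sequence[Tuple[str, int]]


def _norm(dn: str) -> str:
    # Assumption: group DNs are compared case-insensitively, ignoring outer whitespace.
    return dn.strip().casefold()


def resolve_group(
    ldap_groups: Iterable[str],
    mapping: GroupMapping,
    default_group: int,
    mapping_enabled: bool,
    current_group: Optional[int] = None,
) -> int:
    """Return the DATAGERRY group a user should be in after this login.

    current_group is None for a user logging in for the first time.
    """
    if not mapping_enabled:
        # Test cases 1 and 2: new users get the default group,
        # existing users keep whatever group they already have.
        return default_group if current_group is None else current_group

    member_of = {_norm(dn) for dn in ldap_groups}
    # Walk the mapping in its configured order, not the LDAP result,
    # so the first defined entry wins deterministically (test case 5).
    for ldap_dn, dg_group in mapping:
        if _norm(ldap_dn) in member_of:
            return dg_group  # test case 3
    # Test case 4: no mapped LDAP group matched, fall back to the default.
    return default_group


# Constructed sample data (not from the ticket).
MAPPING = [
    ("cn=cmdb-admins,ou=groups,dc=example,dc=org", 1),
    ("cn=cmdb-users,ou=groups,dc=example,dc=org", 2),
]
DEFAULT_GROUP = 3

if __name__ == "__main__":
    both = [MAPPING[1][0].upper(), MAPPING[0][0]]  # LDAP returns them in reverse order
    print(resolve_group(both, MAPPING, DEFAULT_GROUP, True, current_group=5))  # 1
```

Because the result is recomputed on every login, a user removed from all mapped LDAP groups drops back to the default group at the next login, so the default group should carry the lowest privileges.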

Mark Heumüller
January 14, 2021, 12:00 PM

Fixed and should work now!

Michael Batz
January 14, 2021, 10:52 AM

here is the list

Hints:

  • usability: default group hint „this is the default group when NO group mapping is enabled.“ is not correct

Testcase 1:

  • group mapping disabled

  • default group

  • login of a new user

  • should be moved to default group
    => OK

Testcase 2:

  • group mapping disabled

  • login of an existing user which is in a different group than the default group

  • should stay in its group
    => NO

Testcase 3:

  • group mapping enabled

  • group mapping defined for one LDAP group

  • test user is part of that defined LDAP group

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to new group
    => OK

Testcase 4:

  • group mapping enabled

  • group mapping defined for one LDAP group

  • test user is not part of that defined LDAP group

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to default group
    => OK

Testcase 5:

  • group mapping enabled

  • group mapping defined for two LDAP groups

  • test user is part of both defined LDAP groups

  • login of an existing user which is in a different DG group than defined in group mapping

  • should move to first defined group in mapping
    => NO: it seems one of the defined groups in mapping will always win, regardless of the order

Mark Heumüller
January 13, 2021, 2:41 PM

Implemented in:

Done

Assignee

Mark Heumüller

Reporter

Michael Batz

Labels

Story Points

8

Tester

None

Sprint

None

Fix versions

Priority

Medium