LDAP - Support user-level filters / mappings offering finer level of control than just Group mappings
Description
Problem: Currently GitLab groups only support wholesale LDAP group mappings, meaning a GitLab group gets every user in the mapped LDAP group.
We would like the ability to map GitLab groups in one of the following two ways:
- Work just like GitLab Access: define a base and a user filter with it
- How it works today: map an LDAP group to the GitLab group
We need the user filter option because we need a GitLab group that includes all Full Time Employees (FTE) who are developers and active employees. These users span all business units of the company; there is no single group that includes all of them. Without this enhancement I will have to create a script that manually maintains such a group, either in GitLab or as an LDAP group that can be mapped to the GitLab group.
In this case the base would be: dc=customer_name,dc=com
The user filter may be something like:
(&(objectcategory=person)(objectclass=user)(extensionAttribute20=FTE)(|(extensionAttribute501=developer)(extensionAttribute501=technical)))
In this case extensionAttribute20 marks a Full Time Employee, and extensionAttribute501 gives the role of developer or technical. This example would work with GitLab access.
We have several other cases that are similar, for example we want to create a group for each business unit for users with a specific security level.
A lot of our access is not defined through groups, which is why we need the ability to make this more dynamic.
Use cases
Customer Reference: https://na34.salesforce.com/0016100000KvaIg
Proposal
- Keep the “LDAP group cn” field as it is today
- Add a “LDAP user filter” text field that is validated for the correct syntax
- Add an exclusivity behavior where the user either uses the “LDAP group cn” field or the “LDAP filter” field (I'll be looking into this)
- For synchronizations in the “Linked LDAP groups” list that use an LDAP filter, show the full query
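The proposal asks for the “LDAP user filter” field to be validated for correct syntax. As an added example (not GitLab's code), the Ruby class below, with the assumed name LdapFilterSyntax, checks a filter string against the RFC 4515 grammar using the standard-library StringScanner; rejecting malformed input at the form means an unbalanced or mis-escaped query is never sent to the directory server.

```ruby
require 'strscan'
# Syntax checker for the proposed "LDAP user filter" field (RFC 4515 string
# representation of search filters). Added example, not GitLab code. Extensible
# matching rules (attr:rule:=value) and RFC 4526 "(&)"/"(|)" are rejected.
class LdapFilterSyntax
  # attribute description: a name or an OID, with optional ";option" parts
  ATTR = /(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*/
  OPER = /~=|>=|<=|=/
  # a value may not contain ( ) \ or NUL, and a backslash is only valid as a
  # \XX hex escape; "*" (present / substring match) is only allowed after "="
  VALUE_EQ    = /(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*/
  VALUE_OTHER = /(?:[^()\\*\x00]|\\[0-9A-Fa-f]{2})*/

  def self.valid?(str)
    new(str).valid?
  end

  def initialize(str)
    @ss = StringScanner.new(str.to_s)
  end

  # the whole input must be exactly one filter with nothing trailing
  def valid?
    filter && @ss.eos?
  end

  private
  def filter               # filter = "(" filtercomp ")"
    return false unless @ss.scan(/\(/) && filtercomp
    !@ss.scan(/\)/).nil?
  end

  def filtercomp           # filtercomp = and / or / not / item
    if @ss.scan(/[&|]/) then filterlist # "&" and "|" take one or more filters
    elsif @ss.scan(/!/) then filter     # "!" wraps exactly one filter
    else item
    end
  end

  def filterlist           # filterlist = 1*filter
    ok = filter
    ok = filter while ok && @ss.check(/\(/)
    ok
  end

  def item                 # item = attr operator value
    return false unless @ss.scan(ATTR) && (op = @ss.scan(OPER))
    !@ss.scan(op == '=' ? VALUE_EQ : VALUE_OTHER).nil?
  end
end
```

The FTE/developer filter from the description passes only with its parentheses balanced; a copy missing the final `)` is rejected, as are substring wildcards after `>=`, `<=` or `~=`.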
Design
Mockups: “LDAP group cn” / “LDAP user filter” (images not included)

- Add a “Synch method” field with radio buttons that toggle the “LDAP group cn” and “LDAP user filter” fields
- Add a “LDAP user filter” text field:
  - Placeholder: “e.g. (&(objectCategory=person)(objectClass=developer))”
  - Description: “This query must use valid [LDAP Search Filter Syntax]. Synchronize [GROUP]'s members with this LDAP user filter. If you do not belong to this LDAP user filter you will lose ownership of [GROUP].”
    - The “LDAP Search Filter Syntax” link should point to our own documentation about the syntax (I didn't find any, so it would need to be created) or to external documentation. In my searches I've found these: Microsoft, LDAP Explorer, CentOS.
- Make the help text of the “LDAP group cn” and “LDAP user filter” fields all in one line
- If an active synchronization is:
  - A group, prefix it with “Group: ”
  - A user filter, prefix it with “User filter: ” and append the full query. Very long queries should be truncated with an ellipsis according to the full width of the panel.
- As this feature won't be limited to just groups anymore (filters allow you to sync across a server):
  - Rename the navigation item from “LDAP Group” to “LDAP”
  - Rename the breadcrumb item from “LDAP Groups” to “LDAP Settings”
  - Rename the page title from “Linked LDAP groups” to “LDAP synchronizations”
  - Rename the list panel from “Linked LDAP groups” to “Active synchronizations”
  - (Not in the images) Rename the red “unlink” button to “Remove”