TL 1.9.4 Enabling both local user account and LDAP

Post by narsu »

Hello!

I am searching for a solution to an authentication issue with a TL 1.9.4 installation. I would like to enable both local user accounts and LDAP simultaneously. Here is the scenario:

1. We have one TestLink instance which has LDAP authentication enabled for an AD server
2. There is often a need for "dummy" user accounts which can be used as placeholders for external teammates.
3. The service desk is not able to provide "dummy" user accounts because of company policies
4. I assume that the easiest way could be to enable local user account creation and management working with LDAP simultaneously
5. This leads to a situation where the test manager can create needed accounts asap without extra AD service desk requests? This is fine for us!

Is this kind of configuration possible in an official way :) without stabbing code?


Thank you for this great tool!

Br,
Narsuman :D

Post by narsu »

I have been solving the same kind of problem in mantis http://mantis.testlink.org/view.php?id=2842 earlier. Thanks to mehrir for the solution http://mantis.testlink.org/view_user_page.php?id=4116

Could enabling local user accounts simultaneously with LDAP be a feasible feature?

Below I am just drafting an idea...

/**
 * Login authentication method:
 * 'MD5' => use password stored on db
 * 'LDAP' => use password from LDAP Server
 * 'MD5LDAP' => use password stored on db before searching from LDAP
 * 'LDAPMD5' => use LDAP before local db
 */
$tlCfg->authentication['method'] = 'BOTH';

Is there anyone else who has the same kind of problem? I would like to know, because I could try to get some resources to create such a feature? If it's feasible to others?

Post by fman »

IMHO, from a sysadmin point of view, options:
MD5LDAP and other combinations will be a nightmare when an issue arises.

I consider it OK to maybe add a feature (if you are able to get resources to sponsor a development) to allow some users (maybe external) to use TL AUTHENTICATION (MD5) and others (internal) to use LDAP.

Having users with passwords on several systems is IMHO not a good approach.

Post by narsu »

This is a difficult question. What happens if the connection to LDAP/AD is down? You cannot log in using the admin account? You have to reconfigure back to "MD5" to allow local user login. This was one question in my mind. That's why, e.g., I would like to have TestLink's administration account working without any external AD/LDAP fixed account.

Could it be most feasible if the administrator could set a user-specific "check box" which defines which source is used for the password check? In this case LDAP or MD5.
This also leads to the question of whether it could be feasible to allow multiple LDAP server definitions, so the administrator could select one of many sources: LDAP1, LDAP2, LDAP3 and MD5. This leads to many other things, but I would like to draft the idea if we could support the project with some coding effort for this feature.

br,
Narsuman

Post by fman »

>> This is difficult question. What happens if connection to LDAP/AD is down? You cannot login using admin account?
You face the same situation every day when you try to log in to your workstation: if LDAP is down, you have to wait until the service is available again.
If LDAP is down, you will not only be unable to access TestLink but ANY OTHER system that uses LDAP.

Anyway, it is just a matter of opinion/taste.

Post by jsm »

I came across this thread by searching for the same problem.

Like narsu, I use the same in mantis: LDAP for the internal accounts (developers) and accounts local to the mantis DB, for instance for customers (who are obviously not known by AD).

I'm quite happy that I got LDAP authentication running a while ago, as it makes life easier.
But IMHO there are some cases, where local accounts would be helpful:
- testing / documenting user role settings without the need to create these users in AD
- manage / create users for TL without having admin rights for AD

To avoid the nightmare of different combinations the same rule like in mantis might help: if the account is available in AD, the password is managed there; if it's not an LDAP account the local password applies.

just 2c
jsm
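
Added example (not part of any post above, and not TestLink's own code): a PHP sketch of the per-user source selection discussed in this thread, where each account is marked as local or LDAP, local accounts keep working during a directory outage, and an LDAP account never falls back to a local hash. The `auth_method` column, the function and class names, and the stub directory callbacks are assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical, not TestLink's schema or API.
const AUTH_LOCAL = 'MD5';   // password hash stored in the application db
const AUTH_LDAP  = 'LDAP';  // password checked by the directory only

class DirectoryUnavailable extends Exception {}

/**
 * $user     row from the local user table (constructed shape)
 * $ldapBind callable(login, password): bool, throws DirectoryUnavailable
 * Returns 'ok', 'denied' or 'unavailable'.
 */
function authenticate(array $user, string $password, callable $ldapBind): string
{
    if ($password === '') {
        // An empty password can turn an LDAP simple bind into an anonymous bind.
        return 'denied';
    }
    if ($user['auth_method'] === AUTH_LOCAL) {
        // Local accounts never touch the directory, so they survive an outage.
        return hash_equals($user['password'], md5($password)) ? 'ok' : 'denied';
    }
    if ($user['auth_method'] === AUTH_LDAP) {
        try {
            return $ldapBind($user['login'], $password) ? 'ok' : 'denied';
        } catch (DirectoryUnavailable $e) {
            // Fail closed: a directory user is never checked against a local hash.
            return 'unavailable';
        }
    }
    return 'denied'; // unknown method: reject rather than guess a source
}

// Constructed sample users and stub directories so the sketch runs offline.
$users = [
    'admin' => ['login' => 'admin', 'auth_method' => AUTH_LOCAL, 'password' => md5('local-secret')],
    'jdoe'  => ['login' => 'jdoe',  'auth_method' => AUTH_LDAP,  'password' => md5('stale-copy')],
];
$ldapUp   = function ($login, $pw) { return $login === 'jdoe' && $pw === 'dir-secret'; };
$ldapDown = function ($login, $pw) { throw new DirectoryUnavailable('directory timeout'); };

$cases = [
    ['admin', 'local-secret', $ldapDown], // local admin during a directory outage
    ['jdoe',  'dir-secret',   $ldapUp],   // directory user, directory reachable
    ['jdoe',  'stale-copy',   $ldapDown], // leftover local hash during an outage
    ['jdoe',  'stale-copy',   $ldapUp],   // leftover local hash, directory reachable
];
foreach ($cases as [$login, $pw, $dir]) {
    printf("%-6s %s\n", $login, authenticate($users[$login], $pw, $dir));
}
```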