I’ve been using Redmine for managing projects and tracking issues. The software is installed on a Mac OS X Server that is joined to an Active Directory domain. I wanted users to be able to use their network login instead of having a separate account in Redmine.
One approach to solving this would be to use the LDAP authentication functionality already built into Redmine. While this could work, for me it would involve requesting an account for Redmine to access the LDAP directory, since anonymous reading is disabled. It also does not provide the level of control over account creation that I would like to see.
Mac OS X is already able to access the directory since it is joined to the Active Directory domain. This can be put to use by means of Identity Services, which was a new feature of Mac OS X v10.5 Leopard. I put together a quick hack to add support for authentication using Identity Services, and it worked well for many months. Now I have this solution in the form of a Redmine plugin, which should improve usability and ease of maintenance.
Features of the plugin include:
- User accounts can be local server accounts, network accounts, or both.
- On-the-fly user creation with name and email address obtained from Identity Services.
- Email addresses local to the server can be preferred over external email addresses.
- User groups in Redmine can be linked to groups accessible through Identity Services.
- User membership in groups is updated each time that user authenticates.
- Access can be restricted to only those users who belong to the specified groups.
- Tested with both Mac OS X Server v10.5 Leopard and v10.6 Snow Leopard.
I have not spent much time testing the plugin against the 0.8-stable branch of Redmine since I have been following the trunk for development and eventual production use. At present the plugin is tested up to revision 3171.
Future improvements include actual documentation and unit tests. Please let me know if you have any suggestions.