Active Directory integration experience. Notes and comments.


Lars Bingchong

Jul 13, 2015, 6:13:34 AM
to bonobo-g...@googlegroups.com
Hi Bonobo Git Server people :-D,

This is more of a follow-up and commentary regarding my experience integrating the Bonobo Git Server with Active Directory. I hope it is ok to post it here as I assume this post will get out to more people than if I wrote it directly to Jakub.

Here goes.....a list of pointers to be aware of when integrating Bonobo Git Server with your AD.

-1- Make sure to set '<add key="ActiveDirectoryIntegration" value="true" />' to TRUE.
-2- The code in the contains part seems to be case sensitive. In this code: https://github.com/jakubgarfield/Bonobo-Git-Server/blob/master/Bonobo.Git.Server/WindowsIdentityImporter.cs - so make sure that you provide the team name as it is defined in the msDS-PrincipalName AD attribute name of the group. This can be seen with 'Active Directory Users and Computers' by going to the 'Attribute Editor' tab (if you can't see it make sure 'Advanced Features' is ticked under the 'View' menu) in 'Active Directory Users and Computers'.
-3- Bonobo Git Server works by reading the 'Security Principal Windows Identity' data on the user logging into the Bonobo Git Server. Therefore it is not necessary to allow list contents to the server running the IIS site.

The case sensitive requirement would be nice to avoid. It is a type of error which could be so easily overlooked. So yeah :-D

This was my input :-) - I hope someone can use it. Thank you for creating Bonobo Git Server and have a great day.

Yi Shang Low

Jul 20, 2015, 2:00:31 AM
to bonobo-g...@googlegroups.com
I've enabled ActiveDirectoryIntegration and my group name is correct but users belonging to an AD group don't seem to see a repo which I have given access to a team with the same name. When creating the team, do I need to add any members? How do I add the WindowsIdentityImporter.cs with the installation that comes from the website?

Lars Bingchong

Jul 21, 2015, 2:47:32 PM
to Bonobo Git Server
Hi Yi Shang Low,

- You don't have to add members to the team manually.
- Did you restart IIS after having set ActiveDirectoryIntegration to TRUE in your Web.Config for the Bonobo.Git.Server.Interface? I'm not 100% sure if it is a requirement to set it to true for both Web.config files, if one is running Windows Authentication, however I did to be sure.
- And you are sure that the case for the team name is correct? Just copy the name from the AD attribute 'msDS-PrincipalName' to be 100%.
- Also make sure that you use the pre-windows-2000 domain name in the team name. So 'DOMAIN NAME'\'AD GROUP NAME'

I hope the above helps.

Have a great day.

Lars Bingchong

Jul 21, 2015, 2:53:28 PM
to Bonobo Git Server
In reply to:

[ Hi!

I've figured out the problem. The AD integration will only work on new users imported into the server, and Teams must be created prior to importing the users. The code checks the user's AD groups against the created Teams and adds the user to the team if matched. I had previously tried creating the Team with similar name after the user has been imported and see if the user automatically gets put inside, which didn't work. 

Thanks anyway! Much appreciated =) ]

----- REPLY

I'm pretty sure it works without having to create the teams before logging in with the user. But maybe there is a difference in this based on the type of authentication you choose to use. I don't think so though. The WindowsIdentityImporter.cs code takes the memberOf info from the user logging in and parses the groups to see if a group matches a team name. Here it is a criterion that the case matches for the AD group name and the team and that the team name contains the domain portion of the fully qualified name of the AD group.

Glad to assist :-)
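The naming pitfalls raised in this thread (case mismatch and a missing pre-Windows-2000 domain prefix) can be checked before users log in. The following is an added example, not code from Bonobo Git Server or from any poster; it assumes, as the thread describes, that a team only maps when its name equals the group's DOMAIN\Group name exactly. `TeamMatchDiagnostic`, `Diagnose`, the `CORP` domain and the group names are hypothetical, and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class TeamMatchDiagnostic
{
    // Explains why a team name does or does not line up with one of the
    // user's groups. Groups are given as DOMAIN\Group strings.
    public static string Diagnose(string teamName, IEnumerable<string> userGroups)
    {
        var groups = userGroups.ToList();

        // Exact, case-sensitive comparison: the behaviour the thread reports.
        if (groups.Contains(teamName, StringComparer.Ordinal))
            return "exact match";

        // Same name apart from letter case.
        string caseOnly = groups.FirstOrDefault(
            g => string.Equals(g, teamName, StringComparison.OrdinalIgnoreCase));
        if (caseOnly != null)
            return "case mismatch: rename team to '" + caseOnly + "'";

        // Team entered without the pre-Windows-2000 domain prefix.
        string missingDomain = groups.FirstOrDefault(
            g => string.Equals(g.Substring(g.IndexOf('\\') + 1), teamName,
                               StringComparison.OrdinalIgnoreCase));
        if (missingDomain != null)
            return "domain prefix missing: rename team to '" + missingDomain + "'";

        return "no matching group";
    }

    static void Main()
    {
        // Constructed sample data; CORP and the group names are placeholders.
        var userGroups = new[] { @"CORP\Domain Users", @"CORP\Git-Developers" };
        var teams = new[] { @"CORP\Git-Developers", @"corp\git-developers",
                            "Git-Developers", @"CORP\Git-Admins" };

        foreach (var team in teams)
            Console.WriteLine("{0,-22} -> {1}", team, Diagnose(team, userGroups));
    }
}
```

On a Windows host, `whoami /groups` lists the DOMAIN\Group names for the logged-in user, which can replace the constructed `userGroups` array.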