D4Science Infrastructure

Massimiliano Assante wrote:

Could we check the feasibility to enable login with user email address also? It would be easier for people (receiving Redmine email notifications) belonging to D4Science VREs. As they login trasparently from within a VRE they may have no idea of what their username is

If also is the key, the answer is no. We can change the ldap configuration to authenticate all the users by their email address but not maintain both.

As a result of today's meeting we should "move" the login info from username to email address also by changing the label (current is Login to "Email address" in the Redmine login form

However we should plan this in advance and notify the users before doing it

Luca Frosini, in the Redmine Login page (https://support.d4science.org/login) after we switched to email login we should state clearly (highlight somehow) something like:

Users of D4Science Gateways (iMarine, Services, Descramble, and EGIP) can use their gateway credentials to login (email address plus gateway password)

we need to do the test the login via email as soon as possible because I keep receiving emails from VRE users and they don't know their username

Dear all,
we now have a testing redMine instance to play with. http://redmine-d.d4science.org

The next step, as I was explaining in this ticket, would be to switch the login with user email address instead of username also by changing the label (current is Login to "Email address" in the Redmine login form. Additionally a page header on top of the login form would be beneficial, sth like:

"Users of D4Science Gateways (iMarine, D4Science.org, DESCRAMBLE, and EGIP) can use their gateway credentials to login (email address plus gateway password)"

Just Created a Task #939 for this

We've made some tests on redmine-d.d4science.org.

Changing the ldap login ID from uid to mail can work, but there's a problem. We have a DB with already registered users that have the uid as their login, so:

• The ldap synchronization fails, because it find that the email address is already used
• Removing all the users from the redmine DB is not a solution, because we loose all the already defined properties.

One possibile solution is to manually change the DB, and modify all the login fields with the corresponding mail one. We can choose to do so for both the ldap sources or for one only.
At the same time we switch the redmine ldap configuration to use the email ad login.
If it's OK I'll need some help to build the SQL query.

I'm told that my description of the problem and proposed solution is not clear.

To make things work, the only changes need to happen inside the Redmine LDAP configuration and the Redmine database (postgresql).

• The redmine ldap authentication configuration uses the field login attribute to find and set the login name.

• We need to change it from uid to mail.
• After doing that, all the existing users are not able to authenticate anymore because, inside the redmine DB, they are registered with the uid as login name.
• The users synchronization also fails, because it finds that the mail fields already exist and that field must be unique. Even when is not used to authenticate people.

• Redmine writes some users data inside its DB, so that it's able to assign properties and roles to the users.

Example of the relevant fields from the redmine users table (login, mail, auth_source_id, status):

andrea.dellamico                 | andrea.dellamico@isti.cnr.it                              |              1 |      1

• So the redmine DB needs to be manually changed, without touching the ldap DB or the portals synchronization. The result we want is the following:

massimiliano.assante@isti.cnr.it | massimiliano.assante@isti.cnr.it                          |              3 |      1

where all the users authenticating against the liferay populated LDAP server (auth_source_id == 3) have the login field identical to the mail field. After the DB changes, the synch scripts will work again.

We can choose to make the change for both the LDAP sources or for the liferay one only.

A SQL query like the following should suffice:

update users set login = mail where auth_source_id = 3;

We can get rid of the constraint if we want to use the email address also to authenticate agains the NeMIS ldap server.

So, the steps to change the configuration are:

• Disable the ldap synch cron job
• Change the login form page
• Change the LDAP auth login type from uid to mail on both the LDAP sources on the Redmine configuration
• Fix the redmine DB: update users set login = mail where auth_source_id = 3 or auth_source_id =1;
• Restart the redmine web container. The restart is needed to let the login form changes visible
• Enable the ldap synch cron job

I just changed the configuration of the production Redmine server. Now the authentication using the email address is in place.