Setting up the Active Directory server and the «Hierarchy» plugin for synchronization
To take data from AD, you must first bring the structure of your organization in Active Directory into the correct form. This is necessary because AD does not initially contain all the information needed to describe the organization's structure of subordination, while it does contain plenty of objects that are of no interest here: system users, built-in security groups, a variety of special settings and objects, etc.
Configuring a hierarchy of departments
On the domain controller, open the standard «Active Directory Users and Computers» snap-in.
Create an OU that will contain the hierarchical structure of departments. The OU you later select in the plugin settings will be the top-level department.
In this OU, create a security group whose name is exactly identical to the name of the OU. This is required for the security group to be recognized as a department. The container may hold other AD security groups besides this one, but they will not be interpreted as departments during synchronization.
Build the whole department structure of your company on this basis.
Users themselves may be located either in the created OUs or elsewhere. Department membership is determined by the user's membership in groups that are interpreted as departments.
Open the properties of the security group that represents a department.
Add to this group all users who are members of this department.
Follow these steps to set up the hierarchy of departments, adding users and specifying the heads of these departments.
Positions, like departments, are created in the domain as security groups. However, there is no need to specify any structure. This is just a list of groups to which you add employees in accordance with their positions.
Choose a separate OU.
Create security groups in this OU; they will be treated as positions.
Add to each position's security group the employees who hold that position in your organization.
Offices are configured in exactly the same way as positions. Allocate a separate OU and create in it the list of your offices, if necessary. An employee's office location is likewise indicated by membership in a domain security group.
Inspecting the structure
You can open a user's properties and check the list of groups the user belongs to.
If required, use the same interface to specify the correct set of groups for the position, department and office.
The user can be a member of other security groups in the domain that are not positions, departments or offices. This does not affect data synchronization.
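The naming rule for departments can be checked before the first synchronization. The following is an added example, not code from the plugin: it applies the rule described above to a constructed directory export and reports OUs that lack an identically named group, groups that will be ignored, and users who end up in no department. The export format (dicts with `type`, `dn`, `members`), the `example.local` domain and all object names are assumptions, and the name comparison is taken to be exact.

```python
import re

def rdns(dn):
    """Split a DN on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def name_of(dn):
    return rdns(dn)[0].split("=", 1)[1]

def parent_of(dn):
    return ",".join(rdns(dn)[1:]).lower()

def check_structure(entries, root_ou):
    """Report which OUs under root_ou qualify as departments: each needs a
    security group with exactly the same name directly inside it."""
    root = root_ou.lower()
    ous = [e["dn"] for e in entries if e["type"] == "ou"
           and (e["dn"].lower() == root or e["dn"].lower().endswith("," + root))]
    groups = [e for e in entries if e["type"] == "group"]
    report = {"departments": {}, "ou_without_group": [], "ignored_groups": []}
    assigned = set()
    for ou in ous:
        inside = [g for g in groups if parent_of(g["dn"]) == ou.lower()]
        match = [g for g in inside if name_of(g["dn"]) == name_of(ou)]
        if match:
            report["departments"][name_of(ou)] = sorted(match[0]["members"])
            assigned.update(match[0]["members"])
        else:
            report["ou_without_group"].append(ou)
        report["ignored_groups"] += [g["dn"] for g in inside if g not in match]
    users = [e["dn"] for e in entries if e["type"] == "user"]
    report["users_without_department"] = sorted(set(users) - assigned)
    return report

BASE = "DC=example,DC=local"   # constructed sample domain
TOP = "OU=Company," + BASE     # OU selected as the departments tree
U = {n: "CN=%s,CN=Users,%s" % (n, BASE) for n in ("alice", "bob", "dave")}
SAMPLE = [  # constructed export, not real directory data
    {"type": "ou", "dn": TOP},
    {"type": "group", "dn": "CN=Company," + TOP, "members": [U["alice"]]},
    {"type": "ou", "dn": "OU=IT," + TOP},
    {"type": "group", "dn": "CN=IT,OU=IT," + TOP, "members": [U["bob"]]},
    {"type": "group", "dn": "CN=VPN Users,OU=IT," + TOP, "members": [U["dave"]]},
    {"type": "ou", "dn": "OU=Sales," + TOP},
    {"type": "group", "dn": "CN=Sales Dept,OU=Sales," + TOP, "members": [U["dave"]]},
] + [{"type": "user", "dn": dn} for dn in U.values()]

if __name__ == "__main__":
    for key, value in check_structure(SAMPLE, TOP).items():
        print(key, "->", value)
```

In the sample, the Sales OU is flagged because its group is named «Sales Dept», so the only user in that group is reported as having no department.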
Configure plugin settings
After setting up the object structure in Active Directory, you can configure the plugin and specify where in the AD object hierarchy users, departments, positions, offices and other information should be taken from.
Go to the Administration menu, select the Plugins menu item, and in the window that opens go to the settings of the «Ldap Users Sync» plugin.
Enable the «Turn on LDAP synchronization» option.
Set the «The method of the object type definition» parameter to OU.
Fill in the fields «Organization unit(OU) for departments tree», «Organization unit(OU) for positions», «Organization unit(OU) for branch offices».
Specify the jQuery selector for the fields in which information about employees on vacation should be displayed.
The rest of the parameters are optional. Synchronization of additional data from Active Directory relies on extending the standard schema with additional attributes, which can store, for example, data about holidays, birthdays, staff photos, etc.
Go to the Departments menu item in the Redmine admin interface.
Synchronize users from AD first.
Then start the synchronization of departments, positions and offices.
As a result, Redmine will contain the structure configured on your domain controller.
The subordination hierarchy of users can be checked by clicking the Users hierarchy link.
- «Enable AD synchronization» - if the option is disabled, nothing happens when any of the synchronization procedures is started. This protects against accidental rebuilding of the structure when synchronization is configured to launch automatically by cron.
- «Enable page with extended information about employee» - the link to the user profile is replaced by a pop-up window with information about the user, the history of their actions, etc. The data set depends on the plugins installed in the system.
- «Allow access only to own actions and actions of subordinates» - hides from a user's history all actions not directly related to the user or the user's subordinates.
- «LDAP(AD) limit for a number of records upon request» - by default, the number of entries AD sends is limited to 1,000 items. If the number of objects to synchronize exceeds this number, you must specify this setting or increase the limit on the domain controller.
- A set of settings relating to non-standard attributes of the user object in AD. If you fill in the fields with the appropriate attributes, they will be uploaded to Redmine automatically.
- In particular, if a user's vacation dates are set in AD and a deputy is specified, Redmine tracks this during synchronization. The deputy automatically receives the employee's rights for the vacation period. The rights are revoked automatically after the vacation ends, at the moment of synchronization with AD.
- «Notify about vacation, if an employee is selected in the fields with the following ids» - identifiers (jQuery selector) of the drop-down fields of type user to be monitored. If an employee who is currently on vacation is selected in such a field, you are notified about the deputy and can quickly substitute the user in the field.
- The avatar settings block determines which AD attribute the user's photo is taken from and the sub-folder where photos of Redmine users are stored. Other parameters determine whether user photos are allowed («Enable AD avatars») and whether avatars are synchronized during normal user synchronization («Sync avatars from AD(LDAP) during synchronization procedures»).