We have a built-in bruteforce protection for built-in users. When users
are being created from LDAP on-the-fly, these limits cannot apply, as we
do not have a user object yet.
Instead, we can provide a more generous throttler to block attempts
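As an added illustration of the idea in this message (example code, not OpenProject's own throttler): a failed-login counter keyed on the submitted login name and source address instead of on a persisted user record, so it can cover accounts that do not exist yet because they are created from LDAP on first login. The limits, the in-memory store and the injectable clock are assumptions for the example.

```ruby
# Constructed example: a login-attempt throttler that needs no user object.
# The key is built from the normalised login name plus the client address,
# so one address cannot lock out a login everywhere and one login cannot
# get an address blocked for every account.
class LoginThrottler
  Attempt = Struct.new(:count, :first_at, :blocked_until)

  # Generous defaults (assumed values): 20 failures per minute per key,
  # then a 5 minute block. The clock is injectable for testing.
  def initialize(max_attempts: 20, window_seconds: 60, block_seconds: 300, clock: -> { Time.now })
    @max_attempts = max_attempts
    @window = window_seconds
    @block = block_seconds
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = Attempt.new(0, nil, nil) }
  end

  # Normalise the login so "Alice" and "alice " count as the same principal.
  def key_for(login, ip)
    "#{login.to_s.strip.downcase}@#{ip}"
  end

  # True while a block for this login/address pair is still in force.
  def blocked?(login, ip)
    entry = @attempts[key_for(login, ip)]
    !entry.blocked_until.nil? && @clock.call < entry.blocked_until
  end

  # Record one failed attempt; returns true when this failure started a block.
  # Failures older than the window are discarded before counting.
  def record_failure(login, ip)
    now = @clock.call
    entry = @attempts[key_for(login, ip)]
    if entry.first_at.nil? || now - entry.first_at > @window
      entry.count = 0
      entry.first_at = now
    end
    entry.count += 1
    if entry.count >= @max_attempts
      entry.blocked_until = now + @block
      true
    else
      false
    end
  end

  # A successful login clears the counter for that key.
  def record_success(login, ip)
    @attempts.delete(key_for(login, ip))
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  throttler = LoginThrottler.new(max_attempts: 3)
  3.times { throttler.record_failure("alice", "203.0.113.5") }
  puts "alice from 203.0.113.5 blocked? #{throttler.blocked?('alice', '203.0.113.5')}"
  puts "alice from 203.0.113.6 blocked? #{throttler.blocked?('alice', '203.0.113.6')}"
end
```

In a real deployment the store would be shared (for example in the database or cache) rather than a per-process hash, and the check would run before the LDAP bind is attempted so that blocked attempts never reach the directory.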
The main purpose is to make a deduplicating identifier available for
interaction with integrations. We want to start using it for the integration
with XWiki, but the underlying problem occurs regularly in integrations:
It's possible for an OP instance to integrate with more than one XWiki instance.
Vice versa, it's also possible for one XWiki to integrate with multiple OPs.
When this happens, API calls like "show me wiki pages that point to work package 123"
become ambiguous, because WP 123 might exist on multiple OpenProject instances. Thus it
makes sense to have a global identifier for the OpenProject instance. Different identifiers
look good and unique at first, but they do not work well in detail:
* Base URL (e.g. https://openproject.example.com): Some instances are available via more than one URL,
e.g. inside cluster vs. outside cluster.
* OAuth client ID: Usually not known to other party, and not guaranteed to be unique, because multiple
authentication providers could be involved
Hence we decided to use a uniquely generated ID and expose it in a way that doesn't require additional configuration
by the users, but can be automatically discovered during integration setup.
- Remove the memberOf-only restriction from docs, UI help text, and FAQ;
both reverse lookup (memberOf) and forward lookup (Group member
attribute) are now supported
- Document the new "Group member attribute" filter field, including when
to use forward vs reverse lookup
- Clarify that forward lookup is only available via synchronized filters,
not manually-created synchronized groups
- Rename "Synchronize" button to "Discover LDAP groups" to make clear it
only runs group discovery (phase 1), not member synchronization
- Document that the Discover LDAP groups button does not sync members;
point to the rake task for a full manual sync
- Expand troubleshooting: login attribute mismatch, missing/empty
required attributes
- Replace packaged-installation-specific rake command with
installation-agnostic form; link to console setup docs
- Clarify Enterprise cloud availability and recommend SAML/SCIM as
more secure alternatives when LDAP exposure to the internet is
undesirable
- Fix grammar, double spaces, and stale phrasing throughout