How to force LDAP user import

I need to bulk-import a number of users from LDAP, preferably using the REST interface, so I can assign them to projects and grant permissions in bulk.

Does Hub allow me to do that?

What would be the right REST API to use? Could you provide a plain cURL example of the POST payload?


8 comments
Official comment

Hello Dimitar,

unfortunately, it's not possible in Hub. The only option is to create users via REST: https://www.jetbrains.com/help/hub/HUB-REST-API_Users_Create-New-User.html


If we create a user with the same uid as in LDAP and a dummy password, would it be recognized later and automatically updated when they try to log in through the LDAP auth module, or would that create a new account?


I remember having multiple accounts in similar scenarios in the past, when some users were defined manually and later we enabled LDAP - I had to tell everybody to log in and then merge the accounts as a manual step.


In particular, when I created a user using REST and then logged in using LDAP, I ended up with the following two users:


[
  {
    "type": "user",
    "id": "0160a879-68f8-4e6c-8033-c8ba27e7cccf",
    "name": "Dimitar Dimitrov",
    "transitiveProjectRoles": [
      {
        "id": "a2e344d2-9f75-468a-91aa-d7d5a13b8f4a",
        "role": {
          "id": "0c173dc2-c796-41e5-a79f-3450a3c57385",
          "key": "observer",
          "name": "Observer"
        },
        "project": {
          "id": "0"
        },
        "owner": {
          "type": "userGroup",
          "id": "7bb0d16e-0089-4a60-b527-0e8f7524fc40"
        }
      }
    ],
    "login": "ddimitrov",
    "banned": false,
    "guest": false,
    "avatar": {
      "type": "defaultavatar",
      "url": "http://localhost:8082/hub/api/rest/avatar/0160a879-68f8-4e6c-8033-c8ba27e7cccf"
    },
    "profile": {
      "avatar": {
        "type": "defaultavatar",
        "url": "http://localhost:8082/hub/api/rest/avatar/0160a879-68f8-4e6c-8033-c8ba27e7cccf"
      }
    },
    "groups": [
      {
        "type": "userGroup",
        "id": "7bb0d16e-0089-4a60-b527-0e8f7524fc40"
      }
    ],
    "VCSUserNames": [
      {
        "name": "ddimitrov"
      }
    ],
    "creationTime": 1504856348230
  },
  {
    "type": "user",
    "id": "6e0e4237-2084-4cdd-a47a-be896002ba0d",
    "name": "Dimitar Dimitrov",
    "transitiveProjectRoles": [
      {
        "id": "a2e344d2-9f75-468a-91aa-d7d5a13b8f4a",
        "role": {
          "id": "0c173dc2-c796-41e5-a79f-3450a3c57385",
          "key": "observer",
          "name": "Observer"
        },
        "project": {
          "id": "0"
        },
        "owner": {
          "type": "userGroup",
          "id": "7bb0d16e-0089-4a60-b527-0e8f7524fc40"
        }
      }
    ],
    "login": "ddimitrov.1",
    "banned": false,
    "guest": false,
    "avatar": {
      "type": "defaultavatar",
      "url": "http://localhost:8082/hub/api/rest/avatar/6e0e4237-2084-4cdd-a47a-be896002ba0d"
    },
    "profile": {
      "avatar": {
        "type": "defaultavatar",
        "url": "http://localhost:8082/hub/api/rest/avatar/6e0e4237-2084-4cdd-a47a-be896002ba0d"
      }
    },
    "groups": [
      {
        "type": "userGroup",
        "id": "7bb0d16e-0089-4a60-b527-0e8f7524fc40"
      },
      {
        "type": "userGroup",
        "id": "40e92ffb-732d-4af5-9a0e-4fac51d3776c"
      }
    ],
    "details": [
      {
        "type": "LdapdetailsJSON",
        "id": "62aa4ca0-e60d-4875-a56f-25b3258bbd33",
        "userid": "ddimitrov"
      }
    ],
    "VCSUserNames": [
      {
        "name": "ddimitrov.1"
      }
    ],
    "creationTime": 1504856413950,
    "lastAccessTime": 1504856413824
  }
]


It is essential to create the user via REST with the same email as this user has in LDAP, and it is essential that this email is verified. When a user logs in via the LDAP auth module for the first time and LDAP filters user details, they are matched by email. If there is an account with the same email (and it is verified!), they will be matched.


What does it mean for the email to be verified? I.e. can I create an account with a verified email without the user's involvement?

Btw, I found that I can prevent the creation of a second account by adding a minimal LDAP detail. I'm not sure whether I am supposed to do that, but it works so far...


Once again, what is the meaning of email verification, and is there a way to verify the emails without sending an email and requiring each individual user to take action?

I have also tried the "POST verifyContact" method, but I get this error - without some explanation I don't know in which direction to look further:

"url": "http://localhost:8082/hub/api/rest/users/de64e523-8ed8-4f05-84ae-3a4bc70cae30/verifyContact",
"status": 400,
"cache_control": "no-cache, no-store, no-transform, must-revalidate",
"content_type": "application/json;charset=UTF-8",
"json": {
  "error": "notification_smtp_disabled",
  "error_code": 400,
  "error_description": "Email notifications are disabled",
  "error_developer_message": "Email notifications are disabled",
  "error_uri": "https://www.jetbrains.com/help/hub/2017.2/HUB-REST-API.html"
}

I can confirm that any email I set through REST shows as "unverified", even if the request specifies "verified=true".


You can create users via REST with verified emails. You just need to set the verified:true attribute of the profile email {type: "EmailJSON", verified: true, email: "test@test.domain"}. You can check the REST request that goes from client to server in the browser log when a new user is created in the UI, and you can also notice that all users created by an admin from the Hub UI are created with already verified emails (note - created, but not users that are invited).
There is no direct meaning of email verification inside Hub (all messages will be sent from Hub to both verified and non-verified emails), but external services can use this attribute for notifications or other purposes. There is no use calling verifyContact unless you've set up SMTP notifications in the Hub server, as it will try to send a verification email and will fail if no SMTP server is set.
One scenario explaining why the email in the profile should be verified to attach LDAP credentials to that account:
- Let's suppose an intruder creates (via sign up etc.) an account with the non-verified email of some other employee (e.g. one with admin privileges who for some reason has not yet been created in Hub). The intruder can't verify the email in the profile as he doesn't own this email, but can still log in to that account via Hub credentials.
- The real admin user logs in via LDAP and a new account with the same email will be created, rather than LDAP credentials being added to the first 'fake' account, as the LDAP email is always verified. In the opposite situation the intruder would get access to the real user's account.

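The plain cURL POST payload the question asks for, written as an added example for this thread rather than JetBrains code or anything from the help page. It combines the two points made in the replies: users are created through the REST create-user call, and the profile email is sent as {"type": "EmailJSON", "verified": true, ...} so that the first LDAP login is matched to the pre-created account instead of producing a "login.1" duplicate. Assumed, not taken from the thread: the endpoint path /api/rest/users, authentication with a permanent token in an Authorization: Bearer header, the HUB_URL and HUB_TOKEN environment variables, the json_escape helper, and the tab-separated sample input, which is constructed.

```shell
#!/bin/sh
# Added example (not JetBrains code): bulk-create Hub users with pre-verified
# emails so the LDAP auth module attaches to these accounts on first login.
# Assumptions not taken from the thread: HUB_URL / HUB_TOKEN environment
# variables, a permanent token sent as "Authorization: Bearer", and the
# endpoint path /api/rest/users (the official "Create New User" page is linked
# in the thread; check the path there for your Hub version).

HUB_URL="${HUB_URL:-http://localhost:8082/hub}"
HUB_TOKEN="${HUB_TOKEN:-REPLACE_WITH_PERMANENT_TOKEN}"

# Escape the two characters that would break a JSON string literal when the
# login, name or email comes from an LDAP export (backslash and double quote).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the POST body. The email is nested under profile.email and carries
# "verified": true, which the JetBrains reply says is what lets the LDAP
# login match this account. No Hub password is set, so the account has no
# credentials of its own until the LDAP module attaches to it.
build_user_payload() {
  _login=$(json_escape "$1")
  _name=$(json_escape "$2")
  _email=$(json_escape "$3")
  printf '{"login":"%s","name":"%s","profile":{"email":{"type":"EmailJSON","email":"%s","verified":true}}}' \
    "$_login" "$_name" "$_email"
}

# Create one user: login, display name, email.
create_user() {
  curl -sS -X POST "$HUB_URL/api/rest/users" \
    -H "Authorization: Bearer $HUB_TOKEN" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    --data "$(build_user_payload "$1" "$2" "$3")"
}

# Bulk import from stdin: one "login<TAB>name<TAB>email" line per user, for
# example exported from an LDAP query. Tab is the only separator, so display
# names may contain spaces.
import_users() {
  while IFS="$(printf '\t')" read -r login name email; do
    [ -n "$login" ] || continue
    create_user "$login" "$name" "$email"
    printf '\n'
  done
}

# Constructed sample input; uncomment to run against a real Hub instance.
# printf 'ddimitrov\tDimitar Dimitrov\tddimitrov@example.com\n' | import_users
```

After the first LDAP login, the created account should show a "details" entry of type "LdapdetailsJSON" (as in the second object of the user listing posted above) and no second "login.1" account should appear. If the created user's email still shows as "unverified", the verified flag was not placed inside profile.email, which is the symptom reported earlier in the thread when "verified=true" was passed elsewhere in the request.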

Thank you, this makes it clear.
