New users being added automatically

We are using AD for authentication and I have started to notice that users are being automatically added to Octopus as a user in the Everyone group. Is there a way to keep this from happening as it fills up our allotted allowed users?

A non-user tries to log in to Octopus server
They put in the correct username and password to satisfy AD
Their user, name@domain.foo, is added to the user list and the user is added to Everyone.
Preferred outcome is to deny them access to the server.

Hi,

Thanks for getting in touch! Unfortunately we do not currently have a solution for this. Octopus requires an Octopus user account for each person who logs in via AD.

We make sure that the users added never go over the user limit so as not to disable deployments if too many people log in. It will, however, max out your users. Currently the only option is to manually remove users who are not required.

We are currently working on an OAuth solution that will be made open source on GitHub. Once that is released, you can fork a copy and modify it to suit your needs.

Let me know if you have any further questions or if I can clarify anything for you.

Regards,
Daniel

Thank you for the information. So are you saying you have to add the user prior to authenticating them in AD?

Brett



On Oct 4, 2016, at 05:25, Daniel Fischer <tender2+d2371bba14@tenderapp.com> wrote:

Hi Brett,

Sorry, I think I could have been clearer: you do not need to add users prior to authenticating them in AD. Octopus creates the user each time a new user is authenticated via AD.
However, you will need to manually remove users who you do not wish to be there.

Hope that helps.

Regards,
Daniel

It helps but is quite confusing. Why create them? If you authenticate against AD and that passes, but they are not listed as a user, then they should be allowed access? Is this just overly simple from my narrow point of view of things? Users are authenticated into the site and can’t do anything, confusing for them and a support request for me. Any non-user can use the guest account to see where things are at.

I guess I could see the use of things configured this way, though not as much with limited user licenses.

Kind regards,

Brett


Hi Brett,

Thanks for getting back! The user is required to be added to Octopus as it contains audit information. It is mainly used to identify user information for events such as deployment creation. It is used for more than that but the main reason is for auditing.

Hope that answers your question.

Regards,
Daniel

That makes complete sense, what I am not understanding is why add a user that we don’t want to have access to the system? I don’t need auditing for them, they have access to nothing, they shouldn’t even be in the system. Perhaps this was/is actually a feature of the product so companies who are using AD auth didn’t have to manually add users wanting access and simply setting them up with some initial rights?

You stated in your first reply

Thanks for getting in touch! Unfortunately we do not currently have a solution for this. Octopus requires an Octopus user account for each person who logs in via AD.

So the assumption is that everyone from AD is allowed to access the application?

I am honestly not trying to beat anyone up here, I am simply trying to understand the thought process behind adding the user on login to better understand the application.

Kind regards,

Brett

Hi Brett,

You are absolutely correct with the following statement:

Perhaps this was/is actually a feature of the product so companies who are using AD auth didn’t have to manually add users wanting access and simply setting them up with some initial rights?

As for your other question, not exactly:

So the assumption is that everyone from AD is allowed to access the application?

If you are using AD authentication then anyone on the same domain can log in to OD given they have the link. However, you can set the permissions based on either groups or individuals and block all permissions for the Everyone team. If you have not specified that someone in AD should be a member of a group/role then they will be in the Everyone group with no access to do anything.

I had a look and found the following UserVoice suggestion: https://octopusdeploy.uservoice.com/forums/170787-general/suggestions/10918098-allow-login-only-to-users-in-specific-ad-groups-w
It could use a vote and perhaps a comment with your thoughts/ideas.

Hope that helps!

Regards,
Daniel
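
A review helper for the manual clean-up described in the replies above, added here as an example and not part of the thread or Octopus's own code: it lists accounts that belong to no team other than Everyone, which is where auto-created AD logins end up. The JSON field names and all sample data are assumptions constructed for illustration; check them against an export from your own server.

```python
import json

# Constructed sample data shaped like a JSON export of users and teams.
# Field names (Id, Username, IsService, MemberUserIds, ExternalSecurityGroups)
# are assumptions of this example, not values taken from the thread.
USERS_JSON = """[
 {"Id": "Users-1", "Username": "admin@domain.foo", "IsService": false},
 {"Id": "Users-2", "Username": "deployer@domain.foo", "IsService": false},
 {"Id": "Users-3", "Username": "name@domain.foo", "IsService": false},
 {"Id": "Users-4", "Username": "curious@domain.foo", "IsService": false},
 {"Id": "Users-5", "Username": "build-agent", "IsService": true}
]"""
TEAMS_JSON = """[
 {"Id": "teams-everyone", "Name": "Everyone",
  "MemberUserIds": [], "ExternalSecurityGroups": []},
 {"Id": "teams-administrators", "Name": "Octopus Administrators",
  "MemberUserIds": ["Users-1"], "ExternalSecurityGroups": []},
 {"Id": "Teams-21", "Name": "Release Managers",
  "MemberUserIds": ["Users-2"],
  "ExternalSecurityGroups": [{"Id": "S-1-5-21-CONSTRUCTED"}]}
]"""


def removal_candidates(users, teams, everyone_name="Everyone"):
    """Return (usernames in no team besides Everyone, teams mapped to AD groups)."""
    explicit_members = set()
    group_mapped_teams = []
    for team in teams:
        if team["Name"] == everyone_name:
            continue  # Everyone grants nothing by itself, so it is ignored
        explicit_members.update(team.get("MemberUserIds", []))
        # Assumption: access granted through a mapped AD group does not show
        # up in MemberUserIds, so those teams need a check in AD itself.
        if team.get("ExternalSecurityGroups"):
            group_mapped_teams.append(team["Name"])
    candidates = sorted(
        u["Username"] for u in users
        if u["Id"] not in explicit_members and not u.get("IsService")
    )
    return candidates, group_mapped_teams


if __name__ == "__main__":
    found, mapped = removal_candidates(json.loads(USERS_JSON), json.loads(TEAMS_JSON))
    print("Review for removal:", found)
    print("Check AD group membership first for teams:", mapped)
```

Service accounts are skipped because they do not arrive through AD login; anything the script lists is a candidate for review, not an automatic deletion.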