Is there a way to limit or prevent which AD groups or Controllers can authenticate against Octopus? It seems like any user in the domain that attempts to authenticate, has the ability to. We’d like to restrict this with LDAP queries.
Thanks for reaching out! The way it currently works is a user will automatically be created in Octopus if that user isn’t recognized in Octopus and can authenticate with Active Directory. Domain trusts are the only constraint - if the AD user is in a trusted domain, they can authenticate in Octopus.
We have a suggestion on UserVoice to disable Octopus from auto-creating these users that I think partially addresses your scenario. I’ve updated it to include the suggestion to allow you to specify the domains to trust. I think that may be better suited for this use-case. Let me know what you think.
You can also leave a comment on that suggestion if you’d like, as we’ll refer to this when we consider these changes. And feel free to shoot us through any follow-up questions!
I would certainly appreciate the ability to restrict or toggle automatic user creation; I’d consider a toggle or granular restrictions to be more useful than domain restrictions.
How does this correlate to having a limited license (for instance Team)? If a user just visits the site and his account is created automatically, does that count as a normal Octopus user?
Thanks for reaching out! Yes, any user in Octopus, including users created automatically after authenticating with AD, will count towards the license limit as a user. However, since Octopus 3.1, we have relaxed the license limits. Instead of being limited specifically to 60 users, 60 projects and 60 target machines, your license allows for 180 combined objects. So long as:

(projects + machines + users) <= 180

you will be within your Team license limit.
If you hit the limit, a new user will instead receive an error at login saying the license limits have been reached, and they won’t have access.
Depending on your scenario, a good alternative may be to enable guest access. The guest user is designed for multiple people to use, and has read-only access.