As far as I understand, if the LDAP plugin is configured, then:
- user's authentication is done against the LDAP server
- their groups are retrived (but not displayed in the "Groups" view)
- it's possible to assign permissions on a repository against such a group (using uid=thegroup for example)
Is it possible to determine if a user is an admin using the LDAP plugin though ? The 'admin' property is a member of the User, and not of the Group. In my opinion it'd be better if it were a Group property, because the permission system would rely only on groups to work. With a default XML group 'administrators' created with 'scmadmin' as the only member, the behaviour would be the same.
But it would mean some refactoring...
The reason behind this question is that it's bad practice to use technical accounts like 'scmadmin' when the installation is automated, as the password would be shared by several administrators or it would mean manually settings some people as 'admin'. I want everything to be LDAP-driven, so I want to delete the 'scmadmin' user automatically after all configuration is done. But that's possible only if there is another 'admin' account, and during the installation the only thing I can assume is the existence of groups, not users...