LDAP authorisation with OpenLDAP
Added by John Marsden over 13 years ago
Hello,
I am trying to configure the current trunk of redmine to authenticate with an OpenLDAP Server and I really am just having no luck and currently dont have any idea where i should start.
The following is the LDIF I am using to test configure OpenLDAP,
version: 1 # Entry ou=groups,dc=plural,dc=cc dn: ou=groups,dc=plural,dc=cc objectclass: organizationalUnit objectclass: top ou: groups # Entry ou=people,dc=plural,dc=cc dn: ou=people,dc=plural,dc=cc objectclass: organizationalUnit objectclass: top ou: people # Entry cn=tester,ou=people,dc=plural,dc=cc dn: uid=tester,ou=people,dc=plural,dc=cc objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person uid: testuser cn: TestUser UserTest sn: UserTest givenName: TestUser userPassword: password
I have configured phpLDAPadmin to see if the LDAP sever looks okay. It looks fine to me (I dont have a lot of LDAP experience)
The following is what I have configured in redmine,
The user jmarsden is a linux user on my machine. I am not sure what this should be.. I have tried and active directory admin dn as well.
When I click test I simply get "Successful connection." and 0 users. I cant see anything in the log file and I have no idea if this even works (other then some people seem to have it configured with ActiveDirectory).
My OS is Debian Lenny, Redmine is running in Nginx using passenger and the database is PostgreSQL.
Any thoughts, examples or complaints would be great,
John
Replies (6)
RE: LDAP authorisation with OpenLDAP - Added by John Marsden over 13 years ago
Okay I got it working with a combination of code reading, guessing and forum trawling.
Here is my OpenLDAP LDIF,
version: 1 # Entry ou=groups,dc=plural,dc=cc dn: ou=groups,dc=plural,dc=cc objectclass: organizationalUnit objectclass: top ou: groups # Entry ou=people,dc=plural,dc=cc dn: ou=people,dc=plural,dc=cc objectclass: organizationalUnit objectclass: top ou: people # Entry cn=jmarsden,ou=people,dc=plural,dc=cc dn: uid=jmarsden,ou=people,dc=plural,dc=cc objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person uid: jmarsden cn: John Marsden sn: Marsden givenName: jmarsden userPassword: password mail: jmarsden@plural.cc
And my redmine configuration,
Where admin is the user account automatically configured in OpenLDAP as you install.
My Advice to people trying to get this to work,
- On the fly user creation is a must. Without it you need users in Redmine magically that match the LDAP server.
- Ignore the connection successful rubbish and the 0 users feedback. It simply does not work.
- Learn Ruby, Rails and Redmine and write me a new LDAP connection :-) one with beer, and hookers and support for LDAP groups and decent logging!
John
RE: LDAP authorisation with OpenLDAP - Added by Ruben Sanchez almost 13 years ago
Hey John
Thanks for your post. It helps me a lot, however I can't connect to my LDAP yet.
The account and password must be from the LDAP admin?
Thanks
Ruben
RE: LDAP authorisation with OpenLDAP - Added by David Thomas about 12 years ago
I just want to thank you VERY, very much, John! After rummaging through countless vague documentation, wiki, and forum pages, I finally found something that works.
What a hassle that was. To reiterate, mine started working after I added the full domain for the admin account. And he's right, that "Test" link is a waste of time. Don't bother clicking it.
Again, thank you, John.
RE: LDAP authorisation with OpenLDAP - Added by Bryn Jeffries over 9 years ago
Just to add to what appears to be one of the few decent examples of getting LDAP up and running in Redmine.
To get dynamic binding working, such that the LDAP connection is performed using the account of the person logging in, the "account" field needs to be replaced from the static string ('jmarsden' in the above example) to the DN for the logging-in user. The string '$login' can be used as a placeholder for the actual user-name. In the above example each user's DN would be
uid=<username>,ou=people,dc=plural,dc=cc so the 'account' string should be 'uid=$login,ou=people,dc=plural,dc=cc'. The password field can be left empty, since the password submitted at login can be used instead.
RE: LDAP authorisation with OpenLDAP - Added by Thanh LE over 9 years ago
Hi everybody, firstly, thanks very much for those guiding/tips. I just want to add one point about the password hashing in your Ldap server, SHA-256 does not work... I tried Plain Text or SHA... then it works!
RE: LDAP authorisation with OpenLDAP - Added by Patricio Aguilera about 9 years ago
Estimates,
After working a lot, I could enable integration OPENLDAP using the ADMINISTRATOR account OpenLdap.
Patricio