Patch #3358

Advanced LDAP authentication

Added by Daniel Marczisovszky over 8 years ago. Updated about 3 years ago.

Status: New
Start date: 2009-05-13
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: LDAP
Target version: Candidate for next major release

Description

This patch adds the following new features to LDAP authentication:

  • using dereferencing aliases on search
  • ability to select protocol LDAPv2 or LDAPv3
  • connect using STARTTLS
  • selecting server certificate validation level
  • user-definable custom search filter
  • bind as current user instead of admin account, see Feature #1913
  • searching is sub-tree by default, in future GUI option may be added to configure this

If a custom search filter is used, $login is replaced with the username. For example, to search for users with objectClass posixAccount, use this filter string: (&(uid=$login)(objectClass=posixAccount))

Note that this patch uses Ruby/LDAP instead of Net::LDAP, so Ruby/LDAP must be installed; for example, on Debian, use apt-get install libldap-ruby1.8

After applying this patch, run rake db:migrate RAILS_ENV="production", as auth_sources table is modified in the database. (filter, dereference, starttls, require_cert and protocol_version columns are added)

advanced_ldap_auth_0.8.3.diff - LDAP authentication patch for 0.8.3 (9.93 KB) Daniel Marczisovszky, 2009-05-13 21:24

advanced_ldap_auth_r2743.diff - LDAP authentication patch for revision 2743 (10 KB) Daniel Marczisovszky, 2009-05-13 21:24

07_ldap_update.patch (1.98 KB) Jérémy Lal, 2009-07-14 14:37

07_ldap_sync.patch (2.67 KB) Jérémy Lal, 2009-07-14 16:29

advanced_ldap_auth_1.2.1.diff - LDAP authentication patch for 1.2.1 (12.3 KB) Günter Dressel, 2011-08-12 02:01

advanced_ldap_auth_r6417.diff - LDAP authentication patch for revision 6417 (12.3 KB) Günter Dressel, 2011-08-12 02:01

ldap.png (43.9 KB) seb rey, 2011-12-09 22:44

logldap.txt (5.79 KB) seb rey, 2011-12-09 22:44

advanced_ldap_auth_2.2.3.diff - Diff for post-Redmine 2 (13.3 KB) Phil Weir, 2014-02-28 11:28
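The description says $login is substituted into the custom search filter, and comment #43 notes that under Redmine 2 the filter must still contain (&(uid=$login)...). The following is an added example, not code from the patch: it expands such a filter with RFC 4515 escaping of the login (without escaping, a login containing '*', '(' or ')' changes what the filter matches) and checks the basic shape of a custom filter. Function and constant names are my own.

```ruby
# Added example (not the patch's code): safe expansion of a custom LDAP search
# filter that carries a $login placeholder, as described in this patch.

# RFC 4515 escapes for characters that are special inside a filter value.
FILTER_ESCAPES = {
  "\\" => "\\5c", "*" => "\\2a", "(" => "\\28", ")" => "\\29", "\0" => "\\00"
}.freeze

# Escape one assertion value so it is matched literally.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| FILTER_ESCAPES[c] }
end

# Safe expansion: the login is inserted as a literal value.
# Block form avoids Ruby treating backslashes in the login as back-references.
def expand_login_filter(filter, login)
  filter.gsub("$login") { escape_filter_value(login) }
end

# Bare substitution, shown only for contrast with the escaped version above:
# metacharacters in the login become part of the filter syntax.
def expand_login_filter_unescaped(filter, login)
  filter.gsub("$login") { login }
end

# A usable custom filter must reference $login (otherwise every login resolves
# to the same entries) and must have balanced parentheses.
def valid_custom_filter?(filter)
  return false unless filter.include?("$login")
  depth = 0
  filter.each_char do |c|
    depth += 1 if c == "("
    depth -= 1 if c == ")"
    return false if depth < 0
  end
  depth.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the filter from the patch description and two logins.
  f = "(&(uid=$login)(objectClass=posixAccount))"
  puts expand_login_filter(f, "jdoe")
  puts expand_login_filter(f, "*)(uid=*")
  puts expand_login_filter_unescaped(f, "*)(uid=*")
  puts valid_custom_filter?(f)
end
```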


Related issues

Related to Redmine - Defect #3253: LDAP Auth : Alias Dereference New 2009-04-28

History

#1 Updated by Felix Schäfer about 8 years ago

Hello,

Are there any plans to integrate this or something similar to the next redmine release?

Thanks!

#2 Updated by Jérémy Lal about 8 years ago

Hi,
I tried your patch against current trunk, and it doesn't work very well:
using a working set of params for creating an LDAP authentication mode,
with Redmine trunk the "Test" button works OK,
and with your patch I get this log:
Connecting to localhost:389, tls=false
Dereference set option
Trying to bind
Bind as user admin
LDAP Connect Error: Invalid DN syntax

The actual parameters are very simple:
host: localhost
account: admin
password: admin
Base DN: dc=localhost

and I set:
login: cn
firstname: givenName
lastname: sn
email: mail

Of course the LDAP objects have those four non-empty attributes.

#3 Updated by Jérémy Lal about 8 years ago

Oops, sorry, actually it's the Redmine trunk that wrongly reports that the connection succeeds.
I guess I'm not used to LDAP ;)

#4 Updated by Jérémy Lal about 8 years ago

OK, it works, my mistake.
Thanks!
The db migration maybe is screwing up existing LDAP authentication modes;
for example I had to re-enter the "Account" field to get it working.

I hope that patch makes its way to trunk,
since dropping the old ruby-net-ldap plugin seems a very good idea,
and your patch looks clean and simple.

#5 Updated by Jérémy Lal about 8 years ago

Here's a patch to be applied over yours that adds LDAP synchronisation for the "firstname, lastname, mail" attributes.
When a user changes these attributes using the "My account" page, it updates them in LDAP.
I thought it is logical to keep those three attributes synchronised?
Maybe the auth_source should offer an option for this?

#6 Updated by Jérémy Lal about 8 years ago

This improved patch synchronises "firstname, lastname, mail" from LDAP to DB at login,
and from DB to LDAP when user changes his attributes.

#7 Updated by Felix Schäfer about 8 years ago

Jérémy Lal wrote:

This improved patch synchronises "firstname, lastname, mail" from LDAP to DB at login,
and from DB to LDAP when user changes his attributes.

Looks good, but at least in the admin view, I don't see changes I made to another user on the LDAP backend... Can you confirm it works for you?

#8 Updated by Daniel Marczisovszky about 8 years ago

Felix Schäfer wrote:

Hello,

Are there any plans to integrate this or something similar to the next redmine release?

Thanks!

I tried to contact Jean-Philippe Lang two months ago, but I have received no response yet. I'll update this patch to 0.8.4 soon. (Maybe to the current trunk as well.)

#9 Updated by Daniel Marczisovszky about 8 years ago

Jérémy Lal wrote:

I thought it is logical to keep those three attributes synchronised?
Maybe the auth_source should offer an option for this?

Yes, it is logical; however, there are many cases where there is no option to modify the LDAP directory. So I think there should be a checkbox on the LDAP auth source configuration page which tells whether updates are allowed or not. I've not tried your patch yet, just looked at the source, but it seems to me there is no way to disable this feature.

#10 Updated by Felix Schäfer about 8 years ago

Daniel Marczisovszky wrote:

Felix Schäfer wrote:

Are there any plans to integrate this or something similar to the next redmine release?

I tried to contact Jean-Philippe Lang two months ago, but I have received no response yet. I'll update this patch to 0.8.4 soon. (Maybe to the current trunk as well.)

Works fine for me so far (against current trunk).

#11 Updated by Eric Davis about 8 years ago

Does anyone know a quick tutorial to setup an LDAP server to test this on? If I can get one running locally, I can review this patch (and #3253) and see about fixing this issue.

#12 Updated by Daniel Marczisovszky about 8 years ago

Eric Davis wrote:

Does anyone know a quick tutorial to setup an LDAP server to test this on? If I can get one running locally, I can review this patch (and #3253) and see about fixing this issue.

I can write a tutorial for you, but please tell me which operating system you are using. Maybe I can set up a public test LDAP server, but I have to look for an available machine :)

#13 Updated by Felix Schäfer about 8 years ago

Jérémy Lal wrote:

This improved patch synchronises "firstname, lastname, mail" from LDAP to DB at login,
and from DB to LDAP when user changes his attributes.

The patch redefines the "update" method for app/models/auth_source_ldap.rb, which ultimately breaks saving of an LDAP auth source, because ActiveRecord already has an update attribute, see http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M002560 . I have renamed the method to update_user and changed (my patched) app/controllers/my_controller.rb accordingly. Another thing I'd like to see here: the logic to choose between updating the user attributes in the DB or in LDAP should be done in the user model, not the user controller. I haven't looked deeply enough to tell whether the actual LDAP code should stay in the auth_source or go into the user model too, but I might once I'm through with my exam next week.

Another thing that goes wrong in the patch: I haven't tested whether it works well without a filter, but I think it would be the same: you provide ldap_con.modify with something akin to an LDAP search string, where it expects a DN, so you need to do an LDAP search with the search filter you create and feed the result to ldap_con.modify.

What I'd really like now is some more LDAP integration, like custom user fields populated by LDAP attributes, and user groups in Redmine mapped to the LDAP groups; that would be even better :-)

#14 Updated by Eric Davis about 8 years ago

Daniel Marczisovszky wrote:

I can write a tutorial for you, but please tell me which operating system you are using. Maybe I can set up a public test LDAP server, but I have to look for an available machine :)

Debian Linux would be best, Ubuntu would be ok.

#15 Updated by Daniel Marczisovszky about 8 years ago

Eric Davis wrote:

Debian Linux would be best, Ubuntu would be ok.

apt-get install slapd

It will ask for your administrator password.
You have to confirm the password.

Ok, OpenLDAP is installed.

Your default base DN will be your domain name, for example if
your FQDN is ldap.redmine.org then your base of the LDAP directory will be:
dc=redmine,dc=org

Your default user is:
cn=admin,dc=redmine,dc=org
(use the password specified during the install)

apt-get install ldap-utils

To search in your LDAP:
ldapsearch -b dc=redmine,dc=org -x -D cn=admin,dc=redmine,dc=org -W objectClass=*

I usually use this small Java based GUI tool to manage LDAP:
http://www.brothersoft.com/ldap-browser-download-14779.html

I can create a sample LDAP tree that you can import into yours. Moreover (as I created this test machine in VMWare) I can send you the virtual machine.

#16 Updated by Adi Kriegisch almost 8 years ago

I added a patch to redmine/extra/svn/Redmine.pm (apache auth source for svn server) to honor my (#1913) LDAP modifications. It might be a good idea to add your features to this tool as well... :-) [http://www.redmine.org/attachments/2454/Redmine-ldap-as-user.diff]

Another thing: Did you consider implementing search scope selection? To me this is a showstopper as I need to have a scope of "one"... :-(

#17 Updated by Daniel Marczisovszky almost 8 years ago

Adi Kriegisch wrote:

I added a patch to redmine/extra/svn/Redmine.pm (apache auth source for svn server) to honor my (#1913) LDAP modifications. It might be a good idea to add your features to this tool as well... :-) [http://www.redmine.org/attachments/2454/Redmine-ldap-as-user.diff]

I'm afraid I cannot add these, as I'm not even using SVN integration for Redmine. However, I can help create a common class/codebase to make these LDAP features available to these modules/patches.

Another thing: Did you consider implementing search scope selection? To me this is a showstopper as I need to have a scope of "one"... :-(

No one was interested till now ;) but I will add this (hopefully) within a week.

#18 Updated by Florian Collot almost 8 years ago

  • % Done changed from 100 to 0

I've implemented the ldap_update patch in my Redmine release, but when submitting user information I get an internal error.
Do you know this problem?

#19 Updated by Florian Collot almost 8 years ago

  • % Done changed from 0 to 90

#20 Updated by Florian Collot almost 8 years ago

Florian Collot wrote:

I've implemented the ldap_update patch in my Redmine release, but when submitting user information I get an internal error.
Do you know this problem?

I've renamed @user.auth_source.update to update_user in the model and the controller, so I have no more Internal Error, and when submitting I get a Redmine success. But my LDAP entry is not updated. What's wrong?

#21 Updated by Felix Schäfer almost 8 years ago

Florian Collot wrote:

I've renamed @user.auth_source.update to update_user in the model and the controller, so I have no more Internal Error, and when submitting I get a Redmine success. But my LDAP entry is not updated. What's wrong?

I think you got it backwards. Vanilla Redmine fetches information from LDAP only to populate some or all of the fields of a user at creation time; the patch does refresh the Redmine user attributes from the LDAP attributes every time the user logs in. In either case, Redmine reads the LDAP fields, but never updates them.

#22 Updated by Florian Collot almost 8 years ago

Felix Schäfer wrote:

I think you got it backwards. Vanilla Redmine fetches information from LDAP only to populate some or all of the fields of a user at creation time; the patch does refresh the Redmine user attributes from the LDAP attributes every time the user logs in. In either case, Redmine reads the LDAP fields, but never updates them.

Thanks for your quick answer!
Your project is really beautiful even though at present it is not possible to update the Active Directory entries :-) It doesn't matter, and it may be better so that users cannot update their information themselves.

Thx !

#23 Updated by Florian Collot almost 8 years ago

  • % Done changed from 90 to 100

Florian Collot wrote:

Felix Schäfer wrote:

I think you got it backwards. Vanilla Redmine fetches information from LDAP only to populate some or all of the fields of a user at creation time; the patch does refresh the Redmine user attributes from the LDAP attributes every time the user logs in. In either case, Redmine reads the LDAP fields, but never updates them.

Thanks for your quick answer!
Your project is really beautiful even though at present it is not possible to update the Active Directory entries :-) It doesn't matter, and it may be better so that users cannot update their information themselves.

Thx !

#24 Updated by Felix Schäfer almost 8 years ago

Florian Collot wrote:

Thanks for your quick answer!

No problem :-)

Your project is really beautiful even though at present it is not possible to update the Active Directory entries :-) It doesn't matter, and it may be better so that users cannot update their information themselves.

Well, I have a POC to read the user attributes from LDAP each time the user object is instantiated, so that they are always fresh, not only when the user logs in, but that goes well beyond the intended use of the auth_source, so I'm not sure what I should file it as... I'll try to clean up the code, update it against current trunk, and send a patch.

#25 Updated by insrc in almost 8 years ago

Hi,
Just wanted to thank you, Daniel, for your great patch! Thanks to this patch, my Redmine install can now authenticate my users against my LDAP server, which requires a TLS encrypted connection :-)

May I suggest, however, that having to check both the START_TLS option and LDAPS when using a start_tls connection is a little bit confusing.
As you know, LDAPS and start_tls are two different ways to secure the connection to an LDAP server. The LDAPS connection (which is a bit deprecated, I think) is negotiated on port 636 of the LDAP server, while the START_TLS connection occurs on the usual port 389. See http://www.openldap.org/faq/data/cache/185.html

So I think that those two options should be mutually exclusive :-)

HTH,
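The comment above distinguishes LDAPS (port 636) from STARTTLS (port 389) and argues the two settings should be mutually exclusive; the patch also adds a server certificate validation level (require_cert). The following is an added example, not code from the patch: it turns an auth source's settings into a connection plan expressed in terms of the Ruby/LDAP classes the patch uses, rejects the LDAPS+STARTTLS combination, and flags settings that leave the bind unprotected. The setting names ldaps, starttls and require_cert, the function names and the constructed sample are my assumptions; the library is not loaded, so the plan is plain data.

```ruby
# Added example (not the patch's code): derive how an LDAP auth source should
# connect from its settings and reject or warn about inconsistent combinations.

# OpenLDAP values for LDAP_OPT_X_TLS_REQUIRE_CERT, keyed by the level name
# (assumed to be what the patch's require_cert column stores).
TLS_REQUIRE_CERT = {
  "never" => 0, "hard" => 1, "demand" => 2, "allow" => 3, "try" => 4
}.freeze

# Levels under which a bad or missing server certificate does not abort the
# connection, i.e. the server is not actually authenticated.
WEAK_CERT_LEVELS = %w[never allow try].freeze

class LdapConfigError < StandardError; end

# Returns a hash describing the connection to open; raises on settings that
# cannot both be honoured.
def connection_plan(host:, port:, ldaps: false, starttls: false, require_cert: "demand")
  raise LdapConfigError, "LDAPS and STARTTLS are mutually exclusive" if ldaps && starttls

  level = TLS_REQUIRE_CERT.fetch(require_cert) do
    raise LdapConfigError, "unknown require_cert level #{require_cert.inspect}"
  end

  warnings = []
  warnings << "port #{port} is unusual for LDAPS (expected 636)" if ldaps && port != 636
  warnings << "port #{port} is unusual for STARTTLS (expected 389)" if starttls && port != 389
  if (ldaps || starttls) && WEAK_CERT_LEVELS.include?(require_cert)
    warnings << "require_cert=#{require_cert} does not verify the server certificate"
  end
  warnings << "connection is unencrypted; the bind password travels in clear" if !ldaps && !starttls

  {
    # Ruby/LDAP (ruby-ldap) documents LDAP::SSLConn.new(host, port, start_tls):
    # start_tls=false gives LDAPS, start_tls=true gives STARTTLS; LDAP::Conn is plain.
    conn_class: (ldaps || starttls) ? "LDAP::SSLConn" : "LDAP::Conn",
    host: host, port: port, start_tls: starttls,
    require_cert_option: level,   # value for LDAP_OPT_X_TLS_REQUIRE_CERT
    warnings: warnings
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample settings, not taken from any real deployment.
  p connection_plan(host: "ldap.example.org", port: 389, starttls: true)
  p connection_plan(host: "ldap.example.org", port: 636, ldaps: true, require_cert: "never")
end
```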

#26 Updated by david gurba almost 8 years ago

I work for an edu and have a local department LDAP and a campus-wide LDAP. I have the two set up currently and can log in via each LDAP instance, thank you.

(1) How hard would it be to provide a drop down list to allow the user to select the LDAP source to authenticate against?

(2) ... Ideally, as a user authenticates the first time and Redmine creates their account on the fly in Redmine ... I would like the Admin to insert them into given projects, then email them that their account is set up fully ...

If given a bit of pointers I hope I could create the patch for at least (1) above ... any feedback is appreciated.

regards,
David

#27 Updated by Eric Davis over 7 years ago

  • Category changed from Accounts / authentication to LDAP
  • % Done changed from 100 to 0

#28 Updated by Anthony Paul about 7 years ago

Daniel Marczisovszky wrote:

  • ability to select protocol LDAPv2 or LDAPv3
  • connect using STARTTLS
  • selecting server certificate validation level
  • user-definable custom search filter
  • bind as current user instead of admin account, see Feature #1913
  • searching is sub-tree by default, in future GUI option may be added to configure this

Yes, it would be great to see this implemented in a next release; it would avoid having to manually change the LDAP filter in app/models/auth_source_ldap.rb every time a new release appears...

#29 Updated by Etienne Massip over 6 years ago

  • Target version set to Candidate for next major release

#30 Updated by Dominik s about 6 years ago

Does anyone have a working patch for the latest trunk? We need TLS support, but the patch is for a pretty old version of Redmine.

#31 Updated by Günter Dressel about 6 years ago

Updated patch of Daniel Marczisovszky to the current version of Redmine (1.2.1) and current trunk revision (r6417).
Also added German translations of the new fields in the settings form.

#32 Updated by seb rey over 5 years ago

Günter Dressel wrote:

Updated patch of Daniel Marczisovszky to the current version of Redmine (1.2.1) and current trunk revision (r6417).
Also added German translations of the new fields in the settings form.

Do you think I can try to apply this patch on a 1.2.2 stable Redmine installation? Has anybody tried?
After that, could I have problems upgrading my installation in the future?
Thanks

#33 Updated by Günter Dressel over 5 years ago

You can try - of course :)
I have to mention that I ran into one little problem once I tried to apply my updated patch to another instance of Redmine.
It was about one LDAP property that was forgotten to be overwritten (one line of code; it's about STARTTLS vs. classic TLS).
If you are not trying to connect via STARTTLS you will not experience a problem at all.

And yes - it would lead to inconveniences for further upgrades, since you patch the core files.
You'll need to patch those files again after each upcoming upgrade.

If you are still looking forward to testing it, I'm willing to support you with further testing on 1.2.2

Regards,
gue

#34 Updated by seb rey over 5 years ago

Günter Dressel wrote:

You can try - of course :)
[...]
If you are still looking forward to testing it, I'm willing to support you with further testing on 1.2.2

Regards,
gue

I tried to patch my 1.2.2 version; I have no errors when patching, but after that Redmine crashes with this error:

[ pid=8941 thr=-609826598 file=utils.rb:176 time=2011-12-09 20:01:03.799 ]: *** Exception PhusionPassenger::UnknownError in PhusionPassenger::ClassicRails::ApplicationS
pawner (no such file to load -- ldap (MissingSourceFile)) (process 8941, thread #<Thread:0xb74d91b4>):
from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:36:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-2.3.11/lib/active_support/dependencies.rb:184:in `require'
from /var/www/redmine/app/models/auth_source_ldap.rb:20

Thanks for your help
SR.

#35 Updated by seb rey over 5 years ago

I installed libldap with apt-get install libldap-ruby1.8, and after I ran rake,
I have a successful connection when I test in ldap_authentification, but when I try to enter a user + pass, I cannot log in ...

#36 Updated by seb rey over 5 years ago

OK, after many tests, I attach the png of my configuration and a txt file with the log of the "test" button on the LDAP auth page.
When I try to enter a login and password on the login page, I have no debug output in the log file of slapd, so ... ?

#37 Updated by H Cartiaux over 5 years ago

Is it still needed for Redmine 2.0.0? Has somebody already tested this patch with 1.4.x or 2.0.0?

#38 Updated by Jérémy Lal over 5 years ago

Especially considering ruby-net-ldap is now 0.3.1

#39 Updated by Kouhei Sutou about 5 years ago

The latest net-ldap (0.3.1) supports STARTTLS.
My patch for STARTTLS was merged three years ago.

#40 Updated by Daniel Felix over 4 years ago

Hi,

any news on this? This could be very helpful for our windows users! :-)

#41 Updated by Dominik s over 4 years ago

Any solutions to this? It is still not working with the latest version of Redmine. There is still no option to ignore the certificate check, which is rather important. Since the file structure changed a lot, the applied patches do not work anymore.

#42 Updated by Miodrag Milic over 4 years ago

I think that redmine_ldap_sync should serve as a model for how this should get implemented. Actually, why not merge the code of the plugin (after review) into Redmine, as it works like a charm at the moment.

#43 Updated by Phil Weir over 3 years ago

This is a quick fix to get STARTTLS working for 2.2.3, just an update of the most recent patch above. There isn't much point in doing too much work on this patch, as moving back to Net::LDAP seems much more logical anyway, but until one of us gets a chance to rewrite it properly this should restore the functionality for those who need it (like me).

Note that this does effectively remove some of the more recent improvements to Redmine LDAP, such as validating the LDAP filter, but should still do what the original patch was intended to. This may be obvious to others, but you need LDAPS checked for STARTTLS to work with port 389 and, if you are using an LDAP filter with Redmine 2, don't forget to add (&(uid=$login)...) to it.

#44 Updated by Fadi Asbih over 3 years ago

Correct me if I am wrong, so StartTLS (389) for LDAP is not supported in the latest release of Redmine?

#45 Updated by Fadi Asbih about 3 years ago

If you need to use StartTLS instead of SSL (port 689), just edit the file

/app/models/auth_source_ldap.rb

and in line 135 replace simple_tls with start_tls, save the file & restart Apache. Also, under the LDAP web interface settings, check LDAPS with port 389.
StartTLS should work now!

Tested on:

Redmine version                2.5.2.stable.13231
  Ruby version                   1.9.3-p194 (2012-04-20) [x86_64-linux]
  Rails version                  3.2.19
  Environment                    production
  Database adapter               Mysql2
