Project

General

Profile

RedmineLDAP » History » Version 11

John Lewin, 2012-01-18 17:22

1 1 Jean-Philippe Lang
h1. LDAP Authentication
2
3
Redmine natively supports LDAP authentication using one or multiple LDAP directories.
4
5
h2. Declaring the LDAP
6
7 10 Etienne Massip
Go to Administration and click *LDAP authentication* in the menu.
8 5 Eric Davis
9 1 Jean-Philippe Lang
10
Enter the following:
11
12
* *Name*: an arbitrary name for the directory
13
* *Host*: the LDAP host name
14
* *Port*: the LDAP port (default is 389)
15
* *LDAPS*: check this if you want or need to use LDAPS to access the directory
16 9 T. Hauptman
* *Account*: enter a username that has read access to the LDAP , otherwise leave this field empty if your LDAP can be read anonymously (Active Directory servers generally do not allow anonymous access)
17 1 Jean-Philippe Lang
* *Password*: password for the account
18
* *Base DN*: the top level DN of your LDAP directory tree
19
* *Login attribute*: enter the name of the LDAP attribute that will be used as the Redmine username
20
21 2 Jean-Philippe Lang
Redmine users should now be able to authenticate using their LDAP username and password if their accounts are set to use the LDAP for authentication.
22 3 Jean-Philippe Lang
23
To test this, create a Redmine user with a login that matches his LDAP account, select the newly created LDAP in the *Authentication mode* drop-down list (this field is visible on the account screen only if a LDAP is declared) and leave his password empty. Try to log in into Redmine using the LDAP username and password.
24 1 Jean-Philippe Lang
25
h2. On the fly user creation
26
27
By checking *on-the-fly user creation*, any LDAP user will have his Redmine account automatically created the first time he logs into Redmine.
28
For that, you have to specify the LDAP attributes name (firstname, lastname, email) that will be used to create their Redmine accounts.
29
30
Here is an typical example using Active Directory:
31
32
<pre>
33
Name     = My Directory
34
Host     = host.domain.org
35
Port     = 389
36
LDAPS    = no
37 7 John Dell
Account  = MyDomain\UserName (or UserName@MyDomain depending on AD server)
38 1 Jean-Philippe Lang
Password = <password>
39
Base DN  = CN=users,DC=host,DC=domain,DC=org
40 9 T. Hauptman
41
On-the-fly user creation = yes
42
Attributes
43
  Login     = sAMAccountName
44
  Firstname = givenName
45
  Lastname  = sN
46
  Email     = mail
47
</pre>
48
49
Here is another example for Active Directory with a compartmentalized intranet:
50
51
<pre>
52
Name     = Just a description for the auth modes page
53
Host     = DepartmentName.OrganizationName.local
54
Port     = 389
55
LDAPS    = no
56
Account  = DepartmentName\UserName (or UserName@MyDomain depending on AD server)
57
Password = <password>
58
Base DN  = DC=DepartmentName,DC=OrganizationName,DC=local
59 1 Jean-Philippe Lang
60
On-the-fly user creation = yes
61
Attributes
62
  Login     = sAMAccountName
63
  Firstname = givenName
64
  Lastname  = sN
65
  Email     = mail
66
</pre>
67
68
Note that LDAP attribute names are *case sensitive*.
69
70 6 Chris Rose
h3. Base DN variants
71
72
Although it's quite possible that the Base DN above is standard for Active Directory, the Active Directory at my employer's site does not use the Users container for standard users, so those instructions sent me down a long and painful path.  I recommend also trying just "DC=host,DC=domain,DC=org" if login fail swith the settings there.
73
74 1 Jean-Philippe Lang
h2. Troubleshooting
75
76 4 Jean-Philippe Lang
If you want to use on-the-fly user creation, make sure that Redmine can fetch from your LDAP all the required information to create a valid user.
77
For example, on-the-fly user creation won't work if you don't have valid email adresses in your directory (you will get an 'Invalid username/password' error message when trying to log in).
78 6 Chris Rose
(This is not true with newer Redmine versions; the user creation dialog is populated with everything it can find from the LDAP server, and asks the new user to fill in the rest.)
79 4 Jean-Philippe Lang
80
Also, make sure you don't have any custom field marked as *required* for user accounts. These custom fields would prevent user accounts from being created on the fly.
81 6 Chris Rose
82 11 John Lewin
*'Account' Format*
83
The username for the bind credentials might need to be specified as a DN(i.e. CN=user,OU=optional,DC=domain,DC=com) rather than the UPN(user@domain.com) or domain\user formats. After spending an entire afternoon troubleshooting on a hard to tweak bitnami instance, I finally came across this comment in /vendor/plugins/ruby-net-ldap-0.0.4/lib/net/ldap.rb and switching to the DN format immediately resolved the problem:
84
<pre>
85
  # As described under #bind, most LDAP servers require that you supply a complete DN
86
  # as a binding-credential, along with an authenticator such as a password.
87
</pre>
88
89 6 Chris Rose
Errors in the login system are not reported with any real information in the Redmine logs, which makes troubleshooting difficult.  However, I found most of the information I needed using Wireshark between my Redmine host and the LDAP server.  Note that this only works if you have permissions to read network traffic between those two hosts (which was true for me because Redmine was running locally).
90 8 Oli Kessler
91
h3. OpenDS 
92
93
If you are using the OpenDS server, you might have issues with the request control "Paged results" sent with the initial query searching for the user by the specified login attribute. This request control 1.2.840.113556.1.4.319 is not allowed for anonymous users by default, thus preventing redmine from finding the user in the directory even before the binding takes place.
94
95
Add a global ACI like this
96
<pre>
97
./dsconfig -h SERVER_IP -p 4444 -D cn="Directory Manager" -w PASSWORD -n set-access-control-handler-prop --trustAll 
98
--add global-aci:\(targetcontrol=\"1.2.840.113556.1.4.319\"\)\ \(version\ 3.0\;\ acl\ 
99
\"Anonymous\ control\ access\ to\ 1.2.840.113556.1.4.319\"\;\ allow\ \(read\)\ userdn=\"ldap:///anyone\"\;\)
100
</pre>Note: Enter the command on one line, use the escaping exactly as indicated (the \ after "acl" is meant to be "\ " for a space).