LDAP problem for authentication
Added by Markus Lohr over 14 years ago
Hey all,
I have a huge problem with LDAP at the moment and I have to go online on Monday!! :-(
so here are the basics:
OS: CentOS 5.4
Ruby: Enterprise 1.8.7 (Ruby Enterprise Edition 2010.01)
Redmine: 0.9.3
actionmailer (2.3.5)
actionpack (2.3.5)
activerecord (2.3.5)
activeresource (2.3.5)
activesupport (2.3.5)
fastthread (1.0.7)
mysql (2.8.1)
passenger (2.2.11)
rack (1.1.0, 1.0.1)
rails (2.3.5)
rake (0.8.7)
rmagick (2.12.2, 1.15.17)
MySQL: mysql Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (i686) using readline 5.1
Apache: 2.2.3 (rpm)
I builded the whole platform from source and it looks good at the moment. I installed a few plugins and another theme. I started 4 projects and was starting to log-in with LDAP-credentials. And here the problem starts.
What is the "test LDAP connection" really testing? Just a fancy ping to the entered LDAP-host and port or also the given user with password? I changed the user and password and got a "Successful connection". That can't be, there is no user with this name in the ldap-tree. I got the same behavior when I changed the Base DN-path.
Sooo?!? Can I rely on the test information or not? What I need is prove, that I CAN connect to the ldap-host, that my user who is used to connect is allowed to connect and the ldap-host could find the Base DN-path!!! What can I do to get prove?
What’s worries me is the fact, that apache needs a CA for a LDAPS connection and redmine not!? Is redmine ignoring the ssl-cert?
I appreciate any help and questions to move forward.
Replies (3)
RE: LDAP problem for authentication - Added by Felix Schäfer over 14 years ago
- The connection test only binds to the LDAP server and uses the provided credentials for that, but the LDAP server might or might not be configured to require authentication for a simple bind.
- I'm not sure how much of the SSL stuff gets verified by the underlying libraries, but I'd wager that if you have put the certificate of the CA in the global path, it should use that. That, or it uses SSL only for encryption, not as a trust vector.
- Get a user in the LDAP and try to connect to the redmine, you will know if works or not, simple as that.
I'd also like to advise you to take a deep breath, calm down and loose the criticizing undertone. If you want to criticize something, fine, you are welcome to do so, there is an issue tracker for that, but it will lead to nothing here, as devs rarely if ever come to the forums, they are more intended as a communication means for the community. Panicking won't lead you to anything here either: if you want someone to get panicky with, get professional help, noticing such problems 1,5 days before launch on a weekend seems like someone hasn't done enough testing beforehand. I'd have 1 or 2 more things to say, but I'll leave it at that at the moment, I hope you'll be able to solve your connection issue though.
RE: LDAP problem for authentication - Added by Markus Lohr over 14 years ago
I'm sorry for some of my words. I was working for days to get this running and sometimes the small things can make you happy or cry - and after almost 12 hours, this forum was my last hope. :-) It looked and looks to me, that it is my fault and not a bug/issue, so used the forum instead of the tracker.
RE@1: the LDAP server requires auth. with LDAPS, so I thought that it is using the entered user and password for that?! But it seems that it is only testing a simple bind as you wrote.
RE@2: When I started to configure the redmine system I had no CA in the global path. (I also want to use apache with LDAP for subversion - but one step after another.) So I copied all the CAs to /etc/openldap/cacerts/. (Is this the global path?) But nothing changed after this action.
RE@3: I did that a lot of times, but… ...anyway, see below. ;-)
Again: Sorry for my bad mood last evening. And thanks for your help.
I looked over my setting and made a config-matrix to find out what can I test and how. So I was willing to change a lot over time and once a time to find out what is wrong in my settings. And it turns out, that I had to give NO user and password in the LDAP dialog. The test was still good and I was able to log in with my ldap user. Awesome!!!
Because Redmine was/is (almost) running I can deliver the platform, the only missing point was LDAP and subversion over LDAP. But I don’t like half done work :-) so I was willing to try to fix this over the weekend….
This was my fifth redmine installation, the second with LDAP (the first was a AD ldap) and up to this point all of them worked fine and almost out of the box. Thanks to this awesome redmine system I love to use tracking systems and Redmine is my first choice!
I am willing to help to improve the system over time, so I login in into redmine.org and hope that I can fix some bugs and develop new features in the future.
Thanks you Felix for your different view and a deeper look behind the GUI :-) I appreciate – I really do. Have a nice weekend – or do you know how I can set up my svn with apache using ldap :-) biiiig smile
Markus Schlichting
RE: LDAP problem for authentication - Added by Felix Schäfer over 14 years ago
Glad it worked for you, I don't have the time to help you with the LDAP auth for svn though. My setup is working, but it is a patched version.
There is a facility shipped with redmine that allows apache to authenticate and authorize access to repositories based on the permissions defined in redmine, it's a perl plugin called redmine.pm. There are a number of guides and tickets floating around here, try to see if you can get it working. If not, please open a new thread in the help forums or in the ticket from which you have taken a patch if you apply a patch and describe what doesn't work, what errors you get and what you have already tried, we can then help you best.