LDAP authorisation with OpenLDAP

Added by John Marsden over 9 years ago

Hello,

I am trying to configure the current trunk of Redmine to authenticate with an OpenLDAP server and I really am just having no luck and currently don't have any idea where I should start.

The following is the LDIF I am using to test configure OpenLDAP,

version: 1

# Entry ou=groups,dc=plural,dc=cc
dn: ou=groups,dc=plural,dc=cc
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry ou=people,dc=plural,dc=cc
dn: ou=people,dc=plural,dc=cc
objectclass: organizationalUnit
objectclass: top
ou: people

# Entry uid=tester,ou=people,dc=plural,dc=cc
dn: uid=tester,ou=people,dc=plural,dc=cc
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
# the uid value must match the RDN value in the dn line
uid: tester
cn: TestUser UserTest
sn: UserTest
givenName: TestUser
userPassword: password

I have configured phpLDAPadmin to see if the LDAP server looks okay. It looks fine to me (I don't have a lot of LDAP experience).

The following is what I have configured in redmine,

The user jmarsden is a Linux user on my machine. I am not sure what this should be. I have tried an Active Directory admin DN as well.

When I click test I simply get "Successful connection." and 0 users. I can't see anything in the log file and I have no idea if this even works (other than some people seem to have it configured with Active Directory).

My OS is Debian Lenny, Redmine is running in Nginx using passenger and the database is PostgreSQL.

Any thoughts, examples or complaints would be great,

John

Replies (6)

RE: LDAP authorisation with OpenLDAP - Added by John Marsden over 9 years ago

Okay I got it working with a combination of code reading, guessing and forum trawling.

Here is my OpenLDAP LDIF,

version: 1

# Entry ou=groups,dc=plural,dc=cc
dn: ou=groups,dc=plural,dc=cc
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry ou=people,dc=plural,dc=cc
dn: ou=people,dc=plural,dc=cc
objectclass: organizationalUnit
objectclass: top
ou: people

# Entry uid=jmarsden,ou=people,dc=plural,dc=cc
dn: uid=jmarsden,ou=people,dc=plural,dc=cc
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: jmarsden
cn: John Marsden
sn: Marsden
givenName: jmarsden
userPassword: password
mail: jmarsden@plural.cc

And my redmine configuration,

Where admin is the user account automatically configured in OpenLDAP as you install.

My Advice to people trying to get this to work,

  1. On-the-fly user creation is a must. Without it you need users in Redmine that magically match the LDAP server.
  2. Ignore the "connection successful" rubbish and the 0 users feedback. It simply does not work.
  3. Learn Ruby, Rails and Redmine and write me a new LDAP connection :-) one with beer, and hookers and support for LDAP groups and decent logging!

John

RE: LDAP authorisation with OpenLDAP - Added by Ruben Sanchez almost 9 years ago

Hey John

Thanks for your post. It helps me a lot, however I can't connect to my LDAP yet.
The account and password must be from the LDAP admin?

Thanks
Ruben

RE: LDAP authorisation with OpenLDAP - Added by David Thomas about 8 years ago

I just want to thank you VERY, very much, John! After rummaging through countless vague documentation, wiki, and forum pages, I finally found something that works.

What a hassle that was. To reiterate, mine started working after I added the full domain for the admin account. And he's right, that "Test" link is a waste of time. Don't bother clicking it.

Again, thank you, John.

RE: LDAP authorisation with OpenLDAP - Added by Bryn Jeffries almost 6 years ago

Just to add to what appears to be one of the few decent examples of getting LDAP up and running in Redmine.

To get dynamic binding working, such that the LDAP connection is performed using the account of the person logging in, the "account" field needs to be changed from the static string ('jmarsden' in the above example) to the DN of the logging-in user. The string '$login' can be used as a placeholder for the actual user name. In the above example each user's DN would be uid=<username>,ou=people,dc=plural,dc=cc, so the 'account' string should be 'uid=$login,ou=people,dc=plural,dc=cc'. The password field can be left empty, since the password submitted at login can be used instead.

RE: LDAP authorisation with OpenLDAP - Added by Thanh LE almost 6 years ago

Hi everybody, firstly, thanks very much for those guides/tips. I just want to add one point about the password hashing in your LDAP server: SHA-256 does not work... I tried plain text or SHA, then it works!

RE: LDAP authorisation with OpenLDAP - Added by Patricio Aguilera about 5 years ago

Dear all,

After a lot of work, I was able to enable the OpenLDAP integration using the OpenLDAP administrator account.

Patricio
