<p><strong>Redmine - Feature #1913: LDAP - authenticate as user</strong> (<a href="https://www.redmine.org/issues/1913">https://www.redmine.org/issues/1913</a>)</p>
<p><strong>Markus Peter</strong>, 2008-10-07T11:23:07Z (<a href="https://www.redmine.org/issues/1913?journal_id=5055">journal 5055</a>)</p>
<ul></ul><p>I applied this patch on a development checkout (revision 1901) and it works fine!<br />It took me a while to figure out the ldap settings.</p>
<p>In the Account field, I entered<br /><code>[domain]\$login</code><br />and in Base DN<br /><code>CN=users,DC=people,DC=example,DC=com</code><br />This finally worked for me, no password stored anywhere.</p>
<p><strong>Martin Bächtold</strong>, 2008-11-14T18:00:55Z (<a href="https://www.redmine.org/issues/1913?journal_id=5674">journal 5674</a>)</p>
<ul></ul><p>This patch also worked for me, thank you very much.</p>
<p><strong>Jérémie Delaitre</strong>, 2009-02-20T08:58:21Z (<a href="https://www.redmine.org/issues/1913?journal_id=7466">journal 7466</a>)</p>
<ul></ul><p>Will this patch be included in the core?</p>
<p><strong>Eric Davis</strong>, 2009-02-20T21:57:49Z (<a href="https://www.redmine.org/issues/1913?journal_id=7493">journal 7493</a>)</p>
<ul></ul><p>Could someone update the patch to include a few test cases?</p>
<p><strong>Daniel Marczisovszky</strong>, 2009-05-01T19:24:23Z (<a href="https://www.redmine.org/issues/1913?journal_id=8940">journal 8940</a>)</p>
<ul></ul><p>I've created a patch for alias dereferencing (<a class="issue tracker-1 status-1 priority-4 priority-default" title="Defect: LDAP Auth : Alias Dereference (New)" href="https://www.redmine.org/issues/3253">#3253</a>) and I included your patch. It also adds options for custom search filtering that was influenced by your patch; it uses the same syntax. Could you please try it out?</p>
<p><strong>Adi Kriegisch</strong>, 2009-08-21T13:34:23Z (<a href="https://www.redmine.org/issues/1913?journal_id=10628">journal 10628</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/2454">Redmine-ldap-as-user.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2454/Redmine-ldap-as-user.diff">Redmine-ldap-as-user.diff</a> added</li></ul><p>To make this patch usable with Apache authentication against Redmine for SVN access (i.e. all the stuff that is located in redmine/extra/svn), it is necessary to patch Redmine.pm as well, so that it understands how to treat $login in the config.<br />By the way, Arnaud Martel did a great job in enhancing Redmine.pm. See <a class="issue tracker-3 status-1 priority-4 priority-default" title="Patch: enhanced mod_perl module for apache (New)" href="https://www.redmine.org/issues/3712">#3712</a>.</p>
<p><strong>Eric Davis</strong>, 2010-02-17T21:40:06Z (<a href="https://www.redmine.org/issues/1913?journal_id=14466">journal 14466</a>)</p>
<ul><li><strong>Category</strong> changed from <i>Accounts / authentication</i> to <i>LDAP</i></li></ul><p>Can someone post a simple OpenLDAP configuration that removes the anonymous binding so I can test this? I've been working in the LDAP code recently and would like to apply this.</p>
<p><strong>Adi Kriegisch</strong>, 2010-02-18T08:31:03Z (<a href="https://www.redmine.org/issues/1913?journal_id=14480">journal 14480</a>)</p>
<ul></ul><p>Eric Davis wrote:</p>
<blockquote>
<p>Can someone post a simple OpenLDAP configuration that removes the anonymous binding so I can test this? I've been working in the LDAP code recently and would like to apply this.</p>
</blockquote>
<p>Cool! Looking forward to your patch!</p>
<p>Assuming you've got a working LDAP server, adding an access control list is the only thing required (if you already have some, watch out for the correct ordering: they are processed top to bottom and the first match stops further processing).</p>
<pre>access to attrs=userPassword
        by dn.base="uid=root,dc=mydomain,dc=com" write
        by self write
        by anonymous auth</pre>
<p>This should be quite self-explanatory: contrary to SQL queries, LDAP just hides attributes if you're not allowed to see them ("read" permission), so you will still be able to get a list of all users. Just the "userPassword" field is hidden. "anonymous" connections may only use this attribute to authenticate, whereas the authenticated user himself may read and change his password, and root -- as usual -- may do anything!</p>
<p>In real life you might add other ACLs as well, and you might want to add the "ssf" parameter too (security strength factor, which specifies whether SSL/TLS is required for access to a certain attribute).</p>
<p>Hope this helps! Feel free to contact me if you need any further assistance!</p>
<p><strong>Felix Schäfer</strong>, 2010-02-18T08:35:05Z (<a href="https://www.redmine.org/issues/1913?journal_id=14481">journal 14481</a>)</p>
<ul></ul><p>This is a "light" version of what we have, so it's kinda untested in this form, but it should give read or read/write permission to some attributes only to some users.</p>
<pre># Password attributes: the owner may change them, anonymous may only use them to bind
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
# This assumes a flat user directory; change "one" to "children" to extend it to
# any child of ou=People at any depth. "by users read" ensures that any user in
# the LDAP can search/read for uids, to enable the search for a cn based on the
# uid; redmine obviously needs a "user" somewhere in the LDAP tree for that to work
access to dn.one="ou=People,dc=example,dc=com" attrs=uid
        by self read
        by users read
        by * none
# We have more attributes here, but these should be the only three redmine needs atm
access to dn.children="ou=People,dc=example,dc=com" attrs=givenName,sn,mail
        by self write
        by users read
        by * none
access to dn.base=""
        by * read
# Not sure how much this part is needed, as it gives blanket read access to all
# users in the LDAP, but should be ok for testing the need for user credentials
# to read the LDAP
access to *
        by users read
        by * none</pre>
<p>I also removed all our "extra" admin accesses and stuff, catch me on IRC if you need more info/help with that.</p>
<p><strong>Felix Schäfer</strong>, 2010-02-18T08:39:09Z (<a href="https://www.redmine.org/issues/1913?journal_id=14482">journal 14482</a>)</p>
<ul></ul><p>By the way, you won't need a "full" user for the redmine to access the LDAP, "only" an LDAP object with a password, our "users" for app access export to something like that:</p>
<pre>dn: cn=Redmine,ou=Apps,ou=System,dc=example,dc=com
cn: Redmine
objectClass: namedObject
objectClass: top
objectClass: simpleSecurityObject
userPassword: {SSHA}somefunnyhash</pre>
<p><strong>Antoine Beaupré</strong>, 2010-02-21T21:14:02Z (<a href="https://www.redmine.org/issues/1913?journal_id=14578">journal 14578</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/3232">Redmine-app-models-auth_source_ldap-0.9.1-2.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3232/Redmine-app-models-auth_source_ldap-0.9.1-2.diff">Redmine-app-models-auth_source_ldap-0.9.1-2.diff</a> added</li><li><strong>% Done</strong> changed from <i>0</i> to <i>50</i></li></ul><p>So here's a patch that applies to the Debian 0.9.1 package that improves a bit on what's already here, in that it avoids doing a second bind if we're using the introduced "bind as user" setting.</p>
<p><strong>Antoine Beaupré</strong>, 2010-02-21T21:46:11Z (<a href="https://www.redmine.org/issues/1913?journal_id=14580">journal 14580</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/3233">1913_redmine_bind_as_user.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3233/1913_redmine_bind_as_user.diff">1913_redmine_bind_as_user.diff</a> added</li><li><strong>% Done</strong> changed from <i>50</i> to <i>70</i></li></ul><p>... and here's an untested patch for current head. It refactors get_user_dn() to use an internal ldap_con to avoid binding twice with the LDAP server when using user-level bindings.</p>
<p>I think the UI could still use some love to explain the $login hack, but in the meantime this makes more sense in the LDAP world...</p>
<p><strong>Bernhard Furtmueller</strong>, 2010-02-24T13:26:49Z (<a href="https://www.redmine.org/issues/1913?journal_id=14649">journal 14649</a>)</p>
<ul></ul><p>I had the very same problem, tried to search but didn't find this solution in the past.<br />Therefore I did the "reinvent the wheel" approach and came up with my patch,<br />which introduces a new domain field.</p>
<p>See forum entry here:<br /><a class="external" href="http://www.redmine.org/boards/1/topics/11119">http://www.redmine.org/boards/1/topics/11119</a></p>
<p>And the patch (which works at least against active directory):<br /><a class="external" href="http://www.redmine.org/attachments/3176/patch0.patch">http://www.redmine.org/attachments/3176/patch0.patch</a></p>
<p>I'll try the patch (is it supposed to work against Active Directory?)<br />attached to this tracker asap and will report.</p>
<p>br,<br />bernhard</p>
<p><strong>Markus Peter</strong>, 2010-04-20T22:44:13Z (<a href="https://www.redmine.org/issues/1913?journal_id=16021">journal 16021</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/3585">Bind_as_user_LDAP.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3585/Bind_as_user_LDAP.diff">Bind_as_user_LDAP.diff</a> added</li></ul><p>Antoine Beaupré wrote:</p>
<blockquote>
<p>... and here's an untested patch for current head. it refactors get_user_dn() to use an internal ldap_con to avoid binding twice with the ldap server when using user-level bindings.</p>
</blockquote>
<p>The patch did throw an error:</p>
<pre>
NoMethodError (undefined method `ldap_con=' for #&lt;AuthSourceLdap:0x8c22f74&gt;):
app/models/auth_source_ldap.rb:38:in `authenticate'
app/models/user.rb:105:in `try_to_login'
app/controllers/account_controller.rb:147:in `password_authentication'
app/controllers/account_controller.rb:142:in `authenticate_user'
app/controllers/account_controller.rb:30:in `login'
</pre>
<p>Chances are I messed up something...</p>
<p>I included a patch which works with the current head, though it still calls <code>initialize_ldap_con</code> twice, once in <code>authenticate</code> and once in <code>authenticate_dn</code>.</p>
<p><strong>Felix Schäfer</strong>, 2010-04-21T06:00:45Z (<a href="https://www.redmine.org/issues/1913?journal_id=16028">journal 16028</a>)</p>
<ul></ul><p>Markus Peter wrote:</p>
<blockquote>
<p>I included a patch which works with the current head, though it still calls <code>initialize_ldap_con</code> twice, once in <code>authenticate</code> and once in <code>authenticate_dn</code>.</p>
</blockquote>
<p>There are environments in which you might need to first bind as the "redmine user" to the LDAP to determine the DN corresponding to a certain login, as not all LDAP setups support searching for a login as anonymous.</p>
<p><strong>Markus Peter</strong>, 2010-04-21T07:06:01Z (<a href="https://www.redmine.org/issues/1913?journal_id=16030">journal 16030</a>)</p>
<ul></ul><p>Felix Schäfer wrote:</p>
<blockquote>
<p>There are environments in which you might need to first bind as the "redmine user" to the LDAP to determine the DN corresponding to a certain login as not all LDAP setups support searching for login as anonymous.</p>
</blockquote>
<p>Our AD does not support searching for logins as anonymous, that's why we use this patch to connect with the login/password supplied by the user and the parameters provided in the LDAP configuration <em>without</em> having to enter a user/pwd for each LDAP config.</p>
<p>Not sure whether this works with self-registration, though.</p>
<p>Antoine's patch is certainly better, but unless I messed something up, something may be missing to make it work.</p>
<p><strong>Bernhard Furtmueller</strong>, 2010-04-21T20:20:12Z (<a href="https://www.redmine.org/issues/1913?journal_id=16066">journal 16066</a>)</p>
<ul></ul><p>Had the same problem, so I'll post my approach here. This is against trunk @3625.<br />This adds a domain field which will be prefixed to the user id.<br />It also allows self-registration.<br />HTH,<br />bernhard</p>
<pre>
commit c6b87839849899fb2c24fde1533224f60818074e
Author: Bernhard Furtmueller <bernhard.furtmueller@hilti.com>
Date: Tue Mar 30 13:37:14 2010 +0000
adding a domain field in order to allow direct active directory
authentication without requiring a read only ads user.
forward port of 0b9ee54dafe21140bf694bf968431633d4ec09b5
only with lang en and de
diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index d2a7e70..a7bb7ba 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -21,7 +21,7 @@ require 'iconv'
class AuthSourceLdap < AuthSource
validates_presence_of :host, :port, :attr_login
validates_length_of :name, :host, :account_password, :maximum => 60, :allow_nil => true
- validates_length_of :account, :base_dn, :maximum => 255, :allow_nil => true
+ validates_length_of :account, :domain, :base_dn, :maximum => 255, :allow_nil => true
validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
validates_numericality_of :port, :only_integer => true
@@ -33,7 +33,7 @@ class AuthSourceLdap < AuthSource
def authenticate(login, password)
return nil if login.blank? || password.blank?
- attrs = get_user_dn(login)
+ attrs = get_user_dn(login,password)
if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
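Review bot: in the domain case this hunk makes every login cost two binds: get_user_dn(login,password) binds as domain\login with the user's password, and the unchanged `authenticate_dn(attrs[:dn], password)` on the next line binds again with the DN just found. The first bind has already proved the password, so when domain is set get_user_dn could hand back the DN found on the user-bound connection and authenticate could skip authenticate_dn, which is what the other patches in this issue do.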
@@ -100,8 +100,10 @@ class AuthSourceLdap < AuthSource
end
# Get the user's dn and any attributes for them, given their login
- def get_user_dn(login)
- ldap_con = initialize_ldap_con(self.account, self.account_password)
+ def get_user_dn(login,password)
+ #ldap_con = initialize_ldap_con(self.account, self.account_password)
+ domain.blank? ? ldap_con = initialize_ldap_con(self.account, self.account_password) : ldap_con = initialize_ldap_con(domain + "\\" + login, password);
+
login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
attrs = {}
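Review bot: the commented-out `#ldap_con = initialize_ldap_con(self.account, self.account_password)` line should be deleted, and the ternary that assigns in both branches (and ends in a stray `;`) is clearer as one assignment: `ldap_con = domain.blank? ? initialize_ldap_con(self.account, self.account_password) : initialize_ldap_con("#{domain}\\#{login}", password)`. Note also that the unchanged `login_filter = Net::LDAP::Filter.eq( self.attr_login, login )` still places the submitted login in the search filter without escaping; the version committed as r9241 escapes the submitted login (see the closing comment), and this patch should do the same.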
diff --git a/app/views/auth_sources/_form.rhtml b/app/views/auth_sources/_form.rhtml
index 9ffffaf..f023bce 100644
--- a/app/views/auth_sources/_form.rhtml
+++ b/app/views/auth_sources/_form.rhtml
@@ -11,6 +11,9 @@
<p><label for="auth_source_port"><%=l(:field_port)%> <span class="required">*</span></label>
<%= text_field 'auth_source', 'port', :size => 6 %> <%= check_box 'auth_source', 'tls' %> LDAPS</p>
+<p><label for="auth_source_domain"><%=l(:field_domain)%></label>
+<%= text_field 'auth_source', 'domain' %></p>
+
<p><label for="auth_source_account"><%=l(:field_account)%></label>
<%= text_field 'auth_source', 'account' %></p>
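Review bot: the new Domain field carries no explanation. When it is filled in, get_user_dn ignores Account and Password and binds as domain\login with the credentials the user typed, so the form (or a hint next to the field) should say that the value is the prefix used in domain\login and that Account and Password are then unused.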
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 982452e..d79c20a 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -268,6 +268,7 @@ de:
field_port: Port
field_account: Konto
field_base_dn: Base DN
+ field_domain: Domäne
field_attr_login: Mitgliedsname-Attribut
field_attr_firstname: Vorname-Attribut
field_attr_lastname: Name-Attribut
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 4082670..b155582 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -243,6 +243,7 @@ en:
field_port: Port
field_account: Account
field_base_dn: Base DN
+ field_domain: Domain
field_attr_login: Login attribute
field_attr_firstname: Firstname attribute
field_attr_lastname: Lastname attribute
diff --git a/db/migrate/20100330124427_add_auth_sources_domain.rb b/db/migrate/20100330124427_add_auth_sources_domain.rb
new file mode 100644
index 0000000..f9d1de5
--- /dev/null
+++ b/db/migrate/20100330124427_add_auth_sources_domain.rb
@@ -0,0 +1,9 @@
+class AddAuthSourcesDomain < ActiveRecord::Migration
+ def self.up
+ add_column :auth_sources, :domain, :string, :default => 'none', :null => false
+ end
+
+ def self.down
+ remove_column :auth_sources, :domain
+ end
+end
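Review bot: `:default => 'none', :null => false` fills the new column with the literal string 'none' for every existing auth_sources row, and `domain.blank?` in get_user_dn is false for 'none', so after this migration every existing LDAP source would bind as `none\login` with the user's password instead of with the configured account. Make the column nullable with no default (or default it to an empty string) so existing sources keep their current behaviour, and drop the hard-coded 'none'.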
</pre>
<p><strong>Antoine Beaupré</strong>, 2010-12-13T15:55:56Z (<a href="https://www.redmine.org/issues/1913?journal_id=23159">journal 23159</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/5008">1913_redmine_bind_as_user2.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/5008/1913_redmine_bind_as_user2.diff">1913_redmine_bind_as_user2.diff</a> added</li></ul><p>For me the patch in comment #17 was unclear: first, there's commented code in there and second, I don't understand the reason for the 'domain' field. The patch I am providing here is just a port of the one in comment #14, which is itself a port of my patch, which was a port of... well, you see where I'm going. :)</p>
<p>Basically, I believe that using $login in the field is (a) much more powerful and (b) flexible enough to cover the "domain" case, whose purpose is really unclear to me.</p>
<p>Can we get this committed please? This issue has been opened for 2 years and a patch has been available for over a year now. I've been using it in production here for the last 10 months without any problems.</p>
<p>The patch applies to 1.0.1 but it should be trivial to port it to trunk. Besides, I did that earlier and that didn't seem to favor inclusion, so I'll just try to port this to new releases as we upgrade, but I'd really like to see this hit the trunk so I don't have to maintain this silly patch.</p>
<p><strong>Adi Kriegisch</strong>, 2010-12-13T17:24:55Z (<a href="https://www.redmine.org/issues/1913?journal_id=23160">journal 23160</a>)</p>
<ul></ul><p>Thanks, Antoine, for forward porting this patch. (Just a minor correction: this patch has been available for two years now -- and it is still working in production ;-)<br />Probably the main developers are lacking something? What do I/we need to do to finally get this included in Redmine?<br />Eric Davis (comment 4) asked for test cases. What should they look like? Is it enough to prove that this patch generates a correct login dn?<br />Probably documentation is missing? What should the documentation look like? The very first comment explains how to bind against AD. Comments 8 and 9 provide useful LDAP config snippets for OpenLDAP. Anything more needed?<br />I'd love to have this upstream: rebuilding packages all the time to get this working again and again is just annoying.</p>
<p><strong>Daniel Ritz</strong>, 2012-02-01T15:22:37Z (<a href="https://www.redmine.org/issues/1913?journal_id=35692">journal 35692</a>)</p>
<ul></ul><p>+1</p>
<p>Even the minimal patch in <a class="attachment" href="https://www.redmine.org/attachments/5008">1913_redmine_bind_as_user2.diff</a> is a big improvement. Using that one at work to authenticate against a Windows AD without requiring an extra user (which is not easy to get... corporate politics).</p>
<p><strong>Antoine Beaupré</strong>, 2012-02-13T17:18:41Z (<a href="https://www.redmine.org/issues/1913?journal_id=36028">journal 36028</a>)</p>
<ul></ul><p>I can confirm this is still working in production, and I painstakingly update this at every release. So far there was no change in the 1.1 release, but we'll see for 1.3.</p>
<p>How <strong>do</strong> we get patches merged into redmine? I have a good lot waiting in the queue and they seem to be getting no attention whatsoever...</p>
<p><strong>Antoine Beaupré</strong>, 2012-03-15T18:33:02Z (<a href="https://www.redmine.org/issues/1913?journal_id=36825">journal 36825</a>)</p>
<ul></ul><p>Hello? Anyone?</p>
<p>Should I submit this to chiliproject instead?</p>
<p><strong>Jean-Philippe Lang</strong> (jp_lang@yahoo.fr), 2012-03-16T07:18:01Z (<a href="https://www.redmine.org/issues/1913?journal_id=36831">journal 36831</a>)</p>
<ul></ul><p>Would you be able to add a test case to the patch? Or should I take care of it?</p>
<p><strong>Adi Kriegisch</strong>, 2012-03-16T08:08:05Z (<a href="https://www.redmine.org/issues/1913?journal_id=36833">journal 36833</a>)</p>
<ul></ul><p>Jean-Philippe, it would be great if you can add test cases. Please let me know if you lack anything for adding this patch. I'd gladly help!<br />Thank you for considering this patch!</p>
<p><strong>Antoine Beaupré</strong>, 2012-03-16T17:05:27Z (<a href="https://www.redmine.org/issues/1913?journal_id=36854">journal 36854</a>)</p>
<ul></ul><p>I am sorry I am not familiar enough with Redmine's unit testing to provide a test case here. Besides, I think it would require a running LDAP server, which is not trivial...</p>
<p>It would be awesome if someone else could provide that test case though. Thanks for looking into this patch!</p>
<p><strong>Jean-Philippe Lang</strong> (jp_lang@yahoo.fr), 2012-03-17T12:17:14Z (<a href="https://www.redmine.org/issues/1913?journal_id=36864">journal 36864</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Jean-Philippe Lang</i></li><li><strong>Target version</strong> set to <i>1.4.0</i></li></ul><p>Feature added in <a class="changeset" title="LDAP: adds the ability to bind with user's account (#1913)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/9241">r9241</a> - <a class="changeset" title="Typo (#1913)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/9243">r9243</a> with slight changes and tests. The initial patch was breaking 2 tests and I think it's safer to escape the submitted login.</p>
<p>Antoine Beaupré wrote:</p>
<blockquote>
<p>Besides, I think it would require a running LDAP server, which is not trivial...</p>
</blockquote>
<p>This was already required to run the full test suite, so adding tests for this new feature was pretty straightforward.<br />Thanks for your contribution.</p>
<p><strong>Harley Laue</strong>, 2012-05-21T20:38:54Z (<a href="https://www.redmine.org/issues/1913?journal_id=38346">journal 38346</a>)</p>
<ul></ul><p>extra/svn/Redmine.pm still needs to be patched (which was supplied) to work correctly. Without this patch, SVN read and/or write is completely broken while using this feature within Redmine.</p>
<p><strong>Jean-Philippe Lang</strong> (jp_lang@yahoo.fr), 2012-05-29T18:27:58Z (<a href="https://www.redmine.org/issues/1913?journal_id=38539">journal 38539</a>)</p>
<ul></ul><p>Indeed, <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Defect: Redmine.pm does not support &quot;bind as user&quot; ldap authentication (Closed)" href="https://www.redmine.org/issues/11046">#11046</a> created.</p>
<p><strong>Andrew Kohlsmith</strong>, 2014-06-05T20:32:57Z (<a href="https://www.redmine.org/issues/1913?journal_id=56661">journal 56661</a>)</p>
<ul></ul><p>There is a more generic issue with binding to the AD. I ran into this and don't have a good solution, but I'll describe it here so that hopefully others will find it.</p>
<p>Windows 2003 seems to confuse the notion of binding to the LDAP server and logging in to a workstation. If you have a domain user who is restricted to logging in only from a specific workstation or workstations, the bind as that user will fail because AD sees the bind, validates the password and then notices that the AD server itself is not in the list of allowed workstations. The specific LDAP error is </p>
<pre><code>W80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece</code></pre>
<p>where the <code>531</code> corresponds to "User not allowed to logon at this computer".</p>
<p>I don't know enough about AD to know if there is a way to say "any valid account can bind the AD server" while maintaining the workstation login restriction. The only way around it that I have found is to add the NetBIOS name of the AD server to the restricted user's allowed workstation list. This is clearly not a great solution.</p>
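<p>Added example, not code from this thread or from Redmine: the bind-as-user flow the issue asks for, carried through end to end in Ruby against an in-memory stand-in for the directory so that it runs offline. It expands a <code>$login</code> template as in the first comment, performs the single bind the later patches settle on (no second bind on the DN), escapes the submitted login before the search as the committed version does, refuses an empty password, and classifies a failed bind using the Active Directory "data" code from the diagnostic quoted in the previous comment, so that a 531 is not reported as a wrong password. <code>FakeLdap</code>, <code>bind_as_user</code>, <code>CONFIG</code>, <code>DIRECTORY</code> and the sample entries are constructed for illustration; the RFC 4515 escaping rules and the AD data codes are real.</p>

```ruby
# Added example, not Redmine's code: "bind as user" against an in-memory directory.
# FakeLdap, bind_as_user, CONFIG and DIRECTORY are constructed for illustration.

# RFC 4515 section 3: escape a value before placing it in a search filter, so a
# login such as "*" or "x)(objectClass=*" cannot rewrite the query.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# The Account field with "$login" substituted: 'EXAMPLE\$login' -> EXAMPLE\jdoe.
def expand_account_template(template, login)
  template.gsub('$login', login)
end

# Active Directory checks the password first and only then applies logon policy;
# the hex "data" field of its AcceptSecurityContext diagnostic says which applied.
AD_BIND_DATA_CODES = {
  0x525 => 'user not found', 0x52e => 'invalid credentials',
  0x530 => 'not permitted to logon at this time',
  0x531 => 'not permitted to logon at this workstation',
  0x532 => 'password expired', 0x533 => 'account disabled',
  0x701 => 'account expired', 0x773 => 'user must reset password',
  0x775 => 'account locked out'
}.freeze

# Returns { code:, reason:, password_ok: }, or nil if the message is not from AD.
def parse_ad_bind_error(message)
  m = message.to_s.match(/AcceptSecurityContext error, data (\h+)/) or return nil
  code = m[1].to_i(16)
  { code: code, reason: AD_BIND_DATA_CODES.fetch(code, "unknown data code #{m[1]}"),
    password_ok: ![0x525, 0x52e].include?(code) }
end

# Stand-in for the parts of Net::LDAP the flow touches: bind, search, last error.
class FakeLdap
  Entry = Struct.new(:dn, :bind_names, :password, :attrs, :workstation_locked)
  attr_reader :last_error

  def initialize(entries)
    @entries, @bound, @last_error = entries, nil, nil
  end

  def bind(name, password)
    # Models a server that takes a name plus an empty password as an anonymous
    # "unauthenticated bind" and reports success (RFC 4513 section 5.1.2 allows it).
    if password.to_s.empty?
      @bound = :anonymous
      return true
    end
    entry = @entries.find { |e| e.bind_names.include?(name) }
    data = if entry.nil? then '525'
           elsif entry.password != password then '52e'
           elsif entry.workstation_locked then '531'
           end
    @last_error = data && "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data #{data}, vece"
    @bound = data ? nil : :authenticated
    !@bound.nil?
  end

  # Only "(attr=value)" filters: a bare "*" is a wildcard, "\XX" a literal byte,
  # which is the distinction escaping relies on. Anonymous binds may not search.
  def search(base, filter)
    return [] unless @bound == :authenticated
    m = filter.match(/\A\((\w+)=(.*)\)\z/) or raise ArgumentError, "unsupported filter #{filter}"
    attr_name = m[1].to_sym
    body = m[2].gsub(/\\[0-9a-f]{2}|\*|./i) do |tok|
      if tok == '*' then '.*'
      elsif tok.start_with?('\\') then Regexp.escape(tok[1, 2].hex.chr)
      else Regexp.escape(tok)
      end
    end
    rx = Regexp.new("\\A#{body}\\z")
    @entries.select { |e| e.dn.end_with?(base) && e.attrs[attr_name].to_s.match?(rx) }
  end
end

# Constructed sample directory; jroe is restricted to specific workstations (data 531).
BASE_DN = 'CN=users,DC=people,DC=example,DC=com'
DIRECTORY = [
  FakeLdap::Entry.new("CN=John Doe,#{BASE_DN}", ["EXAMPLE\\jdoe"], 'correct horse',
                      { sAMAccountName: 'jdoe', givenName: 'John', sn: 'Doe', mail: 'jdoe@example.com' }, false),
  FakeLdap::Entry.new("CN=Jane Roe,#{BASE_DN}", ["EXAMPLE\\jroe"], 'battery staple',
                      { sAMAccountName: 'jroe', givenName: 'Jane', sn: 'Roe', mail: 'jroe@example.com' }, true)
].freeze
# What the auth source stores when binding as the user: a template, no service password.
CONFIG = { account: 'EXAMPLE\$login', base_dn: BASE_DN, attr_login: 'sAMAccountName' }.freeze

# Returns { dn:, firstname:, lastname:, mail: } on success, { error:, ... } on failure.
def bind_as_user(ldap, config, login, password)
  # An empty password must never reach bind: on a lenient server it "succeeds" anonymously.
  return { error: 'empty login or password' } if login.to_s.empty? || password.to_s.empty?
  unless ldap.bind(expand_account_template(config[:account], login), password)
    ad = parse_ad_bind_error(ldap.last_error)
    # A policy refusal (data 531 and friends) is not a wrong password; report it as such.
    return { error: ad ? ad[:reason] : 'bind failed', password_ok: ad ? ad[:password_ok] : false }
  end
  # The user's own bind already proved the password, so no second bind on the DN is
  # needed; the search only fetches the attributes Redmine stores for the account.
  filter = "(#{config[:attr_login]}=#{ldap_filter_escape(login)})"
  entry = ldap.search(config[:base_dn], filter).first
  return { error: 'bound, but no matching entry under the base DN' } unless entry
  { dn: entry.dn, firstname: entry.attrs[:givenName], lastname: entry.attrs[:sn], mail: entry.attrs[:mail] }
end
```

<p>The <code>password_ok</code> flag is the part worth keeping when wiring this into a real login path: a 531 means AD accepted the password and then refused the logon for the workstation policy described in the previous comment, so the user should not be told "invalid credentials" and a retry with another password cannot help.</p>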