RedmineLDAP » History » Version 29

Jan Catrysse, 2024-10-03 12:38

{{>toc}}

h1. LDAP Authentication

Redmine natively supports LDAP authentication using one or multiple LDAP directories.

h2. Declaring the LDAP

Go to Administration and click *LDAP authentication* in the menu.

Enter the following:

* *Name*: an arbitrary name for the directory
* *Host*: the LDAP host name
* *Port*: the LDAP port (default is 389)
* *LDAPS*: check this if you want or need to use LDAPS to access the directory
* *Account*: enter a username that has read access to the LDAP, or leave this field empty if your LDAP can be read anonymously (Active Directory servers generally do not allow anonymous access)
* *Password*: password for the account
* *Base DN*: the top level DN of your LDAP directory tree
* *Login attribute*: enter the name of the LDAP attribute that will be used as the Redmine username

Redmine users should now be able to authenticate using their LDAP username and password if their accounts are set to use the LDAP for authentication.

To test this, create a Redmine user with a login that matches his LDAP account (normally, Redmine will advise you by looking up the LDAP data), select the newly created LDAP in the *Authentication mode* drop-down list (this field is visible on the account screen only if an LDAP is declared) and leave his password empty. Then try to log in to Redmine using the LDAP username and password.

h2. On the fly user creation

By checking *on-the-fly user creation*, any LDAP user will have his Redmine account automatically created the first time he logs into Redmine.
For that, you have to specify the LDAP attribute names (firstname, lastname, email) that will be used to create their Redmine accounts.

Here is a typical example using Active Directory:

<pre>
Name     = My Directory
Host     = host.domain.org
Port     = 389
LDAPS    = no
Account  = MyDomain\UserName (or UserName@MyDomain depending on AD server)
Password = <password>
Base DN  = CN=users,DC=host,DC=domain,DC=org

On-the-fly user creation = yes
Attributes
  Login     = sAMAccountName
  Firstname = givenName
  Lastname  = sN
  Email     = mail
</pre>

Here is another example for Active Directory with a compartmentalized intranet:

<pre>
Name     = Just a description for the auth modes page
Host     = DepartmentName.OrganizationName.local
Port     = 389
LDAPS    = no
Account  = DepartmentName\UserName (or UserName@MyDomain depending on AD server, or a bind DN such as uid=Manager,cn=users,dc=MyDomain,dc=com)
Password = <password>
Base DN  = DC=DepartmentName,DC=OrganizationName,DC=local

On-the-fly user creation = yes
Attributes
  Login     = sAMAccountName
  Firstname = givenName
  Lastname  = sN
  Email     = mail
</pre>

Note that LDAP attribute names are *case sensitive*.

h3. Dynamic Bind Account

The setup above needs a dedicated account on the directory server which Redmine uses to bind (pre-authenticate) before looking up the user. Alternatively, you can use the keyword *$login* in the Account field; it is replaced by the login of the user currently authenticating, and the Password field can then be left empty. For example:

<pre>
Account: $login@COMPANY.DOMAIN.NAME
</pre>

or

<pre>
Account: company\$login
</pre>

h3. Base DN variants

Although it's quite possible that the Base DN above is standard for Active Directory, the Active Directory at my employer's site does not use the Users container for standard users, so those instructions sent me down a long and painful path. I recommend also trying just "DC=host,DC=domain,DC=org" if login fails with the settings there.

h3. Filter variants

An example of a filter based on group membership: members of the group @Redmine-User@, located in the OU @Application Settings@, which itself sits in the OU @Security Groups@.
Verify that this is the place where the group was actually created, and note that the DN lists the OUs in reversed order (innermost first).

<pre>
Base DN: OU=Users,DC=domain,DC=lan
LDAP Filter: (&(objectClass=user)(memberOf=CN=Redmine-User,OU=Application Settings,OU=Security Groups,DC=domain,DC=lan))
</pre>

h2. Group based LDAP login

If you want to allow logins only to users that belong to a particular LDAP group, follow the instructions below. They are based on the OpenLDAP server and Redmine 2.3.0.

1. (OpenLDAP server) Enable the memberof overlay

1.1. Create a file:

<pre>
vim ~/memberof_add.ldif
</pre>

With the following content:

<pre>
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
</pre>

1.2. Create a file:

<pre>
vim ~/memberof_config.ldif
</pre>

With the following content:

<pre>
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
</pre>

1.3. Load them. How to do this depends on your OpenLDAP configuration, so here are some possibilities:

<pre>
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
</pre>

Or:

<pre>
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_config.ldif
</pre>

A restart is NOT needed if you use the dynamic runtime configuration engine (slapd-config). Note that the overlay only maintains @memberOf@ for group changes made after it is loaded; groups that already existed have to be re-added before the filter below will match their members.

1.4. (Optional) Test it:

<pre>
ldapsearch -D cn=admin,dc=example,dc=com -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' '(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))'
</pre>

2. (OpenLDAP server) Create the group. In this example the user is "ldap_user_1" and the group is "ldapredmine":

<pre>
dn: cn=ldapredmine,ou=groups,dc=example,dc=com
cn: ldapredmine
description: Staff members allowed to login to redmine ticketing system
member: cn=ldap_user_1,ou=people,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
</pre>

Adjust the "dn" and "cn" values to fit your DIT structure.

3. (Redmine) Edit the LDAP authentication mode. In my case "ldap_user_1" has the "posixAccount" objectclass:

<pre>
Base DN: dc=example,dc=com
Filter: (&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))
</pre>
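Redmine looks the user up by the configured login attribute and, when a Filter is set (as in "Filter variants" above and in step 3 here), combines both with an AND. The Ruby below is an added example, not Redmine's or net-ldap's own code: it composes that search filter with the login escaped per RFC 4515, and substitutes the *$login* placeholder from the "Dynamic Bind Account" section. The group DNs are the ones from this page; "jdoe" is a constructed sample login.

```ruby
# Added example (not Redmine's own code). Shows how the pieces configured on
# this page fit together: the Account field's $login placeholder, the login
# attribute lookup, and the custom Filter field that restricts logins to a
# group. The login is escaped per RFC 4515 before it enters the filter, so
# filter metacharacters in a login are matched literally, not interpreted.

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Special characters become backslash + two hex digits, e.g. ')' -> '\29'.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Dynamic bind account: replace $login in the Account field with the login
# being authenticated, e.g. "$login@COMPANY.DOMAIN.NAME" or "company\$login".
# The block form keeps backslashes in the login literal.
def dynamic_bind_account(account_template, login)
  account_template.sub('$login') { login }
end

# Search filter used to locate the user: (login_attr=login), ANDed with the
# custom filter from the authentication mode's Filter field when one is set.
def user_search_filter(login_attr, login, custom_filter = nil)
  base = "(#{login_attr}=#{ldap_filter_escape(login)})"
  custom = custom_filter.to_s.strip
  custom.empty? ? base : "(&#{base}#{custom})"
end

# Group filter from the "Filter variants" section of this page (Active Directory).
AD_GROUP_FILTER = '(&(objectClass=user)(memberOf=CN=Redmine-User,' \
                  'OU=Application Settings,OU=Security Groups,DC=domain,DC=lan))'
# Group filter from step 3 of "Group based LDAP login" (OpenLDAP).
OPENLDAP_GROUP_FILTER = '(&(objectClass=posixAccount)' \
                        '(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))'

if __FILE__ == $PROGRAM_NAME
  puts dynamic_bind_account('$login@COMPANY.DOMAIN.NAME', 'jdoe')   # constructed login
  puts dynamic_bind_account('company\\$login', 'jdoe')
  puts user_search_filter('sAMAccountName', 'jdoe', AD_GROUP_FILTER)
  puts user_search_filter('uid', 'ldap_user_1', OPENLDAP_GROUP_FILTER)
  # A login containing '(' ')' or '*' stays a literal value after escaping:
  puts user_search_filter('uid', 'a)(uid=*', OPENLDAP_GROUP_FILTER)
end
```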

h2. Troubleshooting

If you want to use on-the-fly user creation, make sure that Redmine can fetch from your LDAP all the information required to create a valid user.
For example, on-the-fly user creation won't work if you don't have valid email addresses in your directory (you will get an 'Invalid username/password' error message when trying to log in).
(This is not true with newer Redmine versions; the user creation dialog is populated with everything it can find from the LDAP server, and asks the new user to fill in the rest.)

Also, make sure you don't have any custom field marked as *required* for user accounts. Such custom fields would prevent user accounts from being created on the fly.

Errors in the login system are not reported with any real information in the Redmine logs, which makes troubleshooting difficult. However, you can find most of the information you need using ??Wireshark?? between your Redmine host and the LDAP server. Note that this only works if you have permission to read network traffic between those two hosts, and only shows the LDAP exchange in clear when plain LDAP (not LDAPS) is used.

You can also use the tool 'ldapsearch' to test whether your settings are correct. Log into the Linux machine hosting your Redmine (and install ldap-utils if needed) and run this:

<pre>
ldapsearch -x -b "dc=example,dc=com" -H ldap://hostname/ -D "DOMAIN\USER" -w mypassword [searchterm]
</pre>

If successful, you will get a listing of the contents of the AD matching your search query. Then you will know how to fill out the fields in the LDAP config in Redmine. Prefer @-W@ (prompt for the password) over @-w mypassword@, which leaves the bind password in your shell history.


h3. ??Account?? value format

The username for the bind credentials might need to be specified as a DN (i.e. CN=user,OU=optional,DC=domain,DC=com) rather than as a UPN (user@domain.com) or as ??domain\user??, as pointed out by this comment in source:trunk/vendor/plugins/ruby-net-ldap-0.0.4/lib/net/ldap.rb:
<pre>
  # As described under #bind, most LDAP servers require that you supply a complete DN
  # as a binding-credential, along with an authenticator such as a password.
</pre>
Therefore a user with the MyDomain\MyUserName or MyUserName@MyDomain.com username might enter only MyUserName as the Redmine login name.

h3. Slow LDAP authentication

If LDAP authentication is slow and you have an AD cluster, try to specify one of the AD physical servers in the Host field (http://www.redmine.org/boards/2/topics/3056). It may help.

h3. OpenDS

If you are using the OpenDS server, you might have issues with the request control "Paged results" sent with the initial query searching for the user by the specified login attribute. This request control 1.2.840.113556.1.4.319 is not allowed for anonymous users by default, thus preventing Redmine from finding the user in the directory even before the bind takes place.

Add a global ACI like this:
<pre>
./dsconfig -h SERVER_IP -p 4444 -D cn="Directory Manager" -w PASSWORD -n set-access-control-handler-prop --trustAll 
--add global-aci:\(targetcontrol=\"1.2.840.113556.1.4.319\"\)\ \(version\ 3.0\;\ acl\ 
\"Anonymous\ control\ access\ to\ 1.2.840.113556.1.4.319\"\;\ allow\ \(read\)\ userdn=\"ldap:///anyone\"\;\)
</pre>
Note: Enter the command on one line, and use the escaping exactly as indicated (the \ after "acl" is meant to be "\ " for a space).

h2. Solutions

h3. Zentyal 3.2, Redmine 2.3.x

I successfully updated and (re)setup my Zentyal 3.2 on an Ubuntu 12.04 LTS server.

Because this really drove me nuts after an update to Zentyal 3.2 and Redmine 2.3, I'd like to make the story short and share this simple solution with you:

* https://wiki.blue-it.org/Zentyal#LDAP

Using Zentyal's read-only credentials:
<pre>
> Basedomain (Base DN):  dc=your_domain,dc=your_tld
  Rootdomain (Root DN):  cn=zentyal,dc=your_domain,dc=your_tld
  Password:              <admin_secret_pass>
> Read-only root DN:     cn=zentyalro,dc=your_domain,dc=your_tld
> Read-only password:    <ro_secret_pass>
  Default Users DN:      ou=Users,dc=your_domain,dc=your_tld
  Default Groups DN:     ou=Groups,dc=your_domain,dc=your_tld
</pre>

And in Redmine (use the credentials above, without <>), and be aware of the changed LDAP port 390 (read the article above):
<pre>
  Name     = Just a description for the auth modes page
> Host     = <IP of the host>
> Port     = <390>
  LDAPS    = no
> Account  = <Read-only root DN>
> Password = <ro_secret_pass>
> Base DN  = <Basedomain (Base DN)>

On-the-fly user creation = yes
Attributes
>  Login     = uid
   Firstname = givenName
>  Lastname  = sN
   Email     = mail
</pre>

h3. Zentyal 4.x, Redmine 3.3.x

Use port 389 and sAMAccountName instead of uid.

h3. Zentyal 5.0, Redmine 3.2

<pre>
  Name     = Just a description for the auth modes page
  Host     = <IP of the host>
  Port     = <389>
  LDAPS    = no (yes/checked is ok too with Port set to 636)
  Account  = username@domain.tld
  Password = <username_pass>
  Base DN  = < Default Users DN > (cn=Users,dc=domain,dc=tld)

On-the-fly user creation = yes
Attributes
   Login     = sAMAccountName
   Firstname = givenName
   Lastname  = sN
   Email     = mail
</pre>

h3. OpenLDAP, Redmine 3.4.2.stable

<pre>
  Name     = Some random description
  Host     = <IP of the host>
  Port     = <389>
  LDAPS    = no
  Account  = < Admins DN > (cn=admin,dc=domain,dc=tld)
  Password = < Admins Pass >
  Base DN  = < Default Users DN > (cn=People,dc=domain,dc=tld)

On-the-fly user creation = yes
Attributes
   Login     = uid
   Firstname = givenName
   Lastname  = sn
   Email     = mail
</pre>

The admin account may be any other LDAP account with global read permission. The "domain" and "tld" parts have to fit the LDAP setup, as does everything else. The Login attribute is used for login; the rest has to match your LDAP setup.

h3. FreeIPA 4.6.8, Redmine 3.2.6

<pre>
  Name     = Service Description or server name etc.
  Host     = <IP/domain of the host>
  Port     = <389>
  LDAPS    = no ("yes" not tested)
  Account  = uid=<bind username>,cn=users,cn=accounts,dc=<domain>,dc=<tld>
  Password = <bind password>
  Base DN  = cn=accounts,dc=<domain>,dc=<tld>

Attributes
   Login     = uid
   Firstname = givenName
   Lastname  = sn
   Email     = mail
</pre>

The "domain" and "tld" parts have to fit the LDAP setup, as does everything else. The uid attribute is used for login.