]po[ Active Directory LDAP

This package integrates Active Directory or OpenLDAP with ]project-open[ in order to import user data and to authenticate users against the external server. It uses the "ldapsearch" command line tool from the "OpenLDAP" Linux RPM as the basis of the integration.

Prerequisites

  • OpenLDAP
  • Perl
  • Perl extension "IO-Socket-PortState"

Starting with ]po[ V4.0.3, both the VMware installer and the Windows installer include all necessary files and configuration. A wizard in Admin -> SysConfig -> LDAP Wizard lets you set up the integration semi-automatically.

Obtaining the ]po[ Package

The package "auth-ldap-adldapsearch" is included in the standard ]po[ installers starting with V3.4. If you are running an earlier version of ]po[, you can obtain the software via CVS:

# cd /web/projop/packages
# cvs -d :pserver:anonymous@cvs.project-open.net:/cvsroot/ checkout auth-ldap-adldapsearch

The required "OpenLDAP" Linux RPM is part of all major Linux distributions and is included in the ]po[ VMware installers. OpenLDAP is a stable package with few changes in recent years, so most versions of it should work with ]po[.

Installing “auth-ldap-adldapsearch”

Please make sure the package is available in the /packages/ directory of your ]po[ installation. Then go to the /acs-admin/apm/ URL, choose "Install New Packages" and select the package for installation. Restart the server, go back to /acs-admin/apm/ and check that the package is available.

Enabling LDAP on the Login Page

Please go to Admin -> Parameters -> Kernel Parameters and set the parameter UseEmailForLoginP to 0. With "username" instead of "email" enabled for user login, the login screen will show an additional drop-down box for selecting the [Authentication Authority].

Before testing your new login method, please go to "My Account" and click on the "Edit" button of the user "Basic Information" and check the value of "Username". Otherwise you may lock yourself out!

Important Notes
  • Users and Authorities:
    Users are registered for a specific authentication "authority". In V3.4.0.8 or higher, please enable the parameters "EnableUsersAuthorityP" and "EnableUsersUsernameP" in Admin -> Parameters -> intranet-core. With these parameters set to "1", you will see two additional fields if you go to Users -> One User -> Edit. When testing the LDAP driver, please make sure that your test user is assigned to the "authority" under test.


Manually Configuring LDAP Access To Microsoft Active Directory

Outdated: The new LDAP Wizard in ]po[ V4.0.3 replaces these manual instructions. We include them only for reference in the very rare cases where you have to debug the LDAP integration manually.

Before configuring the LDAP module, we recommend that you test the LDAP connection manually using the command line. ]po[ relies on the “ldapsearch” command line tool to establish a connection to the LDAP server, so you can test the connection manually before configuring ]po[.

Test Connection Parameters

To check the validity of a username/password combination, we use the "ldapsearch -n" command, which doesn't perform any search but still binds to the server and therefore returns an error if the username/password combination is wrong. An example call of the tool may look like this:

# ldapsearch -n -x -H ldap://ldap.project-open.com -D u=ben.bigboss@tigerpond.com,ou=People,dc=tigerpond,dc=com -w secret

This command should exit with return code 0, and its first output line should NOT contain "Invalid credentials (49)". For details please see the ldapsearch "man" page.
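The same check, scripted, as an added example that is not part of the original page or of the ]po[ package: it builds the "ldapsearch -n" call from the page, applies the page's success rule (exit code 0 and no "Invalid credentials (49)" on the first line) and distinguishes a wrong password from a command that ran. The server URI, the bind DN (in the AD "{username}@domain" form from the BindDN parameter) and the two sample outputs are constructed values, not taken from a real server.

```python
"""Scripted version of the manual ldapsearch bind check (added illustration)."""
import subprocess
from typing import List

# The marker the page tells you to look for on the first output line.
INVALID_CREDENTIALS_MARKER = "Invalid credentials (49)"

# Constructed sample values (assumptions); replace with your own server and user.
SAMPLE_URI = "ldap://ldap.project-open.com"
SAMPLE_BIND_DN = "ben.bigboss@project-open.com"  # AD accepts the {username}@domain form

# Constructed outputs in the shape ldapsearch prints; only the first line is inspected.
SAMPLE_OK_OUTPUT = "# extended LDIF\n#\n# LDAPv3\n"
SAMPLE_FAIL_OUTPUT = "ldap_bind: Invalid credentials (49)\n"


def bind_check_command(uri: str, bind_dn: str, password: str) -> List[str]:
    """argv for `ldapsearch -n -x -H <uri> -D <dn> -w <pw>`: -n binds but runs no search."""
    return ["ldapsearch", "-n", "-x", "-H", uri, "-D", bind_dn, "-w", password]


def first_line(output: str) -> str:
    """First non-empty line of the tool output (empty string if there is none)."""
    for line in output.splitlines():
        if line.strip():
            return line
    return ""


def bind_succeeded(returncode: int, output: str) -> bool:
    """The page's rule: exit code 0 and the first line does not report error 49."""
    return returncode == 0 and INVALID_CREDENTIALS_MARKER not in first_line(output)


def run_bind_check(uri: str, bind_dn: str, password: str, timeout: float = 10.0) -> bool:
    """Run ldapsearch and interpret the result; needs the OpenLDAP client tools installed."""
    proc = subprocess.run(
        bind_check_command(uri, bind_dn, password),
        capture_output=True, text=True, timeout=timeout,
    )
    # ldapsearch writes the bind error to stderr, so put stderr first to keep it on line one.
    return bind_succeeded(proc.returncode, proc.stderr + proc.stdout)


if __name__ == "__main__":
    import getpass
    import sys

    uri = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URI
    bind_dn = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_BIND_DN
    ok = run_bind_check(uri, bind_dn, getpass.getpass(f"Password for {bind_dn}: "))
    print("bind OK" if ok else "bind FAILED (check DN, password and LdapURI)")
    sys.exit(0 if ok else 1)
```

When running the check by hand, note that a password given with "-w" is visible to other local users in the process list and may end up in the shell history; the ldapsearch options "-W" (prompt for the password) and "-y file" (read it from a file) avoid that.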

Set up a new LDAP Authority

The next step is to set up a new OpenACS "Authentication Authority". This object controls the authentication of users:

  • Go to Admin -> Auth Authorities (URL: /acs-admin/auth/)
  • Create a new Authority with the following values:
    • General Name: “LDAP”
    • Short Name: “LDAP”
    • Enabled: “Yes”
    • Authentication: “LDAP”
    • Password Management: “LDAP”
    • Account Registration: “LDAP”
    • User Info: “LDAP”
    • Batch sync enabled: “No”
    • GetDocument implementation: "--Disabled--"
    • ProcessDocument implementation: "--Disabled--"
  • Go back to the list of Authorities, click on your new Authority and choose "Configure drivers for this authority".
    On this page you will need to set specific LDAP parameters that differ between organizations.
    The example below imports data from an AD server with the IP 192.168.1.2 for the domain "project-open.com".


  • BaseDN: Base DN when searching for users. Typically something like 'o=Your Org Name' or 'dc=yourdomain,dc=com'.
  • BindDN: How to form the user DN. Active Directory accepts emails like {username}@project-open.com.
  • GroupMap: A TCL list representing a map from LDAP groups to PO groups. Example: 'Users 463 Administrators 459' maps Windows 'Users' to Employees and Windows 'Administrators' to PO Admins.
  • LdapURI: URI of the host to access. Something like ldap://ldap.project-open.com/
  • PasswordHash: The hash to use when storing passwords. Supported values are MD5, SMD5, SHA, SSHA and CRYPT; the salted variants (SMD5, SSHA) are preferable to plain MD5 or SHA.
  • SearchFilter: An optional LDAP expression to limit the users to be imported. Example: '(memberOf=cn=PO-Users,cn=Users,dc=project-open,dc=com)' would only import users who are members of the LDAP group 'PO-Users'.
  • ServerType: 'ad' for Microsoft Active Directory or 'ol' for OpenLDAP (without the single quotes).
  • SystemBindDN: DN of an LDAP system user that allows PO to access the LDAP directory for batch synchronization. Example: 'cn=Administrator,cn=Users,dc=project-open,dc=com'. Leave empty if your LDAP server allows anonymous access.
  • SystemBindPW: Password for the SystemBindDN.
  • UsernameAttribute: LDAP attribute to match the username against, typically uid.

You can leave the remaining fields empty. 
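To make the BindDN, GroupMap and SearchFilter parameters concrete, here is an added example, not code from the page or from the ]po[ package: it fills the {username} placeholder of a BindDN template, reads a GroupMap TCL list into a dictionary, derives the PO group ids a user should get from the memberOf DNs Active Directory returns, and tests whether a user would pass a single (memberOf=...) SearchFilter. The parameter values are the ones quoted above; the user's memberOf list is constructed. How the package itself matches group names is not documented on this page, so exact name matching is an assumption of this illustration.

```python
"""Interpret the BindDN, GroupMap and SearchFilter driver parameters (added illustration)."""
import re
from typing import Dict, List, Set

# Values taken from the parameter descriptions above.
BIND_DN_TEMPLATE = "{username}@project-open.com"
GROUP_MAP = "Users 463 Administrators 459"
SEARCH_FILTER = "(memberOf=cn=PO-Users,cn=Users,dc=project-open,dc=com)"

# Constructed memberOf values, in the form Active Directory returns them for one user.
SAMPLE_MEMBER_OF = [
    "CN=Administrators,CN=Builtin,DC=project-open,DC=com",
    "CN=Users,CN=Builtin,DC=project-open,DC=com",
    "CN=PO-Users,CN=Users,DC=project-open,DC=com",
    "CN=Domain Users,CN=Users,DC=project-open,DC=com",
]


def form_bind_dn(template: str, username: str) -> str:
    """Fill the {username} placeholder of the BindDN parameter."""
    return template.replace("{username}", username)


def parse_tcl_list(text: str) -> List[str]:
    """Minimal Tcl list reader: whitespace-separated words; braces keep a word with spaces together."""
    tokens: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == "{":
            depth, start = 1, i + 1
            i += 1
            while i < n and depth:
                if text[i] == "{":
                    depth += 1
                elif text[i] == "}":
                    depth -= 1
                i += 1
            if depth:
                raise ValueError("unbalanced braces in Tcl list")
            tokens.append(text[start:i - 1])
        else:
            start = i
            while i < n and not text[i].isspace():
                i += 1
            tokens.append(text[start:i])
    return tokens


def parse_group_map(group_map: str) -> Dict[str, int]:
    """'Users 463 Administrators 459' -> {'Users': 463, 'Administrators': 459}."""
    tokens = parse_tcl_list(group_map)
    if len(tokens) % 2:
        raise ValueError("GroupMap needs pairs of <LDAP group> <PO group id>")
    return {tokens[i]: int(tokens[i + 1]) for i in range(0, len(tokens), 2)}


# Leading RDN of a DN, honouring backslash-escaped commas inside the value.
_LEADING_RDN = re.compile(r"\s*[A-Za-z][\w-]*\s*=\s*((?:\\.|[^,])*)")


def leading_rdn_value(dn: str) -> str:
    """'CN=Domain Users,CN=Users,DC=x' -> 'Domain Users' (escapes removed)."""
    match = _LEADING_RDN.match(dn)
    if not match:
        raise ValueError(f"not a DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip()


def po_groups_for_user(member_of: List[str], group_map: Dict[str, int]) -> Set[int]:
    """PO group ids for a user; LDAP group names are matched exactly (assumption)."""
    names = {leading_rdn_value(dn) for dn in member_of}
    return {po_id for ldap_name, po_id in group_map.items() if ldap_name in names}


def _normalize_dn(dn: str) -> str:
    # DN comparison in AD is case-insensitive; also ignore spacing around commas.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


_MEMBER_OF_FILTER = re.compile(r"^\(\s*memberOf\s*=\s*(.+?)\s*\)$", re.IGNORECASE)


def passes_member_of_filter(search_filter: str, member_of: List[str]) -> bool:
    """True if the user would be selected by a single (memberOf=<dn>) SearchFilter."""
    match = _MEMBER_OF_FILTER.match(search_filter.strip())
    if not match:
        raise ValueError("only a single (memberOf=...) filter is handled here")
    wanted = _normalize_dn(match.group(1))
    return any(_normalize_dn(dn) == wanted for dn in member_of)


if __name__ == "__main__":
    print(form_bind_dn(BIND_DN_TEMPLATE, "ben.bigboss"))
    print(sorted(po_groups_for_user(SAMPLE_MEMBER_OF, parse_group_map(GROUP_MAP))))
    print(passes_member_of_filter(SEARCH_FILTER, SAMPLE_MEMBER_OF))
```

The GroupMap example resolves the sample user to both PO groups (463 and 459) because the user is in the AD "Users" and "Administrators" groups, and the SearchFilter check passes because one memberOf value equals the filter DN apart from letter case. A GroupMap entry whose AD group name contains spaces has to be written in braces, e.g. '{Domain Admins} 459', which the tokenizer above accepts.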

Synchronization

With the first successful login, ]po[ synchronizes the LDAP account and creates a ]po[ account. By default only the user account is created and the user does not become a member of any group. Address data and other information, such as membership in Departments/CC, may also be synchronized.

Debugging the ]project-open[ - Active Directory LDAP Interface

  • Invalid user: "Your authentication was successful, but your user account does not exist in our database":
    Update users.authority_id to the user's LDAP authority: "update users set authority_id = xxx where username = 'yyy';". You can list your authorities with "select * from auth_authorities;".

For other generic debugging issues please enter:

# cd /web/projop/log
# tail -f error.log | grep ldapsearch

This command shows you only the calls to "ldapsearch". Copy and paste these lines and execute them manually on the command line in order to drill down further.


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic License.