Configuration
Sat Aug 13 15:46 Authored by lsproc

Configuring LDAP Authentication  

Settings page
Before switching to use LDAP Authentication, it is necessary to set a number of settings to properly connect to the LDAP Server. This can be done from the LDAP Authentication part of Configuration after installing the module.

Settings  

Connection  

Hostname  

The hostname, which includes the port, tells The Bug Genie which server to connect to. It should be given in the format ldap://hostname:port, or ldaps://hostname:port if you wish to use an SSL connection. The default port is 389 for a non-SSL connection and 636 for an SSL connection, but consult your administrator for details.

Base DN  

The Bug Genie performs subtree searches, so only one DN is needed: the common base of the DNs of all users and groups. It should be provided in DN format; an example is provided.

Object DN attribute  

The Bug Genie needs to obtain the full DN of user objects. Enter here the name of the attribute that holds this value. On OpenLDAP systems this may be entrydn; on Active Directory it will be distinguishedName.

Users data  

Class  

The Bug Genie looks for objects of a certain class to use as users. Enter the objectClass value to look for here; if you leave it blank, the default of 'person' will be used.

Attributes  

The Bug Genie will need to obtain certain data about the user, and the attributes used can be specified here.
  • Username - The username specified during login will be looked up here.
  • Full name - The full name in The Bug Genie will be set to this, but also the 'Buddy Name', which will be shown by issues you are assigned to, as well as in other places.
  • Email address - Emails sent from The Bug Genie will be sent to this address.

Groups  

Class  

The Bug Genie can optionally restrict access to users belonging to certain groups. As with users, The Bug Genie looks for objects of a certain class to use as groups; the objectClass value to look for can be entered here. If none is specified, the default of 'group' will be used.

Attributes  

As with users, attributes need to be specified, but only one is required.
  • Group members - The attribute containing the list of DNs of users belonging to the group.

Allowed groups  

This should contain a list of groups to allow access to. If this is left blank, all users will be allowed access to The Bug Genie. If a comma separated list of groups is entered here, only users belonging to the named groups will be allowed access.

Control user  

The Bug Genie needs a user to perform user and group lookups with. If anonymous binding to the directory is possible, these fields can be left blank. Otherwise, an account username and password need to be entered here. Please note that these credentials will be stored unencrypted in the database, so if you are able to, you should restrict the permissions of this user.

If you are connecting to an Active Directory server, please note that this user will need to be prefixed with DOMAIN\, or the full DN (see below). Logging in to The Bug Genie via LDAP will not need any prefix under Active Directory.

For all users (including AD ones who do not use a DOMAIN\ prefix), the full DN of your control user must be specified. This can be found using your administration tools.
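The lookup sequence these settings drive, as an added example rather than the module's own code: build the user search filter from the Class and Username attribute settings (with RFC 4515 escaping so a username typed at login cannot change the filter), then evaluate the Allowed groups rule over group entries. It is evaluated against a constructed in-memory directory so it runs offline, and it goes beyond the text in also accepting member attributes that hold bare usernames rather than DNs (as posixGroup memberUid does).

```python
# Added example, not The Bug Genie's own code. Entries use the
# (dn, {attr: [bytes, ...]}) shape that python-ldap's search_s returns.
import re

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username typed at login must not alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def user_filter(object_class: str, username_attr: str, username: str) -> str:
    """Subtree search filter under the Base DN built from the 'Users data' settings."""
    return '(&(objectClass=%s)(%s=%s))' % (
        object_class or 'person', username_attr, escape_filter_value(username))

def normalize_dn(dn: str) -> str:
    """Drop spaces after RDN separators (as the module's preg_replace does) and fold case.
    Simplification: full DN comparison would also normalise attribute types and escapes."""
    return re.sub(r'(?<=,) +(?=[a-zA-Z])', '', dn).lower()

def parse_allowed_groups(setting: str) -> list:
    """The comma separated 'Allowed groups' setting; blank means everyone is allowed."""
    return [g.strip() for g in setting.split(',') if g.strip()]

def user_allowed(username: str, user_dn: str, groups, members_attr: str,
                 allowed_setting: str) -> bool:
    """True if the user is a member of any allowed group (matched by cn).
    'member'-style attributes list DNs; memberUid lists bare usernames, so
    both forms are compared against the user."""
    allowed = set(parse_allowed_groups(allowed_setting))
    if not allowed:
        return True
    for _dn, attrs in groups:
        if not {v.decode() for v in attrs.get('cn', [])} & allowed:
            continue
        members = {normalize_dn(v.decode()) for v in attrs.get(members_attr, [])}
        if normalize_dn(user_dn) in members or username.lower() in members:
            return True
    return False

# Constructed sample groups: one posixGroup (memberUid) and one AD-style group (member).
SAMPLE_GROUPS = [
    ('cn=developers,ou=groups,dc=example,dc=com',
     {'objectClass': [b'posixGroup'], 'cn': [b'developers'], 'memberUid': [b'alice', b'bob']}),
    ('cn=bugtracker,ou=groups,dc=example,dc=com',
     {'objectClass': [b'group'], 'cn': [b'bugtracker'],
      'member': [b'CN=Carol, OU=People, DC=example, DC=com']}),
]

if __name__ == '__main__':
    print(user_filter('person', 'uid', 'al*ice'))
    print(user_allowed('carol', 'cn=carol,ou=people,dc=example,dc=com',
                       SAMPLE_GROUPS, 'member', 'bugtracker'))
```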

Categories

LDAP

Comments 1

 CharlesB
May 22, 2012 (14:08)
Notes about binding to Mac OS X Server (Open Directory):

 * anonymous binding is OK so you don't have to specify user account.
 * Username attribute is uid
 * Full name attribute is cn
 * Email address attribute is mail
 * Group class is posixGroup
 * Group members attribute is memberUid
 * group members are listed with their username and not their distinguished name, so it requires some source code modifications

in authldap/classes/actions.class.php, line 283, replace
$user_dn = $data[$i][strtolower($dn_attr)][0];
with
$username = $data[$i][strtolower($username_attr)][0];

same file, lines 339 and 340 replace
$user_dn
by
$username

in auth_ldap/classes/TBGLDAPAuthentication.class.php, line 196, replace
$fields = array($fullname_attr, $email_attr, 'cn', $dn_attr);
by
$fields = array($fullname_attr, $email_attr, 'cn', $dn_attr, $username_attr);

same file, line 277, replace
$user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $data[0][strtolower($dn_attr)][0]);
by
$username = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $data[0][strtolower($username_attr)][0]);

line 279, replace
$user_dn
by
$username