The following patch has been submitted to members of the development team for hopeful addition to the CVS tree. In the meantime, here it is for everyone to play with. I'd be interested in everyone's experiences using this. Below is a quick summary of what was added and how the patch works.
In the configuration file for Issue Tracker I added the
following new items:
/**
 * LDAP Configuration
 */

/**
 * LDAP Host. If this is left blank, LDAP features of this application are not enabled.
 * This is the address of your Active Directory Server.
 */
define("_LDAPhost_", "ActiveDirectoryServerHost");

/**
 * LDAP Distinguished Name
 * This is where your users are found. It will find the users if they exist in
 * subdirectories under this OU.
 */
define("_LDAPdn_", "OU=clients, DC=domain, DC=com");

/**
 * If Active Directory is used enter the Domain here.
 */
define("_LDAPdomain_", "ActiveDirectoryDomain");

/**
 * Version of the LDAP Directory
 */
define("_LDAPVersion_", "3");

/**
 * LDAP Search Filter
 * This is used to check if the LDAP user who authenticates is part of a group of
 * users who can access the issue-tracker application. If this is left blank, every
 * user that can access the LDAP directory will be able to access the issue-tracker
 * application - important to note especially if your LDAP directory has guest
 * access enabled.
 */
define("_LDAPFilterMemberOf_", "CN=HelpDeskUsers, OU=Applications, DC=domain, DC=com");
The line above should match where you create your application groups. We have ours under Applications and under that we have HelpDeskUsers, FTPUsers, etc. Active Directory users who are part of this group will have access to Issue-Tracker.
We've also set up an e-mail address for this group in case we need to send everyone an e-mail to let them know of updates, changes, etc. to Issue-Tracker.
After this has been set up in Issue-Tracker, you will still need to create the users' profiles in Issue-Tracker. If you don't, the user will log in and get an error message saying that their profile doesn't exist in Issue-Tracker.
We've decided to enter everyone manually, but the LDAP
Authentication patch allows you to use the Register
feature so users can create their own profile. If a
user creates an account in Issue-Tracker that doesn't
exist in Active Directory and/or the Application Group,
they will not have access to Issue-Tracker. They will
get an error that loosely describes what fails.
The one exception to the above is the Issue-Tracker
admin account. It is a stand-alone account that
continues to authenticate locally from the
Issue-Tracker database. We left this so you could get
into the application in case AD went down or was
otherwise unavailable.
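To make the flow described above concrete, here is an added example (my own illustration, not code from the patch or from Issue-Tracker) of an authentication check built on the new config constants: bind to Active Directory as the user, then confirm membership of the group named in _LDAPFilterMemberOf_. The function name ldap_authenticate_user, its return convention (null meaning "LDAP disabled, fall back to the local database", as the patch does for the admin account), the UPN-style bind name and the sAMAccountName/memberOf filter are my assumptions about how such a check would be written for AD; the sample defines are constructed from the values shown in the post.

```php
<?php
// Added example, not the patch's own code. Function name, return convention and
// the AD attribute names used in the filter are assumptions for illustration.

// Constructed sample configuration mirroring the defines the patch adds.
define("_LDAPhost_", "ActiveDirectoryServerHost");
define("_LDAPdn_", "OU=clients, DC=domain, DC=com");
define("_LDAPdomain_", "ActiveDirectoryDomain");
define("_LDAPVersion_", "3");
define("_LDAPFilterMemberOf_", "CN=HelpDeskUsers, OU=Applications, DC=domain, DC=com");

/**
 * Returns true when the credentials bind to AD and the user is in the
 * application group, false on any failure (reason placed in $error), and
 * null when _LDAPhost_ is blank so the caller can authenticate against the
 * local Issue-Tracker database instead (the admin-account path).
 */
function ldap_authenticate_user(string $username, string $password, ?string &$error = null): ?bool
{
    if (_LDAPhost_ === "") {
        return null;  // LDAP features disabled, per the config comment
    }

    // AD answers a bind with an empty password as an anonymous bind and reports
    // success, so an empty password must be refused before we ever call ldap_bind.
    if ($username === "" || $password === "") {
        $error = "empty username or password";
        return false;
    }

    // Restrict the login to characters valid in an AD account name; this also
    // keeps the value safe inside the user@domain bind name built below.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $error = "invalid username";
        return false;
    }

    $conn = ldap_connect(_LDAPhost_);
    if ($conn === false) {
        $error = "cannot reach LDAP host";
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, (int) _LDAPVersion_);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);  // AD referrals would otherwise stall the search

    // Protect the password in transit (not needed if the host is an ldaps:// URL).
    if (!ldap_start_tls($conn)) {
        $error = "STARTTLS failed";
        ldap_unbind($conn);
        return false;
    }

    // Bind as the user using a UPN; AD accepts user@domain without a full DN.
    $bindName = $username . "@" . _LDAPdomain_;
    if (!@ldap_bind($conn, $bindName, $password)) {
        $error = "bad username or password";
        ldap_unbind($conn);
        return false;
    }

    // Group check. Both values are filter-escaped so neither user input nor an
    // odd group DN can change the meaning of the filter. A blank group means
    // "any authenticated directory user", exactly as the config comment warns.
    $filter = "(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
    if (_LDAPFilterMemberOf_ !== "") {
        $filter = "(&" . $filter . "(memberOf="
                . ldap_escape(_LDAPFilterMemberOf_, "", LDAP_ESCAPE_FILTER) . "))";
    }
    $result  = ldap_search($conn, _LDAPdn_, $filter, ["sAMAccountName"]);
    $entries = ($result === false) ? ["count" => 0] : ldap_get_entries($conn, $result);
    ldap_unbind($conn);

    if ($entries["count"] !== 1) {
        $error = "user is not in the application group";
        return false;
    }
    return true;
}

// Usage sketch: a login handler would call this first, treat null as "use the
// local Issue-Tracker password check", and only then look up the user's profile
// (which, as described above, must still exist in Issue-Tracker).
// $ok = ldap_authenticate_user($_POST["user"] ?? "", $_POST["pass"] ?? "", $why);
```

Two points worth noting for anyone adapting this: the empty-password check is what stops an anonymous AD bind from being mistaken for a successful login, and the memberOf lookup runs with the user's own bind rather than a service account, so it only works where users can read their own memberOf attribute (the default in AD).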
This patch is a first step to integrate AD and Issue-Tracker. It doesn't sync the address, phone number and permissions of the users in AD to Issue-Tracker. That becomes a much more challenging problem that would need to be solved for each web application you add in your environment.
This patch was written in such a way that the basic approach could be used in other open-source web tools if needed.
Files modified to enable LDAP Authentication to Active Directory