LDAP integration for Mantis

lkalimas
Posts: 5
Joined: 05 Oct 2008, 23:56

LDAP integration for Mantis

Post by lkalimas »

I am working on LDAP integration for Mantis. I have been examining the following two files: ldap_api.php and authentication_api.php. I am simply lost on what to do. Please clarify the steps towards accomplishing this task.
Leonard
sigmapie
Posts: 6
Joined: 08 Oct 2008, 20:14

Re: LDAP integration for Mantis

Post by sigmapie »

config_inc.php is where you put your LDAP settings.

Here is a copy and paste (with some stuff added and passwords/domain changed of course) from my mantis setup. I am using LDAP.

Code:

        # LDAP
        $g_login_method = LDAP;
        $g_ldap_server = 'ldap://localhost';  # I'm pretty sure just 'localhost' works too
        $g_ldap_port = '389';
        $g_ldap_root_dn = 'ou=people,dc=example,dc=com'; # tutorials also have 'ou=Users,dc=example,dc=com'
        $g_ldap_organisation = '';
        $g_ldap_uid_field = 'uid';
        $g_ldap_bind_dn = 'cn=admin,dc=example,dc=com';  # tutorials also have 'cn=Manager,dc=example,dc=com'
        $g_ldap_bind_passwd = 'supersecretepassword'; 
You only need the following if your LDAP server DOES NOT allow anonymous binds:

Code:

        $g_ldap_bind_dn = 'cn=admin,dc=example,dc=com';  # tutorials also have 'cn=Manager,dc=example,dc=com'
        $g_ldap_bind_passwd = 'supersecretepassword';
lkalimas
Posts: 5
Joined: 05 Oct 2008, 23:56

Re: LDAP integration for Mantis

Post by lkalimas »

Is there any way that I can avoid including "$g_ldap_bind_passwd" in my configuration parameters? Because including a
"system account password" in config_api.php is a huge security vulnerability for my organization. I have tried to simply ignore it and I am getting the following error:
"APPLICATION ERROR #400
Database connection failed. Error received from database was #1049: Unknown database 'bugtracker'"
Please help me out!!

Leonard
lkalimas
Posts: 5
Joined: 05 Oct 2008, 23:56

Re: LDAP integration for Mantis

Post by lkalimas »

Has anyone checked on the Zend Framework LDAP solution? Here is the URL. I am checking on it right now. I really do not know how to implement it in Mantis.

Please let me know if you have any clue on how to implement this advanced solution.
Here is the URL:
http://framework.zend.com/manual/en/zend.ldap.html

Leonard
lkalimas
Posts: 5
Joined: 05 Oct 2008, 23:56

Re: LDAP integration for Mantis

Post by lkalimas »

Anyone know how I can get round the use of the password? I have tried to ignore it, but I keep getting a database connection failure error.
Please help me out.

Leonard
rgomes1997
Posts: 2
Joined: 09 Dec 2008, 01:21

Re: LDAP integration for Mantis

Post by rgomes1997 »

Hi

This is my first post and I'd like to quickly introduce myself.
My name is Richard Gomes and I'm interested on integrating Mantis into our infrastructure at
http://www.jquantlib.org/

Some background:

We have already made MediaWiki authenticate against our LDAP server and we have a pretty good understanding of LDAP, Kerberos, Linux and Java, but a very scarce knowledge of PHP. I changed a MediaWiki extension called LdapAuthentication in order to make it a little bit smarter and it took me a lot of time :(

My question is:

It seems that Mantis tries to authenticate as 'administrator/root' against my LDAP server.
It does not matter if I use my 'test/secret' user in the Mantis login_page or leave anonymous authentication: Mantis always tries to authenticate as 'administrator/root' before any other operation. I mean: it does not even try to bind as test/secret because the bind as administrator/root failed. It seems (from the sources) that Mantis uses the username associated with user id=1 (which is 'administrator'), but I'm not sure which password Mantis adopts. I haven't found any place where I could configure the bind user/bind password to be used by Mantis for write operations on LDAP and other privileged operations.

What am I doing wrong?

Also: I've read somewhere that I need to create users in the Mantis database, I mean: creating users in LDAP is not enough.
What's the current status regarding this subject? I'm using Mantis 1.2a-beta.

Thanks

Richard Gomes
http://www.jquantlib.org/index.php/User:RichardGomes
rgomes1997
Posts: 2
Joined: 09 Dec 2008, 01:21

Re: LDAP integration for Mantis

Post by rgomes1997 »

I'd like to contribute some diagnostics:

Entering auth_does_password_match :: 1 :: root
t_configured_login_method=LDAP
Entering ldap_authenticate :: 1 :: root
Entering ldap_connect_bind :: ::
1: Reading bind configuration
2 Binding with cn=admin,dc=jquantlib,dc=org :: secret
4: bind succeeded :)
Leaving ldap_connect_bind
-------------------------------
t_ldap_root_dn=ou=People,dc=jquantlib,dc=org
t_ldap_uid_fild=uid
t_ldap_organization=(objectClass=inetOrgPerson)
t_search_filter=(&(objectClass=inetOrgPerson)(uid=administrator))
t_search_attrs=Array
t_info[1]=
-------------------------------
Leaving ldap_authenticate

What it means is:

1. ldap_connect_bind works as expected, picking the userDN and userPassword from the configuration file.

2. ldap_authenticate tries to authenticate to dn=uid=administrator,ou=People,dc=jquantlib,dc=org whilst it shouldn't... because I've entered test5/secret in login_page.php and this is the username I'm interested in authenticating, not the administrator.

I've seen some other posts about this behaviour: Mantis depends on internal user_ids, stored in its database, in order to obtain the userDN which will be used to communicate with LDAP. This is undesirable, IMHO, because it creates an unneeded dependency between 2 distinct databases.

For the time being, I will:
a) try to reinstall Mantis and define 'mantisadmin' instead of 'administrator'. At the moment, I don't know if it can be done :/
b) make sure the Mantis internal database and LDAP are synchronized.

My contribution:
My interest in Mantis is only as an end-user, but I could dedicate some effort to test driving Mantis with OpenLDAP.

Suggestion:
1. use usernames instead of userids in the internal Mantis database.
2. use the username/password entered in login_page to authenticate, no matter which authentication database is used.
3. in the case LDAP is used, profile information regarding the user would not be stored in the Mantis internal database, but would be stored in a specific mantis.schema, in the LDAP server.
4. when a new user is created, Mantis could automagically assign inetorgperson.schema and mantis.schema to the newly created LDAP entry.

Obviously it means that, on the OpenLDAP side, a mantis.schema must be installed.
IMHO, this is good because a search filter (&(objectClass=mantis)(uid=test)) makes sure that a certain uid is a valid Mantis user.

A good source of ideas is ...
http://svn.wikimedia.org/viewvc/mediawi ... ntication/
... which is a MediaWiki extension able to create users in OpenLDAP and M$AD.


A side note, and certainly not relevant to the Mantis team... just intended to share some ideas:

SSO (single sign-on) can be obtained easily by adding the krb5Principal and krb5KDCEntry schemas to the newly created user (and some other details I prefer not to mention here). This is certainly out of scope for Mantis new user creation because it's not Mantis' responsibility to define a username/password for enterprise SSO authentication ... neither MediaWiki's responsibility... nor that of any other end-user application. A separate user administration tool and workflow is certainly needed. I've spent several days looking for something like this and I haven't found anything. :( Even though it's not relevant, this is something which will happen sooner or later, as applications evolve to enterprise-level quality and integration.

Cheers :)

Richard Gomes
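The two posts above (sigmapie's config_inc.php settings and Richard's ldap_connect_bind / ldap_authenticate trace) describe the same three-step flow: bind with the configured service account, search the root DN for the entry whose uid matches the login name, then bind as that entry with the password typed into login_page.php. The following is an added example of that flow written for this thread; it is not code from ldap_api.php or any other Mantis file. It shows two things the thread raises: Leonard's wish to keep $g_ldap_bind_passwd out of the config file (here the secret is read from an environment variable or a root-owned file, both hypothetical names), and the fact that the uid from the login form ends up inside an LDAP search filter, so it is escaped with ldap_escape() before use. The server, root DN and bind DN are constructed values, not anyone's real setup.

```php
<?php
// Added example (not Mantis code): service-bind, search for the user's DN,
// then bind as the user. Server/DN values below are constructed.

function mantis_example_read_bind_password(): string
{
    // Assumption: the secret lives outside config_inc.php, either in an
    // environment variable or in a file readable only by the web server user.
    $pw = getenv('MANTIS_LDAP_BIND_PASSWD');           // hypothetical variable
    if ($pw === false) {
        $file = '/etc/mantis/ldap_bind_passwd';         // hypothetical path
        $pw = trim((string) @file_get_contents($file));
    }
    if ($pw === '') {
        throw new RuntimeException('LDAP bind password is not available');
    }
    return $pw;
}

function mantis_example_verify_user(string $username, string $password): bool
{
    $server    = 'ldap://localhost';             // constructed, cf. $g_ldap_server
    $root_dn   = 'ou=People,dc=example,dc=com';  // constructed, cf. $g_ldap_root_dn
    $bind_dn   = 'cn=admin,dc=example,dc=com';   // constructed, cf. $g_ldap_bind_dn
    $uid_field = 'uid';                          // cf. $g_ldap_uid_field

    // An empty password makes ldap_bind() perform an anonymous bind, which
    // would "succeed" for any uid, so refuse it before touching the server.
    if ($username === '' || $password === '') {
        return false;
    }

    $ds = ldap_connect($server);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the service account so the search is permitted
    // (this is the "Binding with cn=admin,..." line in Richard's trace).
    if (!@ldap_bind($ds, $bind_dn, mantis_example_read_bind_password())) {
        ldap_close($ds);
        return false;
    }

    // Step 2: find the DN whose uid equals the login name. The name comes
    // from the login form, so it is escaped for the filter context; a raw
    // '*' or ')' in it would otherwise change the meaning of the search.
    $filter = sprintf(
        '(&(objectClass=inetOrgPerson)(%s=%s))',
        $uid_field,
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $sr      = @ldap_search($ds, $root_dn, $filter, ['dn']);
    $entries = ($sr !== false) ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ds);
        return false;   // unknown user, or more than one match
    }
    $user_dn = $entries[0]['dn'];

    // Step 3: bind as the user with the password from login_page.php.
    // This is the step Richard's trace never reaches, because the search
    // is done for uid=administrator instead of the name that was typed in.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_close($ds);
    return $ok;
}

// Usage (credentials are whatever the login form submitted):
// var_dump(mantis_example_verify_user($_POST['username'], $_POST['password']));
```

Note that step 1 still needs a readable bind secret somewhere on the server; moving it out of config_inc.php narrows who can read it (the web server user instead of anyone who can read the PHP tree or a backup of it) but does not remove it. If the directory allows anonymous search, as sigmapie's second snippet describes, step 1 can bind without credentials and no stored secret is needed at all.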