ActiveDirectory/LDAP authentication woes

clarkritchie
Posts: 3
Joined: 12 Mar 2008, 23:25

ActiveDirectory/LDAP authentication woes

Post by clarkritchie »

I can't seem to get ActiveDirectory/LDAP authentication working with Mantis 1.1.1. I’ve searched and searched and am about to give up.

I’m confident my LDAP bind is working. When I make changes to fields such as $g_ldap_bind_dn, $g_ldap_server, etc. Mantis gives me errors consistent with said changes. e.g. the Mantis login page says “LDAP Authentication Failed” when I change $g_ldap_bind_passwd to something that is incorrect.

I just can’t figure out what else might be going on. I've tried every permutation for each of the values that I can think of -- IP address, hostname, ldap://hostname, ldap://hostname:389, protocol, base DN, etc. Nothing seems to work. Is there any way to crank out some logging?

I do have two other PHP applications authenticating against ActiveDirectory using LDAP from the same subnet, so I’m highly confident the far end of this is configured and working correctly.

Any thoughts? :?:

Code:

$g_login_method = LDAP;
#$g_ldap_server  = 'drone';
$g_ldap_server  = 'ldap://drone/';
#$g_ldap_port    = '389';
$g_ldap_root_dn = 'OU=Staff,DC=XXX,DC=com';
$g_ldap_uid_field = 'sAMAccountName';
#$g_ldap_bind_dn = 'CN=LDAP,CN=Users,DC=XXX,DC=com';
#$g_ldap_bind_dn = 'LDAP';
$g_ldap_bind_dn = 'LDAP@XXX.com';

#$g_ldap_bind_dn = 'LDAP@XXX.com';
$g_ldap_bind_passwd = 'secret';
#$g_use_ldap_email = 'ON';
$g_ldap_protocol_version = 3;
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Re: ActiveDirectory/LDAP authentication woes

Post by vboctor »

This LDAP code was contributed some time ago. None of the core developers is using it, and hence it is not getting a lot of attention.

Do you know that you have to create accounts for users? LDAP integration uses LDAP to check the password and possibly the email address.

I am interested to know what other PHP projects you are using. If they are open source, then we may be able to use them as a reference for improving our LDAP integration. If/when we get to it.
clarkritchie
Posts: 3
Joined: 12 Mar 2008, 23:25

Re: ActiveDirectory/LDAP authentication woes

Post by clarkritchie »

I see. Well, darn.

FWIW the other two apps we use today are ClearSpace (J2EE) and Copper Project (PHP). Neither is open source, but both use authenticated binds to do LDAP authentication.

I'm very keen to get this working and will try to spend some more time with it this week. Is there a way to enable Mantis debugging?
hdezmora
Posts: 7
Joined: 30 May 2008, 02:01

Re: ActiveDirectory/LDAP authentication woes

Post by hdezmora »

Hello there,
We are trying to integrate ActiveDirectory/LDAP with Mantis as clarkritchie has tried to do. Could you please confirm if it isn't possible to configure ActiveDirectory LDAP authentication for Mantis? We have tried to do this configuration without any success. Here is what we have in config_inc.php:

$g_login_method = LDAP;
$g_ldap_server = 'ldap://myserver.domain/';
$g_ldap_port = '636';
$g_ldap_root_dn = 'ou=MyUsers,dc=domain';
$g_ldap_organization = '(organizationname=*TARGET)';
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'cn=MyBindUser,ou=MyUsers,dc=domain';
$g_ldap_bind_passwd = 'MySecretPassword';
$g_use_ldap_email = ON; # Should we send to the LDAP email address or what MySql tells us

# The LDAP Protocol Version, if 0, then the protocol version is not set.
$g_ldap_protocol_version = 0;

Also, we made the following changes to core/ldap_api.php:

$t_ldap_organization = config_get( 'ldap_organization' );
$t_ldap_root_dn = config_get( 'ldap_root_dn' );
$t_ldap_host = config_get( 'ldap_server' );
$t_ldap_port = config_get( 'ldap_port' );
$t_username = user_get_field( $p_user_id, 'username' );
$t_ldap_uid_field = config_get( 'ldap_uid_field', 'uid' ) ;
$t_search_filter = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
$t_search_attrs = array( $t_ldap_uid_field, 'dn' );

and

# Attempt to bind with the DN and password
if ( @ldap_bind( $t_ds, $t_user, $p_password ) ) {
	$t_authenticated = true;
	return $t_authenticated;
}

I am not sure if we have to do additional configuration. We are running an apache server, v2.0.59, php v5.2.6 and mysql v5.0.22-2.2.el5 on a Red Hat Enterprise Linux Server release 5.1. Any help will be really appreciated. Thanks in advance.
-Hugo
hdezmora
Posts: 7
Joined: 30 May 2008, 02:01

Re: ActiveDirectory/LDAP authentication woes

Post by hdezmora »

and we are using Mantis 1.1.1
clarkritchie
Posts: 3
Joined: 12 Mar 2008, 23:25

Re: ActiveDirectory/LDAP authentication woes

Post by clarkritchie »

hdezmora, I don't think it works. We gave up on Mantis in favor of another solution.
hdezmora
Posts: 7
Joined: 30 May 2008, 02:01

Re: ActiveDirectory/LDAP authentication woes

Post by hdezmora »

Well, I have changed my Mantis configuration and now the LDAP authentication is working correctly. Now, the question is whether it is possible to have the default authentication method working together with the LDAP authentication method. Thoughts?

Here is what I changed in my config_inc.php:

#############################
# Mantis LDAP Settings
#############################

$g_login_method = LDAP;


# look in README.LDAP for details
# --- using openldap -------------
$g_ldap_server = 'ldap://myserver.domain/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'ou=MyUsers,dc=domain';
$g_ldap_organization = ' ';
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'DOMAIN\\MyBindUser';
$g_ldap_bind_passwd = 'MySecretPassword';
$g_use_ldap_email = ON; # Should we send to the LDAP email address or what MySql tells us
$g_ldap_protocol_version = 3;
Techie-Micheal
Posts: 2
Joined: 16 Jun 2008, 22:00

Re: ActiveDirectory/LDAP authentication woes

Post by Techie-Micheal »

vboctor wrote:
> This LDAP code was contributed some time ago. None of the core developers is using it, and hence it is not getting a lot of attention.
>
> Do you know that you have to create accounts for users? LDAP integration uses LDAP to check the password and possibly the email address.
>
> I am interested to know what other PHP projects you are using. If they are open source, then we may be able to use them as a reference for improving our LDAP integration. If/when we get to it.

*cough*phpBB3*cough* You are using the product. :P Yes, it has LDAP code.
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Re: ActiveDirectory/LDAP authentication woes

Post by vboctor »

I've added a link (in the recipes page) to an article that describes steps for setting up LDAP support in Mantis. It might be of help.
http://www.mantisbt.org/wiki/doku.php/m ... s_recipies
hdezmora
Posts: 7
Joined: 30 May 2008, 02:01

Re: ActiveDirectory/LDAP authentication woes

Post by hdezmora »

hey vboctor,
Thanks for the info you provided to us. I have tried to follow the instructions found in http://phprelated.blogspot.com/2008/06/ ... login.html but I am curious about steps 4 and 5. Could you give me additional hints about how to work on the manage_user_*.php scripts?
Thanks in advance,
- Hugo
kingphil69
Posts: 1
Joined: 14 Mar 2011, 14:46

Re: ActiveDirectory/LDAP authentication woes

Post by kingphil69 »

The documentation is rather iffy on this topic, so here's what I had to do to get this working for me.
Active Directory (auth against 2008r2) / with MANTISBT running on CentOS 5.5 with all updates to today (3/14/11)
The following goes into Config_inc.php

$g_login_method = LDAP;
$g_ldap_server = 'ldap://SERVERNAME/';
$g_ldap_port = 389;
$g_ldap_root_dn = 'CN=Users,DC=DOMAINNAME,DC=com';
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_realname_field = 'cn';
$g_ldap_bind_dn = 'CN=FIRSTNAME LASTNAME,OU=Users,DC=DOMAIN,DC=com';
$g_ldap_bind_passwd = 'PASSWORD';
$g_use_ldap_email = ON;
$g_use_ldap_realname = OFF;
$g_ldap_protocol_version = 3;
$g_ldap_follow_referrals = OFF;

Sometimes you have to edit these options in config_defaults_inc.php AND in Config_inc.php. I'm not a coder, I don't know why, but this worked for me. As long as the lines are exactly the same there should be no issues. So copy the lines from config_defaults_inc and paste them into your config_inc so formatting is left correctly. "Follow Referrals" is VERY important. AD does not give a referral, resulting in a blank page with no error messages....

Naturally, usernames and passwords have been modified to protect the innocent. Any correlation to actual names and events is sheer coincidence.
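
The settings discussed in this thread drive a three-step sequence (service-account bind, user search, re-bind as the user), and running that sequence outside Mantis shows which step fails and with what LDAP error. The PHP script below is an added example, not MantisBT code or any poster's code; the function name `ad_login_check`, the host, DNs and credentials are placeholders, and it assumes two things the thread's configs do not cover: it requires StartTLS on `ldap://` URIs and it rejects empty passwords.

```php
<?php
// Added diagnostic sketch, not MantisBT code. Needs PHP's ldap extension (ldap_escape: PHP 5.6+).
function ad_login_check($uri, $bindDn, $bindPw, $baseDn, $uidField, $username, $password)
{
    // An empty password turns a simple bind into an unauthenticated bind, which
    // a directory server may accept as success; refuse it before touching the directory.
    if ($username === '' || $password === '') {
        return 'rejected: empty username or password';
    }
    $ds = ldap_connect($uri); // parses the URI only; no network traffic yet
    if ($ds === false) {
        return 'connect: invalid LDAP URI';
    }
    // Protocol 3 and no referral chasing, as in the working configs in this thread.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // ldap:// on port 389 is cleartext: require StartTLS so bind passwords are encrypted.
    if (stripos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        return 'starttls: ' . ldap_error($ds);
    }
    // Step 1: service-account bind ($g_ldap_bind_dn / $g_ldap_bind_passwd).
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        return 'service bind: ' . ldap_error($ds);
    }
    // Step 2: find the user's DN; escape the name so it cannot alter the filter.
    $filter = "($uidField=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($ds, $baseDn, $filter, array($uidField));
    if ($result === false) {
        return 'search: ' . ldap_error($ds);
    }
    $entries = ldap_get_entries($ds, $result);
    if ($entries === false || $entries['count'] !== 1) {
        return "search: expected exactly 1 entry for $filter";
    }
    // Step 3: re-bind as that DN to verify the user's password.
    if (!@ldap_bind($ds, $entries[0]['dn'], $password)) {
        return 'user bind: ' . ldap_error($ds);
    }
    return 'ok: ' . $entries[0]['dn'];
}

// Constructed placeholder values; replace them before running from the CLI.
echo ad_login_check('ldap://SERVERNAME/', 'CN=BindUser,CN=Users,DC=example,DC=com',
    'PASSWORD', 'CN=Users,DC=example,DC=com', 'sAMAccountName', 'jdoe', 'USERPASSWORD'), PHP_EOL;
```

The returned string names the failing step, so a wrong bind DN format, a base DN that does not contain the user, and a bad user password can be told apart.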