Mantis on Linux with LDAP authentication against a Win2k3 DC

Posted: 01 Jun 2007, 18:44
by DGhost
Hello!

I have been reading the documentation of Mantis for the last week and so far I am only getting lost in it regarding the proper configuration for setting up the authentication mechanism of Mantis with a Windows Server 2003 Domain Controller.

My current setup is as follows:

Mantis is installed on a Linux Red Hat ES 4 server running Apache. That server already has Samba configured to authenticate against our domain controller, which is running Windows Server 2003 (through pam.d).

The installation of Mantis is running fine; I have set up an administrator account in the local DB of Mantis on that Linux server. Now all I want is for the users of the office to be able to log into Mantis using their credentials from the Domain Controller. I have tried a lot of different setups in the config_inc.php file but alas, to no avail so far.

I am wondering first of all, has anybody successfully set up a similar environment for Mantis? (i.e. Mantis on a Linux server with authentication against a Windows 2K3 DC). Don't tell me that it is working fine on your Windows server only, I am not interested in that. Again, a lot of people don't understand that setup: Mantis is on a Linux server and I want the authentication to be done against a Windows 2003 Domain Controller.

And if yes, what is the problem with my setup in config_inc.php? Here's my config file with the server name and our domain name changed:
$g_login_method = 'LDAP';
$g_ldap_server = 'ldaps://servername.domain.local/';
$g_ldap_root_dn = 'dc=domain, dc=local';
$g_ldap_uid_field = 'cn';
$g_use_ldap_email = 'OFF';
$g_ldap_bind_dn = 'ou=Users, dc=domain, dc=local';
$g_ldap_protocol_version = 3;
I am not specifying the LDAP port since I am using the default one. Also, after reading 10 times in a row the web page regarding the configuration of the authentication mechanism (http://www.mantisbt.org/manual/manual.c ... cation.php), I am wondering what $g_ldap_uid_field = 'sAMAccountName'; is. This account name doesn't mean anything to me. I mean, do we have to enter the name of an actual existing account? Or is this line more related to Novell LDAP? I have tried with 'cn' as per the suggestion in a message on that same web page. If I can make it work, I would definitely post a HOW TO for this specific setup since I didn't find anything helpful so far.

Thank you in advance for any useful advice!

PS: I forgot to mention that I am running Mantis 1.0.7 on Apache 2.0. Also, I already have Apache authentication working against the same Win2k3 DC.

DGhost

Posted: 06 Jun 2007, 21:58
by DGhost
Alright, so here is an update on the problem I am still working on.

After reading, again, a lot of posts in this forum and googling the problem, I have updated the config_inc.php file with the following:
#LDAP connectivity
$g_login_method = LDAP;
$g_ldap_server = 'ldap://server.domain.local';
$g_ldap_root_dn = 'DC=domain,DC=local';
$g_ldap_uid_field = 'sAMAccountName';
$g_use_ldap_email = 'OFF';
$g_ldap_bind_dn = 'CN=adminuser,OU=Users,DC=domain,DC=local';
$g_ldap_bind_passwd = 'secretpassword';
$g_ldap_protocol_version = 3;
Now here is what is happening:

- The user can sign up for a new account.
- The user receives the email for confirming the account creation.
- The user is then able to confirm the account creation and is automatically logged into Mantis when loading the Mantis web page through the link received in the confirmation email. At this point the user has access to Mantis.

But as soon as the user logs out of Mantis and tries to log back in using his Active Directory credentials, hosted on the Windows 2003 DC, the web page being loaded gives an error saying:

APPLICATION ERROR #1400
LDAP Authentication Failed

Another quick question: I am trying to enable the system logging of Mantis without any success so far. From the documentation I have also added the following 2 lines in config_inc.php:
#Log settings
$g_log_level = LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:/var/log/mantis_log';
That file has stayed empty so far. Did I miss something for enabling the log?

Thank you for any advice!

LDAP authentication resolved!

Posted: 13 Jun 2007, 19:12
by DGhost
So finally, I got it working after more than 2 weeks of working on it, on and off... Here is my configuration file config_inc.php and some things that I have learned during the setup. Hope this might help somebody else in the future:
#LDAP connectivity
$g_login_method = LDAP;
$g_ldap_server = 'ldap://servername.domain.local/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'CN=Users,DC=domain,DC=local';
#$g_ldap_organization = 'Company name';
$g_ldap_uid_field = 'sAMAccountName';
$g_use_ldap_email = 'ON';
$g_ldap_bind_dn = 'user@domain.local';
$g_ldap_bind_passwd = 'secretpassword';
$g_ldap_protocol_version = 3;
Like I said, my authentication is done from Mantis running on Apache on Red Hat ES 4 against the Domain Controller of the company, running Windows Server 2003. The biggest problem that I had was the parameter $g_ldap_bind_dn, which used to be 'CN=adminuser,OU=Users,DC=domain,DC=local'. It never worked with this entry; instead, when I changed it to the new format of Windows LDAP, i.e. user@domain.local, it worked right away. This setting will be different if you are authenticating against an LDAP running on Linux, Novell or whatever else you are using for storing your user accounts.

On the first line, notice that it is $g_login_method = LDAP; and NOT 'LDAP'. This is very important: do not put the word LDAP in ' '.

For the LDAP port, you can use the regular port of 389 for LDAP communication, but on the $g_ldap_server line you'll have to specify that the protocol being used is ldap:// and NOT ldaps://. If you are using ldaps://, it's because you are specifying LDAP over SSL instead, and it's running on a different port, 636 (you can look at this web page for more details regarding the ports used by LDAP: http://www.petri.co.il/ports_used_by_exchange.htm). I won't go into the details of configuring LDAP communication with SSL since this is another story.

For the line that gives the user@domain ($g_ldap_bind_dn = ), make sure that you are using a username that already exists in the SAM database of users on your Domain Controller. You'll also have to enter the password of this account, since this is the account used to make the query in the SAM DB. The account being used in my case is also an admin account. I didn't try with an account that is not an admin account, but my guess would be that it should work. Can somebody confirm this? Anyway, I feel like I am only talking to myself in this forum.

The users in the office only need to sign up for a new account; they get the email, they confirm the validation process and there you go, the user can now log in to Mantis using his Windows credentials.

Hope this might help you!

Posted: 14 Jun 2007, 05:10
by deboutv
DGhost wrote:
Another quick question: I am trying to enable the system logging of Mantis without any success so far. From the documentation I have also added the following 2 lines in config_inc.php:
#Log settings
$g_log_level = LOG_EMAIL_RECIPIENT;
$g_log_destination = 'file:/var/log/mantis_log';
That file has stayed empty so far. Did I miss something for enabling the log?

Thank you for any advice!
This is used to log the email actions.

Bind-dn account needs only read access

Posted: 13 Jul 2007, 02:06
by karryn
I haven't checked the forums lately (been doing the ldap authentication thing for JasperServer instead!), or I would have tried to assist.

The account that is used to bind to Active Directory does NOT need to be an admin account. The account I use was specifically set up to be used for this purpose, and has read-only access.

Mantis was my first experience getting an application on a Linux (Ubuntu) system authenticating against Active Directory. I found it easier to make it work first by writing a little PHP module to access AD instead of changing the config file over and over again.

Posted: 25 Jul 2007, 19:07
by roleary
DGHost -

Just want to assure you that you're not talking to yourself. After trying this for HOURS, I finally came across your post and got it working. So, THANK YOU!!

FYI - Here's my config:
$g_login_method = LDAP;
$g_ldap_server = 'ldap://pe1800';
#$g_ldap_port = '389';
$g_ldap_root_dn = 'ou=employees,dc=mycompany, dc=com';
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_bind_dn = 'mantis@mycompany.com';
$g_ldap_bind_passwd = 'mantis';
$g_ldap_protocol_version = 3;
I created a "mantis" user in Active Directory that I removed from any important group and denied actual logins to any computer, so hopefully all that user can really do is bind to the server, which works fine.

Thanks again.

- O

Posted: 05 Aug 2007, 13:01
by Bijesz
Hi,

It must be a configuration issue of the AD, but in our environment we have to omit the "ldap://" prefix in $g_ldap_server.

Took me some time to figure it out; probably someone will read this and save some time.

Thanks a ton DGhost

Posted: 24 Aug 2007, 08:59
by nitya
DGhost, one big hug for you! I spent a few weeks struggling to make Mantis LDAP work with my company's AD. It's working like a charm now. My params look like this:

$g_login_method = LDAP;
$g_ldap_server = 'ldap://192.111.11.55/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=com';
#$g_ldap_organization = 'xxx';
$g_ldap_uid_field = 'sAMAccountName';
$g_use_ldap_email = 'ON';
$g_ldap_bind_dn = 'myuserid@ad.xxx.com';
$g_ldap_bind_passwd = 'xxx';
$g_ldap_protocol_version = 3;

My debrief for anyone who wants to configure mantis to work with their company LDAP server.

1) Call up the network admin folks and ask them for the server IP and port.
2) If you or your network support group are unsure of what the value for $g_ldap_root_dn might be, don't worry. Get yourself an LDAP browser so that you can check out what your company's AD looks like. If you use Eclipse, you could pick up the LDAP browser plugin from here:

http://sourceforge.net/projects/elbe
(Usage of this plugin: go to Window --> Open Perspective --> Other --> LDAP Browser)

Create an LDAP connection with the server. Now search for your user ID using the search tool that comes bundled with the browser. Once you find your user ID, take a look at its properties in the right pane. There will be this DN parameter right on top of the screen. This is your root DN: knock off your username and paste the part after that.

It should work.

Also, please don't expect to be logged in miraculously when all this is done. You'll still need to sign up for a new account. It'll send you a mail, you'll need to use a link and log back in. (Smart people on these forums have found ways around this; I haven't gotten around to doing that yet. Will keep you updated.)

Send me mail in case you're getting stuck somewhere, I'll try to help.

Cheers
Nitya
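
An added stand-alone bind check, not code from Mantis or from anyone in this thread, that walks the same bind, search and bind-as-user sequence an LDAP login takes, using the settings discussed above: DGhost's user@domain bind DN and ldap:// on 389, karryn's read-only bind account, and nitya's root DN discovery done by trimming the user's DN. The server name, bind account, password and test user are placeholders; it assumes PHP 7+ with ext/ldap.

```php
<?php
// Added stand-alone bind check (not Mantis code). Requires PHP 7+ with ext/ldap.
// Values below are placeholders; replace them with your own settings from config_inc.php.
$server    = 'ldap://servername.domain.local:389';   // ldap:// on 389; ldaps:// would need 636 and TLS setup
$root_dn   = 'CN=Users,DC=domain,DC=local';           // $g_ldap_root_dn
$bind_dn   = 'mantis-bind@domain.local';              // $g_ldap_bind_dn in the user@domain form AD accepts
$bind_pw   = 'PLACEHOLDER_BIND_PASSWORD';             // $g_ldap_bind_passwd; a read-only account is enough
$uid_attr  = 'sAMAccountName';                        // $g_ldap_uid_field
$test_user = $argv[1] ?? 'jdoe';                      // login name to test, e.g. php ldaptest.php jdoe

$ds = ldap_connect($server);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // $g_ldap_protocol_version = 3
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // AD hands out referrals that make searches fail otherwise

// Step 1: bind with the service account; without this the search below is not allowed.
if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
    fwrite(STDERR, "service bind failed: " . ldap_error($ds) . "\n");   // "Invalid credentials": wrong DN form or password
    exit(1);
}
echo "service bind OK\n";

// Step 2: find the user's entry below the root DN by the uid attribute.
$filter  = '(' . $uid_attr . '=' . ldap_escape($test_user, '', LDAP_ESCAPE_FILTER) . ')';
$sr      = ldap_search($ds, $root_dn, $filter, ['mail']);
$entries = ldap_get_entries($ds, $sr);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "found {$entries['count']} entries for $test_user under $root_dn; check \$g_ldap_root_dn\n");
    exit(1);
}
$user_dn = $entries[0]['dn'];
echo "user DN: $user_dn\n";
echo "mail:    " . ($entries[0]['mail'][0] ?? '(none)') . "\n";   // what $g_use_ldap_email = 'ON' pulls in

// nitya's tip, automated: drop the first RDN of the user's DN to get a usable $g_ldap_root_dn.
$rdns = ldap_explode_dn($user_dn, 0);
unset($rdns['count']);
array_shift($rdns);
echo "root DN that contains this user: " . implode(',', $rdns) . "\n";

// Step 3: bind as the user with the password they would type at the Mantis login form.
echo "password for $test_user: ";
$user_pw = rtrim((string) fgets(STDIN), "\r\n");
if ($user_pw === '') {
    // An empty password turns this into an anonymous bind, which AD typically accepts; never treat that as a login.
    fwrite(STDERR, "empty password refused\n");
    exit(1);
}
echo @ldap_bind($ds, $user_dn, $user_pw) ? "user login OK\n" : "user login failed: " . ldap_error($ds) . "\n";
ldap_unbind($ds);
```

If step 1 fails with the CN=...,OU=Users form but succeeds with user@domain, or step 2 returns 0 entries, the corresponding config_inc.php value is the one to fix.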