====== Active directory settings ======

===== Introduction =====

This page describes how to configure Mantis to authenticate against Active Directory.

===== General principles =====

Mantis can currently use Active Directory for the following purposes:

  * Check the user's password.
  * Retrieve the user's mail address (optional).

Users must be created manually in Mantis using the same login as in Active Directory. The procedure works as follows:

  - Connect to Active Directory using the LDAP protocol and search for the user by login. A generic (service) account is used for this bind.
  - If an entry is found, bind to Active Directory using the DN of that entry and the password supplied by the user. If several entries are found, each of them is tried until one succeeds.
  - If the bind succeeds, and if the option is enabled, the user's mail address is retrieved from Active Directory.

===== General LDAP configuration =====

The following parameters must be set in the config_inc.php file:

  * $g_login_method = LDAP;
  * $g_ldap_server = 'ldap://yourservername:389'; # or $g_ldap_server = 'ldaps://yourservername:636';
  * Do not use $g_ldap_port, since it is deprecated.
  * $g_ldap_root_dn = "OU=your_organization_RDN,DC=your_organization_RDN,DC=your_organization_RDN"; # The root DN under which users are searched, e.g. 'ou=people,dc=example,dc=com'
  * $g_ldap_bind_dn = 'full_DN_entry_for_generic_user'; # A system account used to log in to LDAP, e.g. 'cn=Robert Smith,ou=people,dc=example,dc=com'
  * $g_ldap_bind_passwd = '******'; # System account password
  * $g_ldap_organization = ''; # An additional filter that may be added to the search query. Leave it empty at first; a filter such as '(objectClass=person)' may be added later to narrow the search.

If you want to use the e-mail address defined in Active Directory instead of the one entered when the Mantis account was created, you must add the following parameter:

  * $g_use_ldap_email = ON;

===== Specific Active Directory configuration =====

You must add the following parameters in the config_inc.php file:

  * $g_ldap_protocol_version = 3;
  * $g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory; this is the name of the attribute used to search for a user.

Additionally, make sure not to use the root of your domain for the $g_ldap_root_dn parameter. If you search from the root of your domain, i.e. just dc=company,dc=com, then Active Directory, in addition to the search results you expected, will also return referrals to the other directory partitions, which confuse the current implementation and cause an error.
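The search-then-bind sequence described above, as an added example in Python (not Mantis's own code): the directory is a constructed in-memory stand-in rather than a live LDAP connection, and the filter escaping and the empty-password check are precautions added here, not taken from this page.

```python
import re

# Constructed stand-in for Active Directory: DN -> attributes plus the password that binds.
# Two entries share the login "jdoe" to show that each candidate DN is tried in turn.
FAKE_AD = {
    "CN=Jane Doe,OU=people,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "objectClass": "person",
        "mail": "jane.doe@example.com", "password": "correct horse",
    },
    "CN=jdoe (old),OU=disabled,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "objectClass": "person",
        "mail": "old@example.com", "password": "retired",
    },
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied login before placing it in an LDAP filter (RFC 4515)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_search_filter(uid_field: str, login: str, organization_filter: str = "") -> str:
    """Build the search filter: ($g_ldap_uid_field=login), ANDed with $g_ldap_organization if set."""
    base = f"({uid_field}={escape_filter_value(login)})"
    return f"(&{base}{organization_filter})" if organization_filter else base

def search(directory: dict, root_dn: str, uid_field: str, login: str) -> list:
    """Step 1: with the generic account, find entries under root_dn whose uid_field equals login."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith(root_dn) and attrs.get(uid_field) == login]

def bind(directory: dict, dn: str, password: str) -> bool:
    """Step 2: bind as dn. An empty password is refused, since LDAP treats it as an anonymous bind."""
    return bool(password) and directory[dn]["password"] == password

def authenticate(directory: dict, login: str, password: str,
                 root_dn: str = "OU=people,DC=example,DC=com",
                 uid_field: str = "sAMAccountName", use_ldap_email: bool = True):
    """Try every matching DN until one binds; return (dn, mail) on success, None otherwise."""
    for dn in search(directory, root_dn, uid_field, login):
        if bind(directory, dn, password):
            mail = directory[dn].get("mail") if use_ldap_email else None
            return dn, mail
    return None
```

With the root DN set to the domain root, both entries match and the second one binds with its own password, which is why a narrow $g_ldap_root_dn is preferable.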