Saturday, January 23, 2010

Redmine LDAP Integration - Active Directory Configuration

After you have Redmine installed and configured to the point where you can log in - go ahead and do so. Browse to Administration>Settings>Authentication tab>LDAP Configuration (in the bottom right).

Before you start changing things here, there are a few things to keep in mind that will save you some time. Realize that you can't do an anonymous bind to Active Directory, so you need to specify a valid set of credentials for a service account. Now, I suppose they could have done something different here to reduce the configuration work, like relying on the user's own login credentials and passing them through to query AD. But in any event, a normal domain user account should do just fine: anything that can query Active Directory. Why a domain account? Think about it another way: if someone plugged their laptop into your network, would they be able to query AD for user or computer objects? No, they wouldn't, because they'd be anonymous. Even if they knew your domain name, had a domain controller's IP address, the distinguished name, etc., no luck. So create a service account. Just FYI, my domain was at the 2003 domain functional level.

As far as the Base DN goes, keep it simple: base DN means base. You probably don't want CN=Users, or CN=MyBusiness, or anything like that. In my case, I specified DC=domain,DC=local. As for the attributes, they all come right out of Active Directory; there are a bunch of places you could look them up if you wanted to spend the time, and a bunch of sites that already have this stuff listed (see my config below).

When you're specifying the attributes, keep in mind that you don't want any extra (blank) spaces after the attribute names. For instance, it should be 'SAMAccountName' (no quotes), NOT 'SAMAccountName '. If you add a space, it breaks. If you leave those "optional" attributes empty, it breaks. Also, just FYI: if you're under Authentication, run a "Test" of the authentication source, and it says successful, that doesn't mean it's actually working. You need to test Active Directory account logins from back on the main menu.

If you want to use on-the-fly account creation, you'll need to make sure all of your attributes are set correctly and that, within Active Directory, the attribute fields actually contain data for your users. This is very important. For example, if a user tries to log in but their account has the "First Name", "Last Name", and/or "E-mail" fields blank (as a "test" user account often does), automatic user account creation in Redmine will fail. On top of that, it's not very verbose about why it failed. So file that away in the back of your mind: when you find one account (or a group of accounts) that won't log in, check that they have all of the Active Directory attributes populated (just open up Active Directory Users and Computers and check out the user object that is having the problem).

My Settings:

  • Name: YourDomainOrWhateverYouWant
  • Host: IP address of a Domain Controller (name is probably best)
  • Port: 389
  • Account: Domain\ServiceAccountRedmine01
  • Password: SavedPassword
  • Base DN: DC=domain,DC=local
  • Login: SAMAccountName
  • First Name: givenName
  • Last Name: SN
  • Email: mail
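A pre-flight check for the three pitfalls above, as an added Python example that is not part of the original post or of Redmine itself: it flags whitespace in the attribute names and an empty bind account, warns when the Base DN starts at a container, and lists the users whose AD objects lack an attribute Redmine needs for on-the-fly creation. The directory entries are constructed inline so the script runs offline; against a live domain you would feed it the result of a search under the Base DN.

```python
# Pre-flight checks for a Redmine LDAP authentication source pointed at Active Directory.
# Added example, not Redmine's code. Entries are dicts shaped like the attributes a directory
# search returns; the ones below are constructed so the script runs offline.

# Redmine form fields that must map to a populated AD attribute for on-the-fly creation.
REQUIRED = {"login": "Login", "firstname": "First Name", "lastname": "Last Name", "mail": "Email"}


def check_form(settings):
    """Return a list of problems with what was typed into the Redmine LDAP form."""
    problems = []
    # AD will not answer an anonymous bind with user data, so a bind account is mandatory.
    if not settings.get("account") or not settings.get("password"):
        problems.append("account/password: Active Directory needs a bind account; anonymous bind fails")
    base_dn = settings.get("base_dn", "")
    if base_dn.upper().startswith("CN="):
        problems.append(f"base_dn: {base_dn!r} starts at a container; use the domain root (DC=...)")
    for key, label in REQUIRED.items():
        attr = settings.get(key, "")
        if not attr:
            problems.append(f"{label}: attribute name is empty")
        elif attr != attr.strip():
            # 'SAMAccountName ' with a trailing space breaks the lookup.
            problems.append(f"{label}: {attr!r} has surrounding whitespace")
    return problems


def users_missing_attributes(settings, entries):
    """Map each user's login to the AD attributes Redmine needs that are blank on that object.
    Such users fail on-the-fly creation even though the form's "Test" button reports success."""
    blocked = {}
    for entry in entries:
        # LDAP attribute names are case-insensitive, so compare them lowercased; drop empty values.
        present = {k.lower(): v for k, v in entry.items() if v not in (None, "", [])}
        login = present.get(settings["login"].strip().lower(), entry.get("dn", "?"))
        missing = [settings[k] for k in REQUIRED if settings[k].strip().lower() not in present]
        if missing:
            blocked[login] = missing
    return blocked


# Constructed sample: the settings from the post plus two directory objects, one a bare "test" account.
SETTINGS = {"account": r"Domain\ServiceAccountRedmine01", "password": "SavedPassword",
            "base_dn": "DC=domain,DC=local", "login": "SAMAccountName",
            "firstname": "givenName", "lastname": "SN", "mail": "mail"}
ENTRIES = [
    {"dn": "CN=Alice,CN=Users,DC=domain,DC=local", "sAMAccountName": "alice",
     "givenName": "Alice", "sn": "Smith", "mail": "alice@domain.local"},
    {"dn": "CN=test,CN=Users,DC=domain,DC=local", "sAMAccountName": "test", "sn": "", "mail": None},
]

if __name__ == "__main__":
    print(check_form(SETTINGS))                         # []
    print(check_form({**SETTINGS, "login": "SAMAccountName "}))
    print(users_missing_attributes(SETTINGS, ENTRIES))  # {'test': ['givenName', 'SN', 'mail']}
```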

3 comments:

Michael said...

This was helpful and broke my mental logjam. The key for me was prepending the domain name in front of the binding account name. That is "DOMAIN\user" instead of just "user".

Sean said...

I'm a year late to the discussion but hopefully someone will be able to answer this one.

We currently have a full, working Redmine install but it's not hooked in to our LDAP or AD servers.

I'd love to tie it right into the AD but am concerned that the existing data will be confused with a whole new set of users with the same names but from a different source. Does redmine rely exclusively on email addresses to relate users to their tasks/tickets/etc? If so I assume that I'm worrying for nothing.

Redmine's still a little new to me so please be gentle. ;)

Thanks
S

Nick said...

I can't remember... I played with the install using local credentials. And I still use local credentials for non-internal users... but you might want to check the Redmine forums to be sure...
http://www.redmine.org/projects/redmine/boards