LDAP settings (error authenticating bind credentials)


Valentin Kragelj

Nov 22, 2019, 3:28:21 AM
to Review Board Community
I want to set up LDAP in Review Board. We already have Polarion and Gitblit servers set up that use LDAP, so I got their LDAP settings. Can you help me fill in the Review Board LDAP settings so they match the other servers' LDAP settings?


Polarion LDAP settings are in the attached picture Capture0.jpg and here (I changed some fields for obvious security reasons):
ldap.bind.password=[REMOVED, here is some password]

# Enable the new-account-form feature by setting the enableCreateAccountForm property below to true.
# This feature enables users to create a new Polarion account without an admin's assistance. 
# Users created this way will be assigned a license user slot defined by the licenseForNewUserAccount property.
# For this feature to work properly the Polarion system user (defined in the "login" property above) 
# must have write access to the following 2 folders in the Subversion repository:
#    /.polarion/user-management/users
#    /.polarion/security
#
# When enableCreateAccountForm is set to true, use these properties:
#   - minimalPasswordLength=<int> to specify the minimum length of user-defined passwords

#   - rolesForNewUserAccount (documented later in this file)
#
enableCreateAccountForm=false
minimalPasswordLength=4

# Specifies global roles that will be assigned to new users created either by the new-account-form, 
# or using the LDAP synchronization feature. The value is a comma-separated list of global roles.
# Default value is "user". 
# ** IMPORTANT: Make sure that at least the 'user' role is in the list, or else users will not be able to log in. **
rolesForNewUserAccount=user

# The following properties control the license assignment for automatically created user accounts:
#   - licenseForNewUserAccount=<named/concurrent><Reviewer/Pro/Requirements/QA/ALM> OR <concurrent><Reviewer/Pro/Requirements/QA/ALM>[<Group><name_of_the_group>]
#   to specify which type of license will be used (in installations where more than one license type is present on server)
#     for new users created in the following ways:
#          * Created via the Create Account form
#          * Created by the auto-create feature
#          * Created by LDAP synchronization
#        The "lowest" license type present will be used by default if this property is not specified.
#        Examples: namedReviewer, concurrentALM OR concurrentALMGroupDepartmentA
#
#   - disableLicenseAssignmentInLDAPSynchronize=<true or false> to explicitly enable or disable assignment of license to users
#        during LDAP synchronization.
#
#   - disableLicenseAssignmentInAutocreate=<true or false> to explicitly enable or disable assignment of license to auto-created users.
#
licenseForNewUserAccount=
#
# Set the following disableLicenseAssignmentInLDAPSynchronize=<true or false> to explicitly 
# enable or disable license assignment to users during LDAP synchronization:
# disableLicenseAssignmentInLDAPSynchronize=true
#
# Set the following disableLicenseAssignmentInAutocreate=<true or false> to explicitly enable or disable 
# license assignment to users created by the auto-create feature:
# disableLicenseAssignmentInAutocreate=true

# CFR 21 Part 11 compatible e-Signatures
#
# The portal will display a dialog asking for a password when certain user actions are invoked by the user. 
# These user actions are:
# - invoking a Work Item or a Test Run workflow action that has the Requires Signature flag set (in workflow administration)
# - approving/disapproving a Work Item when "secure.approvals" is set to true 
# - signing/declining of a Document workflow transition
# - executing a Test Case in a Test Run when the flag "Requires Signature for Test Case execution" is set (in Test Run Types administration)
#
# Additional properties "secure.dialog.title" and "secure.dialog.message" may be added below and used to specify 
# the title of the password entry dialog and the message shown there, thereby overriding the system's default 
# title and message for the dialog.
secure.approvals=false


Polarion apache settings (removed some settings for obvious security reasons):
<IfModule mod_authnz_ldap.c>

# Authenticate against both passwd file and LDAP
# - allows to combine Polarion-only users with organization-wide users
AuthBasicProvider file ldap

# LDAP search URL
# - LDAP port is 389
# - use ldaps:// for secure LDAP (with port 636)
# - basedn is the DN of the directory (sub)tree to search in
# - attribute is the name of user id attribute (used as "Login Name" in Polarion)
# - scope is the search scope ("sub" for whole subtree under basedn)
# - filter is the search filter
# - see more examples below
#AuthLDAPURL "ldap://host:port/basedn?attribute?scope?filter"

# OpenLDAP and other directories using RFC-2798-compliant inetOrgPerson object class
#AuthLDAPURL "ldap://host:port/dc=company,dc=com?uid?sub?(objectclass=inetOrgPerson)"

# Active Directory
#AuthLDAPURL "ldap://host:port/cn=users,dc=company,dc=com?sAMAccountName?sub?(objectclass=user)"
#AuthLDAPURL "ldap://sisiaddc01.itc.global.mahle:389/OU=MAHLE,DC=itc,DC=global,DC=mahle?sAMAccountName?sub?(objectclass=user)"
AuthLDAPURL "ldap://[SOME OUR IP]/OU=[SOME],DC=itc,DC=global,DC=[SOME]?sAMAccountName?sub?(objectclass=user)"
#AuthLDAPURL "ldap://[SOME OUR IP]/OU=[SOME],DC=itc,DC=global,DC=[SOME]?sAMAccountName?sub?(objectclass=user)"

# The user and password used to login to LDAP server to perform the searches
# - required by Active Directory
#AuthLDAPBindDN "cn=[USER],cn=users,dc=company,dc=com"
#AuthLDAPBindPassword "[PASSWORD]"
AuthLDAPBindDN "CN=S0002937,OU=system,OU=user,OU=si,OU=si,OU=[SOME],DC=itc,DC=global,DC=[SOME]"
AuthLDAPBindPassword "[SOME OUR PASSWORD]"
#Uncomment this when "500 Server failed" is returned and Apache's log contains error 
#"This function has not been implemented on this platform: AH01277: LDAP: Unable to add rebind cross reference entry. Out of memory?"
LDAPReferrals Off 
    
</IfModule>


Gitblit server (removed some settings for obvious security reasons):
# URL of the LDAP server.
# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
# send StartTLS command.
#
# SINCE 1.0.0
realm.ldap.server = ldap://[OUR LDAP SeRVER]

# Login username for LDAP searches.
# If this value is unspecified, anonymous LDAP login will be used.
# e.g. mydomain\\username
#
# SINCE 1.0.0
realm.ldap.username = itc\\S0002937

# Login password for LDAP searches.
#
# SINCE 1.0.0
realm.ldap.password = [SOME PASSWORD]

# Bind pattern for Authentication.
# Allow to directly authenticate an user without LDAP Searches.
# e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
#
# SINCE 1.5.0
realm.ldap.bindpattern = 


# Delegate team membership control to LDAP.
#
# If true, team user memberships will be specified by LDAP groups.  This will
# disable team selection in Edit User and user selection in Edit Team.
#
# If false, LDAP will only be used for authentication and Gitblit will maintain
# team memberships with the *realm.ldap.backingUserService*.
#
# SINCE 1.0.0
realm.ldap.maintainTeams = false

# Root node for all LDAP users
#
# This is the root node from which subtree user searches will begin.
# If blank, Gitblit will search ALL nodes.
#
# SINCE 1.0.0
realm.ldap.accountBase = OU=[SOME],DC=itc,DC=global,DC=[SOME]

# Filter criteria for LDAP users
#
# Query pattern to use when searching for a user account. This may be any valid 
# LDAP query expression, including the standard (&) and (|) operators.
#
# Variables may be injected via the ${variableName} syntax.
# Recognized variables are:
#    ${username} - The text entered as the user name
#
# SINCE 1.0.0
realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))

# Root node for all LDAP groups to be used as Gitblit Teams
#
# This is the root node from which subtree team searches will begin.
# If blank, Gitblit will search ALL nodes.  
#
# SINCE 1.0.0
realm.ldap.groupBase = OU=[SOME],DC=itc,DC=global,DC=[SOME]

# Filter criteria for LDAP groups
#
# Query pattern to use when searching for a team. This may be any valid 
# LDAP query expression, including the standard (&) and (|) operators.
#
# Variables may be injected via the ${variableName} syntax.
# Recognized variables are:
#    ${username} - The text entered as the user name
#    ${dn} - The Distinguished Name of the user logged in
#
# All attributes from the LDAP User record are available. For example, if a user
# has an attribute "fullName" set to "John", "(fn=${fullName})" will be 
# translated to "(fn=John)".
#
# SINCE 1.0.0
realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))

# Filter criteria for empty LDAP groups
#
# Query pattern to use when searching for an empty team. This may be any valid 
# LDAP query expression, including the standard (&) and (|) operators.
#
# default: (&(objectClass=group)(!(member=*)))
# SINCE 1.4.0
realm.ldap.groupEmptyMemberPattern = (&(objectClass=group)(!(member=*)))

# LDAP users or groups that should be given administrator privileges.
#
# Teams are specified with a leading '@' character.  Groups with spaces in the
# name can be entered as "@team name".  This setting only applies when using
# LDAP to maintain team memberships.
#
# e.g. realm.ldap.admins = john @git_admins "@git admins"
#
# SPACE-DELIMITED
# SINCE 1.0.0
realm.ldap.admins = @Git_Admins

# Attribute(s) on the USER record that indicate their display (or full) name.
# Leave blank for no mapping available in LDAP.
#
# This may be a single attribute, or a string of multiple attributes.  Examples:
#  displayName - Uses the attribute 'displayName' on the user record
#  ${personalTitle}. ${givenName} ${surname} - Will concatenate the 3 
#       attributes together, with a '.' after personalTitle
#
# SINCE 1.0.0
realm.ldap.displayName = displayName

# Attribute(s) on the USER record that indicate their email address.
# Leave blank for no mapping available in LDAP.
#
# This may be a single attribute, or a string of multiple attributes.  Examples:
#  email - Uses the attribute 'email' on the user record
#  ${givenName}.${surname}@gitblit.com -Will concatenate the 2 attributes
#       together with a '.' and '@' creating something like first...@gitblit.com 
#
# SINCE 1.0.0
realm.ldap.email = email

# Attribute on the USER record that indicate their username to be used in gitblit
# when synchronizing users from LDAP
# if blank, Gitblit will use uid
# For MS Active Directory this may be sAMAccountName
#
# SINCE 1.0.0
realm.ldap.uid = uid

# Defines whether to synchronize all LDAP users and teams into the user service
#
# Valid values: true, false
# If left blank, false is assumed
#
# SINCE 1.4.0
realm.ldap.synchronize = false

# Defines the period to be used when synchronizing users and teams from ldap.
#
# Must be of the form '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS' 

# default: 5 MINUTES
#
# RESTART REQUIRED
# SINCE 1.4.0
realm.ldap.syncPeriod = 15 MINUTES

# Defines whether to delete non-existent LDAP users from the user service
# during synchronization. depends on  realm.ldap.synchronize = true
#
# Valid values: true, false
# If left blank, true is assumed
#
# SINCE 1.4.0
realm.ldap.removeDeletedUsers = true
 


So far, I filled in the Review Board LDAP settings like in Capture1.jpg and Capture2.jpg, but when I try to log in I get the error "Error authenticating with LDAP: The credentials provided for "itc\\S0002937" are invalid." I am sure the LDAP bind password is correct, I typed it multiple times.


Happy for any offered help!

-ValeV
Capture0.PNG
Capture1.JPG
Capture2.JPG

Christian Hammond

Nov 22, 2019, 5:22:10 PM
to revie...@googlegroups.com
Hi Valentin,

I'm really not sure about this, but can you try using only a single backslash in that username? If you're going for a DOMAIN\username form, I think Gitblit requires that you escape the backslash, hence the "\\". We don't have that requirement.

Christian

--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "Review Board Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/reviewboard/c9d1050d-00fe-42d7-9efd-6e1c220b7927%40googlegroups.com.


--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board

Valentin Kragelj

Nov 25, 2019, 2:23:39 AM
to Review Board Community
Yes, that worked beautifully. I just had to change "domain\\username" to  "domain\username", nothing else.

You mentioned you don't require escaping the backslash. Is there documentation stating this that I can read? Maybe it also lists some other important things I should know about.



Christian Hammond

Nov 25, 2019, 3:49:49 PM
to revie...@googlegroups.com
Glad to hear it!

It’s not so much that we don’t require escaping as it is that gitblit does. It’s a requirement on their end due to something involving their configuration file format.

Christian


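The fix in this thread comes down to how Gitblit's configuration file encodes a backslash. The following is an added example, not code from Review Board, Gitblit or either poster: it assumes (as the Gitblit comment "e.g. mydomain\\username" suggests) that gitblit.properties follows Java .properties escaping, where a literal backslash is written as "\\", and decodes such a file to show the literal bind name that belongs in Review Board's LDAP settings. The sample file text is constructed from the thread's excerpt; the server name ldap.example.invalid is invented, and the bracketed placeholders are the thread's own.

```python
# Added example (not code from Review Board, Gitblit, or the thread's author).
# Assumption: gitblit.properties uses java.util.Properties escaping, so the
# file text "itc\\S0002937" denotes the literal value itc\S0002937, which is
# what a form field (such as Review Board's LDAP bind user) expects verbatim.
import re

# Escape letters that java.util.Properties maps to control characters.
_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

# A logical line continues when it ends in an odd number of backslashes.
_CONTINUES = re.compile(r"(?<!\\)(?:\\\\)*\\$")

# key may contain escaped separators; separator is '=', ':' or whitespace.
_KEY_VALUE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def unescape_properties_value(raw: str) -> str:
    r"""Decode java.util.Properties escapes: \\ -> \, \t, \n, \uXXXX, \x -> x."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break  # a lone trailing backslash is dropped
        nxt = raw[i]
        if nxt == "u":
            out.append(chr(int(raw[i + 1:i + 5], 16)))  # \uXXXX
            i += 5
        else:
            # "\\" -> "\", "\=" -> "=", "\t" -> tab, unknown "\x" -> "x"
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Parse key/value lines, skipping comments and joining continuation lines."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while _CONTINUES.search(line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        m = _KEY_VALUE.match(line)
        if not m:
            continue
        props[unescape_properties_value(m.group(1))] = unescape_properties_value(m.group(2))
    return props


def review_board_bind_name(gitblit_props: dict) -> str:
    """The decoded (literal) bind user name, i.e. what to type into Review Board."""
    return gitblit_props["realm.ldap.username"]


def looks_double_escaped(value: str) -> bool:
    """True if a literal form value still carries a properties-style doubled backslash."""
    return "\\\\" in value


# Constructed sample modelled on the thread's gitblit.properties excerpt.
GITBLIT_SAMPLE = r"""
# Login username for LDAP searches.
# e.g. mydomain\\username
realm.ldap.server = ldap://ldap.example.invalid
realm.ldap.username = itc\\S0002937
realm.ldap.bindpattern =
realm.ldap.accountBase = OU=[SOME],DC=itc,DC=global,DC=[SOME]
"""

if __name__ == "__main__":
    props = parse_properties(GITBLIT_SAMPLE)
    name = review_board_bind_name(props)
    print("text in gitblit.properties :", r"itc\\S0002937")
    print("literal bind name           :", name)                         # itc\S0002937
    print("copied as-is, double-escaped:", looks_double_escaped(r"itc\\S0002937"))  # True
    print("decoded value double-escaped:", looks_double_escaped(name))   # False
```

The decoded name is the one AD actually sees during the bind; copying the file text verbatim into a form sends a second backslash as part of the user name, which is exactly the "credentials are invalid" symptom above. The same decoder applies to the password line, since a password containing a backslash would be doubled in the properties file too.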