Dear All,

For the last few days I've been desperately reading official/user-made
guides in order to properly configure my OpenLDAP to allow users to log in
to a project management webapp (namely Redmine). With that said, please let
me share the basic setup of the environment I'm dealing with.

Redmine, phpLDAPadmin

After the installation, I took the following steps to reconfigure my LDAP
to better reflect the LDAP being used in production (since this whole
Redmine + LDAP setup isn't in production yet):

   1. Stopped the slapd service and removed the *cn=config.ldif* from

   Modified */usr/share/slapd/slapd.conf* to this:

   include         /etc/ldap/schema/core.schema
   include         /etc/ldap/schema/cosine.schema
   include         /etc/ldap/schema/nis.schema
   include         /etc/ldap/schema/inetorgperson.schema

   pidfile         /var/run/slapd/
   argsfile        /var/run/slapd/slapd.args
   loglevel        none

   modulepath  /usr/lib/ldap
   moduleload  back_mdb

   sizelimit 500
   tool-threads 1

   backend     mdb
   database        mdb
   suffix          ""
   rootdn          "cn=admin,"
   directory       "/var/lib/tc-ldap"
   rootpw          "password"

   index           objectClass eq
   index       uid eq
   index       ou eq
   index       default eq,sub

   lastmod         on
   checkpoint      512 30

   access to attrs=userPassword,shadowLastChange
           by dn="cn=admin," write
           by anonymous auth
           by self write
           by * none

   access to dn.base="" by * read

   access to *
           by dn="cn=admin," write
           by * read


   Afterwards, I ran *slaptest -f /usr/share/slapd/slapd.conf -F
   /etc/ldap/slapd.d*, which generated my new *cn=config.ldif*.

   Set the appropriate user/group on the new *cn=config.ldif* with *chown
   -R openldap:openldap /etc/ldap/slapd.d/*

   Fired up the slapd service and checked whether LDAP was running. Since
   it was and I could access it with phpLDAPadmin, I added an
   *(ou=sales)*, all the country codes and imported 3000 users (using
   *ldapadd*). Now my DIT looks as follows:

     - ou=sales
       - AD
         + uid=123456,c=AD,ou=sales,
         + ...

   which is great, this is exactly the way it should look; however,
   I've noticed that the *cn=admin,<>*
   entry doesn't exist, while it did using the default config after I
   installed OpenLDAP.

   In Redmine, I've configured and tested the *LDAP authentication*. It is
   working correctly (it can connect to my LDAP, and if I wish to add a
   new user and choose the previously configured LDAP authentication for it, I
   can even choose from the entries that are in my LDAP, which is also great).

   However (this is where my problem is), when I try to log into Redmine
   with a user that I've just created (with LDAP authentication) I
   always get an *Invalid credentials* error (while it works like a charm
   when I log in with any other account created with *Simple Authentication*).

These events led me to believe that the error is in the LDAP configuration.
After a few more hours/days of fooling around with the *ACL*s and
*slapd* (and even purging and reinstalling slapd and ldap-utils) I still cannot
get beyond this point. One more bit of information: after *dpkg-reconfigure
slapd* and creating a few users under the default *dc=example,dc=com*, I
can get them to log into Redmine just fine (and even
*cn=admin,<>* shows up...).

Below I'll attach a few things that I've tried. I hope someone can aid me
with a few tips as to where I got off the trail (somehow I feel that I'm
missing the obvious here).

What I have tried so far:

    1. modify the default slapd.conf file and repeat the process I've
written above
    2. create a completely new one
    3. a lot of different ways to add/modify the ACL
    4. read through a lot of mailing lists, similar problems on Redmine
forums, and OpenLDAP mailing lists, still no success (I can paste a
lot of links from my .txt if you need it)
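
As an added illustration (not the poster's own tooling, and not part of the
original message), the script below parses the directives a simple-bind login
depends on from a slapd.conf and reports the settings that typically surface as
"Invalid credentials" in the web application: an empty or malformed suffix, a
rootdn that is not a DN under that suffix, and an ACL on userPassword that does
not give anonymous (pre-bind) clients "auth" access, bearing in mind that slapd
stops at the first matching "by" clause. The config text is a constructed copy
of the directives as they appear in the post; the "fixed" variant assumes a
hypothetical suffix dc=example,dc=com (the real suffix is not in the message)
and a pidfile that names a file rather than a directory.

```python
"""Offline sanity checks for a slapd.conf before pointing a web app at it."""
import re
from textwrap import dedent

# Constructed copy of the relevant directives from the posted slapd.conf.
# The empty suffix and the trailing comma in rootdn are exactly as posted.
POSTED_CONF = dedent("""\
    pidfile         /var/run/slapd/
    argsfile        /var/run/slapd/slapd.args
    database        mdb
    suffix          ""
    rootdn          "cn=admin,"
    directory       "/var/lib/tc-ldap"
    rootpw          "password"

    access to attrs=userPassword,shadowLastChange
            by dn="cn=admin," write
            by anonymous auth
            by self write
            by * none

    access to dn.base="" by * read

    access to *
            by dn="cn=admin," write
            by * read
""")

# Hypothetical corrected version: suffix dc=example,dc=com (assumed, not from
# the post) restored everywhere and pidfile pointing at a file.
FIXED_CONF = (POSTED_CONF
              .replace('suffix          ""', 'suffix          "dc=example,dc=com"')
              .replace('"cn=admin,"', '"cn=admin,dc=example,dc=com"')
              .replace("/var/run/slapd/\n", "/var/run/slapd/slapd.pid\n"))

# Same as FIXED_CONF but with the catch-all 'by * none' moved ahead of
# 'by anonymous auth'; slapd applies the first matching <by> clause.
BAD_ACL_ORDER_CONF = FIXED_CONF.replace(
    "        by anonymous auth\n        by self write\n        by * none\n",
    "        by * none\n        by anonymous auth\n        by self write\n")

# slapd access levels, weakest to strongest.
_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def _logical_lines(text):
    """Join continuation lines: in slapd.conf a line starting with whitespace
    continues the previous directive; blank and comment lines are ignored."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_slapd_conf(text):
    """Return (directives, acls): directives maps a keyword to its first value;
    acls is a list of (what, [(who, level), ...]) in file order."""
    directives, acls = {}, []
    for line in _logical_lines(text):
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key.lower() != "access":
            directives.setdefault(key.lower(), _unquote(rest))
            continue
        m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", rest)
        if not m:
            continue
        clauses = []
        for clause in re.split(r"\s+by\s+", m.group(2)):
            parts = clause.split()
            clauses.append((" ".join(parts[:-1]), parts[-1]))
        acls.append((m.group(1), clauses))
    return directives, acls


def check_login_readiness(text):
    """Return a list of findings; an empty list means nothing obvious blocks a
    simple bind as a user entry under the suffix."""
    d, acls = parse_slapd_conf(text)
    findings = []
    suffix, rootdn, pidfile = d.get("suffix", ""), d.get("rootdn", ""), d.get("pidfile", "")
    if not _DN_RE.match(suffix):
        findings.append("suffix is empty or malformed (%r): every entry DN, including "
                        "the one the app binds with, must end in it" % suffix)
    if not _DN_RE.match(rootdn):
        findings.append("rootdn is malformed (%r)" % rootdn)
    elif _DN_RE.match(suffix) and rootdn != suffix and not rootdn.endswith("," + suffix):
        findings.append("rootdn %r is not under suffix %r" % (rootdn, suffix))
    if pidfile.endswith("/"):
        findings.append("pidfile %r names a directory, not a file" % pidfile)

    pw_acl = next((cl for what, cl in acls
                   if what.startswith("attrs=") and "userPassword" in what), None)
    if pw_acl is None:
        findings.append("no ACL restricts userPassword; the catch-all rule applies to it")
    else:
        # Effective level for an anonymous client is the first clause that matches it.
        anon = next((lvl for who, lvl in pw_acl if who in ("anonymous", "*")), "none")
        if anon in _LEVELS and _LEVELS.index(anon) < _LEVELS.index("auth"):
            findings.append("anonymous clients get %r on userPassword, so simple "
                            "binds are rejected as invalid credentials" % anon)
        elif anon in _LEVELS and _LEVELS.index(anon) > _LEVELS.index("auth"):
            findings.append("anonymous clients get %r on userPassword; 'auth' is "
                            "enough for binds and keeps hashes unreadable" % anon)
    return findings


if __name__ == "__main__":
    for name, conf in [("posted", POSTED_CONF), ("fixed", FIXED_CONF),
                       ("bad ACL order", BAD_ACL_ORDER_CONF)]:
        print(name, "->", check_login_readiness(conf) or "ok")
```

Run it against a real slapd.conf by reading the file into `check_login_readiness`; the same checks apply to the directives in the post, where the empty suffix and the trailing-comma rootdn are flagged while the userPassword ACL (with "by anonymous auth" ahead of "by * none") passes.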
