Dear All,
For the last few days I've been desperately reading official and user-made
guides in order to properly configure my OpenLDAP to allow users to log in
to a project management web app (namely Redmine). With that said, please let
me share the basic setup of the environment I'm dealing with.
Web application(s):
Redmine, phpLDAPadmin
LDAP:
OpenLDAP
After the installation, I took the following steps to re-configure my LDAP
to better reflect the LDAP being used in production (since this whole
Redmine + LDAP setup isn't in production yet):
1. Stopped the slapd service and removed *cn=config.ldif* from
*/etc/ldap/slapd.d*
2. Modified */usr/share/slapd/slapd.conf* to this:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_mdb
sizelimit 500
tool-threads 1
backend mdb
database mdb
suffix "o=testcompany.com"
rootdn "cn=admin,o=testcompany.com"
directory "/var/lib/tc-ldap"
rootpw "password"
index objectClass eq
index uid eq
index ou eq
index default eq,sub
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,o=testcompany.com" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,o=testcompany.com" write
by * read
3. Afterwards, ran *slaptest -f /usr/share/slapd/slapd.conf -F
/etc/ldap/slapd.d*, which generated my new *cn=config.ldif*
4. Set the appropriate user/group on the new *cn=config.ldif* with *chown
-R openldap:openldap /etc/ldap/slapd.d/*
5. Fired up the slapd service and checked whether the LDAP was running. Since
it was and I could access it with phpLDAPadmin, I added an
*organizationalUnit (ou=sales)*, all the country codes and imported 3000
users (using *ldapadd*). Now my DIT looks as follows:
- o=testcompany.com
  - ou=sales
    - AD
      + uid=123456,c=AD,ou=sales,o=testcompany.com
      + ...
which is great, this is exactly the way it should look; however,
I've noticed that the *cn=admin,o=testcompany.com*
entry doesn't exist, while it did using the default config after I
installed OpenLDAP.
6. In Redmine, I've configured and tested the *LDAP authentication*. It is
working correctly (it can connect to my LDAP, and if I wish to add a
new user and choose the previously configured LDAP authentication for it, I can
even choose from the entries that are in my LDAP, which is also great).
7. However (this is where my problem is), when I try to log into Redmine
with a user that I've just created (with LDAP authentication) I
always get an *Invalid credentials* error (while it works like a charm when
I log in with any other account created with *Simple Authentication*).
These events led me to believe that the error is in the LDAP configuration.
After a few more hours/days of fooling around with the *ACL*s and
*dpkg-reconfigure slapd* (and even purging and reinstalling slapd and
ldap-utils) I still cannot get beyond this point. One more bit of
information: after *dpkg-reconfigure slapd* and creating a few users under
the default *dc=example,dc=com*, I can get them to log into Redmine just
fine (and even *cn=admin,o=testcompany.com* shows up...).
Below I'll attach a few things that I've tried. I hope someone can aid me
with a few tips as to where I got off the trail (somehow I feel that I'm
missing the obvious here).
What I have tried so far:
1. Modify the default slapd.conf file and repeat the process I've
written above
2. Create a completely new one
3. A lot of different ways to add/modify the ACL
4. Read through a lot of mailing lists and similar problems on Redmine
forums and OpenLDAP mailing lists, still no success (I can paste a
lot of links from my .txt if you need it)
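An offline check of the ACL quoted in step 2, added here as an example (it is not part of the original post, nor OpenLDAP code): a small Python evaluator that applies the first-match rules documented in slapd.access(5) to the three access directives and answers the questions a simple bind raises. The requester and target DNs are constructed sample values; the uid=123456 DN follows the shape shown in the post, and uid=654321 is invented for the "someone else's entry" case.

```python
"""Offline evaluator for the slapd.conf access directives quoted in the post.

Added example; not part of the original post or of OpenLDAP itself. It models
the documented rule that slapd uses the first "access to" directive whose
target matches the request and, within it, the first "by" clause whose "who"
matches the requester; if no "by" clause matches, access is "none". The
directive text below is copied from the post; the DNs used in the checks
are constructed sample values.
"""
import re

SLAPD_ACLS = """\
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,o=testcompany.com" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,o=testcompany.com" write
by * read
"""

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Return a list of (what, [(who, level), ...]) tuples in directive order."""
    directives = []
    for chunk in re.split(r"(?m)^access to\s+", text):
        chunk = chunk.strip()
        if not chunk:
            continue
        parts = re.split(r"\s+by\s+", chunk)
        clauses = [tuple(p.strip().rsplit(None, 1)) for p in parts[1:]]
        directives.append((parts[0].strip(), clauses))
    return directives


def _normalize(dn):
    # Case- and whitespace-insensitive DN comparison; good enough for these DNs.
    return ",".join(p.strip().lower() for p in dn.split(","))


def what_matches(what, target_dn, attr):
    """Does the <what> part of a directive cover (target_dn, attr)?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    m = re.fullmatch(r'dn\.base="([^"]*)"', what)
    if m:
        return _normalize(m.group(1)) == _normalize(target_dn)
    raise ValueError("unsupported <what> clause: " + what)


def who_matches(who, requester_dn, target_dn):
    """Does a <who> clause match the requester? Anonymous is the empty DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "self":
        return requester_dn != "" and _normalize(requester_dn) == _normalize(target_dn)
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return _normalize(m.group(1)) == _normalize(requester_dn)
    raise ValueError("unsupported <who> clause: " + who)


def effective_access(acls, requester_dn, target_dn, attr=None):
    """First matching directive, first matching by-clause inside it; a
    directive whose by-clauses all fail yields 'none', as does no match at all."""
    for what, clauses in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(level, needed):
    """True if the granted level implies the needed one (levels are cumulative)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def bind_checks(acls, user_dn, other_dn="uid=654321,c=AD,ou=sales,o=testcompany.com"):
    """Questions a simple-bind flow raises, answered from the ACL text alone."""
    return {
        # slapd evaluates a simple bind as anonymous and needs "auth" on userPassword
        "anonymous_can_auth_userPassword": allows(effective_access(acls, "", user_dn, "userPassword"), "auth"),
        # once bound, the user may change only its own password
        "user_can_write_own_userPassword": allows(effective_access(acls, user_dn, user_dn, "userPassword"), "write"),
        # ...and cannot even see whether someone else's password exists
        "user_can_read_other_userPassword": allows(effective_access(acls, user_dn, other_dn, "userPassword"), "disclose"),
        # root DSE and ordinary attributes are world-readable under this ACL
        "anonymous_can_read_rootdse": allows(effective_access(acls, "", "", None), "read"),
        "anonymous_can_read_uid": allows(effective_access(acls, "", user_dn, "uid"), "read"),
    }


if __name__ == "__main__":
    acls = parse_acls(SLAPD_ACLS)
    for question, answer in bind_checks(acls, "uid=123456,c=AD,ou=sales,o=testcompany.com").items():
        print(f"{question}: {answer}")
```

Run as a script it prints one line per question; for the quoted ACL every bind-related answer comes out as the post intends (anonymous gets auth on userPassword, so a simple bind by a user entry is permitted). Two things the evaluator cannot see: slapd applies no ACL at all to the rootdn identity, and the rootdn does not need an entry in the DIT to bind, so a missing cn=admin entry by itself does not break rootdn binds; and a bind can fail with "Invalid credentials" for reasons outside the ACL (the entry has no userPassword value, or the value does not match), which `ldapwhoami -x -D <user dn> -W` against the live server separates from an ACL denial. Storing a hashed value from `slappasswd` in `rootpw` rather than a cleartext password is the other caveat the config invites.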