LDAP problems

2011-09-12 Thread Jeff Ward
I'm having significant problems getting LDAP authentication to work.

First, my problem, then a few suggestions to make this all go a bit
easier.  My setup is the following:
Review board 1.6.1
LDAP server: ldap://loaclhost:389
LDAP Base DN: ou=People,dc=domain,dc=com
Given Name Attribute: givenName
Surname Attribute: sn
Full Name Attribute: cn
E-mail LDAP attribute: mail
User Mask: uid=%s
Anonymous User Mask: cn=readonly,ou=System,dc=domain,dc=com
Anonymous User Password: password

The problem is, this doesn't authenticate properly.  I get an error in
the Reviewboard logs saying:
 WARNING - An error while LDAP-authenticating: KeyError(u'cn',)

Things I've tried: changing User Mask: to
uid=%s,ou=People,dc=domain,dc=com doesn't work. Error in the log is:
 WARNING - LDAP error: The specified object does not exist in the Directory: uid=username,ou=People,dc=domain,dc=com
But a close look into the LDAP logs reveals that its search was:
 filter: (uid=username,ou=people,dc=domain,dc=com)
Note the lowercase people instead of People.

Any idea how to get this to authenticate correctly?

Something else I'd like to see: you should make a distinction between
the bind-dn and the anonymous-dn.  We do not allow anonymous access to
our LDAP server, and it would be nice to distinguish the user that's
reading just to get binding information and the user that's reading as
an anonymous Review Board user.

Also, please make it so that when saving options to the LDAP
authentication screen, it doesn't take a blank password in Anonymous
Password to mean a blank password, especially after it's been set.  I
hate having to re-enter that password every single time.

-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~--~~~~--~~--~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en
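
The two log lines in the message above, as an added Python example (not Review Board's code and not from the poster): it treats the User Mask as a search filter evaluated under the Base DN, as the `filter:` line in the LDAP log shows, and reads profile attributes without raising `KeyError` when `cn` or `mail` is absent from the result. The helper names, the rule that rejects masks containing commas, and the sample entry are assumptions constructed for this example.

```python
# Added example; helper names and sample data are constructed, not Review Board's.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_mask, username):
    """Turn a mask such as 'uid=%s' into a filter searched under the base DN."""
    if "%s" not in user_mask:
        raise ValueError("user mask has no %s placeholder")
    if "," in user_mask:
        # Assumption of this example: a comma means DN components were
        # appended, which would produce a filter that matches no entry.
        raise ValueError("user mask looks like a DN, not a filter: %r" % user_mask)
    flt = user_mask.replace("%s", escape_filter_value(username))
    return flt if flt.startswith("(") else "(%s)" % flt


def read_profile(entry_attrs, wanted):
    """Map profile fields to the first value of each requested attribute.

    entry_attrs has the python-ldap result shape {attr: [bytes, ...]}. An
    attribute the entry lacks, or that the bound account may not read, is
    absent from the dict, so it is reported as missing instead of indexed.
    """
    lowered = {name.lower(): values for name, values in entry_attrs.items()}
    profile, missing = {}, []
    for field, attr in wanted.items():
        values = lowered.get(attr.lower())
        if values:
            profile[field] = values[0].decode("utf-8")
        else:
            profile[field] = ""
            missing.append(attr)
    return profile, missing


# Constructed search result: givenName and sn come back, cn and mail do not.
SAMPLE_ATTRS = {"givenName": [b"Test"], "sn": [b"User"]}
WANTED = {"first_name": "givenName", "last_name": "sn",
          "full_name": "cn", "email": "mail"}

if __name__ == "__main__":
    print(build_user_filter("uid=%s", "username"))
    print(read_profile(SAMPLE_ATTRS, WANTED))
```
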


Re: LDAP problems

2011-09-12 Thread Jeff Ward
Some more information,

I removed cn as the Full Name Attribute and mail as the Email LDAP
Attribute and auth now works (mostly) correctly.  Which means that the
givenName / sn fields were retrieved correctly, but the cn / mail
attributes were not.  I would like these attributes to be read,
especially the email one.

--
Jeff

On Sep 12, 3:20 pm, Jeff Ward <j...@fuzzybinary.com> wrote:
> I'm having significant problems getting LDAP authentication to work.
>
> First, my problem, then a few suggestions to make this all go a bit
> easier.  My setup is the following:
> Review board 1.6.1
> LDAP server: ldap://loaclhost:389
> LDAP Base DN: ou=People,dc=domain,dc=com
> Given Name Attribute: givenName
> Surname Attribute: sn
> Full Name Attribute: cn
> E-mail LDAP attribute: mail
> User Mask: uid=%s
> Anonymous User Mask: cn=readonly,ou=System,dc=domain,dc=com
> Anonymous User Password: password
>
> The problem is, this doesn't authenticate properly.  I get an error in
> the Reviewboard logs saying:
>  WARNING - An error while LDAP-authenticating: KeyError(u'cn',)
>
> Things I've tried: changing User Mask: to
> uid=%s,ou=People,dc=domain,dc=com doesn't work. Error in the log is:
>  WARNING - LDAP error: The specified object does not exist in the Directory: uid=username,ou=People,dc=domain,dc=com
> But a close look into the LDAP logs reveals that its search was:
>  filter: (uid=username,ou=people,dc=domain,dc=com)
> Note the lowercase people instead of People.
>
> Any idea how to get this to authenticate correctly?
>
> Something else I'd like to see: you should make a distinction between
> the bind-dn and the anonymous-dn.  We do not allow anonymous access to
> our LDAP server, and it would be nice to distinguish the user that's
> reading just to get binding information and the user that's reading as
> an anonymous Review Board user.
>
> Also, please make it so that when saving options to the LDAP
> authentication screen, it doesn't take a blank password in Anonymous
> Password to mean a blank password, especially after it's been set.  I
> hate having to re-enter that password every single time.
