How can I set up Redmine => Active Directory authentication?
First, I'm not an AD admin on site, but my manager has asked me to try to get my personal Redmine installation to integrate with ActiveDirectory in order to test-drive it for a larger-scale rollout.
Our AD server is at host:port ims.example.com:389
and I have a user IMS/me
.
Right now, I also have a user me
in Redmine using local authentication.
I have created an ActiveDirectory LDAP authentication method in RedMine with the following parameters:
Host: ims.example.com
Port: 389
Base DN: cn=Users,dc=ims,dc=example,dc=com
On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail
Testing this connection works just fine.
I have, however, not successfully authenticated with it.
I've created a backup admin user so that I can get back in to the me
account if I break things, and then I've tried changing me
to use the ActiveDirectory credentials. However, once I do, nothing works to log in. I have tried all of these login name options:
me
IMS/me
IMS\me
I've used my known Domain password, but no joy.
So, what setting do I have wrong, or what information do I need to acquire in order to make this work?
Okay, so here are the specific settings that I needed in order to make this work:
Host: ims.example.com
Port: 389
User: MYDOMAIN\accountName
Password: *******
Base DN: dc=mydomain,dc=example,dc=com
On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail
The trick was removing cn=Users
from the Base DN, after which it all sort of came together.
The other notable thing was the inclusion of a user to read the directory.
Lastly, the user that logs in uses their user name without domain qualification, and their domain password as usual. Our domain does not require an email address, so there is an additional step where the email address has to be set during user creation, but that's pretty straightforward.
A trick to find the Base DN for ActiveDirectory LDAP authentication is to check what the users fully qualified domain name is. you can check that with:
whoami /FQDN
if you are logged in as that user, which returns something like
CN=John Doe,OU=users,OU=department,DC=corp,DC=domain,DC=com
and the Base DN can be found by removing the first CN.
OU=users,OU=department,DC=corp,DC=domain,DC=com
I have no familiarity with Redmine, but it sure looks like you're trying to do an anonymous bind to Active Directory to validate credentials. That's not going to work. Having configured multiple products for LDAP integration with AD, this is a common problem that I've seen.
Out of the box, AD requires that clients authenticate when binding to the directory to perform queries.
Have a look at this Redmine wiki posting re: configuring LDAP authentication. They're talking about specifying an account and password for Redmine to use (one that has rights to read the directory-- a plain ol' "Domain User" will do) to bind to the directory.