How can I set up Redmine => Active Directory authentication?

authentication active-directory ruby-on-rails ldap redmine

First, I'm not an AD admin on site, but my manager has asked me to try to get my personal Redmine installation to integrate with ActiveDirectory in order to test-drive it for a larger-scale rollout.

Our AD server is at host:port ims.example.com:389 and I have a user IMS/me.

Right now, I also have a user me in Redmine using local authentication.

I have created an ActiveDirectory LDAP authentication method in RedMine with the following parameters:

Host: ims.example.com
Port: 389
Base DN: cn=Users,dc=ims,dc=example,dc=com

On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail

Testing this connection works just fine.

I have, however, not successfully authenticated with it.

I've created a backup admin user so that I can get back in to the me account if I break things, and then I've tried changing me to use the ActiveDirectory credentials. However, once I do, nothing works to log in. I have tried all of these login name options:

  • me
  • IMS/me
  • IMS\me

I've used my known Domain password, but no joy.

So, what setting do I have wrong, or what information do I need to acquire in order to make this work?


Okay, so here are the specific settings that I needed in order to make this work:

Host: ims.example.com
Port: 389
User: MYDOMAIN\accountName
Password: *******
Base DN: dc=mydomain,dc=example,dc=com

On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail

The trick was removing cn=Users from the Base DN, after which it all sort of came together.

The other notable thing was the inclusion of a user to read the directory.

Lastly, the user that logs in uses their user name without domain qualification, and their domain password as usual. Our domain does not require an email address, so there is an additional step where the email address has to be set during user creation, but that's pretty straightforward.


A trick to find the Base DN for ActiveDirectory LDAP authentication is to check what the users fully qualified domain name is. you can check that with: 

whoami /FQDN

if you are logged in as that user, which returns something like

CN=John Doe,OU=users,OU=department,DC=corp,DC=domain,DC=com

and the Base DN can be found by removing the first CN.

OU=users,OU=department,DC=corp,DC=domain,DC=com

I have no familiarity with Redmine, but it sure looks like you're trying to do an anonymous bind to Active Directory to validate credentials. That's not going to work. Having configured multiple products for LDAP integration with AD, this is a common problem that I've seen.

Out of the box, AD requires that clients authenticate when binding to the directory to perform queries.

Have a look at this Redmine wiki posting re: configuring LDAP authentication. They're talking about specifying an account and password for Redmine to use (one that has rights to read the directory-- a plain ol' "Domain User" will do) to bind to the directory.

Related

How can I reset my iPhone 1 without using the (broken) power button?
Does the iPhone 4 geo-tag photos without a data connection?
Deploy iOS app on personal devices
How to toggle between normal, vibrate and silent modes like in Android
Is there any way to open a recently closed tab in Safari in iOS?
Changing OS X Spotlight priorities for specific applications
How can I turn off Bluetooth with only keyboard actions?
Does the CDMA iPhone 4S support simultaneous voice and data on Verizon
Magsafe charger getting really hot
Can't disable 'Check spelling while typing' in 'Notes' in OSX El Capitan 10.11.6
How to diagnose Time Capsule issues
Could I trust such a FlashPlayer update?