
Active directory settings

Introduction

This page describes how to configure mantis to authenticate against Active Directory.

General principles

Active Directory can currently be used by mantis for the following purposes:

  • Check user password.
  • Retrieve user mail address (optional).

Users must be created manually in mantis using the same login as in Active Directory.

The procedure is as follows:

  1. Connect to Active Directory using the LDAP protocol and search for the user by login. A generic (system) account is used for this search.
  2. If an entry was found, bind to Active Directory using the DN of that entry and the password provided by the user. If several entries are found, each of them is tried until one succeeds.
  3. If the bind succeeds, and if the option is activated, the user's mail address is retrieved from Active Directory.

General LDAP configuration

The following parameters must be set in the config_inc.php file:

  • $g_login_method = LDAP;
  • $g_ldap_server = 'ldap://yourservername:389'; # or $g_ldap_server = 'ldaps://yourservername:636'; do not use $g_ldap_port since it is deprecated
  • $g_ldap_root_dn = 'OU=your_organization_RDN,DC=your_organization_RDN,DC=your_organization_RDN'; # The root DN under which users are searched, e.g. 'ou=people,dc=example,dc=com'
  • $g_ldap_bind_dn = 'full_DN_entry_for_generic_user'; # A system account used to log in to LDAP, e.g. 'cn=Robert Smith,ou=people,dc=example,dc=com'
  • $g_ldap_bind_passwd = '**'; # System account password
  • $g_ldap_organization = ''; # An additional filter that may be added to the search query; leave it empty at first and add a filter later for optimization, e.g. '(objectClass=person)'

If you want to use the user's e-mail address as defined in Active Directory instead of the one entered when creating the mantis account, you must add the following parameter:

  • $g_use_ldap_email = ON;

Specific Active Directory configuration

You must add the following parameters in the config_inc.php file:

  • $g_ldap_protocol_version = 3;
  • $g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory; this is the name of the attribute used to search for a user

Additionally, make sure not to use the root of your domain for the $g_ldap_root_dn parameter. If you bind to the root of your domain, i.e. just dc=company,dc=com, then Active Directory, in addition to the search results you expected, will also return referrals to the other directory partitions, which would confuse the current implementation and cause an error.
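The search-then-bind procedure and the root-DN caveat above, as an added example in Python (not MantisBT's own PHP code): `search` and `bind` are assumed callables standing in for a real LDAP client, and the CONFIG values are assumed examples mirroring the config_inc.php keys.

```python
"""Search-then-bind flow from the page, with the search filter built safely.
Added illustration, not MantisBT code; search/bind stand in for an LDAP client."""

# Assumed example values mirroring the config_inc.php keys described above.
CONFIG = {
    "ldap_root_dn": "OU=People,DC=example,DC=com",
    "ldap_uid_field": "sAMAccountName",
    "ldap_organization": "(objectClass=person)",
    "use_ldap_email": True,
}

# RFC 4515 escapes: a login containing these must not alter the filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, config=CONFIG) -> str:
    """Step 1: filter locating the user's entry; $g_ldap_organization is ANDed in."""
    uid = f"({config['ldap_uid_field']}={escape_filter_value(login)})"
    org = config["ldap_organization"].strip()
    return f"(&{org}{uid})" if org else uid


def is_domain_root(dn: str) -> bool:
    """True for a DN made only of DC components (dc=company,dc=com): the case the
    page warns about, where AD returns referrals alongside the search results.
    Splits on bare commas; escaped commas inside RDN values are not handled."""
    rdns = [p.strip() for p in dn.split(",") if p.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def authenticate(login, password, search, bind, config=CONFIG):
    """Steps 1-3: search with the generic account, bind as each found entry with
    the user's password, then return the mail attribute if configured.
    search(base_dn, ldap_filter) -> list of (dn, attrs); bind(dn, pw) -> bool."""
    if is_domain_root(config["ldap_root_dn"]):
        raise ValueError("$g_ldap_root_dn must not be the bare domain root")
    if not password:
        # An empty password is an unauthenticated bind (RFC 4513 5.1.2), which
        # some servers accept, so it must never be treated as proof of identity.
        raise PermissionError("empty password")
    for dn, attrs in search(config["ldap_root_dn"], build_user_filter(login, config)):
        if bind(dn, password):
            return attrs.get("mail") if config["use_ldap_email"] else None
    raise PermissionError("no entry found or password rejected")
```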
mantisbt/active_directory.txt · Last modified: 2013/02/22 04:56 by sge