Dear All,
For the last few days I've been desperately reading official/user-made guides in order to properly configure my openldap to allow users to log in to a project management webapp (namely Redmine). With that said, please let me share the basic setup of the environment I'm dealing with.
Webapplication(s):
Redmine, Phpldapadmin
LDAP:
Openldap
After the installation, I took the following steps to re-configure my ldap to better reflect the ldap being used in production (since this whole redmine + ldap setup isn't in production yet):
1. Stopped the slapd service and removed the *cn=config.ldif* from */etc/ldap/slapd.d*
2. Modified */usr/share/slapd/slapd.conf* to this:
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema

    pidfile         /var/run/slapd/slapd.pid
    argsfile        /var/run/slapd/slapd.args
    loglevel        none

    modulepath      /usr/lib/ldap
    moduleload      back_mdb

    sizelimit       500
    tool-threads    1

    backend         mdb
    database        mdb
    suffix          "o=testcompany.com"
    rootdn          "cn=admin,o=testcompany.com"
    directory       "/var/lib/tc-ldap"
    rootpw          "password"

    index           objectClass eq
    index           uid eq
    index           ou eq
    index           default eq,sub

    lastmod         on
    checkpoint      512 30

    access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,o=testcompany.com" write
        by anonymous auth
        by self write
        by * none
    access to dn.base=""
        by * read
    access to *
        by dn="cn=admin,o=testcompany.com" write
        by * read
3. Afterwards, ran *slaptest -f /usr/share/slapd/slapd.conf -F /etc/ldap/slapd.d*, which generated my new *cn=config.ldif*
4. Set the appropriate user/group on the new *cn=config.ldif* with *chown -R openldap:openldap /etc/ldap/slapd.d/*
5. Fired up the slapd service and checked whether the ldap was running or not. Since it was and I could access it with phpldapadmin, I added an *organizationalUnit (ou=sales)*, all the country codes and imported 3000 users (using *ldapadd*). Now my DIT looks as follows:
    o=testcompany.com
      ou=sales
        AD
          uid=123456,c=AD,ou=sales,o=testcompany.com
          ...
which is great, this is exactly the way it should look. However, I've noticed that the *cn=admin,o=testcompany.com* entry doesn't exist, while it did with the default config after I'd installed openldap.
6. In Redmine, I've configured and tested the *ldap authentication*. It is working correctly (it can connect to my ldap, and if I wish to add a new user and choose the previously configured ldap authentication for it, I can even choose from the entries that are in my ldap, which is also great).
7. However (this is where my problem is), when I try to log into Redmine with a user that I've just created (with ldap authentication) I always get an *Invalid credentials* error (while it works like a charm when I log in with any other account created with *Simple Authentication*).
These events led me to believe that the error is in the LDAP configuration. After a few more hours/days of fooling around with the *ACL*s and *dpkg-reconfigure slapd* (and even purging and reinstalling slapd and ldap-utils) I still cannot get beyond this point. One more bit of information: after *dpkg-reconfigure slapd* and creating a few users under the default *dc=example,dc=com*, I can get them to log into Redmine just fine (and even *cn=admin,o=testcompany.com* shows up...).
Below I'll attach a few things that I've tried. I hope someone can aid me with a few tips as to where I got off the trail (somehow I feel that I'm missing the obvious here).
What I have tried so far:
1. modify the default slapd.conf file, and repeat the process I've written above
2. create a completely new one
3. a lot of different ways to add/modify the ACL
4. read through a lot of mailing lists, similar problems on redmine forums, and openldap mailing lists, still no success (I can paste a lot of links from my .txt if you need them)
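As an added example (not part of the original post, and not OpenLDAP's own code), the following Python script evaluates the three "access to" rules from the slapd.conf above against a simplified model of the slapd.access(5) semantics: the first matching "access to" clause wins, within it the first matching "by" clause wins, an unmatched "by" means none, and the rootdn bypasses ACLs entirely. It models only the <what> forms used here (attrs=, dn.base=, *) and the <who> forms dn=, anonymous, users, self and *; the second user DN uid=654321 is a constructed sibling entry. The point it makes visible is what a simple bind from an application such as Redmine needs: the password comparison happens while the connection is still anonymous, so the requester must hold at least "auth" on userPassword for that entry.

```python
"""Minimal evaluator for OpenLDAP slapd.conf 'access to' rules (added example).

Simplified model of slapd.access(5): first matching 'access to' clause wins,
then the first matching 'by' clause inside it; no matching 'by' means 'none';
the rootdn bypasses ACLs. Only the <what>/<who> forms used in the post are
modelled (plus 'users'), which is enough to audit who can do what on
userPassword.
"""
import shlex

# Access levels in increasing order; a request is allowed when the granted
# level is at least the requested one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOTDN = "cn=admin,o=testcompany.com"  # rootdn from the posted slapd.conf

# The three access directives exactly as they appear in the posted slapd.conf.
ACL_TEXT = """
access to attrs=userPassword,shadowLastChange by dn="cn=admin,o=testcompany.com" write by anonymous auth by self write by * none
access to dn.base="" by * read
access to * by dn="cn=admin,o=testcompany.com" write by * read
"""


def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...' lines into (what, [(who, level)])."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex strips the quotes around DN values
        if tok[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        what, by_clauses, i = tok[2], [], 3
        while i < len(tok):
            if tok[i] != "by" or i + 2 >= len(tok):
                raise ValueError("malformed 'by' clause in: " + line)
            who, level = tok[i + 1], tok[i + 2]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            by_clauses.append((who, level))
            i += 3
        rules.append((what, by_clauses))
    return rules


def what_matches(what, target_dn, attr):
    """Does the <what> part of a clause cover this (entry DN, attribute) target?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr.lower() in wanted
    if what.startswith("dn.base="):  # dn.base="" is the root DSE
        return target_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError("unsupported <what> form: " + what)


def who_matches(who, bind_dn, target_dn):
    """Does the <who> part of a 'by' clause describe the requester?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who> form: " + who)


def granted_level(rules, bind_dn, target_dn, attr="entry", rootdn=ROOTDN):
    """Level slapd would grant bind_dn on (target_dn, attr) under these rules."""
    if rootdn and bind_dn.lower() == rootdn.lower():
        return "manage"  # rootdn is never subject to ACLs
    for what, by_clauses in rules:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # clause matched but no 'by' applied: implicit 'by * none'
    return "none"  # no clause matched at all (simplified default)


def allowed(rules, bind_dn, target_dn, attr, requested):
    """True when the granted level is at least the requested level."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(requested)


def simple_bind_permitted(rules, user_dn):
    """A simple bind checks userPassword while still anonymous, so it needs 'auth'."""
    return allowed(rules, "", user_dn, "userPassword", "auth")


if __name__ == "__main__":
    rules = parse_acls(ACL_TEXT)
    user = "uid=123456,c=AD,ou=sales,o=testcompany.com"   # entry shown in the post's DIT
    other = "uid=654321,c=AD,ou=sales,o=testcompany.com"  # constructed sibling entry
    print("anonymous may auth against userPassword:", simple_bind_permitted(rules, user))
    print("anonymous may read userPassword:        ", allowed(rules, "", user, "userPassword", "read"))
    print("user may change own password:           ", allowed(rules, user, user, "userPassword", "write"))
    print("user may read another's password:       ", allowed(rules, user, other, "userPassword", "read"))
    print("anonymous may read uid:                 ", allowed(rules, "", user, "uid", "read"))
```

Run as-is, it shows that the posted ACLs do grant anonymous "auth" on userPassword (so a simple bind against a user entry is not blocked by this rule set), deny everyone but the owner and rootdn any other access to passwords, and leave ordinary attributes world-readable. Extending ACL_TEXT with your own rules and re-running the checks is a quick way to confirm an ACL change does what you intended before restarting slapd.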