After you have Redmine installed and configured to the point where you can log in – go ahead and do so. Browse to Administration>Settings>Authentication tab>LDAP Configuration (in the bottom right).
Before you go and start changing things here, there are a few things you should keep in mind that will save you some time. Realize that you can’t do an anonymous bind to Active Directory. So, you need to actually specify a valid set of credentials for the service account. Now, I suppose they could have done something different here to reduce the configuration work… like relying on user login credentials and passing them to query AD. But in any event, you just need a normal domain user account should do just fine – anything that can query Active Directory. Why a domain account? Think about it another way… if someone plugged their laptop into your network, would they be able to query AD for user or computer objects? No… they wouldn’t, because they’d be anonymous. Even if they knew your domain name, had a domain controller’s IP address, the distinguished name, etc… no luck. So create a service account. Just FYI, my domain was at 2003 domain functional level.
As far as the Base DN – keep it simple… base DN means base. You probably don’t want CN=users, or CN=MyBusiness, or anything like that. In my case, I specified DC=domain,DC=local. As for the the attributes, they all come right out of Active Directory… there’s a bunch of places youcould find these if you wanted to spend the time to find them. Or, there’s a bunch of sites that already have this stuff listed (see the below for my config).
When you’re specifying the attributes, keep in mind that you don’t want any extra spaces (blank spaces) after the attributes. For instance, it should be ‘SAMAccountName’ (no quotes), NOT ‘SAMAccountName ‘. If you add a space, it breaks. If you don’t have those “optional” attributes, it breaks. Also – just FYI… if you’re under Authentication, and trying to run a “Test” of authentication, and it say’s successful – that doesn’t mean it’s actually working. You need to test Active Directory account logins from back on the main menu.
If you want to use on-the-fly account creation… you’ll need to make sure all of your Attributes are set correctly and that within Active Directory the attribute fields actually contain data for your users. This is very important. For example, if you have a user trying to login, but their account has “First Name”, and/or “Last Name”, and/or “E-mail” address fields blank (like if you have a “test” user account) – automatic user account creation in Redmine will fail. On top of that – it’s not very verbose about why it failed. So that might be something to file away in the back of your mind, so that when you find one account (or a group of accounts) somewhere that won’t login – you can make sure to check that they have all of the Active Directory attributes specified (just open up Active Directory Users and Computers and check-out the user object that is having a problem).
- Name: YourDomainOrWhateverYouWant
- Host: IP address of a Domain Controller (name is probably best)
- Port: 389
- Account: Domain\ServiceAccountRedmine01
- Password: SavedPassword
- Base DN: DC=domain,DC=local
- Login: SAMAccountName
- First Name: givenName
- Last Name: SN
- Email: mail
1 comment… add one
“if you’re under Authentication, and trying to run a “Test” of authentication, and it say’s successful – that doesn’t mean it’s actually working” just solved my issue after wasting a few hours!
Thanks for an excellent write-up.