
Integrate users from LDAP/MS Active Directory

    Starting with Hayes, MindTouch can be integrated with an external LDAP directory server such as OpenLDAP, MS Active Directory or Novell eDirectory. This allows companies whose users are already set up in their directory to start using MindTouch immediately without having to create user accounts. When a user successfully logs in to MindTouch with their LDAP credentials, the account is created and synchronized with the information from the directory.

    HOWTO integrate MindTouch with LDAP
    1. Log in as a user with ADMIN access, such as Sysop.
    2. Go to Control Panel -> Service Management.
    3. Ensure that 'Local' is selected.
    4. Enter a description for the directory server, such as "ACME Sales". Users will use this description to identify the correct authentication provider when logging in.
    5. Select "Native" and for the service identifier (SID) enter " http://services.mindtouch.com/deki/s...authentication " (be sure to right-click and copy the link on this URI).
    6. In the Configuration section, add the following entries (you'll need to click 'add' to enter each setting):
      1. hostname with the value being your LDAP server host or IP, such as "sales.acme.com". Note that this may or may not be the same as your domain; it should be a pingable IP or host name of the machine hosting your LDAP service.
      2. searchbase with the value being the DN (distinguished name) of your LDAP/AD server, such as "DC=sales,DC=acme,DC=com".
      3. bindingdn with the DN to use for binding/authenticating with LDAP. $1 will be dynamically substituted with the user name at login.
        • Active Directory example: $1@sales.acme.com
        • OpenLDAP example: CN=$1,DC=sales,DC=acme,DC=com
      4. Optionally (new in 8.05): bindingpw with the password of the LDAP user described by bindingdn. Create a new "Configuration" key and do not use quotes. This is necessary when your LDAP server doesn't allow anonymous queries, when integrating with single sign-on via NTLM/SSPI, or when using this LDAP service for trusted authentication. In that case set bindingdn to a user's full DN (use a real user name instead of $1) and set bindingpw to that user's password.
      5. userquery with the search query to use for looking up users. $1 will be dynamically substituted with the user name at login.
        • Active Directory example: samAccountName=$1
        • Active Directory example 2: mailNickname=$1
        • OpenLDAP example: CN=$1
      6. Optionally: timeout with the value being the time in milliseconds after which LDAP operations time out (default is 5000).
      7. Optionally (new in 1.8.2): displayname-pattern lets you customize the user name for new accounts created via the LDAP service. For example "{sn}, {givenname}" creates a user name of the form "lastname, firstname". The pattern is composed of attributes exposed from the user object in your directory; refer to your directory documentation for the list of attributes exposed for user records.
      8. Optionally (new in 1.8.3C): usernameattribute and groupnameattribute set the LDAP attribute used to return the user name or group name. By default the common attributes are tried in the order sAMAccountName -> uid -> name -> cn until one returns a value. If this isn't working, or you get an error such as "Unexpected username 'Joe Schmoe' came back from external auth provider. Expected: 'jschmoe'", set this to the name of an LDAP attribute that holds the user name so that the search is not performed.
      9. Optionally (new in 8.05.2): set ssl to 'true' to enable LDAPS support. This connects on port 636 and communicates via SSL, and requires a valid SSL certificate on the server. You can set ssl-ignore-cert-errors to 'true' to let the connection bypass any certificate warnings and errors. Refer to the SSL troubleshooting section below.
    7. Ensure the service is enabled and click 'Add service'.
    8. Read about how to set permissions for new and existing LDAP users:
      1. How do I...Set the default role for new LDAP / external accounts?
      2. How do I...Give specific rights to a set of LDAP accounts?

    You should see that the service was added and reset successfully.

    That should be it. Next time you go to the login page you'll see the service listed and you'll be able to authenticate with the directory.
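    The following is an added example, not MindTouch's LdapAuthentication code, that simulates what the settings above do once a user has bound: $1 is substituted into bindingdn and userquery (escaped per RFC 4514 for the DN and RFC 4515 for the search filter, so a login name containing filter metacharacters cannot change the shape of the query), the account name is taken from the entry in the documented sAMAccountName -> uid -> name -> cn order unless usernameattribute overrides it, and displayname-pattern is expanded. The CONFIG values, the two user entries and the behaviour when no displayname-pattern is set (the account name is used) are constructed assumptions; the "Unexpected username" message is the one quoted in the usernameattribute entry above.

```python
import re

# Constructed configuration using the keys the HOWTO above lists.
# Illustrative code only; this is not MindTouch's LdapAuthentication service.
CONFIG = {
    "hostname": "sales.acme.com",
    "searchbase": "DC=sales,DC=acme,DC=com",
    "bindingdn": "$1@sales.acme.com",          # Active Directory style
    "userquery": "samAccountName=$1",
    "displayname-pattern": "{sn}, {givenname}",
}

# Default lookup order the page documents when usernameattribute is not set.
USERNAME_ATTRIBUTE_ORDER = ("sAMAccountName", "uid", "name", "cn")


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515), so a login name
    containing ( ) * or backslash cannot alter the userquery filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value):
    """Escape a value placed inside a DN (RFC 4514). Plain user names pass through unchanged."""
    out = []
    for i, c in enumerate(value):
        if c in '"+,;<>\\' or (i == 0 and c in "# ") or (i == len(value) - 1 and c == " "):
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def substitute(template, username, escape):
    """Replace the $1 placeholder the way the bindingdn/userquery settings describe."""
    return template.replace("$1", escape(username))


def make_entry(**attrs):
    """Build a directory entry; LDAP attribute names are case-insensitive, so keys are lowercased."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}


def resolve_username(entry, config):
    """Pick the account name: usernameattribute if set, otherwise the default attribute order."""
    explicit = config.get("usernameattribute")
    if explicit:
        values = entry.get(explicit.lower())
        if not values:
            raise LookupError("attribute %r not present on the user entry" % explicit)
        return values[0]
    for attr in USERNAME_ATTRIBUTE_ORDER:
        values = entry.get(attr.lower())
        if values:
            return values[0]
    raise LookupError("no username attribute found on the user entry")


def render_displayname(pattern, entry):
    """Expand {attr} tokens in displayname-pattern from the entry; missing attributes become empty."""
    return re.sub(r"\{(\w+)\}", lambda m: (entry.get(m.group(1).lower()) or [""])[0], pattern)


def login(username, entry, config):
    """Simulate the checks after a successful bind: the name the directory reports must match
    the login name, then the new account's display name is derived from the pattern."""
    bind_dn = substitute(config["bindingdn"], username, escape_dn_value)
    user_filter = substitute(config["userquery"], username, escape_filter_value)
    resolved = resolve_username(entry, config)
    if resolved.lower() != username.lower():
        raise ValueError("Unexpected username '%s' came back from external auth provider. "
                         "Expected: '%s'" % (resolved, username))
    pattern = config.get("displayname-pattern")
    # Assumption: without a pattern the account name itself is used as the display name.
    displayname = render_displayname(pattern, entry) if pattern else resolved
    return {"bind_dn": bind_dn, "user_filter": user_filter,
            "username": resolved, "displayname": displayname}


# Constructed sample entries (not real directory data).
USER_WITH_SAM = make_entry(sAMAccountName="jschmoe", cn="Joe Schmoe", name="Joe Schmoe",
                           sn="Schmoe", givenName="Joe")
USER_WITHOUT_SAM = make_entry(mailNickname="jschmoe", cn="Joe Schmoe", name="Joe Schmoe",
                              sn="Schmoe", givenName="Joe")

if __name__ == "__main__":
    print(login("jschmoe", USER_WITH_SAM, CONFIG))
    try:
        login("jschmoe", USER_WITHOUT_SAM, CONFIG)   # falls through to 'name' and fails
    except ValueError as err:
        print(err)
    fixed = dict(CONFIG, usernameattribute="mailNickname", userquery="mailNickname=$1")
    print(login("jschmoe", USER_WITHOUT_SAM, fixed))
```

    The second entry has no sAMAccountName, so the default order reaches name and returns "Joe Schmoe", which is exactly the mismatch the error in the usernameattribute entry describes; pointing usernameattribute at the attribute that actually holds the login name (mailNickname here, matching the second Active Directory userquery example) resolves it.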

    Example settings

    Try the following settings (they work with Active Directory on an SBS 2003 server) if you are getting error 500 or otherwise having trouble with the configuration described above:

    searchbase  DC=domainname,DC=local
    hostname    servername.domainname.local
    userquery   samAccountName=$1
    bindingdn   $1@domainname.local

    (work in progress -- please add to this table if you have issues with the given settings but find one that works for you)

    groupquery, groupqueryall and groupmembersattribute are available in 1.8.3; groupmembershipquery is available in 8.05.2.

    Microsoft Active Directory
      bindingdn:             $1@sales.acme.com
      userquery:             samAccountName=$1
      groupquery:            (&(cn=$1)(objectClass=group))
                             or (&(cn=$1)(objectCategory=group))
                             or (&(samAccountName=$1)(objectCategory=group))
      groupqueryall:         (objectClass=group)
      groupmembersattribute: memberOf
      groupmembershipquery:  (&(uniqueMember=$1)(objectClass=groupOfUniqueNames))

    Novell eDirectory
      bindingdn:             CN=$1,DC=sales,DC=acme,DC=com
      userquery:             CN=$1
      groupquery:            (&(cn=$1)(objectClass=group))
                             or (&(cn=$1)(objectClass=groupOfNames))
      groupqueryall:         (objectClass=group)
      groupmembersattribute: groupMembership
      groupmembershipquery:  (&(uniqueMember=$1)(objectClass=groupOfUniqueNames))

    OpenLDAP
      bindingdn:             CN=$1,DC=sales,DC=acme,DC=com
      userquery:             CN=$1
      groupquery:            (&(cn=$1)(objectClass=group))
                             or (&(objectClass=posixGroup)(cn=$1))
      groupqueryall:         (objectClass=group)
                             or (objectClass=posixGroup)
      groupmembersattribute: (not set)
      groupmembershipquery:  (&(member=uid=$1)(objectClass=groupOfNames))

    Mac OS X Server
      bindingdn:             uid=$1,cn=users,dc=your,dc=server,dc=name
      userquery:             uid=$1
      groupquery:            (&(objectClass=posixGroup)(cn=$1))
      groupqueryall:         (objectClass=posixGroup)
      groupmembersattribute: (not set)
      groupmembershipquery:  (&(memberUid=$1)(objectClass=posixGroup))
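    To make the group filters in the table concrete, here is an added example (not part of this page or of MindTouch) that evaluates the RFC 4515 subset the table uses, equality terms and (&...) conjunctions, against constructed group entries. It shows why the FAQ case of a group whose CN differs from its sAMAccountName only resolves with the samAccountName variant of groupquery, how groupmembershipquery with memberUid returns a posixGroup user's groups, and that $1 is escaped before substitution so a wildcard in the login name is matched literally rather than as a wildcard. The group entries are constructed; real Active Directory stores objectCategory as a schema DN and normalizes the short form server-side, so the sample entries store the short form to keep the literal comparison faithful.

```python
import re

# Constructed group entries (not real directory data). Attribute names are lowercased
# because LDAP attribute names are case-insensitive.
AD_GROUPS = [
    {"cn": ["Sales"], "samaccountname": ["Sales"],
     "objectclass": ["top", "group"], "objectcategory": ["group"]},
    # CN and sAMAccountName differ: the FAQ case "Group 'XXX' not found".
    {"cn": ["Sales Team"], "samaccountname": ["salesteam"],
     "objectclass": ["top", "group"], "objectcategory": ["group"]},
]
POSIX_GROUPS = [
    {"cn": ["sales"], "objectclass": ["posixGroup"], "memberuid": ["jschmoe", "maxm"]},
    {"cn": ["wiki"], "objectclass": ["posixGroup"], "memberuid": ["maxm"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping applied to $1 before it is placed in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape(value):
    """Reverse RFC 4515 \\XX escapes when comparing a filter value to an attribute value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the subset the table uses: (attr=value) and (&(f1)(f2)...).
    Values arrive already escaped, so a literal ')' always closes the current term."""
    text = text.strip()
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return ("and", children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("expected attr=value in %r" % text[pos:end])
        pos = end + 1
        return ("eq", attr.strip().lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive equality, as LDAP does for cn)."""
    if node[0] == "and":
        return all(matches(entry, child) for child in node[1])
    _, attr, raw_value = node
    values = entry.get(attr, [])
    if raw_value == "*":              # presence test; an escaped \2a never reaches this branch
        return bool(values)
    wanted = unescape(raw_value).lower()
    return any(v.lower() == wanted for v in values)


def query(entries, template, arg=""):
    """Substitute the escaped argument for $1 in a template from the table and return matching cn values."""
    node = parse_filter(template.replace("$1", escape_filter_value(arg)))
    return [e["cn"][0] for e in entries if matches(e, node)]


if __name__ == "__main__":
    print(query(AD_GROUPS, "(&(cn=$1)(objectClass=group))", "salesteam"))                # []
    print(query(AD_GROUPS, "(&(samAccountName=$1)(objectCategory=group))", "salesteam"))  # ['Sales Team']
    print(query(POSIX_GROUPS, "(&(memberUid=$1)(objectClass=posixGroup))", "maxm"))       # ['sales', 'wiki']
    print(query(POSIX_GROUPS, "(&(cn=$1)(objectClass=posixGroup))", "*"))                 # []
```

    The last call is the defensive point: because $1 is escaped, a login name of "*" looks for a group literally named "*" and finds nothing, whereas the unescaped presence filter (cn=*) in the groupqueryall style would list every group.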

    Notes
    • The above configuration setting names are case sensitive (all lowercase).
    • The Mac OS X Server settings only pull a user's other groups; the primary group is not pulled.
    More info

    Take a look here if you have a custom user database (non-LDAP) that you'd like to integrate with.

    c22mort wrote a great guide for Novell eDirectory users here: http://forums.opengarden.org/showthread.php?p=14042 

    FAQs

    Q: My directory service requires all connections to be authenticated. Since I never hardcoded any system account, what credentials are used to allow LDAP queries?

    A: The login screen uses the credentials provided by the user both to attempt authentication and to retrieve user/group info. The Control Panel user/group management screens prompt for the credentials to use; these are not stored anywhere.

    Q: I've set up LDAP correctly and it looks like my users are able to authenticate, but they are not allowed to log in and get the message "This user does not have access to login to MindTouch. Please contact your site administrator".

    A: Read the two FAQs on external account rights linked from step 8 above.

    Q: I'm using Novell eDirectory and I can't get groups to work.

    A: We found some issues in the way groups are looked up for eDirectory. This will be fixed in 1.8.3. Until then, please refer to http://forums.opengarden.org/showthread.php?t=890 for a fix.

    Q: When adding a group you get an error: Group 'XXX' not found in the external authentication provider.

    A: This may happen on Active Directory when the group's CN doesn't match its sAMAccountName (the Windows 2000 name). Either change the sAMAccountName to match the group name or adjust your groupquery setting. Refer to this forum post.

    Troubleshooting
    Basic troubleshooting steps

    A simple way to troubleshoot LDAP-related issues is to ensure that the LdapAuthentication service is able to communicate with your directory correctly. You can do this by going to Control Panel -> Service Management and getting the URI of the LDAP Authentication service you added. You can then use a browser to interact with your directory through this service. For example, if your LDAP Authentication service URI is http://wiki.acme.org/@api/deki/services/11, you can attempt to authenticate and get user info by going to http://wiki.acme.org/@api/deki/services/11/users/maxm, where maxm is the user you want to look up. It should ask you for credentials, which it will use to bind to the directory. To see the groups in the domain, go to http://wiki.acme.org/@api/deki/services/11/groups.

    NOTE: If you are using MindTouch 2009, the troubleshooting link would now be: http://wiki.acme.org/@api/deki/servi.../11/users/maxm

    If LDAP is not accepting your username/password, you can verify that it is receiving your credentials correctly by enabling trace logging: edit your mindtouch.host.exe.config and, at the bottom, use <level value="TRACE" />.

    If you suspect a searchbase configuration issue, Active Directory Explorer lets you view the Active Directory tree structure visually.

    Running the VM on the Windows Server computer you are trying to authenticate with

    In at least one instance, a MindTouch VM running on the same server was denied access to the LDAP database, causing connection errors even when everything was connected and configured properly.
    To test: suspend the VM, move it anywhere else, and test again (the @api URL above is a good first test).

    SSL / LDAPS connections

    SSL support was added in 8.05.2. It requires a valid certificate on the server that is trusted by the LDAP client. If you're unable to connect and you suspect a certificate issue, you can try setting ssl-ignore-cert-errors to 'true' to disregard any certificate-related errors. If you get an "SSL Provider not found" error, download the new Novell.Directory.Ldap.dll and replace the file in your wiki's bin directory (the new version is included in MindTouch 8.07). Make sure you have trusted certificates installed if you're having certificate-related issues. More info on this forum thread. (todo: FAQ/howto for installing trusted root certs).

    LDAP help

    If you're struggling, take a look at the posts on the LDAP forum. Try the troubleshooting steps above and search the forum before posting.

    Drop by the MindTouch irc channel at irc.freenode.net #mindtouch

    Comments
    Using http://wiki.acme.org/@api/deki/services/11/users/maxm brings up user details; however, I am not able to pick up any groups, either via http://wiki.acme.org/@api/deki/services/11/groups or through group management. Using Novell eDirectory. Same as the above comment, I would like to use LDAPS.
    Posted 05:03, 9 Oct 2007
    If you're having problems retrieving groups with Novell eDirectory, refer to http://forums.opengarden.org/showpost.php?p=4569&postcount=6
    Posted 20:19, 9 Oct 2007
    SSL support for LDAP isn't currently enabled but should be possible with the Novell.Directory.Ldap.dll lib that we're using. We'll try to get this in for a later release but we'll happily accept patches to allow this meanwhile :)
    Posted 20:22, 9 Oct 2007
    MaxM, could you please elaborate on SSL LDAP for Novell (port 636)? It would work great with our eDirectory and put our LDAP admin's mind to rest.
    Posted 03:00, 12 Oct 2007
    Is it possible to achieve single sign on with Microsoft Active Directory? I would like to avoid having to force users to log in explicitly.
    Posted 20:54, 6 Nov 2007
    gilles: I've filed a bug for being able to configure the ldap port here: http://bugs.opengarden.org/view.php?id=2954
    I'll try to get it into the next 1.8.3 release. But meanwhile, if you're technical enough you can edit the source and recompile to set your correct port number.
    Posted 10:55, 27 Nov 2007
    We want to use a different approach, where we have a single authorized binddn that has a password. Is this approach possible with the built-in LDAP?
    Posted 06:46, 8 Jan 2008
    Is it possible to make MS AD LDAP recognize nested groups?
    Posted 07:06, 11 Jan 2008
    If you're having problems getting AD integration to work, check the syntax of the DN that you're specifying for the searchbase - make sure that it makes sense. The way the instructions read, I was specifying the hostname of a DC twice, once in the hostname line and once in the searchbase line. Authentication was happening according to the event log on my DC, but Dekiwiki didn't like it. I did a write-up here…

    http://addicted-to-it.blogspot.com/2008/01/dekiwiki-active-directory-integration.html
    Posted 10:13, 17 Jan 2008
    should http://wiki.acme.org/@api/deki/services/11/groups. include a "default" ?
    Posted 13:25, 8 May 2008
    Easy to bind to OS X Server LDAP

    userquery uid=$1
    hostname your.server.name
    bindingdn uid=$1,cn=users,dc=your,dc=server,dc=name
    searchbase cn=users,dc=your,dc=server,dc=name
    edited 17:50, 18 Jul 2008
    Posted 17:49, 18 Jul 2008
    This is hopelessly out of date and unclear. Can't someone learn to write clear and concise technical documentation?!
    Posted 21:03, 2 Jul 2009
    I just updated the troubleshooting links to reflect how it should work in MindTouch 2009: http://wiki.acme.org/@api/deki/services/*DEFAULT*/11/users/maxm.... Note the one I put *'s around.... that is why the above one wouldn't work.
    Posted 06:10, 21 Jan 2010
    There is no "Service Management" option under the Control Panel.
    Posted 21:16, 15 Jul 2010
    @alex@sol1.com.au take a look at our new Authentication guide: http://developer.mindtouch.com/en/docs/mindtouch_setup/030User_Authentication
    Posted 22:05, 15 Jul 2010

    Copyright © 2011 MindTouch, Inc.