mdzidic / ovz-web-panel

Automatically exported from code.google.com/p/ovz-web-panel

LDAP Authentication with Active Directory? #309

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Reason:
I'm trying to get users to be able to authenticate against the AD server and am 
unable to, partially due to lack of documentation. I have a bind user if it's 
any help...

Original issue reported on code.google.com by nshe...@gmail.com on 21 Jun 2011 at 5:19

GoogleCodeExporter commented 9 years ago
Check the following config settings:
http://code.google.com/p/ovz-web-panel/wiki/Configuration#LDAP

I didn't test integration of Owp with an AD server, but had a project with such 
auth in the past. Something similar to the following should be used:
login_pattern: "DOMAIN\\<login>"

Replace DOMAIN with your AD domain name. And don't replace <login>; it will be 
replaced dynamically.

Original comment by sibprogrammer on 22 Jun 2011 at 4:55

GoogleCodeExporter commented 9 years ago

Original comment by sibprogrammer on 22 Jun 2011 at 4:55

GoogleCodeExporter commented 9 years ago
That didn't work. I tried the following:

- Set host to IP of main AD server
- Set host to DNS entry of "athens.RRC.local"
- Set host to "ldap.lan" (no connection to server)
- Set login_pattern to "RRC\\<login>"
- Set login_pattern to "RRC\<login>"
- Set login_pattern to "RRC.local\\<login>"
- Set login_pattern to "RRC.local\<login>"

Original comment by nshe...@gmail.com on 22 Jun 2011 at 2:28

GoogleCodeExporter commented 9 years ago
Here is a simple script to test the LDAP connection:

#--->cut>---

require 'rubygems'
require 'net/ldap'

# LDAP / AD host to test against
LDAPSERVER = "ldap.lan"

# Simple bind with the given login and password; "user" should be in the
# same form as login_pattern produces, e.g. "DOMAIN\\user" for AD
ldap = Net::LDAP.new(:host => LDAPSERVER)
ldap.auth "user", "password"

# bind returns true only if the server accepted the credentials
if ldap.bind
  puts true
else
  puts false
end

#---<cut<---

Place the content in a test.rb file and run it using the command:
ruby /opt/ovz-web-panel/script/runner -e production test.rb

Try to play with the user login name. For the AD server I've used the "DOMAIN\\user" form. 
In case of success you should see the word "true".

Original comment by sibprogrammer on 23 Jun 2011 at 2:45

GoogleCodeExporter commented 9 years ago
I got the script to work using RRC\\<username> (returns true), but after 
copying the settings into config.yml, I still can't login with LDAP credentials.

test.rb

require 'rubygems'
require 'net/ldap'

LDAPSERVER = "Athens.RRC.local"

ldap = Net::LDAP.new(:host => LDAPSERVER)
# login and password redacted by the poster
ldap.auth "RRC\\<removed>", "<removed>"

if ldap.bind
  puts true
else
  puts false
end

config.yml

ldap:
  enabled: true
  host: "Athens.RRC.local"
  login_pattern: "RRC\\<login>"

Original comment by nshe...@gmail.com on 27 Jun 2011 at 9:05

GoogleCodeExporter commented 9 years ago
Did you create a user with the corresponding login in Owp?

Original comment by sibprogrammer on 28 Jun 2011 at 3:31

GoogleCodeExporter commented 9 years ago
No, wouldn't that defeat the purpose of logging in with LDAP? If it's not there, 
make it and keep the password synced with the auth server?

Original comment by nshe...@gmail.com on 28 Jun 2011 at 4:00

GoogleCodeExporter commented 9 years ago
LDAP is used for authentication, not for authorization. If you didn't create a 
user in Owp, it will be impossible to understand what permissions this user 
should have. You should create a corresponding user in Owp, but there is no need 
to provide a password in that case.

Original comment by sibprogrammer on 28 Jun 2011 at 5:32
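The following is an added example, not code from the OWP project or from anyone in this thread. It ties together the two points made above: the bind test script (a simple bind with the login_pattern-expanded name), and the authentication/authorization split (the directory decides whether the password is right, the local Owp user record decides what the user may do). The config keys `host` and `login_pattern` are the ones from the thread; `expand_login`, `LOCAL_USERS`, `ldap_authenticate`, the `binder` callable and the `FAKE_DIRECTORY` stand-in are this example's own assumptions so it runs offline without a directory server. It also goes slightly beyond the thread by refusing empty passwords before they reach the server, since Active Directory treats a simple bind with an empty password as an anonymous bind and reports success.

```ruby
# Added example (not OWP project code). Authentication is delegated to the
# directory via a simple bind; authorization comes from the local user table.

begin
  require 'net/ldap'
  HAVE_NET_LDAP = true
rescue LoadError
  HAVE_NET_LDAP = false   # fall back to the constructed fake directory below
end

# Expand the login_pattern from config.yml ("RRC\\<login>") for one user.
def expand_login(pattern, login)
  pattern.gsub('<login>', login)
end

# Local Owp accounts (constructed sample): LDAP says *who* the user is,
# this table says *what* they may do. No passwords are stored here.
LOCAL_USERS = {
  'nsheets' => { role: 'admin' },
  'alice'   => { role: 'user' },
}

# Real binder using net-ldap (hypothetical wiring, mirrors the thread's test.rb).
# Returns true only when the server accepts the credentials.
def net_ldap_binder(host)
  lambda do |dn, password|
    ldap = Net::LDAP.new(host: host, port: 389)
    ldap.auth(dn, password)
    ok = ldap.bind
    warn "bind failed: #{ldap.get_operation_result.message}" unless ok
    ok
  rescue Net::LDAP::Error => e   # connection refused, host unreachable, ...
    warn "ldap error: #{e.message}"
    false
  end
end

# Constructed stand-in directory for offline runs: login -> password.
# 'mallory' exists in the directory but has no local Owp account.
FAKE_DIRECTORY = {
  'RRC\\nsheets' => 's3cret',
  'RRC\\alice'   => 'hunter2',
  'RRC\\mallory' => 'pw',
}

def fake_binder
  lambda { |dn, password| FAKE_DIRECTORY[dn] == password }
end

# Returns [:ok, role], [:no_local_user], [:empty_password] or [:bad_credentials].
def ldap_authenticate(login, password, config, binder)
  # Authorization check first: an unknown login has no permissions in Owp,
  # so there is nothing to gain from contacting the directory at all.
  account = LOCAL_USERS[login]
  return [:no_local_user] unless account

  # Never send an empty password: AD answers an empty simple bind with
  # success (anonymous bind), which would look like a valid login.
  return [:empty_password] if password.nil? || password.empty?

  dn = expand_login(config['login_pattern'], login)
  return [:bad_credentials] unless binder.call(dn, password)

  [:ok, account[:role]]
end

if __FILE__ == $0
  cfg = { 'host' => 'Athens.RRC.local', 'login_pattern' => "RRC\\<login>" }
  # Set OWP_LDAP_LIVE=1 to bind against cfg['host'] with net-ldap instead of the fake.
  binder = (HAVE_NET_LDAP && ENV['OWP_LDAP_LIVE']) ? net_ldap_binder(cfg['host']) : fake_binder
  puts ldap_authenticate('nsheets', 's3cret', cfg, binder).inspect
  puts ldap_authenticate('nsheets', '', cfg, binder).inspect
  puts ldap_authenticate('mallory', 'pw', cfg, binder).inspect
end
```

Run it as `ruby ldap_auth_example.rb` to exercise the fake directory; with the net-ldap gem installed and `OWP_LDAP_LIVE=1` it performs a real simple bind against the configured host and prints the server's result message when the bind is rejected, which is more useful for debugging than the bare true/false of the thread's script.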

GoogleCodeExporter commented 9 years ago

Original comment by sibprogrammer on 1 May 2012 at 8:47

GoogleCodeExporter commented 9 years ago
A few things...

1) Wouldn't it make a lot more sense to "import" a user upon first login rather 
than duplicating the process of adding users? phpBB3, for example, does this. 
You can simply retrieve a user's information upon first login and store it in 
the local database. I'd rather we just used LDAP entirely, but that'd be a 
middle-ground approach between what you have and #2:

2) I host a whole bunch of stuff for people behind a VPN and would enjoy being 
able to manage user creation and privileges totally inside of LDAP. Obviously 
schemas will vary, so making those parameters configurable would be necessary.

3) I realize this is an older issue, but the behavior is the same today.

Thanks for your time reading and considering this.

Original comment by intentio...@gmail.com on 31 Oct 2012 at 3:46