aC forum: LDAP - one more time

Post #20 by [user deleted]

[user deleted] — Fri, 02 Jul 2010 02:13:42 CEST

Yea, remember that it wouldn't necessarily need AD/LDAP directly, using some of the existing authentication/federation options would be fine as well - PAM/RADIUS/OpenID...

Post #19 by fernando.silva

fernando.silva — Wed, 30 Sep 2009 12:36:28 CEST

Interested. A single sign on interface (CAS, Shibbollet...) would be even better.

Post #18 by Fei Y.

Fei Yan — Mon, 21 Sep 2009 01:46:48 CEST

Some updates (see my website http://www.activecollabmod.com/ for screenshot):
Added multiple group mapping based on directory
Added search filters
Tested on OpenLDAP

Post #17 by Fei Y.

Fei Yan — Tue, 08 Sep 2009 06:33:45 CEST

proskurin-kv:
Support is sounds really good!
I ask you few more question just because I can see or test your plugin. :-)

1) As I understand baseDN is hardcoded? Our baseDN is "dc=CAS" for example. it is not a big problem if we can easly change it in your code. Could we?

2) As I understand some search filter is hardcoded too. Like "ObjectClass=*" ?
Search filter is important because we - and many others - have many different type of accounts in LDAP and they have a same attribute like "uid" or "mail". So it will broke auth if it auth against wrong account.

So - it is possible to easly change a search filter?
For example we will want this: "ObjectClass: mailUser"

Thank you for your advice. Let me answer your questions:
1. baseDN can be changed from admin panel. It is not hardcoded.
2. search filter is somewhat hardcoded. You can easily add more filters into the source code.
3. In the original design I thought about group mapping but didn't come up a decent way to implement it. The thing is users in ActiveCollab can have only one system role but in LDAP they can belong to many. So I only provide a setting to default an ActiveCollab role to first time LDAP users.

Post #16 by proskurin-kv

proskurin-kv — Mon, 07 Sep 2009 19:12:32 CEST

Yes, if you want to use mail as the unique identifying field just put it in the setting and turn off "is binary" option. This module is very customizable.

For multi domain, user can enter their full login name containing domain name then system will not assume the default domain. Also you'll need to increase the scope of the baseDN setting to dc=org. Right now it cannot work in the case of you have both .org and .com.

I haven't thought about Search filters and group mapping but thanks for your advice I will keep improving the module.

This is NOT a "as is" piece of code. Customers will receive support.

Support is sounds really good!
I ask you few more question just because I can see or test your plugin. :-)

1) As I understand baseDN is hardcoded? Our baseDN is "dc=CAS" for example. it is not a big problem if we can easly change it in your code. Could we?

2) As I understand some search filter is hardcoded too. Like "ObjectClass=*" ?
Search filter is important because we - and many others - have many different type of accounts in LDAP and they have a same attribute like "uid" or "mail". So it will broke auth if it auth against wrong account.

So - it is possible to easly change a search filter?
For example we will want this: "ObjectClass: mailUser"

Post #15 by Fei Y.

Fei Yan — Mon, 07 Sep 2009 18:26:07 CEST

proskurin-kv:

Sounds great but we use OpenLDAP and before purchase we want to be sure what it is works well. For example - it will work if in UUID fild we chose "mail"?
So login will be like 'localpart@domain.org',

Muiltydomain?
eg -> 'localpart@domain2.org', 'localpart@domain3.org' and so on.

Search filters? Group mapping?

Yes, if you want to use mail as the unique identifying field just put it in the setting and turn off "is binary" option. This module is very customizable.

For multi domain, user can enter their full login name containing domain name then system will not assume the default domain. Also you'll need to increase the scope of the baseDN setting to dc=org. Right now it cannot work in the case of you have both .org and .com.

I haven't thought about Search filters and group mapping but thanks for your advice I will keep improving the module.

This is NOT a "as is" piece of code. Customers will receive support.

Post #14 by proskurin-kv

proskurin-kv — Mon, 07 Sep 2009 10:48:49 CEST

activecollabmod:
Hi everyone, I have developed a LDAP module and now it's for sale!

Visit my website http://www.activecollabmod.com for more info!

Highlights
· Enables LDAP login ability for ActiveCollab 2.x
· Built with safety in mind
· Automatically synchronizes user information with LDAP server
· Highly customizable
· Tested on Microsoft Active Directory for Windows Server 2003
· Potentially supports other LDAP providers

Sounds great but we use OpenLDAP and before purchase we want to be sure what it is works well. For example - it will work if in UUID fild we chose "mail"?
So login will be like 'localpart@domain.org',

Muiltydomain?
eg -> 'localpart@domain2.org', 'localpart@domain3.org' and so on.

Search filters? Group mapping?

Post #13 by Fei Y.

Fei Yan — Mon, 07 Sep 2009 10:15:05 CEST

Hi everyone, I have developed a LDAP module and now it's for sale!

Visit my website http://www.activecollabmod.com for more info!

Highlights
· Enables LDAP login ability for ActiveCollab 2.x
· Built with safety in mind
· Automatically synchronizes user information with LDAP server
· Highly customizable
· Tested on Microsoft Active Directory for Windows Server 2003
· Potentially supports other LDAP providers

Post #12 by proskurin-kv

proskurin-kv — Thu, 03 Sep 2009 10:59:11 CEST

So we have many peaple what could support development of this simple plugin.

Is here any developers who can do this work?

Post #11 by m80junk2

m80junk2 — Thu, 03 Sep 2009 01:10:46 CEST

Definitely would support this! Crucial :(