[Fusionforge-general] ldapextauth installation on Debian Lenny

Matt Kleffner kleffner at gmail.com
Tue Feb 17 05:04:30 CET 2009


Greetings!

I am installing GForge on a Debian Lenny server in a corporate
environment - I installed the package included with the distribution.
I can successfully log in to my administrator account via the web
interface.

I am trying to set up the ldapextauth plugin so that I can
authenticate users against our existing LDAP directory, which is on an
Active Directory server. My questions follow the description of my
setup.

I did not see a package for this plugin in Lenny, so I downloaded
gforge-4.7rc3-svn6781 and installed the ldapextauth plugin as directed
in the README:

Installation:

- files from etc/ go to /etc/gforge/plugins/ldapextauth
- files from bin/ go to /usr/lib/gforge/plugins/ldapextauth/bin
- files from include/ go to /usr/lib/gforge/plugins/ldapextauth/include

Setup:

- customise files in /etc/gforge/plugins/ldapextauth to match your
LDAP installation (server, base DN, and mapping)
- /usr/lib/gforge/plugins/ldapextauth/bin/db-upgrade.pl
- /usr/lib/gforge/bin/register-plugin ldapextauth "LDAP external authentication"

In /etc/gforge/plugins/ldapextauth/config.php I set $ldap_kind="AD";
and the port is 389. I set the remaining variables to the AD-server
configuration.

I do not have ownership of the Active Directory (LDAP) server. I am
required to authenticate myself to the server in order to browse the
directory or authenticate accounts against it. The username I am
interested in is stored in the sAMAccountName field, which appears to
already be supported by the plugin as it appears in the source. I have
no authority to create or delete accounts on the AD server, which is
acceptable for my purposes. I can successfully login/bind and search
the AD server with ldapsearch.

I cannot determine if the plugin is intercepting logins as GForge
still accepts my local admin account/password but does not accept any
LDAP accounts - the result is "Invalid Password Or User Name".

I noticed ldapextauth did not show up in the "Plugin Manager",
although browsing the gforge database (with phppgadmin) indicated it
was registered as a plugin. Creating the empty directory
/usr/share/gforge/plugins/ldapextauth ($sys_plugins_path) caused an
entry for ldapextauth to show up in the Plugin Manager. I'm not sure
if this was otherwise a meaningful operation as nothing else appeared
to change.

Questions:
* I noticed that there are also ldap variables in
/etc/gforge/local.inc . Must I set these as well to get ldapextauth to
work, or are they for a different purpose?
* What steps have I missed in installing ldapextauth?
* How can I debug or turn on logging to inspect interaction with the
LDAP server? If I recall correctly, I followed comments that mentioned
changing @ldap_bind to ldap_bind in
/usr/lib/gforge/plugins/ldapextauth/include/LdapExtAuthPlugin.class.php
to cause some logging - but I don't know where to look as
/var/log/gforge has only 2009, cvs, and svn directories. The logs in
2009 don't show any LDAP evidence.
* How/where do I put my password for the account that is used to bind
to the LDAP server?
* Once I can authenticate against the LDAP server, will I no longer be
able to log in with my local admin account? Do I need to have an admin
account created on the LDAP server?
* There are many users in the LDAP directory that will not and should
not log in to the GForge site. Can I prevent user-creation (and
deletion) of accounts, except by the administrator?

Any help is greatly appreciated.

GForge/FusionForge developers, thanks for all of your hard work!

 - Matt



