LDAP Binding
Bind to LDAP server with user login information
Instead of specifying a bind account in the configuration, is it possible for the LDAP/AD authentication to use the credentials of the user who is currently logging in?
Usecase/example: I have never used Mantis but I have details in Active Directory, and I use my AD details to try to log into Mantis. Mantis then uses these details to attempt a bind/search of the AD. A failure to bind means the user doesn't exist. A successful bind means Mantis can grab the details for my user (email, name, etc.). Even if anonymous binding is allowed we can search for these details and figure out if the user exists.
Re: Bind to LDAP server with user login information
My AD server does not allow for anonymous binding and I do not want to specify a bind account in the configuration.
The account I want to bind with is the login credentials when a user attempts to log in. Does this make sense?
LDAP Binding
Greetings,
Mantis BT Ver: 1.2.19
I am trying to get Mantis to work with our AD setup and need a bit of guidance. You cannot search anonymously and there is no service account. I need to make $g_ldap_bind_dn equal to the following format: DOMAIN\username. The username and password must come from the login form.
So where in ldap_api.php can I change this, or is there an easier way? The AD admin will not create a service account for searching and will not allow anonymous searches.
Re: Bind to LDAP server with user login information
This is exactly what I need in my environment as well! The $g_ldap_bind_dn needs to equal "Domain\Username", with the username and password coming from the login form.
Re: LDAP Binding
So I found a way to hard code it for the time being but to fully implement authentication from a domain, DOMAIN\User, I need to rewrite the function ldap_authenticate_by_username.
Temp fix to auth by Domain\User, approx. lines 352 - 360 in ldap_api.php:
Code:
# Bind
log_event( LOG_LDAP, "Binding to LDAP server" );
# here is where you place the domain: bind as DOMAIN\<login name> with the password from the login form
$t_ds = ldap_connect_bind( 'DOMAIN\\' . $p_username, $p_password );
log_event( LOG_LDAP, "Binding via $p_username with supplied password" );
if ( $t_ds === false ) {
	ldap_log_error( $t_ds );
	trigger_error( ERROR_LDAP_AUTH_FAILED, ERROR );
}
A couple of notes if you do it the hardcoded way for now. Make sure you turn off Admin checks since it will try to authenticate as the default admin account for some reason, and you cannot update the user's MAIL and REALNAME because those functions bind anonymously since the bind_dn and bind_passwd are blank in the config_inc.php.
To fix that you will need to do all your LDAP detail getting during the "authenticate_by_username" function since the other methods bind on their own.
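The approach asked for in the first post and hard-coded in the temp fix above (bind as DOMAIN\user with the login form's own credentials, then fetch mail and real name while still bound, since no service account or anonymous search is available) as one self-contained function. This is an added example, not MantisBT's ldap_api.php or any poster's code; the host, NetBIOS domain, base DN and function name are placeholders, and it also adds the checks a defender wants: an empty password is rejected before binding (AD accepts an empty-password bind as a successful anonymous bind), and the login name is escaped before it is put into the search filter.

```php
<?php
// Added example (not MantisBT code): bind with the login user's own DOMAIN\user
// credentials and read mail/displayName in that same bound session.
// Host, domain and base DN are placeholders; adjust for your directory.
function ad_auth_and_lookup( $p_username, $p_password ) {
    $t_host    = 'ldap://ad.example.com';   // placeholder
    $t_domain  = 'DOMAIN';                  // placeholder NetBIOS domain
    $t_base_dn = 'DC=example,DC=com';       // placeholder search base

    // AD treats a bind with an empty password as an anonymous bind that
    // *succeeds*, so an empty password must be rejected before binding.
    if ( $p_username === '' || $p_password === '' ) {
        return false;
    }
    // Reject a login name that already carries a domain or separator, so the
    // bind identity is always exactly DOMAIN\<login name>.
    if ( strpbrk( $p_username, "\\/@" ) !== false ) {
        return false;
    }

    $t_ds = ldap_connect( $t_host );
    if ( $t_ds === false ) {
        return false;
    }
    ldap_set_option( $t_ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $t_ds, LDAP_OPT_REFERRALS, 0 );   // AD: do not chase referrals

    // Bind as the user who is logging in; a failed bind means bad credentials
    // (or no such user), which is all the login step needs to know.
    if ( !@ldap_bind( $t_ds, $t_domain . '\\' . $p_username, $p_password ) ) {
        ldap_unbind( $t_ds );
        return false;
    }

    // Still bound as that user: look up their own attributes now, because a
    // later separate bind would have no credentials to use.
    $t_filter  = '(sAMAccountName=' . ldap_escape( $p_username, '', LDAP_ESCAPE_FILTER ) . ')';
    $t_sr      = ldap_search( $t_ds, $t_base_dn, $t_filter, array( 'mail', 'displayName' ) );
    $t_entries = ( $t_sr !== false ) ? ldap_get_entries( $t_ds, $t_sr ) : array( 'count' => 0 );
    ldap_unbind( $t_ds );

    if ( $t_entries['count'] !== 1 ) {   // exactly one match, or treat as failure
        return false;
    }
    return array(   // ldap_get_entries() lowercases attribute names
        'email'    => $t_entries[0]['mail'][0] ?? '',
        'realname' => $t_entries[0]['displayname'][0] ?? '',
    );
}
```

Because the password is never stored, the returned email and real name have to be written to the Mantis user record in the same request in which the user logged in.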
Re: Bind to LDAP server with user login information
Glad to see I'm not the only one mcgoode.
If anyone needs an example, the Jenkins Active Directory plugin has this behaviour.
Re: Bind to LDAP server with user login information
I posted how I did a temp fix on my thread, sorry mods for the dup.
Re: LDAP Binding
Once i get a fully working method for binding by the domain I will post it here.
Re: LDAP Binding
Hi everyone.
I'm new to this forum, but not new to MantisBT. Used it back in 2003/2004 and installed version 1.2.x last summer, for another company in which I work now.
I have upgraded to 2.1.0 yesterday, but I'm struggling with having users login through single sign on. In version 1.2.x, I had the adLogin plugin, which was very straightforward.
In 2.1.0, such a plugin does not seem to be necessary anymore, but I'm having a hard time getting that configured. The LDAP settings are a pain, since I do not have all the information at hand (server: OK, but pretty much all the rest is not available to me, and central won't reveal the information, nor will they give me an account and password to read the information from Active Directory).
Can I work around this by using a plugin, or am I really forced to use LDAP/Active Directory? In that last case... what is my best option?
Re: LDAP Binding
Me again!
Seems the solution to my issue was already on this forum. I found it here: viewtopic.php?f=3&t=21116&p=61257&hilit ... ory#p61244
I was only looking for a SSO solution. I didn't need more functionality from AD.