LDAP/Active Directory

Native LDAP integration allows several operations:

1) user import “by hand”: there is a procedure for importing users from an LDAP server (including Microsoft Active Directory ©), which may be used even if LDAP authentication is not enabled; it is of course necessary if LDAP authentication is enabled, because the users must exist in Twproject in any case.

2) user import from a scheduled job

3) authentication against the LDAP server


Since version 4.5 you can enable LDAP authentication with fallback to Twproject’s internal authentication in case the LDAP login fails.

LDAP basic parameters

First of all, you must set up the LDAP basic parameters; go to “Ldap integration” from the administration page:


After selecting the LDAP radio button you will have to configure the LDAP parameters.

Note: LDAP is a language with several dialects (servers differ in schema and attribute names). Hence we provide out of the box some variants of the language, each in its own configuration file. The variants provided are:

· Active Directory (©Microsoft Corp.):
in the file [web app root]/commons/settings/ldap/activeDirectory.properties

· Apache Directory Server:
in the file [web app root]/commons/settings/ldap/apacheDirectory.properties

· OpenLdap:
in the file [web app root]/commons/settings/ldap/openLdap.properties

You may add further properties files here; they will then be available in the global configuration combo box.

Notice also that both “1.0” and “2.0” LDAP queries should work.

A nice feature is:

That allows Twproject to create an LDAP-validated user at its first login.

Example configuration with Active Directory:

Example configuration with Apache Directory:

Example configuration with OpenLDAP:

Once you have entered the values, you can check the configuration by using the test button.

In order to enable authentication you MUST have the users created in Twproject. You may proceed by importing them manually or by scheduling an import.

Importing users by hand

There is a comfortable procedure for importing users by hand, which also lets you configure the imported users’ rights from the point of view of Twproject: once you have set up the LDAP parameters, go to the admin page and follow “LDAP integration – import users”.

Here you can select the CN groups in which to search for users; once some are found, pick those you want to import.

For every picked user you can decide whether to make them a Twproject administrator, or assign them other area-global roles.


LDAP roles are not mapped into Twproject as the business logic behind them is quite different; customized behavior can be developed on demand.


Users will be placed in the area you pick.

“update existing users” will update non-security-related data on existing users.

“set password for import users”: this is the Twproject password that will be set on imported users, in case LDAP authentication is off. If left empty, a password equal to the login name will be set.

Since a complex LDAP structure can be hard to filter, you may use an LDAP explorer tool to navigate the structure and identify the users you want.
Some tools:
a free generic one: http://jxplorer.org/
or, for Active Directory: http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
There are several resources available online to help with filter syntax.
Some starting points:
http://www.google.com/support/enterprise/static/postini/docs/admin/en/dss_admin/prep_ldap.html
http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
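The filters you build for the group/user search above carry whatever text you put in them, so a login name or group DN containing “*”, “(”, “)” or “\” must be escaped, otherwise the value changes the meaning of the filter instead of being matched literally. The following is an added example (not Twproject code) of building such filters with RFC 4515 escaping; the attribute names sAMAccountName, memberOf and objectClass are the usual Active Directory ones and are an assumption about your directory’s dialect.

```python
"""Build RFC 4515 LDAP search filters for a user import, escaping user-supplied values.

Added example, not Twproject code. Attribute names (sAMAccountName, memberOf,
objectClass) are assumptions about an Active Directory style dialect.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched as data rather than parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, user_class: str = "user",
                login_attr: str = "sAMAccountName") -> str:
    """Filter matching exactly one login name (the lookup done at authentication time)."""
    return f"(&(objectClass={user_class})({login_attr}={escape_filter_value(login)}))"


def group_members_filter(group_dns, user_class: str = "user") -> str:
    """Filter matching users that belong to any of the given groups.

    This mirrors the 'select the CN groups in which to search users' step:
    one memberOf clause per group DN, OR-ed together.  Group DNs are escaped
    as well, since a DN may legitimately contain parentheses.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectClass={user_class})(|{clauses}))"


if __name__ == "__main__":
    # Constructed inputs: a normal login, a login containing filter metacharacters,
    # and a group DN; none of these refer to a real directory.
    print(user_filter("jdoe"))
    print(user_filter("*)(cn=*"))
    print(group_members_filter(["CN=Developers,OU=Groups,DC=example,DC=com"]))
```

The second call shows the point of the escaping: the metacharacters in the login come out as `\2a\29\28…`, so the filter still compares one attribute against one literal string.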

Additional properties

Any additional properties that are mapped are listed in the ldap properties file of the chosen dialect, in

[web app root]/commons/settings/ldap/[the chosen one].properties

The sample ones mapped are:

PHONE=telephoneNumber
COUNTRY=co
STATE=st
CITY=l
ZIP=postalCode
MOBILE=mobile

You can add your own, compliant with your LDAP dialect.
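To see what such a mapping does to an imported user, here is an added example (not Twproject code; how Twproject itself reads the file is an assumption) that parses the KEY=ldapAttribute lines above, including a custom addition, and applies them to a constructed LDAP entry. It handles two details a practitioner runs into: attributes missing from the entry are skipped rather than blanked, and multi-valued attributes (LDAP returns lists) contribute their first value; attribute names are compared case-insensitively, as LDAP does.

```python
"""Apply a KEY=ldapAttribute mapping file to an LDAP entry.

Added example, not Twproject code. The properties syntax handled here
(key=value, '#' or '!' comments, blank lines) is an assumption.
"""
from typing import Dict, List

# Constructed sample: the page's mappings plus one custom line.
SAMPLE_PROPERTIES = """\
# Twproject field = LDAP attribute
PHONE=telephoneNumber
COUNTRY=co
STATE=st
CITY=l
ZIP=postalCode
MOBILE=mobile

# custom addition for this dialect (constructed)
DEPARTMENT=department
"""

# Constructed LDAP entry; values are lists because LDAP attributes are multi-valued.
# 'st' and 'postalCode' are deliberately absent to show the skip behaviour.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "telephoneNumber": ["+39 06 1234567"],
    "co": ["Italy"],
    "l": ["Rome"],
    "mobile": ["+39 333 1111111", "+39 333 2222222"],
    "department": ["R&D"],
}


def parse_mapping(text: str) -> Dict[str, str]:
    """Parse KEY=attr lines; ignore blanks and comments; the last duplicate key wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, attr = line.partition("=")
        if not sep or not key.strip() or not attr.strip():
            raise ValueError(f"malformed mapping line: {raw!r}")
        mapping[key.strip()] = attr.strip()
    return mapping


def map_entry(mapping: Dict[str, str], entry: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {TWPROJECT_FIELD: value} for every mapped attribute present in the entry.

    Attribute names are matched case-insensitively (LDAP attribute types are
    case-insensitive); missing or empty attributes are left out so that an
    'update existing users' run does not overwrite data with blanks.
    """
    by_lower = {name.lower(): values for name, values in entry.items()}
    result: Dict[str, str] = {}
    for field, attr in mapping.items():
        values = by_lower.get(attr.lower())
        if values:
            result[field] = values[0]
    return result


if __name__ == "__main__":
    print(map_entry(parse_mapping(SAMPLE_PROPERTIES), SAMPLE_ENTRY))
```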

Scheduling user import

From the LDAP user import page, click the “see/add scheduled import” button.


Click on “create schedule”.

The first box contains the data about the job scheduling; the right box contains the data about your LDAP server.

default pwd: this is the Twproject password that will be set on imported users, in case LDAP authentication is off. If left empty, a password equal to the login name will be set.

Change the repetition according to your needs.

HELP! I can’t login into Twproject anymore!

1) You may have enabled LDAP authentication, but didn’t import any users. Proceed as follows:

2) stop Twproject

3) go to [your root]/webapps/ROOT/commons/settings, open the file global.properties, remove the property
AUTHENTICATION_TYPE=ENABLE_LDAP_AUTHENTICATION

4) restart Twproject
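The edit in step 3 is the one thing in this recovery that is easy to get wrong under pressure (deleting a neighbouring setting, or editing the wrong copy). The following is an added example, not Twproject code, that performs just that edit: it removes the AUTHENTICATION_TYPE=ENABLE_LDAP_AUTHENTICATION line, keeps every other line byte-for-byte, writes a .bak copy first, and is a no-op if the line is already gone. It assumes the plain key=value properties syntax shown above and is meant to be run with Twproject stopped; the demo runs against a constructed file in a temporary directory.

```python
"""Recovery step from the lockout FAQ: drop AUTHENTICATION_TYPE=ENABLE_LDAP_AUTHENTICATION
from global.properties, keeping a backup.

Added example, not Twproject code. Assumes key=value properties syntax with
'#' comments; run only while Twproject is stopped.
"""
import shutil
import tempfile
from pathlib import Path

KEY = "AUTHENTICATION_TYPE"
LDAP_VALUE = "ENABLE_LDAP_AUTHENTICATION"


def _is_ldap_auth_line(line: str) -> bool:
    """True for 'AUTHENTICATION_TYPE=ENABLE_LDAP_AUTHENTICATION' (whitespace tolerated)."""
    stripped = line.strip()
    if stripped.startswith("#") or "=" not in stripped:
        return False
    key, _, value = stripped.partition("=")
    return key.strip() == KEY and value.strip() == LDAP_VALUE


def disable_ldap_authentication(settings_path) -> bool:
    """Remove the LDAP authentication property from the file.

    Returns True if the file was changed (a .bak copy is written first) and
    False if the property was not present, in which case the file is untouched.
    """
    path = Path(settings_path)
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    kept = [ln for ln in lines if not _is_ldap_auth_line(ln)]
    if len(kept) == len(lines):
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text("".join(kept), encoding="utf-8")
    return True


def demo() -> dict:
    """Run the edit twice on a constructed global.properties and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        props = Path(tmp) / "global.properties"
        props.write_text(
            "# constructed sample, not a real Twproject file\n"
            "SOME_OTHER_SETTING=keep-me\n"
            "AUTHENTICATION_TYPE = ENABLE_LDAP_AUTHENTICATION\n",
            encoding="utf-8",
        )
        first = disable_ldap_authentication(props)
        second = disable_ldap_authentication(props)  # idempotent: nothing left to remove
        return {
            "changed": first,
            "changed_again": second,
            "remaining": props.read_text(encoding="utf-8"),
            "backup_exists": (Path(tmp) / "global.properties.bak").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

After the restart, Twproject is back on internal authentication, and you can log in with the original administrator account to import users before enabling LDAP again.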

We login with our LDAP accounts, but nobody is administrator any more.

If you imported the users “by hand” rather than with the scheduled job, you should have selected the “administrator” checkbox for at least one user. To fix this, you must temporarily disable LDAP authentication as in the FAQ above, log in with the original Twproject administrator account, enable the administrator checkbox on some users, and then re-enable LDAP authentication.

HELP! I’ve setup LDAP parameters and successfully imported the users, but they can’t login!

You may have forgotten to set LDAP as the authentication mode: log in with the original Twproject administrator account, go to tools -> administration -> global settings, select the LDAP authentication radio button, and then save.