LDAP authentication questions

Hi,

Some questions about LDAP:
- Does the new LDAP authentication functionality support Active Directory?
- Is there a template for "ldap-config.properties"?
- Should the java.naming.security.authentication value be set to kerberos for Active Directory?
- Is there any documentation about how to set up LDAP other than this:
http://www.jetbrains.net/confluence/display/TCD/Authentication+Settings

Thanks,
-Dave

7 comments

Hi Dave,

I managed to get this sort of working with a very simple config file
like this:

java.naming.referral=follow
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url=ldap://ldap.mycompany.com:389

However, I have to log in as Robert Gibson instead of rgibson. I'm also
a bit confused because in previous setups I have used (e.g. Jira and
Confluence, which both use OpenSymphony) they require a separate user to
be set up to do the lookups. The most useful doc I have found so far
details how to do the setup on this other system - it's not directly
applicable, but at least it gives some property names to try :-/
http://confluence.atlassian.com/display/DOC/AddingLDAPIntegrationToConfluence+2.0.x

Hope this helps, and maybe JetBrains can help me look up by sAMAccountName!
R


Robert Gibson wrote:

> Hope this helps, and maybe JetBrains can help me look up by sAMAccountName!


We are constantly improving our documentation. Check out the updated version for
a better AD example.

Specifically, both the LDAP CN (e.g. "Alexey Gopachenko") and
DOMAIN\sAMAccountName (e.g. "labs\alexey.gopachenko") can be used as the
login name.

--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"


Thanks for this, I was fiddling around and discovered that I can log in
with any of the following:
Robert Gibson
domain\rgibson
rgibson@domain
rgibson@domain.mycompany.com
CN=Robert Gibson,CN=Users,DC=domain,DC=mycompany,DC=com

Also, I was able to reduce my ldap-config.properties file to just one line:
java.naming.provider.url=ldap://ldap1.mycompany.com:389 ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389

Looks like there's no way to authenticate against just the
sAMAccountName (that is, without the domain) - I may log a feature
request if I get too many complaints from our users ;)

R


Robert & Alexey,

Thanks for your responses (and updated doc). I got LDAP/AD authentication working.

I was fiddling around and discovered that I can log in with any of the following:
Robert Gibson
domain\rgibson
rgibson@domain
rgibson@domain.mycompany.com


The one danger that I see in allowing this kind of username flexibility when logging in is
that each user can potentially use up 4 licenses. While experimenting with this, I
managed to use 3 licenses by logging in 3 different ways as myself. Is there a way to
impose a limitation as to what username format is allowed?

-Dave


Requiring a user to authenticate with the domain\username format differs from many of our other systems. It would be nice to specify a default domain in the config, so users can just authenticate with their sAMAccountName.

This is an enhancement that I would be interested in.

-Martin


mberwanger wrote:

> Requiring a user to authenticate with the domain\username format differs from many of our other systems. It would be nice to specify a default domain in the config, so users can just authenticate with their sAMAccountName.
>
> This is an enhancement that I would be interested in.
>
> -Martin

This is already possible and documented.

Example:

java.naming.provider.url=ldap://main.labs.intellij.net:389/CN=users,DC=Labs,DC=IntelliJ,DC=Net
loginFilter=.+
formatDN=labs\$login$

--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"

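Editor's added example, tying together Alexey's loginFilter/formatDN answer and Dave's worry that one user can log in under several name forms and burn several licenses. This is illustration code written for this page, not TeamCity's own code, and it makes the following assumptions: loginFilter is a regular expression the whole login must match (as the ".+" example suggests, like Java's String.matches()); "$login$" in formatDN is replaced by the accepted login; and ldap-config.properties is read with java.util.Properties, in which a literal backslash must be written as "\\" because a single backslash before "$" is silently dropped. The host names and the "labs" domain are placeholders; the properties text and the candidate logins are constructed from the forms reported in the thread.

```python
# Added example (not TeamCity's code): read an ldap-config.properties the way
# java.util.Properties does, then apply loginFilter / formatDN to the login
# forms people in the thread found that Active Directory accepts.
import re

# Constructed ldap-config.properties. Host names and the "labs" domain are
# placeholders. The provider URL is a space-separated failover list, continued
# over two lines with a trailing backslash. The backslash in formatDN is
# doubled: Properties turns "\\" into one backslash and drops the backslash of
# an unknown escape such as "\$".
LDAP_CONFIG = r"""
# domain controllers, tried in order
java.naming.provider.url=ldap://ldap1.mycompany.com:389 \
    ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389
# accept only a bare sAMAccountName (AD limits it to 20 characters)
loginFilter=[A-Za-z0-9._-]{1,20}
formatDN=labs\\$login$
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _continues(line):
    # Java continuation: the line ends in an odd number of backslashes.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def _unescape(s):
    # Java Properties escapes: doubled backslash, \t \n \r \f, \uXXXX; any
    # other backslash-X pair yields X with the backslash dropped.
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i])
            i += 1
            continue
        i += 1
        if i >= len(s):
            break  # lone trailing backslash is dropped
        if s[i] == "u":
            out.append(chr(int(s[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append(_ESCAPES.get(s[i], s[i]))
            i += 1
    return "".join(out)


def load_properties(text):
    # Minimal java.util.Properties loader for key=value lines: comments,
    # continuations and escapes handled; Java's ':' / whitespace separators not.
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while _continues(line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip()  # join, drop leading blanks
            i += 1
        key, _, value = line.partition("=")
        props[_unescape(key.rstrip())] = _unescape(value.lstrip())
    return props


def resolve_login(props, login):
    # Model of the thread's loginFilter / formatDN step (assumed semantics:
    # whole-string regex match, then $login$ substitution; the defaults are
    # this example's own). Returns the name that would go into the LDAP bind,
    # or None if the login is rejected before any directory round-trip.
    if re.fullmatch(props.get("loginFilter", ".+"), login) is None:
        return None
    return props.get("formatDN", "$login$").replace("$login$", login)


def single_backslash_pitfall():
    # Same file with formatDN written using ONE backslash (labs\$login$):
    # Properties drops it and the bind name silently becomes labsrgibson.
    props = load_properties("formatDN=labs\\$login$")
    return props["formatDN"].replace("$login$", "rgibson")


# The forms Robert found AD accepts, plus the bare sAMAccountName.
CANDIDATES = [
    "rgibson",
    "Robert Gibson",
    "domain\\rgibson",
    "rgibson@domain",
    "rgibson@domain.mycompany.com",
    "CN=Robert Gibson,CN=Users,DC=domain,DC=mycompany,DC=com",
]

if __name__ == "__main__":
    props = load_properties(LDAP_CONFIG)
    print("provider URLs:", props["java.naming.provider.url"].split())
    for login in CANDIDATES:
        print(f"{login!r:60} -> {resolve_login(props, login)!r}")
    print("one-backslash formatDN gives:", single_backslash_pitfall())
```

With the restrictive loginFilter only "rgibson" reaches the directory, as labs\rgibson; the CN, DOMAIN\user, UPN and DN forms are refused before a bind is attempted, so one person cannot appear as several users. Whatever filter you choose, check the parsed formatDN value (not the file text) before rolling it out, since the single-backslash pitfall produces a bind name that fails quietly rather than loudly.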

Are there any plans to support multiple LDAP groups and allow role assignments based on the group?
