LDAP auth binddn problem

Hi,

I'm evaluating Youtrack 7 as a replacement for Redmine and I want to use our OpenLDAP system for authentication. We are using the SAMACCOUNTNAME attribute for login names and the CN attribute for the real names. Our directory structure is using the CN attribute as DN. Youtrack seems to construct a binddn for binding using the login name instead of an LDAP search, which is not working with our directory layout. This way the user has to log in with "firstname lastname" instead of a username.

Teamcity 9 is working fine with our layout, the configuration in ldap-config.properties:
```
java.naming.provider.url=ldaps://<servername>:636/ou=users,dc=win,dc=example,dc=com
teamcity.users.login.filter=(SAMACCOUNTNAME=$capturedLogin$)
teamcity.users.username=SAMACCOUNTNAME
```

The configuration in Youtrack is the same:
Server-URL: ldaps://<servername>:636/ou=users,dc=win,dc=example,dc=com
Filter: (SAMACCOUNTNAME=%u)
Login attribute: SAMACCOUNTNAME
Name attribute: cn

When I take a look at hub-ldap.log, Youtrack does not evaluate the correct user DN, which should be cn=Firstname Lastname, ou=location1, ou=users,dc=win,dc=example,dc=com. Instead the logfile shows:

```
[pPasswordAuthenticationHandler] testuser: auth in LDAP
[LdapClient                    ] Constructed DN: testuser
```

How can I achieve this?

Thanks!

Official comment

Hello Alex,

could you please send us a screenshot of your OpenLDAP Auth module settings? Thank you.


Hello Axel,

as far as I understand from your Teamcity 9 configuration description, you want your users to use SAMACCOUNTNAME as a login. So you need to set `Bind DN` with a correct distinguished name like `SAMACCOUNTNAME=%u,ou=users,dc=win,dc=example,dc=com`. And you need to replace `Filter` value with `SAMACCOUNTNAME=%u`.

You can verify the correctness of distinguished name with `ldapsearch` tool:
`ldapsearch -H ldaps://<servername>:636 -x -b 'ou=users,dc=win,dc=example,dc=com' -D 'SAMACCOUNTNAME=<username>,ou=users,dc=win,dc=example,dc=com' -w <PASSWORD> 'SAMACCOUNTNAME=<username>'`


Hi,

thank you for your response. It is not possible to set a bind dn that way, because SAMACCOUNTNAME is not part of the user's distinguished name.

When I do an LDAP search for my user, I get the following entry:

```
dn: cn=Axel Steiner,ou=location1,ou=users,dc=win,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: USER
cn: Axel Steiner
sn: Steiner
givenName: Axel
initials: as
displayName: Axel Steiner
SAMACCOUNTNAME: ast
mail: ast@example.com
```

As you can see, the bind dn SAMACCOUNTNAME=%u,ou=users,dc=win,dc=example,dc=com does not exist. I would expect the ldap implementation to do an anonymous query with the filter (SAMACCOUNTNAME=<username>) to determine the correct bind dn for the authentication.

Teamcity 9 is working correctly when only a filter is configured. Please see ldap-config.properties of Teamcity 9:

---snip---
# LDAP filter string to search for LDAP user entry during TeamCity login.
# The search is performed inside the LDAP entry denoted by "java.naming.provider.url" and "teamcity.users.base" combined.
# Use $capturedLogin$ string to reference the name that user entered on login page and that was optionally modified via
#   "teamcity.users.login.capture" property (see below).
# Use $login$ string to reference raw user-entered value not affected by "teamcity.users.login.capture".
# The user found is then used to perform the actual login operation (LDAP bind). LDAP entry DN is used for the bind.
---snip---

It seems that Youtrack does not search the user to use the found DN for the bind. Instead the DN is constructed in a static way.


Hello Axel,

as far as we can tell, you can't authorise in YouTrack with your OpenLDAP the way you want currently.

We are going to have a new Hub 3.0 release very soon (in a couple of months) where it will be possible. Here is the feature request https://youtrack.jetbrains.com/issue/JPS-2289 please feel free to vote/comment/subscribe to it to be notified of the updates.

Let us know if we can help any further.
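
The search-then-bind flow discussed in this thread (look the user up with the `(SAMACCOUNTNAME=%u)` filter, then bind as the DN that was found), next to static DN construction, as an added example that is not part of the original posts and is not YouTrack, Hub or TeamCity code. The in-memory `DIRECTORY`, its second entry, the `bind` hook and all function names are constructed for illustration; the login is escaped per RFC 4515 before it enters the filter, and empty passwords are refused so the bind cannot become an unauthenticated one.

```python
import re

# Constructed sample directory mirroring the layout in the thread (second entry invented).
DIRECTORY = [
    {"dn": "cn=Axel Steiner,ou=location1,ou=users,dc=win,dc=example,dc=com",
     "SAMACCOUNTNAME": "ast", "cn": "Axel Steiner"},
    {"dn": "cn=Test User,ou=location2,ou=users,dc=win,dc=example,dc=com",
     "SAMACCOUNTNAME": "testuser", "cn": "Test User"},
]

def escape_filter_value(value):
    """RFC 4515: backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(filter_str):
    """Toy stand-in for an LDAP subtree search; handles one (attr=value) term."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", filter_str).groups()
    # An unescaped '*' is a wildcard; a \XX escape is the literal character.
    pattern = "".join(
        ".*" if tok == "*" else
        re.escape(chr(int(tok[1:], 16)) if len(tok) == 3 else tok)
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", raw))
    return [e for e in DIRECTORY if re.fullmatch(pattern, e.get(attr, ""), re.I)]

def static_dn(login, template="SAMACCOUNTNAME=%u,ou=users,dc=win,dc=example,dc=com"):
    """Static DN construction, as in the Bind DN suggestion in the thread."""
    return template.replace("%u", login)

def resolve_bind_dn(login, template="(SAMACCOUNTNAME=%u)"):
    """Search first; return the entry's DN only if exactly one entry matches."""
    matches = search(template.replace("%u", escape_filter_value(login)))
    return matches[0]["dn"] if len(matches) == 1 else None

def authenticate(login, password, bind):
    """bind(dn, password) -> bool is supplied by the caller (hypothetical hook)."""
    if not password:  # an empty password would be an unauthenticated bind
        return False
    dn = resolve_bind_dn(login)
    return dn is not None and bind(dn, password)

if __name__ == "__main__":
    print(static_dn("ast"))        # a DN that does not exist in DIRECTORY
    print(resolve_bind_dn("ast"))  # the entry DN found by the search
    print(resolve_bind_dn("*"))    # None: the wildcard is escaped and matches nothing
```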
