LDAP authentication concerns.


stoomart
15-03-05, 07:02 AM
Two interesting things I have found after setting up LDAP authentication to a 2003 ADS server from my LAMP test server.

1. AD users are authenticated regardless of what password is entered, may have something to do with them being anon users by default.

2. Cannot set the base DN to an OU, only to the default Users container.

not sure if these should be entered into mantis. I figured only if other people are seeing this as well.

Karen
15-03-05, 09:03 AM
stoomart - thanks for reporting this. I'll enter it as a Mantis job mostly because the programmer who wrote this component is forum-phobic :) :) :)

mosen
16-03-05, 08:15 AM
Hi,

This is a valid concern. I got the chance to test this with a Windows 2003 Server and for me it didn't bind at all. Looking around I found that it expects an explicit set of options. Also users could bind anonymously if they had no password (seems to be the behaviour with 2000 AD too).

I fixed both of these in the CVS and attached the fixed file to the bug report in mantis.

Note that the ldap search user is now the Full DN of the user you want to bind as when searching.

Tested with Windows Server 2003 Std. and binding in separate OUs.

Let me know how it goes.

stoomart
16-03-05, 09:58 AM
Sweet, that fixed the password issue and I can also now set the base DN to an OU.

What I'm seeing now is that it will only authenticate users in that one OU and not OUs nested inside of it.
I am also unable to set the base DN to a nested OU. I can see this being necessary because people will want to restrict LDAP authentication to a specific OU and many times they use a lot of nested OUs.
The "import contacts" filter seems to pick up these users alright but cannot directly query a nested OU either.

Please let me know if you want me to keep testing the LDAP authentication functionality or if you plan on doing more work on it. I just see this as something a lot of people are going to use and it will be totally awesome when it's done.

I appreciate your help on this and please do let me know if I get annoying.

stoomart
16-03-05, 10:10 AM
I would edit the last post but don't have permissions, I CAN set the base DN to nested and import contacts CAN query directly, this was my bad with LDAP syntax.
The only problem that still exists is it will only authenticate users in that one OU and not OUs nested inside of it.

Sorry.

mosen
16-03-05, 01:14 PM
I just want to make sure I have got the picture correctly.

You have an OU with OUs inside it and you want to search all the nested OUs for users to authenticate?

Maybe something like this:
<pre>
OU=Admin
|
>--> OU=HR,OU=Admin
|
`--> OU=Accounts,OU=Admin
</pre>
Where HR and Accounts OUs are nested in the Admin OU for example?

I could allow for searching recursively maybe. Or specifying multiple OUs to search.

Let me know if my example is similar to what you are saying.

stoomart
17-03-05, 03:21 AM
Exactly.

mosen
18-03-05, 09:10 AM
Fixed up the LDAP search so it properly binds to any nested OUs.
Check it out from the cvs if you can.
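
The two fixes discussed in this thread (mosen's post of 16-03-05: reject the empty-password bind that AD accepts as anonymous, and bind the search user by full DN; and the post above: search nested OUs) are easy to get wrong in any LDAP login module, so here is an added example, not dotProject's own code, that shows the naive bind beside a hardened login flow. The directory is a constructed in-memory stand-in that only mimics the bind and search semantics relevant here (an empty password succeeding as an anonymous bind, and "onelevel" versus "subtree" search scope); the DNs, account names and passwords are made up for the demo.

```python
"""Added example: AD-style LDAP login with the thread's two failure modes handled.
Not dotProject code. The FakeDirectory below is a constructed stand-in so the
example runs offline; a real deployment would use python-ldap or ldap3.
"""
import re

# RFC 4515 escaping so a login name cannot change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Constructed stand-in for an AD domain: {dn: {"password": ..., "sAMAccountName": ...}}."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # AD (per RFC 4513 section 5.1.2) treats a bind with an empty password as an
        # unauthenticated bind and reports success whatever DN was supplied.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base_dn, scope, filt):
        # Only the filter shape this example issues, (attr=value), is supported.
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: %r" % filt)
        attr, value = m.group(1), unescape_filter_value(m.group(2))
        hits = []
        for dn, entry in self.entries.items():
            if not dn.lower().endswith("," + base_dn.lower()):
                continue  # outside the permitted OU tree
            relative = dn[: -len(base_dn) - 1]  # RDNs between the entry and the base
            if scope == "onelevel" and "," in relative:
                continue  # nested deeper than one level: invisible to a onelevel search
            if entry.get(attr) == value:
                hits.append(dn)
        return hits


def naive_authenticate(directory, user_dn, password):
    """The pattern behind bug 1 in this thread: the posted password goes straight to
    bind, so an empty password becomes an anonymous bind and the login 'succeeds'."""
    return directory.bind(user_dn, password)


class LdapAuthenticator:
    def __init__(self, directory, base_dn, search_user_dn, search_password, scope="subtree"):
        self.directory = directory
        self.base_dn = base_dn
        self.search_user_dn = search_user_dn  # full DN, as the fixed module requires
        self.search_password = search_password
        self.scope = scope  # "subtree" reaches nested OUs; "onelevel" does not

    def authenticate(self, username, password):
        """Return the user's DN on success, None on any failure."""
        # Refuse an empty password before touching the directory; otherwise the
        # user bind below degrades to an anonymous bind that AD accepts.
        if not password:
            return None
        # Find the account with a service bind instead of guessing its DN, so
        # users in any OU under base_dn (not only CN=Users) can log in.
        if not self.directory.bind(self.search_user_dn, self.search_password):
            raise RuntimeError("search-user bind failed; check its full DN and password")
        filt = "(sAMAccountName=%s)" % escape_filter_value(username)
        matches = self.directory.search(self.base_dn, self.scope, filt)
        if len(matches) != 1:
            return None  # unknown, outside the allowed OU tree, or ambiguous
        user_dn = matches[0]
        # Prove possession of the password by binding as the user's own DN.
        if not self.directory.bind(user_dn, password):
            return None
        return user_dn


def make_demo_directory():
    """Constructed data following the OU=Admin / OU=HR / OU=Accounts layout above."""
    return FakeDirectory({
        "CN=svc-dotproject,CN=Users,DC=example,DC=com": {"password": "svc-secret", "sAMAccountName": "svc-dotproject"},
        "CN=Jane Doe,OU=HR,OU=Admin,DC=example,DC=com": {"password": "Jane-pw-1", "sAMAccountName": "jdoe"},
        "CN=Bob Ray,OU=Accounts,OU=Admin,DC=example,DC=com": {"password": "Bob-pw-2", "sAMAccountName": "bray"},
        "CN=Ann Lee,OU=Admin,DC=example,DC=com": {"password": "Ann-pw-3", "sAMAccountName": "alee"},
        "CN=Eve Out,OU=Contractors,DC=example,DC=com": {"password": "Eve-pw-4", "sAMAccountName": "eout"},
    })


if __name__ == "__main__":
    d = make_demo_directory()
    jane = "CN=Jane Doe,OU=HR,OU=Admin,DC=example,DC=com"
    svc = "CN=svc-dotproject,CN=Users,DC=example,DC=com"
    print("naive, empty password:", naive_authenticate(d, jane, ""))
    sub = LdapAuthenticator(d, "OU=Admin,DC=example,DC=com", svc, "svc-secret")
    one = LdapAuthenticator(d, "OU=Admin,DC=example,DC=com", svc, "svc-secret", scope="onelevel")
    print("hardened, empty password:", sub.authenticate("jdoe", ""))
    print("subtree finds nested user:", sub.authenticate("jdoe", "Jane-pw-1"))
    print("onelevel misses nested user:", one.authenticate("jdoe", "Jane-pw-1"))
```

With a real server the same steps map onto python-ldap as `conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)` and `conn.set_option(ldap.OPT_REFERRALS, 0)` (the explicit options AD wants), `ldap.SCOPE_SUBTREE` versus `ldap.SCOPE_ONELEVEL` for the search, and `simple_bind_s` for both binds; in PHP the equivalents are `ldap_set_option` with `LDAP_OPT_PROTOCOL_VERSION` and `LDAP_OPT_REFERRALS`, `ldap_search` (subtree) versus `ldap_list` (one level), and `ldap_bind`. The empty-password check has to stay in the application either way, because the server will happily report a successful anonymous bind.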

stoomart
19-03-05, 09:13 AM
Works perfect, you rock.

One other thing I think would be cool would be the ability to add a user from the "import contacts" option, maybe call it Import Contacts/Users.

This might be too much to ask and is really more of an enhancement request but the nice thing about being able to do this is you could set up permissions for the user prior to them logging in.
Additionally, you could possibly lock the LDAP authentication to only the users that have been added to the system.

mosen
21-03-05, 08:15 AM
I will have to think about how to design this. The basic problem as I see it is that your AD users don't have permissions in dotProject when they login.

One option I guess is to map domain local groups to dotProject roles. So you could add each user to a respective domain local group like dpAdmin and so on.. that's a possibility.

I could do it like you explained too - import the users before they login so you can assign permissions. I would like to make it a bit more automatic if I could, just in case someone has 500 users for example.

gdude66
22-08-05, 07:39 PM
How far did you get with this?
I would like to do the same and give them permissions based on LDAP user groups.