Understanding Collabnet’s LDAP binding
- by Robert May
We want to use both subversion usernames and passwords as well as Active Directory for our authentication on our Collabnet subversion server. This has proven to be more of a challenge than we thought, mostly because Collabnet’s documentation is pretty poor. To supplement that documentation, I add my own. The first thing to understand is that the attribute that you specify in the LDAP Login Attribute ONLY applies to lookups done for the user. It does NOT apply to the LDAP Bind DN field. Second, know that the debug logs (error is the one you want) don’t give you debug information for the bind DN, just the login attempts. Third, by default, Active Directory does not allow anonymous binds, so you MUST put in a user that has the authority to query the Active Directory ldap. Because of these items, the values to set in those fields can be somewhat confusing. You’ll want to have ADSI Edit handy (I also used ldp, which is installed by default on server 2008), since ADSI Edit can help you find stuff in your active directory. Be careful, you can also break stuff. Here’s what should go into those fields. LDAP Security Level: Should be set to None LDAP Server Host: Should be set to the full name of a domain controller in your domain. For example, dc.mydomain.com LDAP Server Port: Should be set to 3268. The default port of 389 will only query that specific server, not the global catalog. By setting it to 3268, the global catalog will be queried, which is probably what you want. LDAP Base DN: Should be set to the location where you want the search for users to begin. By default, the search scope is set to sub, so all child organizational units below this setting will be searched. In my case, I had created an OU specifically for users for group policies. My value ended up being: OU=MyOu,DC=domain,DC=org. However, if you’re pointing it to the default Users folder, you may end up with something like CN=Users,DC=domain,DC=org (or com or whatever). Again, use ADSI edit and use the Distinguished Name that it shows. LDAP Bind DN: This needs to be the Distinguished Name of the user that you’re going to use for binding (i.e. the user you’ll be impersonating) for doing queries. In my case, it ended up being CN=svn svn,OU=MyOu,DC=domain,DC=org. Why the double svn, you might ask? That’s because the first and last name fields are set to svn and by default, the distinguished name is the first and last name fields! That’s important. Its NOT the username or account name! Again, use ADSI edit, browse to the username you want to use, right click and select properties, and then search the attributes for the Distinguished Name. Once you’ve found that, select it and click View and you can copy and paste that into this field. LDAP Bind Password: This is the password for the account in the Bind DN LDAP login Attribute: sAMAccountName. If you leave this blank, uid is used, which may not even be set. This tells it to use the Account Name field that’s defined under the account tab for users in Active Directory Users and Computers. Note that this attribute DOES NOT APPLY to the LDAP Bind DN. You must use the full distinguished name of the bind DN. This attribute allows users to type their username and password for authentication, rather than typing their distinguished name, which they probably don’t know. LDAP Search Scope: Probably should stay at sub, but could be different depending on your situation. LDAP Filter: I left mine blank, but you could provide one to limit what you want to see. LDP would be helpful for determining what this is. LDAP Server Certificate Verification: I left it checked, but didn’t try it without it being checked. Hopefully, this will save some others pain when trying to get Collabnet setup. Technorati Tags: Subversion,collabnet
