Mantis集成 LDAP 认证

mantis的用户认证函数Authentication中相关有

$g_login_method	MD5 LDAP PLAIN CRYPT CRYPT_FULL_SALT BASIC_AUTH Some systems (mostly non-unix) do not have crypt support in PHP. MD5 will accomplish almost the same thing. PLAIN is plain text and there is no attempt to secure the password in the database. You will not be able to easily convert between encryption methods so this needs to be chosen at install time. CRYPT was the default until 0.17.0; MD5 is now the default. Try CRYPT_FULL_SALT if CRYPT is not working.
$g_ldap_server	The ldap server (eg: ldaps://ldap.example.com
$g_ldap_port	LDAP port (default 636).
$g_ldap_root_dn	“dc=example, dc=com”
$g_ldap_organisation	“organizationname=*Example)”
$g_use_ldap_email	Use email address in LDAP rather than the email stored in the database.
$g_ldap_bind_dn	“cn=Manager, dc=example, dc=com”
$g_ldap_bind_passwd

由于需要涉及到几个程序的统一认证，所以需要mantis到windows的AD进行认证，竟然发现互联网上又没有相关文档，高手们太坏了。诶诶，害的我再次自力更生艰苦奋斗。
相关配置方法：
首先介绍微软的一款Support Tools，ldp.exe，用来查看AD的详细信息。 
给出一个界面

在mantis的config_inc.php中配置以下信息， 
$g_login_method=LDAP; //设置认证方法为LDAP 
$g_ldap_server=’ldap://boofee.local’; //LDAP的访问路径 
$g_ldap_port = ’389′; //端口，微软的AD是389 
$g_ldap_organization = ”; 
$g_ldap_uid_field = ‘CN’; //这句最重要，其他文档配置未成功就是这里出了错 
$g_ldap_root_dn = ‘CN=Users,DC=boofee,DC=local’; //在AD中建立的相关用户在哪个组里面就将此配置到哪里，具体怎么写就是靠ldp.exe进行查询。 
$g_ldap_bind_dn=”CN=user,CN=Users,DC=boofee,DC=local”; //连接AD的用户名，user权限就可以了。 
$g_ldap_bind_passwd=”user”; //连接AD的密码
配置完成后基于AD的LDAP认证成功。
成功之后还是需要在mantis中建立用户名，在AD的相关组中也要有同样的用户名，认证的时候密码使用的是AD内存贮的密码。

转载自：http://www.boofee.net/flyingbamboo/archives/242

Mantis tweaks: logging in via Microsoft Active Directory LDAP

This is a short article on how to get the above Mantis version to work with Microsoft Windows Active Directory LDAP.
Used Mantis version: 1.1.1 and PHP Version 5

Mantis currently supports only login via LDAP directory by the following scheme:

Connect to LDAP server
Bind with anonymous DNS or with a user specified DN (but in a config file permanently)
If the bind succeeds then do an ldap_search
If the search succeeds then login is successful.
When using Microsoft AD LDAP the situation is a bit different, we want to:

Connect to LDAP server
Create a DN basing on the config file and username field that the user entered in the login form
Try Bind with the above DN and password that the user entered in the login form
If the bind succeeds then the login is successful (we don’t need to run the search)
To achieve that, there are some minor changes to do in the Mantis core API.

Step 1
Log in to a fresh mantis installation, and create a user with admin privileges with a username matching your LDAP username (in this example xy2093)

Step 2
First, add to your config_inc.php configuration file the following options:

/* we want to use LDAP auth */

$g_login_method = LDAP;
$g_ldap_server = 'ldap://ldap.myhost.com/';

/* the root DN that will be used to form the bind DN during authentication phase */
$g_ldap_root_dn = 'ou=staff,ou=company,dc=domain,dc=com';

/* we don't want the users to be able to sign-up via mantis */
$g_allow_signup=OFF;

/* we want to use Mantis email field instead of LDAP one */
$g_use_ldap_email = OFF;

/* we don't want false mantis lost password feature */
$g_lost_password_feature = OFF;
Step 3:
Next, you have to modify the core LDAP authentication ldap_authenticate function. Go to core/ldap_api.php, find the above function and replace it with:

function ldap_authenticate( $p_user_id, $p_password ){
if (is_blank($p_password))
return false;
$t_ldap_host = config_get('ldap_server');
$t_ldap_port = config_get('ldap_port');
$t_ldap_rdn = config_get('ldap_root_dn');
$t_ds = ldap_connect($t_ldap_host, $t_ldap_port) or die('Unable to connect to LDAP server<br />');
$t_user = user_get_field($p_user_id, 'realname'); //This checks the users Real Name instead of username
$t_uname = user_get_field($p_user_id, 'username');
$binddn = "CN=$t_user ($t_uname),$t_ldap_rdn";
$t_authenticated = false;
if(@ldap_bind($t_ds,$binddn,$p_password))
$t_authenticated = true;

return $t_authenticated;
}
In the function notice the $bind_dn variable. This is the variable being used to prepare the bind DN for LDAP connection. Feel free to modify it to suit your authentication scheme, however you should not have to. It defaults to:

CN=Firstname Lastname (username),ou=staff,ou=company,dc=domain,dc=com

i.e.

CN=John Doe (xy2093),ou=staff,ou=company,dc=domain,dc=com.

You won’t believe it but that’s it! Now you can try to log in to Mantis with your LDAP password and it should work like a charm.

The next issue to solve here is that you have to have the users from LDAP in your $mantis_user_table, for instance to manage Mantis privileges. There are many ways to achieve that, you can import them every night. Or you can use Mantis SOAP API to check if the user exists in LDAP when they try to log in as I did. But how to do that is another article ;)

转载自：http://www.warden.pl/2008/07/08/mantis-tweaks-getting-it-to-work-with-microsoft-ad-ldap/

 

 

Active directory settings

Active directory settings

Introduction

The page aims at describing how to configure mantis to connect to Active Directory.

General principles

Active Directory can currently be used by mantis for the following usage:

Check user password.
Retrieve user mail address (optional).
Users must be created manually in mantis using the same login as in Active Directory.

The way it proceeds is the following:

Connect to Active Directory using LDAP protocol to search user by its login - A generic account is used for that purpose.
If an entry was found, bind to Active Directory using dn entry found and the password provided by user. If several entries are found, each of them is tried until one successes.
If the connection is a success, and if the option is activated, the user mail address is retrieved from Active Directory.
General LDAP configuration

The following parameters must be set in the config_inc.php file:

$g_login_method = LDAP;
$g_ldap_server = ‘ldap://yourservername’; # or $g_ldap_server = ‘ldaps://yourservername’;
$g_ldap_port = 389; # Default is 389
$g_ldap_root_dn = “OU=your_organization_RDN,DC=your_organization_RDN,DC=your_organization_RDN”; # The root DN where to search users e.g. ‘ou=people,dc=example,dc=com’
$g_ldap_bind_dn = ‘full_DN_entry_for_generic_user’; # A system account to login to LDAP e.g. ‘cn=Robert Smith,ou=people,dc=example,dc=com’
$g_ldap_bind_passwd = ‘**’; # System account password
$g_ldap_organization = ‘‘; # This is additional filter that may be added to search query - you should first leave it empty and may add a filter later for optimization. e.g. ‘(objectClass=person)’
If you want to use user e-mail address defined in Active Directory instead of the one defined when creating mantis account you must add the following parameter:

$g_use_ldap_email = ON;
Specific Active Directory configuration

You must add the following parameters in the config_inc.php file:

$g_ldap_protocol_version = 3;
$g_ldap_uid_field= ‘sAMAccountName’; # Use ‘sAMAccountName’ for Active Directory - this is the name of the attribute used to search a user
Additionally, make sure not to use the root of your domain for $g_ldap_root_dn parameter. If you bind to the root of your domain, i.e. just dc=company,dc=com, then Active Directory, in addition to the search results you expected, will also return referrals to the other directory partitions which would confuse current implementation and cause an error.

http://www.mantisbt.org/wiki/doku.php/mantisbt:active_directory