Many companies manage access to their tools through an LDAP directory or Active Directory. iceScrum Pro can authenticate users against these directories.
Principles
There are two types of users in iceScrum, depending on their authentication mode:
– Internal: usual iceScrum users. They are authenticated against the username and password stored in iceScrum; no attempt is made to authenticate them through LDAP. Users created through the register form or from the user administration panel are internal by default.
– External: users that can authenticate only through LDAP. If the LDAP authentication fails, they cannot log in. When a new user successfully logs in to iceScrum for the first time through LDAP, the corresponding external iceScrum user is created from their LDAP attributes: username, first name, last name and email address. Consequently, there is no need for the administrator to create them manually. Their email address cannot be updated in iceScrum since it is intended to be defined in the directory.
Each time an external user logs in successfully, their iceScrum attributes are refreshed from the directory. Please note that LDAP group membership is not used to infer roles: project rights of external users are managed through the usual iceScrum team wizard.
User type (internal / external) can be changed by the administrator at any time. This can be used to migrate an existing user base to LDAP. Please refer to the user administration documentation for more information.
Please note that iceScrum never writes to your LDAP directory. Authentication is performed by a bind operation with the user's own credentials. However, a search is required before the bind in order to retrieve the user's Distinguished Name (DN). Consequently, if your directory does not allow anonymous searches, you will need to configure the credentials of an account that has the right to search it.
Configuration
You need to log in as administrator (by default, username: admin, password: adminadmin!) in order to configure the LDAP connection. Change this default password before exposing the server to users. You will find the LDAP settings in the “Settings” menu.
– Enable: Enable or disable the LDAP feature for the iceScrum server.
– Server URL: URL and port of the LDAP server, for example ldap://ldap.example.com:389.
– Search base: DN of the context to search in, for example ou=people,dc=example,dc=com.
– Search filter: The filter expression used in the user search. {0} is replaced by the username entered on the login form. For an AD server, use sAMAccountName={0}. For an OpenLDAP-style directory, uid={0} is typical, uid being the LDAP attribute that holds the username.
– Search subtree: If yes, it searches the entire subtree as identified by context, if no then it only searches the level identified by the context.
– Ignore partial result: Whether PartialResultExceptions should be ignored in searches. This is typically needed with Active Directory, because a subtree search under the domain root returns referrals to other naming contexts that the client cannot follow, and the search then ends with a PartialResultException even though the user entry was found.
– First name attribute: LDAP attribute used to populate the external user first name.
– Last name attribute: LDAP attribute used to populate the external user last name.
– Email attribute: LDAP attribute used to populate the external user email.
– Anonymous connection: Whether an anonymous connection will be used for the search.
– Manager Dn: DN of an account having sufficient rights to search the LDAP directory. Required if you don't allow anonymous connection. Use a dedicated read-only service account rather than an administrator account: iceScrum only needs to search, and these credentials are stored on the iceScrum server.
– Manager password: Password of the Manager Dn account. Required if you don't allow anonymous connection.
If you want to use LDAP over SSL:
– Use the ldaps scheme in the server URL
– Use the appropriate port in the server URL (usually 636)
– Import the CA certificate chain that issued the LDAP server certificate into a Java trustStore on the iceScrum server (for example with the JDK's keytool -importcert command)
– Add the path to the trustStore in the JVM system properties (usually defined in CATALINA_OPTS): -Djavax.net.ssl.trustStore=/your/path/to/truststore
Please note that StartTLS (TLS negotiated on the plain ldap:// port, usually 389) is not supported: use ldaps:// as described above.
Troubleshooting
General troubleshooting information:
– Detailed logs about LDAP authentication can be obtained by enabling verbose logging for security. Please refer to the server administration documentation.
If user authentication through LDAP doesn’t work, please ensure that:
– Your configuration has been taken into account (a restart is required). You can check in the verbose logs that the search base used when a user tries to authenticate is the one you defined.
– The iceScrum server can reach the LDAP server (proxy, firewall, ports 389 or 636).
– An LDAP search with the given search base and filter works outside iceScrum, using the same connection mode (anonymous, or bound with the Manager Dn and password given in the configuration), and returns exactly one entry for the username.
If an attribute of external users isn't populated from LDAP, check that the attribute name defined in the configuration matches an attribute that actually exists on the user entries in your directory, and that the search account is allowed to read it.
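The following program reproduces the search-then-bind flow described in the Principles section, using the same settings as the Configuration panel, so that it can be run outside iceScrum as the troubleshooting steps suggest. It is an added example, not iceScrum's own code: the server URL, search base, manager DN, attribute names and the LDAP_MANAGER_PASSWORD environment variable are assumed placeholders to replace with your own values. It relies only on JNDI from the standard JDK.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Standalone search-then-bind check mirroring the iceScrum LDAP settings (added example, not iceScrum code). */
public class LdapSearchThenBind {
    // Assumed placeholder values mirroring the settings panel; replace with your own.
    static final String SERVER_URL = "ldaps://ldap.example.com:636";
    static final String SEARCH_BASE = "ou=people,dc=example,dc=com";
    static final String SEARCH_FILTER = "(uid={0})";          // AD: "(sAMAccountName={0})"
    static final boolean SEARCH_SUBTREE = true;
    static final boolean IGNORE_PARTIAL_RESULT = false;       // true for AD referral noise
    static final boolean ANONYMOUS = false;
    static final String MANAGER_DN = "cn=icescrum-reader,ou=services,dc=example,dc=com";
    static final String MANAGER_PASSWORD = System.getenv("LDAP_MANAGER_PASSWORD");
    static final String FIRST_NAME_ATTR = "givenName", LAST_NAME_ATTR = "sn", EMAIL_ATTR = "mail";

    /** What iceScrum copies into the external user after a successful login. */
    static final class ExternalUser {
        final String username, firstName, lastName, email;
        ExternalUser(String u, String f, String l, String e) { username = u; firstName = f; lastName = l; email = e; }
    }

    /** Opens a connection; principal == null means an anonymous connection. Run with
     *  -Djavax.net.ssl.trustStore=/your/path/to/truststore when SERVER_URL is ldaps://. */
    static DirContext connect(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER_URL);
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return new InitialDirContext(env);
    }

    /** Step 1: read-only search for the user's entry, as the manager or anonymously. Nothing is written. */
    static SearchResult findUser(String username) throws NamingException {
        DirContext ctx = ANONYMOUS ? connect(null, null) : connect(MANAGER_DN, MANAGER_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SEARCH_SUBTREE ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] { FIRST_NAME_ATTR, LAST_NAME_ATTR, EMAIL_ATTR });
            // The username is passed as a filter argument for {0}, never concatenated into the filter
            // string: JNDI escapes '*', '(', ')', '\' and NUL, so "x)(uid=*" cannot rewrite the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(SEARCH_BASE, SEARCH_FILTER, new Object[] { username }, sc);
            SearchResult match = null;
            try {
                while (results.hasMore()) {
                    SearchResult r = results.next();
                    if (match != null) throw new NamingException("filter matches several entries for " + username);
                    match = r;
                }
            } catch (PartialResultException e) {
                if (!IGNORE_PARTIAL_RESULT) throw e;   // AD referrals surface here; swallow only if configured
            }
            return match;
        } finally {
            ctx.close();
        }
    }

    /** Step 2: bind as the DN found in step 1 with the user's own password. Returns null on failure. */
    static ExternalUser authenticate(String username, String password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind, which many directories
        // accept, so it must be rejected before talking to the server.
        if (password == null || password.isEmpty()) return null;
        SearchResult entry = findUser(username);
        if (entry == null) return null;                      // no such user: no login
        try {
            connect(entry.getNameInNamespace(), password).close();
        } catch (AuthenticationException e) {
            return null;                                     // wrong password: no login
        }
        Attributes a = entry.getAttributes();
        return new ExternalUser(username, value(a, FIRST_NAME_ATTR), value(a, LAST_NAME_ATTR), value(a, EMAIL_ATTR));
    }

    /** null here means the attribute named in the settings does not exist (or is not readable) on the entry. */
    static String value(Attributes attrs, String name) throws NamingException {
        Attribute attr = attrs.get(name);
        return attr == null ? null : (String) attr.get();
    }

    public static void main(String[] args) throws NamingException {
        String password = new String(System.console().readPassword("Password for %s: ", args[0]));
        ExternalUser u = authenticate(args[0], password);
        System.out.println(u == null ? "authentication failed"
                : "ok: " + u.firstName + " " + u.lastName + " <" + u.email + ">");
    }
}
```

Compile with javac LdapSearchThenBind.java and run it as java -Djavax.net.ssl.trustStore=/your/path/to/truststore LdapSearchThenBind jdoe, after exporting LDAP_MANAGER_PASSWORD. A failure in findUser points at the search base, filter, manager credentials or network reachability; a failure in the bind points at the user's password or DN; a null attribute in the printed result points at a misnamed attribute in the settings. For ldaps://, the truststore is built with keytool -importcert -trustcacerts -alias ldap-ca -file ldap-ca.pem -keystore /your/path/to/truststore, using the CA certificate that issued the LDAP server certificate.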